This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
The region continues to witness significant corporate investigations, substantive legal reform and aggressive enforcement. Although legislative developments and enforcement slowed down during the covid-19 pandemic as a result of the effect that it had on the operation of government departments, the general trends of the pre-covid years are continuing. The Banking Royal Commission in Australia, corporate criminal liability provisions inspired by the UK Bribery Act across several jurisdictions in Asia, the omnipresent focus of the US Department of Justice (US DOJ) on China, and geopolitical tensions more generally, mean that companies in the region continue to face clear business risk. At the same time, a combination of covid-19 and the increased use of technology have resulted in an uptick in criminal activity in certain areas, such as money laundering, cryptocurrency-related crimes and cyber-enabled fraud. For example, the Australian Competition and Consumer Commission reported in April 2023 that business email compromise scams have caused the third highest losses of all types of scams. This is a trend that has been replicated in other Asia-Pacific countries, such as mainland China, Hong Kong, Thailand, Malaysia and Singapore, resulting in the theft of hundreds of millions of US dollars.
Although the continued effects of the United States cannot be underplayed, national authorities continue to demonstrate an appetite for investigating and prosecuting large cases themselves. Partly as a result of this, there is a sustained increase in complex, multi-jurisdictional investigations. This highlights a further regional trend – increased cooperation between regulators in different jurisdictions. On a practical level, enhanced information sharing requires a coordinated response by investigated parties to manage competing requests for information, determine appropriate remedial steps and ultimately find solutions to conclude multiple investigations. In a region that combines civil law and common law jurisdictions, it is not surprising to find different approaches to data privacy and legal privilege. However, the challenges this poses have been exacerbated by the introduction of a number of blocking statutes in China, prohibiting individuals and entities from providing information to criminal enforcement and regulatory authorities outside the country without the approval of Chinese authorities. This can lead to challenges for corporates and their advisers when conducting internal investigations and responding to external regulatory investigations. In this chapter, we highlight some of the overarching themes and developments that we have been seeing.
Areas of enforcement risk
Bribery and corruption remain core areas for law enforcement, with domestic and international agencies homing in on conduct in the region. National anti-corruption agencies in Australia, Indonesia, Malaysia, India and China have all bolstered their powers of investigation and oversight. In tandem, some governments (such as in Australia, South Korea and China) have introduced more stringent corporate penalties. In terms of international enforcement, misconduct in China has long been the subject of more corporate bribery investigations under the US Foreign Corrupt Practices Act than any other jurisdiction. The US DOJ continues to pursue its China Initiative, investigating and verifying bribery more often in China than in any other geography. This focuses largely on multinational companies’ activities in China. Having said this, China’s focus on corruption-related enforcement continues unabated and corruption convictions have remained high in the past year.
Money laundering, tax evasion, (accounting) fraud, cybercrime, market manipulation, and sanctions and export controls are other key areas for corporate investigations in the Asia-Pacific region.
Anti-money laundering (AML) and counter-terrorism financing (CTF) continue to be key areas of focus, in particular in financial centres such as Hong Kong and Singapore. It is clear that law enforcement agencies continue to prioritise AML/CTF efforts, although some have shifted their focus to covid-19 predicate offences, which is evidenced by, among other things, relevant guidance published by criminal enforcement and regulatory authorities in China and Singapore. Many jurisdictions, including Hong Kong, Singapore, India and China, continue to ramp up domestic AML legislation and corporate enforcement. The region’s focus on money laundering is best highlighted by hydra-style investigations such as those in respect of 1MDB, which started in Malaysia but has spread to the highest levels of public office and corporate business globally, including world-famous banks. Governments are pursuing regulatory and criminal actions against financial and other institutions for their failure to implement sufficient controls to monitor global transactions. Financial institutions, in particular, are subject to increasing scrutiny through audits, examinations, inspections and investigations. The Monetary Authority of Singapore (MAS), the Hong Kong Monetary Authority (HKMA) and Hong Kong’s Securities and Futures Commission (SFC) have been particularly active in revoking licences or imposing significant fines (or both) during the past few years, and have continued to do so.
Tax evasion is another area in which there has been heightened activity in the region. This has been led by the United States under its Foreign Account Tax Compliance Act and the aftermath of its Swiss bank programme, when the US DOJ announced that it would be following funds that are the subject of US tax evasion from Switzerland to financial centres in Asia, such as Hong Kong and Singapore. The pressure on taxpayers and financial institutions has been accelerated and broadened further by the Organisation for Economic Co-operation and Development’s Common Reporting Standard. The ‘follow the money’ initiatives that are being pursued by a number of jurisdictions, including the United States, have highlighted Asian financial centres as targets. Two Indonesian tax amnesties in the past five years (in 2016–2017 and 2022) – the aim of which was to repatriate offshore funds – are another obvious example, as a vast majority of the funds were located with banks in Singapore. The upshot is a further focus on banks in the region, with authorities in India, Australia and New Zealand showing an appetite for reviewing tax-sharing information to root out corporate tax evasion, particularly through multilateral treaties to prevent base erosion and profit shifting.
Fraud, particularly tax and accounting fraud, continue to occupy law enforcement too. There are a number of recent high-profile examples, including investigations involving the Singapore subsidiary of a large German payment provider and one of China’s biggest pharmaceutical companies. The former has so far resulted in criminal convictions for two managerial employees in June 2023, with charges against a further five individuals pending and fines totalling S$3.8 million issued by MAS against four financial institutions; and the latter resulted in the China Securities Regulatory Commission blacklisting six executives for their role in a US$4.2 billion accounting scandal.
Cybercrime has been a board-level issue in recent years regardless of jurisdiction, but some of the biggest corporate investigations have touched on the Asia-Pacific region. Asia is considered relatively insecure in terms of infrastructure, meaning cyberattacks are more common. Singapore, one of the leading global digital economies, has become a target, particularly in the health sector. We have also seen a marked increase in state-sponsored cyberattacks, which has led to sanctions being introduced under the European Union’s new cyber sanctions regime. The sanctions were imposed in relation to individuals and organisations in North Korea, China and Russia. In response, domestic authorities and regulators have increased compliance and reporting requirements. This turns up the temperature on corporates, which must be ready for internal and external investigations emanating from cybercrime. Instances of online scams have continued to rise in the past few years as a result of the covid-19 pandemic and the resulting increase in online activities. For example, Hong Kong’s SFC has been investigating and taking action against a number of ‘ramp-and-dump’ schemes suspected of fraud and market manipulation, where fraudsters ‘ramp up’ the price of a stock (for example, by using social media to lure unwary investors to buy the stock), and then sell, or ‘dump’, the stock to take profit. The SFC has worked with the Hong Kong Police Force (HKPF) and the Independent Commission Against Corruption on a number of these investigations, where suspected fraud, bribery or money laundering are also involved (in addition to market manipulation). In one such investigation, the SFC and the HKPF launched a joint operation with MAS and the Singapore Police Force against a suspected cross-border ramp-and-dump syndicate in December 2021. Both Hong Kong and Singapore authorities and regulators have warned the public about such scams.
Another area of enforcement risk that has developed during the past few years concerns the increased sanctions and export controls introduced, in particular, by China and the United States as result of geopolitical tensions. In 2022, the Office of Foreign Assets Control of the US Treasury Department issued 16 enforcement actions for breaches across 11 sanctions programmes, involving 14 penalties and two findings of violation. These actions resulted in settlements exceeding US$42.7 million, a figure in line with previous years. Western sanctions regimes and Chinese blocking legislation mean that companies active in China and operating out of China may find themselves in the cross hairs of conflicting sanctions regimes. While there has been no enforcement activity yet in China (except for fines imposed by customs on exporters located in China who failed to obtain permission for exporting items subject to export controls), this is an area that may gain momentum depending on how the geopolitical climate develops. Also, in a rare move, Singapore has introduced Russia-related sanctions independent of the United Nations sanctions regime prohibiting, among other things, the transfer to Russia of specific dual-use goods and introducing financial measures targeted at designated Russian banks, entities and activities in Russia.
A shift from individual to corporate liability
Historically, enforcement agencies in the Asia-Pacific region have focused on individual criminal liability in the context of public sector bribery, often concentrating on prosecuting the government officials receiving the bribes; however, there have been some clear shifts in focus, demonstrated by legislative changes and statements made by enforcement agencies in some Asia-Pacific countries. The most uniform shift in a number of Asia-Pacific jurisdictions is in respect of the introduction of corporate criminal liability and accountability of senior management. Thailand, India, Japan, Singapore, Malaysia, Indonesia and China have all introduced legislation, making it easier either to attach corporate criminal liability or to penalise companies involved in bribery. Australia continues to review its corporate criminal responsibility regime for foreign bribery, with proposed reforms recently re-enlivened by the Australian government (but yet to be passed and implemented). India, Indonesia, Malaysia and Thailand were all inspired by the UK Bribery Act section 7 corporate offence in crafting their own legislation, and the corporate liability regime came into effect most recently in Malaysia, on 1 June 2020. In simple terms, under these often still fairly new rules, companies may be held criminally liable if their employees or agents or otherwise ‘associated persons’ commit bribery or other criminal offences while acting on behalf, or for the benefit, of the company. As is the case under the UK Bribery Act, these rules take into account whether a company had adequate procedures in place to prevent the criminal offence when determining the company’s liability. Although some provisions are limited to bribery offences (e.g., in Malaysia and India), others are more broadly drafted to cover other criminal offences as well (e.g., in Indonesia); however, the new corporate criminal liability offence introduced in Vietnam covers tax evasion and money laundering offences and does not extend to bribery offences.
The corporate liability offences plug gaps in domestic regimes, give law enforcement and regulators greater powers, and ease the requirement of meeting the difficult threshold of showing involvement of the ‘directing mind and will’ of the company to establish corporate liability. Critically, there is increasing pressure on companies to put adequate procedures and controls in place to prevent bribery if they wish to escape liability for misconduct carried out by employees or agents when acting for the company.
The corporate liability provisions in Malaysia and India make it clear that they cover foreign entities that carry on their business, or part of their business, in the jurisdiction. Indonesian laws go one step further and provide that a group company, including a parent or affiliate company, may be held criminally liable if it is considered to be involved in the bribery. As a result, companies operating in the region should ensure that appropriate internal control measures are in place or re-evaluate their measures so that they do comply with relevant domestic guidelines. The increased corporate exposure has also resulted in investors and, in some instances, lenders conducting heightened compliance-related due diligence on local companies before entering into a merger or a joint venture, or making an investment to gauge and manage their exposure and the exposure of their representatives appointed to the boards of the local target companies.
Senior managers are also facing enhanced exposure to liability, putting their companies under additional compliance risk. Senior manager accountability regimes, similar to the United Kingdom’s Senior Managers’ and Certification Regime, were introduced in Hong Kong and Singapore in the past few years to enable the financial sector to improve the individual accountability of senior managers. Anti-bribery provisions in Malaysian and Indian laws potentially extend criminal liability to senior management more broadly beyond the (regulated) financial sector. This means that senior managers may be held liable for bribery committed under their watch when they are seen to have either proactively authorised or at least known of, and acquiesced in, bribery. Although largely untested at this stage, there is a risk that liability may be inferred when there is a suspicion of bribery and a senior manager does nothing to stop the bribery, or turns a blind eye to clear indications of bribery.
Other trend shifts relate to broadening the focus to cover private sector bribery and supply-side bribery to an increasing extent. Notable illustrations of the former are the introduction of a private sector bribery offence in Vietnam, a bill in Sri Lanka extending bribery to the private sector (approved by Parliament in July 2023) and the fact that around 80 to 90 per cent of bribery-related prosecutions in Singapore and Hong Kong concern incidents within the private sector. Although public sector bribery is still considered to attract a higher level of enforcement risk, it is important not to lose sight of the criminality of private sector bribery. In jurisdictions that still ‘only’ provide for prohibitions on public sector bribery (e.g., India and Indonesia), the scope of who may be considered a public official is often extended. Further, recent legislative changes in India have introduced a supply-side bribery offence, and there has been an increased focus in Indonesia on those who give bribes, as seen by the rise in the number of actions being taken by the Corruption Eradication Commission (KPK) and the Attorney General’s Office against bribe givers.
Culture and ESG
Culture has become a central tenet of, and compliance imperative for, corporate investigations in the region. Financial institutions, in particular, have been facing a culture and conduct storm. The Banking Royal Commission in Australia illustrates the role of corporate culture at the meso (organisation) and macro (industry) levels. Further, regulatory and stock exchange authorities in Hong Kong and Singapore have been focusing on culture as well as stopping the ‘rolling of bad apples’ within the industry, via initiatives such as the HKMA’s review of incentive systems of retail bank front offices completed in May 2022, the mandatory reference checking scheme for the Hong Kong banking industry implemented in May 2023 (and proposed for the Singapore financial industry), and the Hong Kong Stock Exchange’s update to its Corporate Governance Code in respect of culture and other governance issues implemented in January 2022.
With most jurisdictions moving to disclosure-driven, risk-based systems, an assessment of corporate culture involves a top-down review to assess the readiness of a company to limit the occurrence of misconduct and its reaction to it once on notice. A failing corporate culture can be evidenced by any of the following: a lack of corporate policies and training, poor tone from the top, turning a blind eye, lack of personal accountability, and express or tacit authorisation of poor conduct.
UK Bribery Act-inspired legislation in certain jurisdictions, particularly those with adequate procedures defences, highlights the growing relevance of corporate culture in Asia. Further, corporate culture continues to affect enforcement outcomes; for example, the US DOJ Criminal Division’s updated Guidance on the Evaluation of Corporate Compliance Programs helps to benchmark the effectiveness of a company’s compliance programme. The Guidance assists US authorities with decisions when conducting an investigation, determining whether to bring charges, or negotiating pleas or other arrangements. Whether in the United States, the Asia-Pacific region or elsewhere, the Guidance sets out useful prompts for a best practice compliance framework. Given the propensity of regulators to borrow from each other’s procedures and practices, it will also be of interest to companies subject to regulatory scrutiny, investigation or enforcement outside the United States, as a benchmark for appropriate remediation and resolution.
Guidance has also been issued by the Prime Minister’s Department in Malaysia, setting out anti-corruption programmes and procedures to be adopted by companies doing business in Malaysia. The guidance (which is similar to that issued in the United Kingdom under the Bribery Act 2010) describes an effective, risk-based compliance programme that minimises the risk of misconduct occurring and, where it does occur, mitigates the potential consequences for the company. When reviewing anti-corruption policies and procedures of listed companies, the Securities Commission Malaysia found that approximately 68 per cent of listed companies had displayed a good overall level of compliance, having an anti-bribery or corruption framework in place.
Separately, a number of jurisdictions have introduced (or are in the process of introducing) laws and regulations to mandate disclosures by listed companies and investment funds in respect of environmental, social and governance (ESG) matters (e.g., China, Hong Kong, Singapore and Australia). The recent publication of the International Financial Reporting Standards’ Sustainability Disclosure Standards by the International Sustainability Standards Board will no doubt provide additional impetus to governments and regulators around the globe to further initiatives on ESG disclosure. The region has begun to see investigations, enforcement action and litigation relating to greenwashing and false and misleading statements designed to induce the purchase of products and services (e.g., in Australia), and these are only likely to increase going forward.
Information-sharing and multi-jurisdictional investigations
It is rare for an allegation into corporate misconduct to remain a domestic affair, such is the global nature of modern commerce and communication. Regulators are ramping up cross-border cooperation and resolutions in response. Some very high-profile corporate investigations demonstrate how concurrent multi-jurisdictional investigations are now the norm. It is noteworthy in this context that cross-border information sharing between authorities is often informal and will not always follow formal and time-consuming procedures under mutual legal assistance treaties.
An example of where local enforcement action has followed and built on enforcement by US or UK authorities (or both) is the Rolls-Royce matter, in which the settlement covered allegations that Rolls-Royce had bribed officials in multiple countries for more than 20 years. The British company’s alleged bribery of officials at airline company Garuda Indonesia and others was covered in the £671 million settlement that Rolls-Royce reached with the United Kingdom’s Serious Fraud Office (SFO), the US DOJ and Brazil’s Federal Prosecution Service in January 2017. Using information obtained from the SFO/US DOJ investigation, the KPK in Indonesia opened an investigation against several individuals at Garuda Indonesia, including the company’s former president and chief executive officer, Emirsyah Satar. Mr Satar was convicted of accepting illicit payments totalling US$1.5 million and other items worth US$2 million and was sentenced to eight years in prison in May 2020. Separately, in 2018, Garuda Indonesia commenced civil proceedings in the Indonesian courts against Rolls-Royce, seeking annulment of an agreement between the parties as well as compensation. The proceedings were withdrawn after the parties reached a settlement in 2021. India’s Central Bureau of Investigation and Thailand’s National Anti-Corruption Commission have also opened investigations and filed criminal proceedings against Rolls-Royce and related parties, including two former senior executives of Thai Airways International. A similar pattern has been playing out involving allegations of corruption, involving Airbus and executives of the Malaysian airline, AirAsia. Airbus entered into a deferred prosecution agreement (DPA) at the beginning of 2020 involving authorities in the United Kingdom, the United States and France requiring Airbus to make payments totalling €3.6 billion. This led to investigations by the Malaysian Anti-Corruption Commission and the Securities Commission Malaysia (with the former confirming in February 2020 that it had been in contact with UK authorities in relation to the matter), although there has been no subsequent announcement by the regulators on the outcome of these investigations.
GlaxoSmithKline plc (GSK) is another famous example of a global brand being caught up in bribery in Asia, leading to investigations and charges in multiple jurisdictions. Between 2004 and 2010, GSK’s sales teams in China were alleged to have bribed doctors to prescribe GSK products. A Chinese court fined GSK China a record 3 billion yuan (US$492 million) for bribery in 2014. The former head of GSK China and four other former GSK senior executives were also found guilty, and GSK China’s financial compliance and legal departments were found to have been complicit. Related international investigations have been carried out in the United States by the DOJ and the Securities Exchange Commission (SEC) for potential violations of the Foreign Corrupt Practices Act, and in the United Kingdom by the SFO for possible breaches of the Bribery Act. The US investigation ended in a settlement in October 2016, with GSK paying the US SEC a US$20 million civil fine. The US DOJ and the SFO later declined to prosecute.
Privilege and data privacy: complexities in the Asia-Pacific region
With a mixture of common law and civil law jurisdictions, law enforcement agencies and regulators in the region adopt very different approaches to legal professional privilege and data protection; for example, China, Japan, Korea, Indonesia, Thailand and Vietnam do not recognise legal privilege, but lawyers owe duties of confidentiality over documents provided to them by their clients. However, this can be overridden by authorities in investigations.
In contrast, common law jurisdictions such as Hong Kong, Singapore, Malaysia, India, Australia and New Zealand all recognise legal privilege to a greater or lesser extent. In general, internal investigation notes and investigation reports produced in the context of corporate investigations may be covered by legal privilege and protected from disclosure in common law jurisdictions, depending on the extent of involvement of either internal or external lawyers in the investigation process. In the same vein, there is a basis for pushing back against seizure of privileged material during dawn raids or other inspections by authorities and regulators. This does not apply in civil law jurisdictions, meaning that in cross-border investigations, the approach of authorities and regulators on the question of legal privilege can be diametrically opposed. Corporates and their lawyers will often try to assert legal privilege in civil law jurisdictions, expecting it to be claimed as part of a broader regional investigation in which common law jurisdictions are also involved. However, this will not prevent documents and data being seized or handed over to authorities and regulators in civil law jurisdictions. These bodies could potentially then share the evidence with authorities and regulators overseas, resulting in a broader loss of privilege protection.
Furthermore, it has become more common for corporates under investigation, particularly financial institutions, to consider waiving their right to legal professional privilege to certain documents and disclosing them to one or more regulators as an act of cooperation, in the hope that this cooperation will be recognised in the investigation outcome. Disclosure would normally be made under a limited waiver of legal professional privilege, if recognised by the jurisdiction and permitted by the regulator (i.e., a waiver as it applies to the regulator who has agreed to maintain the confidentiality of documents) but not waiving privilege as it applies to the rest of the world. Although the concept of limited waiver is recognised in some jurisdictions (such as by the Hong Kong SFC, which has expressly stated that a waiver of legal professional privilege over a document, even on a limited basis, may be recognised as an act of cooperation to be considered when deciding the enforcement outcome), the consequences of a limited waiver remain unpredictable, particularly in a multi-jurisdictional investigation.
A related issue is data privacy. In the context of cross-border investigations, the extent to which Asian countries restrict data transfers offshore varies. India, for example, passed its new Digital Personal Data Protection Act in August 2023 after a five-year legislative process. Although the new law imposes fewer obligations than the European Union’s General Data Protection Regulation (GDPR) and similar data protection laws, it restricts data transfers to countries listed on a ‘negative list’ to be created by the government. In addition, although the new law does not include a general data localisation requirement in relation to personal data, it allows for sectoral localisation requirements, such as those that have been introduced in relation to the payments sector. New Zealand has also passed amendments to its Privacy Act, which came into force in December 2020. The changes bolster New Zealand’s data privacy regime by, for example, introducing mandatory data breach reporting and restrictions on offshore transfers. Further, there are multiple laws in China that restrict the transfer of information or data overseas; for example, the state secrecy laws (which restrict the transfer of a broad list of items that may constitute state secrets), the International Criminal Judicial Assistance Law (which restricts the provision of assistance in criminal proceedings outside China without the approval of competent authorities), the Data Security Law and the Personal Information Protection Law (which restricts the provision of data and personal information to foreign judicial and law enforcement bodies, including regulators, without the approval of competent authorities). In addition, recent amendments to the Anti-Espionage Law (which took effect on 1 July 2023) expanded the scope of protected information to ‘other documents, data, materials, articles relating to national security and interests’ in addition to ‘state secrets and intelligence’ as stated in the earlier version, which gives rise to additional ambiguity around the scope of the protected information.
The extraterritorial nature of the GDPR adds a further potential layer of complexity for corporates operating in the Asia-Pacific region, since many have branches or processing operations within the European Union. The substantial fines that may be issued under the GDPR are a sober warning to all companies, regardless of location. Ensuring that the processing of data complies with the GDPR, where it applies, is a commercial imperative. In the context of investigations, the GDPR, in line with most domestic data privacy laws, gives authorities the right to receive personal data from investigated companies, or other authorities, in the context of regulatory criminal investigations. In internal investigations, a combination of processing conditions under the GDPR and local data privacy law exemptions and derogations (where applicable) will dictate whether transfers are permissible. This needs to be assessed in each individual case and will remain an area of interest in investigations in the region.
Challenges are also posed by the significant rise in the use of off-channel communications (such as WeChat and WhatsApp) for business purposes, a global phenomenon prompted by the increased availability of instant messaging platforms and pandemic-induced remote working. Enforcement cases in the United States in the past two years have illustrated the perils associated with data that is stored on employees’ personal devices and the need for financial institutions to put in place policies and measures to limit off-channel business communications and to ensure proper records are kept of all business communications. These cases involved around 30 large financial institutions that admitted to widespread record-keeping failures, where employees at multiple levels of seniority were communicating with customers and internally via text messages, encrypted messaging applications (such as WhatsApp and Signal) and personal email accounts, and the institutions were not able to produce the off-channel communications to the SEC when required to do so. The US DOJ’s Guidance on the Evaluation of Corporate Compliance Programs (updated in March 2023) includes new sections on the use of messaging applications. Companies are required to have clear policies on which communication channels are allowed for business communications and should be able to explain the rationale behind these policies. This should include how the company has adapted its policies by business function, jurisdiction and differing applicable laws. Prosecutors are likely to want an explanation of why the policy is reasonable, given a company’s needs and risk profile, and whether it is actually being enforced. This is likely to be an area that Asia-Pacific regulators will also be looking into.
Increased pressure and incentives to cooperate
The Asia-Pacific region has seen the emergence of corporate settlement regimes in recent years. As seen in the United States and the United Kingdom, DPA regimes create strong incentives for self-disclosure by companies, and those that disclose, cooperate and remediate may avoid prosecution in favour of fines or monitorship; however, they have also been criticised as providing a means for companies to ‘buy’ their way out of ‘meaningful punishment’. In Australia, this criticism was directed at the Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2019 proposed by Australian Labor Party senators after it was reintroduced to the Senate at the end of 2019. This Bill lapsed in July 2022 and, although the government has re-enlivened proposed reforms to Australia’s foreign bribery landscape after introducing the Combatting Foreign Bribery Bill in June 2023, these proposed reforms no longer contemplate a DPA process. Accordingly, without further reforms, DPAs will not be available in Australia for serious corporate offences, such as foreign bribery, false accounting, money laundering and sanctions violations.
These voluntary self-reporting regimes are to be differentiated from statutory reporting obligations that exist under many anti-money laundering laws across the region and in some jurisdictions in relation to certain predicate offences. Anti-money laundering laws may require the reporting of a suspicion of criminal proceeds flowing from a criminal act such as bribery. Laws in Malaysia and Vietnam go further and require the reporting of a bribery offence (regardless of whether the offence has resulted in criminal proceeds). The failure to report will often constitute a criminal offence in itself, and reporting obligations will need to be kept in mind whenever potential criminal misconduct is being investigated.
New Zealand’s regime falls short of a DPA system, but certain agencies, such as the Financial Markets Authority, may obtain ‘enforceable undertakings’ that help companies avoid prosecution.
India and China have no non-prosecution agreement or DPA system, although in practice, self-reporting and cooperation may be taken into account in mitigation.
DPAs were introduced in Singapore in late 2018. This followed on the heels of the first multi-jurisdictional DPA entered into with the US DOJ involving Singaporean authorities. This was a rare example of a Singapore company being penalised by the Singapore authorities under national anti-bribery laws for bribery committed abroad. It was by far the highest penalty levied against a Singapore company and was the first DPA involving cooperation between the Brazil, Singapore and US authorities. Singapore’s DPA regime is similar to that of the United Kingdom, except that Singapore DPAs cover a more limited range of criminal offences and Singapore prosecutors are not required to issue guidelines on when a DPA is appropriate and on what ‘discounts’ may be offered in the case of self-reporting, meaning that prosecutors retain maximum flexibility. Further, the Singapore DPA regime is unusual in that, unlike other jurisdictions with a DPA regime, Singapore has not yet introduced a separate or stand-alone corporate bribery offence.
In Japan, a plea bargaining regime was introduced in June 2018. Unlike DPAs, this regime applies to individuals rather than companies. Suspects and defendants will be rewarded with leniency if they cooperate by providing information or evidence in resolving another person’s crimes or by giving depositions against partners in crime (including corporates). Despite incentivising individuals to inform, this new regime has not led to the expected uptick in corporate investigations. That said, company executives have been found guilty on each of the three occasions the regime has been used. Serious concerns about falsification of evidence remain, with the court denying the credibility of many statements made under the plea bargain.
Further to the introduction of the plea bargaining regime, in 2020, the Japan Fair Trade Commission (JFTC) implemented new leniency rules and administrative surcharges. These further incentivise corporates to swiftly cease misconduct and report to the JFTC when they uncover competition-related misconduct.
Whistleblowing regimes are a corollary of DPAs, which both encourage early notification and cooperation. Australia’s whistleblower protection laws, which came into effect on 1 July 2019, strengthen protection and compensation for whistleblowers and impose on regulated companies the requirement to implement corporate whistleblowing frameworks, including confidentiality and non-retaliation provisions. India passed a Whistle Blowers Protection Act in 2014 but it has not yet been brought into effect. Long-awaited amendments were introduced to Japan’s whistleblowing law in June 2020 to address criticism about the lack of sanctions for companies that treat whistleblowers unfairly. Although the amendments, which came into force in June 2022, do not address this, they do introduce additional protective elements, such as a duty to protect whistleblowers’ confidentiality, extend the scope of the law to former employees and provide for a duty to establish a reporting mechanism. Hong Kong and Singapore still lack dedicated whistleblower legislation, but do have provisions in a patchwork of laws and regulatory requirements to protect whistleblowers in certain circumstances. China’s whistleblower legislation goes further than most in the region in including a reward mechanism for whistleblowers who report crimes to people’s procuratorates or the State Administration of Market Regulation (or its local branches). Various other financial reward schemes are scattered in sector-specific regulations. However, this does not compare with the large financial incentives and bounties available in the United States under the Dodd-Frank Act. Regardless of incentives and protections, in Asia at least, there remain cultural and hierarchical norms that often militate against blowing the whistle and reporting up. These may mean that new legislation has limited traction, but time will tell.
 Kyle Wombolt is a partner and Pamela Kiesselbach is a global practice manager at Herbert Smith Freehills LLP. The authors wish to thank their colleagues Valerie Tao, Leon Chung, Jacqueline Wootton, Christopher Clay, Priscilla Bourne, Tracy Cui, Kayla Laird and Emily Lim of Herbert Smith Freehills, Daniel Chia of Herbert Smith Freehills Prolegis, and Debby Sulaiman, Tedy Rachmanto and Rizky Putra of Hiswara Bunjamin & Tandjung, for their contributions to this chapter.