Practical Solutions in Cross-border Investigations
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Regulatory developments impacting Asia-Pacific and the after-effects of the pandemic have created opportunities for new approaches to investigations in the region. Investigators that can combine global experience, local knowledge and technical expertise will have the upper hand, and the right expertise need not necessarily be the nearest. This article explores methods and technology that have satisfied authorities and courts in Asia-Pacific as well as proven fraud risk mitigation efforts to avoid regulatory scrutiny.
- Data transfer, data management and data privacy requirements
- Document review for structured and unstructured data
- M&A-related reviews
- Third-party due diligence
- Risk assessments
Referenced in this article
- The US Foreign Corrupt Practices Act and the US Bureau of Industry and Security Entity List
- Japan’s Whistleblower Protection Act and Act on the Protection of Personal Information
- Korea’s Act on the Prevention of Conflict of Interest in Public Office
- China’s Anti-Foreign Sanctions Law, Data Security Law, Personal Information Protection Law, Implementation Rules for Personal Information Protection Certification, Measures for Security Assessment for Cross-Border Transfers and Standard Contract Measures for the Export of Personal Information
- Singapore’s Personal Data Protection Act
- Thailand’s Personal Data Protection Act
Since the outbreak of covid-19, the world has changed in more ways than could have been initially predicted. The after-effects of the pandemic continue to have an impact on the cross-border investigations landscape in the Asia-Pacific region, along with geopolitical tensions and macroeconomic issues. Counsel and investigations experts have been forced to shift their approach to investigations in the past few years, and this necessity may ultimately have revealed more efficient, sustainable and innovative tools for resolving investigations in a manner that satisfies authorities and stakeholders in Asia-Pacific as well as those further west.
Certain trends were already evident before the pandemic: strengthening local enforcement in some countries; multi-jurisdictional matters highlighting closer coordination among authorities; and advanced technologies and remote capabilities creating new, robust and compliant ways of handling investigations across borders. These trends have accelerated as the world establishes its new normal. Investigators that can combine global experience, solid understanding of regulators’ expectations, local knowledge and technical expertise will have the upper hand. In short, the right expertise need not necessarily be the nearest, especially with remote working capabilities and efficiencies enabling greater access to global experts.
In this article, we look at recent regulatory developments impacting the Asia-Pacific region, which may create opportunities for new approaches to investigations in the region. We explore methods and technology that have withstood scrutiny from authorities and regulators in the region, as well as proven fraud risk mitigation efforts.
Overview of major developments in the Asia-Pacific region
In December 2021, the US Biden administration announced its intention to focus federal resources on anti-corruption efforts across the globe, and the Asia-Pacific region continues to see enforcement actions by the US Securities and Exchange Commission (SEC).
Since then, there have been several notable events reinforcing the United States’ focus on fighting corruption within the Asia-Pacific region, as shown in new investigations disclosed and enforcement actions resolved. Boston Scientific Company announced in August 2022 that it was cooperating with government agencies in a probe into potential Foreign Corrupt Practices Act (FCPA) violations in Vietnam. In March 2023, Swedish telecommunications company Ericsson agreed to plead guilty to FCPA violations and pay US$206 million after it breached its 2019 deferred prosecution agreement (DPA) related to the company’s misconduct in countries including China, Vietnam and Indonesia. The plea agreement is significant because it is rare for a company to be penalised for violating a DPA. That same month, federal prosecutors in the US charged Sam Bankman-Fried, the founder of failed cryptocurrency exchange FTX, with conspiring to bribe at least one Chinese official after authorising a bribe of at least US$40 million. More recently, a corporate enforcement action was taken against Dutch conglomerate Koninklijke Philips in May 2023, in which the SEC announced that the company would pay more than US$62 million to resolve charges that it violated the FCPA through improper conduct related to sales in China.
Authorities in the Asia-Pacific region are not sitting idle when it comes to fighting corruption either. Korea’s Act on the Prevention of Conflict of Interest in Public Office, which ‘prevents and manages conflict-of-interest situations that may be faced by public officials, and eradicates pursuit of improper private interest’ took effect in May 2022. In Japan, amendments to the Whistleblower Protection Act came into force in June 2022, thereby requiring companies with more than 300 employees to establish a whistle-blowing system and companies with fewer employees to also ‘make efforts’ to do so. In Australia, the long-anticipated National Anti-Corruption Agency, which will investigate serious or systemic corrupt conduct in the public sector, launched operations on 1 July 2023.
Elsewhere in Asia, the anti-corruption campaign drive in Vietnam, which has resulted in a number of high-ranking Vietnamese government officials being kicked out of the ruling Vietnamese Communist Party, has continued, with Vietnam President Nguyen Xuan Phuc resigning in January 2023 after rumours circulated that he was about to be sacked as part of that campaign drive. In neighbouring Malaysia, yet another former prime minister, Muhyiddin Yassin, was charged with corruption in connection with government spending during the covid-19 pandemic. China has also expanded its international anti-corruption reach through the dispatch of anti-corruption inspectors to Chinese embassies abroad, particularly in countries where corrupt Chinese officials may have concealed stolen assets.
From a sanctions and export controls perspective, Asia-Pacific is known to be one of the world’s hotspots. In 2023, the US has continued to intensify its use of sanctions and export controls, and within just one week in April 2023 the US Department of Justice (DOJ), the Office of Foreign Assets Control (OFAC) and the Bureau of Industry and Security (BIS) announced a number of record-breaking sanctions and export controls settlements linked to Asia-Pacific companies. This includes BIS’s announcement of a US$300 million settlement with a US data storage company (Seagate Technology LLC) and its Singaporean subsidiary (Seagate Singapore International Headquarters Pte Ltd) – the largest in the agency’s history; the DOJ’s announcement of its largest ever criminal sanctions penalty; and OFAC’s largest ever settlement with a non-financial institution (British American Tobacco’s settlement of more than US$635 million in connection with the violation of North Korean sanctions by itself and one of its indirect Singaporean subsidiaries).
Historically, countries within the Asia-Pacific region tend to be relatively less active than other countries in imposing sanctions; however, that changed when Australia, Japan, New Zealand, Singapore and South Korea joined a coalition of nations imposing sanctions against Russia on the back of its invasion of Ukraine in 2022. For New Zealand, which previously had no legal framework for issuing broad, unilateral sanctions, this involved issuing its ‘first of its kind’ Russia Sanctions Bill. China, too, has been developing its legal framework for sanctions and export control against a backdrop of rising tensions with the US. Following the June 2021 adoption of its Anti-Foreign Sanctions Law, a framework for China to resist foreign sanctions, China added Lockheed Martin Corp and Raytheon Missiles & Defense, two major US defence contractors, to its Unreliable Entity List in February 2023. The designations were in response to the firms’ weapon sales to Taiwan and came less than a week after the US restricted six Chinese companies in response to an alleged Chinese spy balloon entering US airspace.
These are but some examples of how the investigation and compliance landscape in Asia-Pacific is constantly evolving, bringing about new challenges in navigating cross-border investigations in what is known as ‘the new normal’ post covid-19.
Innovative solutions to cross-border challenges
Data transfer, data management and data privacy requirements
Data privacy and national and commercial secrecy have long been key considerations for anyone conducting investigations. China passed its Data Security Law (DSL) in June 2021 and its Personal Information Protection Law (PIPL) in August 2021. Both laws impact every business operating in or doing business with China, bringing forth extensive obligations regarding processing data and potential significant penalties for non-compliance.
Further developments continued throughout 2022 and 2023, including the issuance of the Implementation Rules for Personal Information Protection Certification in November 2022, which ‘incorporate key principles and requirements for certifying the collection, storage, use, processing, transmission, provision, disclosure, deletion and cross-border transfer of personal data’. In September 2022, the Cyberspace Administration of China (CAC) brought into force the Measures for Security Assessment for Cross-Border Transfers, which require that companies must pass a CAC security assessment before exporting personal information overseas. In February 2023, CAC released the Standard Contract Measures for the Export of Personal Information, which outline contractual procedures for conducting cross-border data transfers; this took effect in June 2023. Furthermore, in April 2023, a significant amendment to China’s Anti-Espionage Law was passed to allow state enforcement authorities to establish a legal basis over a wider range of data and digital activities. Among other impacts, this amendment has caused trepidation among foreign businesses operating in China when engaging third parties to provide due diligence and investigation services, as those activities could potentially breach the Law.
While Chinese data protection laws garner significant attention, many other countries in Asia-Pacific are, and have been, stepping up their respective data protection laws. In Japan, the Enforcement Rules amending the Act on the Protection of Personal Information came into effect in April 2022. The amendments provide clarification on what constitutes a data breach notification and the processing standards for pseudonymised information. In Australia, the government is considering European-style privacy laws that would allow the rights to be forgotten and to sue for privacy breaches and would see an increase in penalties for data protection failures.
Turning to Singapore, an amendment to the Personal Data Protection Act 2012, passed in November 2020, which increased the non-compliance penalty to up to 10 per cent of local annual turnover for organisations whose turnover exceeds S$10 million, took effect on 1 October 2022. Thailand’s Personal Data Protection Act, initially enacted in May 2019, and which eventually took effect in June 2022 after being pushed back twice during the pandemic, has extraterritorial applicability for companies collecting personal data outside Thailand where the processing relates to the provision of goods and services to individuals in Thailand. Indonesia’s long-awaited Personal Data Protection Bill became law in October 2022. The Bill also has far-reaching extraterritorial applicability covering ‘any personal data of Indonesian subjects outside of Indonesia either being processed in Indonesia or outside of Indonesia provided that such processing has legal impact in Indonesia’.
To add to the complexity of different legislation around data transfer, data management and data privacy, we should not forget that in an increasingly complex world, the sheer volume of data is growing exponentially every year. One International Data Corporation paper projected that the entire ‘global datasphere’ will reach a mind-boggling 175 zettabytes (or 175 trillion gigabytes) by 2025. As data growth accelerates at an unprecedented pace, companies and investigators alike face the unenviable task of managing and controlling this data stockpile.
Using Singapore again as an example, the country’s main prosecuting body, the Attorney General’s Chambers, which oversees crime and financial sector cases, announced in 2019 that it was set to launch an automated litigation analysis work platform aimed at improving efficiency in its courts and also to embrace large-scale text analysis for major evidence reviews. While this is not yet as developed as systems in some other countries, it is definitely the way forward considering the ever-expanding volume of data to be considered in cross-border investigations.
Additionally, employees’ use of ephemeral messaging applications, such as WeChat, has grown exponentially in the Asia-Pacific region. This presents challenges for employers as the visibility of this information is limited, especially if employees are conducting conversations on a personal device outside of the company’s network. Data privacy and state secret laws such as those in China are additional barriers for a company to consider when trying to collect information contained on these platforms and to ensure that any efforts to do so comply with all local regulations. In the United States, the SEC and the Commodity Futures Trading Commission levied fines of approximately US$2 billion on a number of large financial institutions for failure to preserve ‘off-channel communications’ on applications and platforms such as WhatsApp. This crackdown by the US enforcement authorities has continued into the first half of 2023, with HSBC Securities (USA) Inc and Scotia Capital (USA) Inc paying fines of a combined £37.5 million for similar violations.
Companies should not only ensure that they have proper safeguards and governance internally, but also within all third parties, including supply chain partners where applicable. Efforts should not stop short at just a paper compliance programme. Rather, regular reviews should be performed to ensure that the company’s data transfer and data privacy policies are adhered to, and broader network penetration tests should be conducted periodically.
Practical tips: mobile solution, remote data management and air gap
There are situations where concerns over the sensitivity of the data, or the investigation matter, are heightened. These situations may stem from the need to comply with country-specific laws or managing potential reputation risks to the company. When dealing with these concerns during a cross-border investigation, consider the deployment of a mobile solution, where data is collected and processed in-country and also, possibly, on the client’s site. This solution allows for the review of data to ensure compliance with the relevant laws and regulations prior to the transfer of data out of the respective jurisdiction.
Remote data management is another application that investigation teams should consider when handling cross-border investigations, as the entire application resides on the client site and the data management resides on a remote server or host. In addition to remote data management, the solution could be further enhanced through the building of an air gap environment for the data and the team working on the matter, which reduces the risks of access to the restricted data through a common or widely used network within the organisation.
Practical tips: information governance platform
As data continues to grow globally, the volume of data that investigation teams have to manage increases and innovative solutions should be considered for deployment to enable investigation teams to efficiently and effectively conduct their work. Investigation teams should consider the use of an artificial intelligence (AI) based information governance platform to support critical data collection and early case assessments. Examples of these platforms include innovative remote collection capabilities, which involve identifying the relevant data from multiple structured and unstructured data sources simultaneously and presenting actionable intelligence in just a matter of hours. This real-time insight and access to documents gives users the opportunity to learn and understand their data immediately, providing valuable strategic advantages for organisations during regulatory investigations.
Document review – structured and unstructured data
For certain investigative matters, investigators have to interrogate both the structured and unstructured data to find the smoking gun. Where the volume of data is sizeable, it is like finding the needle in the haystack. This may mean that a large team of document reviewers is required, or a significant amount of time is required to complete the document review process, both of which will have an impact on costs and investigation strategy.
Practical tips: machine learning
Machine learning is no longer a foreign term to cross-border investigation teams. Correctly deployed, it can drastically cut down the number of search term hits, which directly impacts the number of relevant documents that are required for review, resulting in a more effective investigation methodology. While this approach has been tested and accepted by regulators in certain countries, it is important to remember that technology acceptance by regulators and enforcement agencies around the world will vary significantly, even within one enforcement agency. It is crucial for investigation teams to invest the time in explaining the methodology to the regulators and enforcement agencies at the early stage of the investigation and also to demonstrate the robustness of the methodology deployed. This will allow the regulators and enforcement agencies to understand and appreciate how powerful, and effective, the application of machine learning can be in an investigation.
The use of AI, and in particular ChatGPT, has dominated the news across the globe. While there are benefits in deploying these tools when dealing with cross-border investigations, there are also increasing concerns regarding the potential breach of data protection rules with the use of certain AI tools. Accordingly, investigation teams should perform a robust assessment of the risks associated with the use of the chosen AI tools.
Practical tips: triaging data
Where structured data and unstructured data are scrutinised during an investigation, the two reviews are often done separately and in silos. This means that there is a lot of back and forth between the various teams to inform one another of their findings and incorporate those findings into their respective reviews. While this process works for small to medium-sized investigations, it may not be effective for larger investigations as the review teams may be distributed across different offices and in various parts of the world.
Organisations should consider the use of technological solutions where the findings from structured data and unstructured data are triaged and cross applied for a cost-effective, yet robust, investigation methodology. This does not mean doing away with either or both of the structured and unstructured data reviews; rather, it enhances learnings and key findings from both types of review and in turn enhances the output of the investigation.
Practical tips: collection of ephemeral messaging data
Companies should develop a policy that mandates that any business-related communication takes place on company-owned devices and that this information is subject to collection where necessary. Regular training should be provided to reinforce compliance with the policy, and periodic monitoring can be used as a tool to test adherence. Finally, a clearly defined records retention policy that mirrors corporate practice is now an essential element to demonstrate compliance in this area.
If an investigation arises that requires the collection of information from a personal device, consent from employees may be difficult to obtain. In light of this, the company should consider ways to obtain consent through targeted collection that only obtains the information relevant to the matter at hand, including the need to preserve relevant ephemeral messaging records, and should utilise experts to perform the work, ensuring that the information gathered is complete and complies with all data privacy, state secret or other local regulations.
M&A-related compliance reviews
The Asia-Pacific region has long attracted the interest of foreign investors with its abundance of opportunities and growth prospects. Despite a lag in global M&A activity in the second half of 2022 and the first quarter of 2023 as a result of regulatory changes, geopolitical instability and market volatility, analysts predict an increase in activity in the Asia-Pacific region in the second half of 2023 and for the next couple of years thereafter.
It goes without saying that investors need to be on the lookout for potential non-compliance with multiple laws and regulations when entering into a transaction in the region, where laws, regulations and risks are far from homogeneous from country to country. The consequences of non-compliance or a potential breach can be very costly and can, as a result, make transactions non-viable for investors. Conducting robust pre- and post-transaction due diligence is a must.
Practical tips: pre- and post-transaction due diligence review
Appropriate due diligence pre- and post-transaction should be performed on a timely basis to manage risks, including the risk of successor liability, namely the risk of acquiring a company that is already under investigation and has already violated laws that expose the acquirer to potential liability based on pre-acquisition acts over which it had no control. Where possible, it is prudent to perform transaction testing to assess the accuracy of the verbal representations provided by the target and obtain a proper understanding of the target’s go-to-market strategy and third parties engaged.
Third-party due diligence
Third-party due diligence has always been fundamental, and the rapidly shifting supply chain landscape only heightens its importance. Basic third-party due diligence is no longer sufficient as it is increasingly important for companies to thoroughly investigate existing third parties. This includes the third parties’ stakeholders, and their connections, key corporate officers and employees, and other upstream and downstream providers. Transactions through intermediaries and agents continue to be a high-risk area across the global supply chain, as is ensuring that products are sourced from regions where labour or other human rights abuses are common.
This trend of vetting third parties through the environmental, social and governance (ESG) lens has only grown in prevalence. Not only do organisations need to determine their ESG commitments, but those commitments should also be aligned to the organisation’s third-party management processes and programmes to demonstrate due accountability across the third-party ecosystem. The recent issuance of guidelines and probes by enforcement agencies on greenwashing reinforces the need for organisations to up their game in complying with ESG regulations. For example, the Malaysian government announced in April 2023 that it will introduce an ESG framework to support, both from funding and capacity perspectives, small and medium-sized enterprises to transition to renewable energy by the end of 2023. This further reinforces Malaysia’s commitment to ESG topics following the updated Malaysian Code on Corporate Governance in 2021 by the Securities Commission Malaysia, which emphasised the role of boards of directors and senior management in identifying sustainability risks and opportunities. Also in April 2023, the Stock Exchange of Hong Kong published a consultation paper seeking feedback on proposals to enhance climate-related disclosures in ESG reports: it proposes to mandate all report issuers to include climate-related disclosures within their ESG reports and introduce new climate-related disclosures that are aligned with the International Sustainability Standards Board Climate Standard. Another example is Singapore, where, in February 2023, the Green Finance Industry Taskforce launched the final consultation on its Green and Transition Taxonomy. Its approach is akin to other international taxonomies in that it uses thresholds and targets to assess and identify activities or assets that meet key ESG-specific objectives to determine whether an investment is sustainable.
From a sanctions perspective, with new laws introduced and frequent updates made to the prohibition lists, including the US’s BIS Entity List, regular reviews should be performed on third parties to ensure that sanctions rules are not breached by trading with sanctioned individuals or entities. As discussed above, several Asia-Pacific countries joined other countries in taking the exceptional step of imposing significant financial sanctions on Russia following its invasion of Ukraine, including Australia, Japan, New Zealand, Singapore and South Korea. This increases the complexity of identifying and conducting appropriate screening of third parties. Even where the application of laws remains unclear (for example, the implementation of the Hong Kong Autonomy Act), companies may wish to proactively review and screen their existing clientele and supply chain to identify those potentially designated as material contributors, even if this is a precautionary step.
With the wealth of information that is now publicly available, it is unacceptable and indefensible at court to claim wilful blindness or ignorance. Regulators increasingly require companies to demonstrate that they have done their utmost to obtain and review relevant information during third-party due diligence reviews.
Practical tips: tailored third-party due diligence
Without belabouring the point about screening third parties, which has been discussed at length over the years, this topic will continue to be an important one for all organisations. Identification of the third parties that organisations do business with, as well as the ultimate beneficial owner (UBO) of those third parties, remains a key point.
Today, there are many platforms and applications to which organisations can subscribe for the screening of third parties. It is important to remember that the sources for each of these are likely to differ from one another. Some platforms may be better suited for due diligence reviews for third parties domiciled or operating in certain countries, based on their sources of information, so organisations should consider which sources are most appropriate for the due diligence that they intend to conduct.
Practical tips: third-party monitoring
The data landscape is growing at a rapid rate, as referenced earlier. Organisations need to understand the universe of data created and systems leveraged, the quality of the data and how to harness those data sources effectively. It is not about creating more data for the sake of it, but how to use existing data to perform effective third-party monitoring.
For example, where companies have existing platforms and applications that already perform and produce some of the due diligence procedures and documentation required, they should consider how best to maximise the use of information available for an improved monitoring process, including possible system interfaces, reporting dashboards and built-in notification alerts. This type of data visualisation is a helpful way of understanding the organisation’s use of third parties globally (that is, their go-to-market strategy, and types and location of risks to focus on), as well as ensuring timely notification of instances where an updated due diligence review is required, or where transactions have triggered certain red flags and the investigations or compliance team should conduct a review.
Practical tips: use of forensic science
There are innovative solutions available in the market to go beyond identifying the UBO of the third parties that organisations work with, placing the focus on the company’s products instead. For example, forensic science can be used to test products to prove their origin. Verifying products’ integrity is an important way to combat, as well as safeguard against, complex supply chain issues, including forced labour and greenwashing.
Risk assessments
Periodic risk assessments conducted at least annually are now the regulators’ expectation. The importance of periodic reviews to ensure that appropriate consideration is given to a rapidly changing global trade and regulatory landscape cannot be overstated. Used effectively, a robust risk assessment will allow management to make informed business decisions, and identify and mitigate potential non-compliance occurrences, as well as ensure the implementation of an effective compliance programme.
Practical tips: leveraging data analytics
While there is no one-size-fits-all approach to risk assessment, there are innovative ways in which organisations could consider conducting, or enhancing, their risk assessment. Data analytics can be deployed to normalise and interpret responses from control and process owners. Furthermore, other data sources such as internal audit reports, substantiated investigation findings and due diligence results should be digitalised and analysed to produce and refine a comprehensive risk assessment focused on the highest perceived risks.
Practical tips: integrating risk assessment and controls testing
Very often, governance, risk and compliance (GRC) tools are not fully integrated. For example, organisations may perform a risk assessment using a separate tool or stand-alone methodology and subsequently document the identified risks in the GRC tool. Thereafter, actions and regular testing required to mitigate or remediate the identified risks are performed outside the GRC tool, and the results are manually input into the tool without a full audit trail to the underlying input and analysis. This tends to create challenges for investigators and compliance officers in obtaining access to the information that allows them to fully evaluate the origin and assessment of the risks and the effectiveness of the remediation.
Organisations should consider ways to interface the various systems within the organisation, streamline the data where possible and invest in solutions that allow effective management and remediation of risks.
While DPAs and monitorships are not yet used by regulators and enforcement agencies in the Asia-Pacific region, they are prosecution tools that are used regularly by other countries and therefore impact companies operating within the Asia-Pacific region. In 2022, there was somewhat of a revival in the use of corporate monitorships by the US DOJ, as shown in the FCPA resolutions with Stericycle, Inc, Glencore plc and related entities. This gives rise to new questions about the role of independent compliance monitors and, more importantly, whether they are back to stay.
Looking at prosecutions in Asia-Pacific, Singapore, for example, introduced its DPA framework, which was modelled on the UK’s approach, in 2018. The framework allows corporates to defer prosecution by the public prosecutor in exchange for various conditions; however, at the time of writing, no DPAs have yet been entered into.
That said, this does not mean that the point is moot for organisations operating in the Asia-Pacific region. Companies with a US touchpoint could find themselves subjected to an FCPA investigation and prosecution; Deutsche Bank, Amec Foster Wheeler Ltd, WPP, Airbus, Cardinal Health, Inc, Herbalife, Goldman Sachs Group, Inc and Goldman Sachs (Malaysia) Sdn Bhd, and Beam Suntory are examples of DPA settlements with the US, some of which involved coordinated enforcement action with the local authorities. This increased cooperation will be coupled with the Biden administration’s increased penchant for mandating monitors as one of the resolutions for corporate criminal offences where compliance programmes are deemed ineffective.
Other flashy Biden administration DOJ mandates include the following.
- Considering all misconduct by a company when determining charging decisions, regardless of whether it is similar to the instant offence.
- Mandating that a company must provide the government with all non-privileged information concerning all individuals involved in the misconduct (not just those whose involvement was substantial) to receive cooperation credit.
- Potentially requiring chief compliance officers (CCOs) and chief executive officers to certify that compliance programmes have been ‘reasonably designed to prevent anti-corruption violations’, a requirement that is meant to ensure that CCOs stay in the loop on potential company violations and have the appropriate resources to prevent financial crime. For multinationals, the application of this rule will likely include sub-certifications pushed down to local affiliates’ management, including those in Asia-Pacific.
- Emphasising that incentives for compliance and disincentives for compliance failure (including ‘compensation structure’ and clawbacks) are hallmarks of an effective corporate compliance programme.
Rest assured these mandates have caught the attention of the global compliance officer community, and it will be interesting to follow their application in future settlements. What remains absolute is the importance placed on the robustness of corporations’ compliance programmes.
Practical tips – regular health check (on compliance programmes)
Organisations should conduct regular reviews of their compliance programme, and it is even more crucial when an organisation is under investigation or trying to reach settlement with authorities. A well-built compliance programme should not be static; rather, it should evolve to reflect how the organisation works and the environment in which it operates. Furthermore, regulators require corporations to demonstrate that their compliance programme is sufficiently robust to detect and prevent violations of key laws and regulations that they are subject to.
All organisations have a sizeable volume of data available, which should be used by compliance and internal controls teams to assess the appropriateness and operational effectiveness of controls. Analytics, system-driven notification and alerts, dashboards and other visuals are some examples of solutions that should be considered in enabling effective monitoring of controls and key risk areas within an organisation, including determination of topics or subject matter, and jurisdictions of highest concern, so that appropriate resources and attention are dedicated to addressing those concerns. Of course, the aforementioned solutions do not remove the need to perform appropriate transaction testing to demonstrate the operational effectiveness of selected controls. Instead, they help to focus testing on areas that matter most.
The pandemic may have temporarily put the brakes on some investigations and prosecutions, but the momentum has definitely picked up as we emerge on the other side. The lessons learned on conducting remote investigations during the pandemic and the innovative solutions developed will undoubtedly continue to be put to use. As we have seen in recent legislation updates, prosecutions and settlements, investigations and enforcement actions by both international and local enforcement agencies are on the rise, and organisations must ensure that they are prepared should they find themselves in the cross hairs.
 ‘The Digitization of the World: From Edge to Core’, International Data Corporation, November 2018, https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf.