"Global Compliance, Ethics, and Crisis Management," Crowell & Moring's Regulatory Forecast 2016
Contributors: Cari N. Stinebower, Peter Eyre, Ryan C. Tisch, Jeffrey L. Poston, Grégoire Ryelandt, Charles De Jager, Larry Boggs, and Patricia L. Wu.
COMPLIANCE & CRISIS MANAGEMENT: Danger and Opportunity
Building a compliance and ethics program for today means creating a program that is as dynamic as the business.
Whether a company’s compliance and ethics program works well is measured not only by the problems it avoids, but also by whether the program can withstand public and government scrutiny once a crisis has already hit. A compliance program can become a significant asset or a tremendous liability in the event of a crisis, and the companies that benefit from theirs are committed to meeting both the written and unwritten expectations for their organizations.
The standards have changed. Effective compliance requires a new level of transparency and authenticity that mirrors many of the ways the public’s everyday experience has changed—reduced concern for privacy and confidentiality, instant gratification with real-time reporting, personal accountability, and an expectation of high-tech capabilities. Programs must move beyond checking the boxes and embrace a more robust and dynamic approach.
With many of its easy targets gone, government has become more aggressive in picking companies to investigate. The need for strong compliance programs is crossing borders, industries, and practice areas. That means executives can glean best practices from companies in very different sectors, since compliance practices apply to cross-functional areas such as international trade, government contracting, antitrust law, privacy, and cybersecurity.
OPEN THE LENS
Companies building robust compliance programs must empower compliance specialists to have a greater view into business operations and potential problems even beyond their immediate purview. And the training they undergo must be documented and captured. Companies need to be ready, always, for that knock at the door, with the expectation that they’ll need to show investigators just what they were doing on any day in question.
“For example, in banking, it’s long been known that you need to know your customer, and now it’s increasingly clear that regulators are expecting that you know your customer’s customer as well. As banks go, so goes the rest of the business community, with companies up and down the supply chain facing increased scrutiny,” says Cari Stinebower, a partner with Crowell & Moring’s International Trade Group and a former counsel for the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
Along those lines, compliance specialists reviewing accounts for evidence of, say, money laundering need to keep their eyes open for evidence of fraud and cybersecurity issues as well. “The key is to open up the lens so they can see other areas,” says Stinebower. “When you are building a crisis handbook, cross-issue spotting needs to be taken into account.” This broader view can be essential in identifying cross-disciplinary issues—and may run counter to the increased specialization many compliance officers have faced.
Companies with foreign operations face some of the largest compliance challenges, says Stinebower. They must grapple with laws that often conflict, and regulators have enlisted them as partners in their quest to stem corruption, terrorism, drug dealing, and other ills. “It’s part of the burden of being a U.S. corporation: you are going to have to enforce U.S. policy or pay the price,” says Stinebower.
Regardless of industry, your compliance program must have strong documentation, says Peter Eyre, a partner in Crowell & Moring’s Government Contracts Group. “Some companies used to be reluctant to write down their practices and processes, but that won’t cut it anymore,” he says. “When the time comes to demonstrate the effectiveness of your compliance program, the documentation itself is critical. It must cover the key elements of compliance, and that requires a focused and intentional understanding of the business, what the risks are, and which risks have the highest and lowest impacts.”
MOVING WITH THE BUSINESS
But as the business changes, so will that risk assessment, says Ryan Tisch, a partner with Crowell & Moring’s Antitrust Group. “At many companies, the underlying existence of risk—and its degree—has long been assumed,” he says. “But as new people join the organization, a new product is introduced, or a new geography is entered, they inherit the previous definition of risk without examining it. The level of risk can change.”
The need to stay dynamic is especially powerful in fast-moving areas like data privacy and cybersecurity, says Jeffrey Poston, co-chair of Crowell & Moring’s Privacy & Cybersecurity Group. “These policies and procedures need to be living, breathing documents that evolve as circumstances change,” he says. “If they are simply documents locked in a computer file or a file cabinet and no one is paying attention to them, then they are going to be worthless in terms of ensuring your compliance.”
Companies should have an Incident Response Plan in place as well as a protocol to train their workforce on how to protect and secure data and how to respond when there is evidence of a breach, Poston notes. “Ideally, the training should be tailored to the business, the business unit, and even the trainee’s individual role, because each role’s risk profile is different. Document that the training took place and engage in ‘tabletop’ exercises to rehearse how the company would react to an actual incident.
“If there’s an investigation,” he adds, “there may be things that you can never prove or disprove. But if you can show you’ve trained people on the rules of the road, regardless of the nature of the event, you have a better chance of showing the company was not acting recklessly or negligently.”
As part of the training, make clear who speaks for the company in a crisis, says Eyre. “Break down the silos, use a consistent story and message, and make certain you communicate effectively both internally and externally. Be prepared to call in outside expertise because in some regulatory crises a failure to communicate effectively can lead to a bigger crisis.”
Moreover, notes Poston, “As you plan your response, make sure the key decision makers have all the information in hand and that the company is speaking with one voice. Companies that plan, document, and implement an Incident Response Plan effectively have a better chance of withstanding government scrutiny and of minimizing liability.”
Choose Your CCO Carefully
For companies with a significant compliance burden, a keystone to successful compliance and crisis management is a strong chief compliance officer. “Their job description goes far beyond drafting policies,” says Peter Eyre. “They’ll often be sitting in the hot seat when regulators, prosecutors, or plaintiffs’ attorneys are asking questions in the event of a crisis. And regulators expect the compliance officer to have the authority to bring up concerns to top executives and even the board as they arise.
“The compliance officer also needs to understand the distinction between compliance and ethics,” adds Eyre. “Your compliance program can’t contemplate every dilemma that your employees might face. By the same token, responsible companies don’t take advantage of loopholes if it would be unethical to do so. The Justice Department has been pushing hard for companies to have programs that discuss ethics and doing the right thing.”
Compliance Takes Root Worldwide
Traditionally, corporate compliance efforts have focused primarily on U.S. regulations. But compliance is rapidly becoming a global issue—one that is complex and evolving, and requires constant attention.
The historic emphasis on U.S. compliance has stemmed from several factors. For example, the U.S. has long had high civil and criminal penalties for noncompliance. It also has numerous well-funded nongovernmental organizations that can bring citizen enforcement actions under a number of statutes. And when regulators take enforcement action against U.S. companies, there is the very real potential for follow-on tort litigation that compounds the risk of noncompliance. In all, such factors have created a strong, deeply ingrained compliance culture in the U.S.
But now, more and more of those elements are being adopted outside the U.S., and a stronger compliance culture is taking root in a number of countries. The globalization of business, efforts to harmonize regulations, and a growing interest in protecting consumers are all contributing to this changing compliance landscape. Thus, while the importance of U.S. compliance has not diminished, companies now need to take the regulatory regimes of many other countries into account and bring a more global perspective to their compliance efforts.
THE SPREAD OF COMPLIANCE CULTURE
A growing compliance culture can be found in a number of countries. The European Union (EU) has certainly seen an increased emphasis on regulation and compliance in recent years. But so too have other countries, from Japan to Brazil to South Korea and beyond. And developing countries around the world are rapidly becoming more sophisticated in terms of business and regulatory regimes.
In China, for example, officials are now working on enforcing intellectual property (IP) law—a significant change for a country long known for problematic IP protection. In the past, it was not unusual for Chinese manufacturers that produced goods for European partner companies to sell the same goods under their own brand names. “However, many Chinese companies are moving up the value chain and developing more of their own IP, and they don’t want other companies taking it,” says Grégoire Ryelandt, counsel in Crowell & Moring’s Brussels office. “So China is now implementing and enforcing more IP laws—and global companies doing business there need to take that into account.”
Meanwhile, the EU is strengthening regulation in a range of areas, including product standards, labeling, and food safety. What’s more, EU regulations are increasingly likely to be backed up by strong penalties. “European countries are getting very serious about infringements to the regulatory framework, and they’re now levying fines and in some cases even pursuing criminal charges,” says Ryelandt. While potential penalties are still not as severe as those in the United States, this represents a significant departure from the EU’s past leniency.
THE KEY GLOBAL CHALLENGES
Globally, compliance requirements are changing in virtually every field. But three evolving areas present particular challenges: data privacy, antitrust, and environmental compliance.
Data Privacy Compliance
In October 2015, the Court of Justice of the EU in the Schrems case determined that the U.S.-EU Safe Harbor framework did not provide a valid legal basis for transfers of personal data from the EU to the U.S. “The framework was in place since 2000 to facilitate transfers of personal data from the EU to eligible U.S. companies that certify to and comply with the Safe Harbor principles,” explains Charles De Jager, counsel in Crowell & Moring’s Brussels office. “The elimination of the Safe Harbor leaves a large number of companies to find other, potentially more onerous mechanisms to transfer data lawfully from the EU to the U.S.”
Under the current EU data protection directive, EU member states’ national data protection authorities have retained a significant degree of independence to enforce the rules as strictly as they see fit. “Over the years, the data protection authorities of France, Germany, Spain, and other EU member states have imposed fines as a result of enforcement actions,” says De Jager. “This trend is likely to continue under the forthcoming update of the EU data protection regime.”
By the spring of 2018, the EU should be working under a new, single set of data privacy rules—the European General Data Protection Regulation (GDPR). Agreed in late 2015, the GDPR means that companies will need to comply with one unified, directly applicable framework, rather than the patchwork of varying national implementing laws that had been in place under the directive. While the GDPR streamlines compliance significantly, it also brings increased risk: it allows supervisory authorities to levy fines for noncompliance of up to 4 percent of a company’s total annual worldwide turnover (or 20 million euros, whichever is higher).
Beyond the EU, says De Jager, “global companies’ attention must also turn to a number of other countries, such as Argentina, Mexico, Israel, Japan, Korea, and Singapore, which are implementing and increasingly enforcing data privacy rules resembling those of the EU.”
Data privacy compliance is changing in Russia as well. New laws recently took effect that require companies to process personal data of Russian nationals on servers located in Russia. Questions remain about the way the implementation of this new framework will be scrutinized by Russian authorities. “Will companies be allowed to hold a copy of personal data outside Russia? And how strongly will they enforce the law?” asks Ryelandt. “So there is a big question mark there.”
Antitrust Compliance
Worldwide, antitrust enforcement has been growing stronger—so much so that the total amount of antitrust-related fines levied in the EU has been exceeding the total levied in the U.S. In a related development, the EU adopted a new directive in 2014 aimed at helping citizens and companies claim damages from companies that engage in anticompetitive behavior—a private right of action that has long been in place in the U.S. but less so in Europe. In 2016, EU member countries will be implementing that directive in their respective laws and regulations. This will further strengthen the compliance culture in the region.
Antitrust compliance is also becoming increasingly important in South America and Asia. For example, Brazil’s competition authority, known as CADE, has been actively enforcing that country’s 2011 Competition Act. And in South Korea, the head of the Korean Fair Trade Commission (KFTC) has called for enforcement that protects consumers “by actively responding to international cartels and global M&As, which have significant impact on the market in Korea.” Over the past year, the KFTC has imposed multimillion-dollar penalties on Japanese and German auto parts companies for anticompetitive behavior.
Environmental Compliance
Many countries are moving ahead with stronger environmental regulations, often surpassing the U.S. approach in terms of rigorous oversight. In addition, after years of high-profile environmental incidents, China has started to seriously address environmental protection. “China is moving faster on the environmental front than the U.S. and Europe did when they began implementing environmental regulations,” says Ryelandt.
In Europe, the implementation of the Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH) regulation continues. Companies have already had to register the chemicals that they use in large volumes with the European Chemicals Agency. Now, the implementation is focusing on smaller volumes of chemicals, requiring companies to register those by 2018. As a result, a wider range of businesses will need to comply with REACH. “This now involves companies that are not primarily active in the chemicals industry,” says Ryelandt. “Many of them are not aware that they have this obligation and are not up to speed on this fairly complex regulation, which of course increases their risk of noncompliance.”
THE CONTINUING EVOLUTION
Looking ahead, ongoing geopolitical uncertainty is, in turn, creating uncertainty for global compliance. This is especially evident in the economic sanctions imposed by the U.S., the EU, and other countries on Iran and Russia, as well as the U.S. sanctions against Cuba, which have recently been eased though the embargo itself remains in place. “In addition, enforcement efforts are being ramped up,” says De Jager. “For example, the United Kingdom is establishing as of April 2016 the new Office of Financial Sanctions Implementation to increase awareness of sanctions and to ensure they are properly enforced.”
With respect to Iran, the agreement reached on the Joint Comprehensive Plan of Action (JCPOA) in July 2015 will have important compliance implications for global companies, especially since the U.S. and EU are likely to proceed differently in implementing the JCPOA. “While the EU is expected to lift most of its primary sanctions against Iran in the first half of 2016, the U.S. will maintain its primary sanctions, with its authorities continuing to enforce the facilitation rules,” says De Jager. “As a result, the economic opportunities presented will be, with a few narrow exceptions, for non-U.S. companies.”
Under sanctions imposed on Russia because of its intervention in Ukraine, U.S. and EU companies are prohibited from trading certain goods with Russia, transacting with certain persons in Russia, or conducting any transactions in certain areas. If they want to do business in Russia, they must follow a complicated administrative process to gain approval. “Companies in Europe or in the U.S. have to be very careful when they export to Russia—and the same is true for multinationals established in Russia,” says Ryelandt. “This is a situation that can evolve quickly, so you have to monitor the developments there very closely.”
The interplay between economic sanctions and data protection also highlights the difficulty in ensuring compliance across substantive areas. “For example, while companies must screen transactions against the lists of sanctioned parties established by the U.S., certain EU member states’ strict data protection measures may seek to restrict or prevent the transfer of personal data for purposes of such screening,” says De Jager. “Companies thus occasionally face the dilemma of complying simultaneously with U.S. sanctions rules and EU member states’ data protection rules, and must reconcile these requirements in their compliance programs.”
In today’s environment, companies working across international borders will need to proactively monitor and plan for a broad and changing compliance landscape. At the same time, they can define practical standards for products and operations that can apply across multiple jurisdictions, which can streamline internal compliance activities and reduce compliance costs and risk. Companies should also be sure that they have the processes and systems, including auditing, that will allow them to discover, correct, and report noncompliance in the countries in which they operate. And, says Larry Boggs, senior counsel at Crowell & Moring, “clear standards can help make compliance less of a burden, and ISO and other standard-setting organizations are increasingly important. Companies would be wise to participate in these organizations.”
At the same time, companies will need to make some practical trade-offs. Global compliance is becoming so complex that it is simply not possible to do it all. “While a company may be committed to total compliance, the hard reality is that it is virtually impossible to ensure 100 percent compliance with all laws and rules governing a company’s operations and products in every country,” says Boggs. “That is simply beyond the constrained budgets of in-house legal teams.” Instead, companies will need to understand the different risks involved in different areas and prioritize their compliance efforts accordingly—while being prepared to adapt to a changing compliance landscape.
Shaping Compliance Requirements
Companies typically react to regulation, but some work proactively to shape their regulatory environment. For example, says Patty Wu, senior director at Crowell & Moring affiliate C&M International, “the Asia Pacific Economic Cooperation (APEC) forum brings together 21 governments and a number of industry stakeholders to promote industry self-regulation in certain sectors, better align regulatory procedures, and work toward regulations that create an enabling environment for business.”
APEC initiatives cover areas such as data privacy standards, global data standards for track and trace, and food safety. An action agenda for advertising standards and practice was adopted by APEC leaders last year, and a set of principles for governments’ role in promoting self-regulation was recently developed in APEC for consideration. In addition, APEC successfully expanded high standard codes of conduct in the medical device and biopharmaceutical sectors to 10 APEC member economies, including China, where they previously did not exist. “This not only improves the operating environment and reduces risk for companies, it helps governments to combat corruption,” says Wu.
Overall, she says, “this kind of government-industry cooperation helps companies to avoid waiting for the traditional heavy hand of a top-down government approach, and instead work cooperatively with regulators to address compliance strategically—at the front end of the process.”
A Renewed Focus on Climate Change
With governments and business increasingly concerned about the risks of climate change to the global economy, the parties to the UN Framework Convention on Climate Change concluded a new multilateral agreement in late 2015 (the “Paris Agreement”). The new “bottom-up” framework allows each country to set its own approach to addressing climate change while establishing common rules for transparency and accountability. The agreement promotes carbon market mechanisms, greater action to define and measure climate risk, and public and private investment in low carbon technologies.
By the time the agreement was concluded, nearly 190 countries—accounting for the majority of global greenhouse gas emissions—had announced their individual reduction goals. China, for example, is targeting a 60 percent to 65 percent cut in carbon intensity (emissions per unit of GDP) from 2005 levels by 2030. The EU plans a 40 percent reduction from 1990 levels by 2030, and the U.S. a 26 percent to 28 percent reduction from 2005 levels by 2025. Overall, governments sent a clear policy signal; a concerted effort to decarbonize the economy has formally begun. “Climate change regulation is an area that companies should follow closely over the next year and beyond,” says Larry Boggs.
Chemical Shipments: Evolving Global Rules
Chemicals shipped across international boundaries can be subject to a number of different labeling and management regimes, including the Globally Harmonized System of Classification and Labeling of Chemicals (GHS). The GHS guidelines have been adopted at least in part by 67 countries and regions, including the U.S., China, and the European Union. In the U.S., the Occupational Safety and Health Administration (OSHA) is incorporating GHS into its labeling and safety data sheet requirements and phasing those changes in through June 2016. Companies need to understand these new OSHA requirements. More broadly, says Larry Boggs, “companies seeking to move chemicals internationally must determine whether and to what extent the exporting and importing countries have adopted the GHS.”
If those chemicals are wastes shipped for disposal or recycling, they may also be subject to hazardous-waste restrictions under the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal, which allows the shipping of waste only if environmentally sound management practices are employed. Although the U.S. is not a party to the Basel Convention, many other countries and regions are, including China, the European Union, and India—and U.S. companies planning to ship chemical wastes overseas should understand this potential compliance risk.