Think local, act global? Designing multi-jurisdictional compliance programmes
Compliance professionals in many large organizations face a dilemma: is it possible to maintain the clarity of a single global compliance policy while complying with increasingly divergent local laws?
As many KYC360 readers will know from their own experience, having jurisdiction-specific compliance policies subordinate to global standards can be more trouble than it’s worth: the more intricate the policy structure, the more confusing it is for our colleagues. (And let’s be frank among colleagues: not even we enjoy reading long compliance documents.) At the same time, jurisdictions are increasingly passing legislation that tends towards divergence, not convergence. So is it possible to comply with all relevant laws without driving everyone crazy? This article compares different approaches across several otherwise similar markets, to highlight the issues at play.
The basic dilemma
Carrying out global business in compliance with local statutory requirements is a challenge to any corporation with cross-border operations. The emerging trend of country-specific anti-corruption laws is a significant compliance-related development to be tackled in international business. Feedback from international organizations such as the OECD during their evaluation rounds has led many jurisdictions to go beyond merely criminalizing bribery-related offences and to impose an obligation on corporations to adopt a compliance program with certain minimum requirements.
In jurisdictions like the UK or the US this is already old news, and now it seems that continental Europe is following the regulatory trend. It goes without saying that the content of the regulations varies jurisdiction by jurisdiction, putting international companies in the crossfire of several different and potentially conflicting regulations.
The wide range of statutory requirements
In some jurisdictions, an adequate compliance program (for example, a proportionate policy, real implementation, a whistleblowing facility that works and an adequate standard of internal controls) may be mandatory as a term of a financial services licence. In others, its existence might serve as a defence to a prosecution of a legal person under anti-corruption or fraud law (as in the UK), or at least as a mitigation of associated penalties (as in the USA). Consequently, corporations operating in these jurisdictions are usually willing to attempt to put such a system in place. (Whether those programs are any good is a different question: Eversheds Sutherland’s research shows that only 41% of managers think that their company’s anti-bribery programme works well in practice.)
However, there are many jurisdictions without any statutory obligation to adopt a compliance program. The structure and content of the legislation thus varies country by country.
Let us consider whistleblowing regulations in the Nordic countries (which rank high in anti-corruption statistics) as an example. In Finland, there is no specific anti-corruption code imposing an obligation to adopt a statutory anti-corruption compliance program. The Government is in the early stages of preparing legislation for the protection of whistleblowers, but no bill has yet been prepared. Bribery and related offences are criminalized as in any other OECD member country, but implementing a statutory compliance program with certain checks and balances is by no means a legal obligation. In neighbouring Norway there is a statutory obligation to adopt a whistleblowing system for e.g. anti-corruption purposes (Arbeidsmiljøloven 2005). In Sweden, new legislation that entered into force in January 2017 provides for more efficient protection for whistleblowers (Lag (2016:749) om särskilt skydd mot repressalier för arbetstagare som slår larm om allvarliga missförhållanden). In Denmark, there is no special legislation protecting whistleblowers as such, but there is a statutory obligation for financial services businesses to have a whistleblowing channel in place (lov om finansiel virksomhed).
More recently, some jurisdictions have gone even further: they now oblige all corporations to have compliance programs in place and prescribe key elements, with a particular emphasis on whistleblowing. It seems that the practice of adopting a separate anti-corruption code with provisions on compliance programs and whistleblowing is spreading from the UK and the US to continental Europe.
An example of a country that has recently followed this trend is France. Mostly inspired by the UK Bribery Act and triggered by criticism from the OECD, the new French anti-corruption legislation known as Sapin II (“Loi Sapin II pour la transparence de la vie économique”) provides a new set of legal obligations that will significantly impact companies operating in France and their directors. As of 1 June 2017, medium to large companies and their directors will be required to implement a French-specific compliance program against corruption and trading in influence in order to comply with Sapin II. Further, Sapin II obliges companies to, inter alia, adopt a whistleblowing procedure, carry out due diligence on major clients, suppliers or similar, and implement accounting and auditing controls. Failure to comply with these new provisions is punishable under law.
Escaping the requirements of various jurisdictions is not easy. In ratifying the OECD Anti-Bribery Convention, all OECD Member Countries have undertaken to implement a wide extraterritorial jurisdiction to investigate and prosecute cross-border bribery-related offences. The same applies to the UN Convention against Corruption. And if these provisions appear increasingly hard to encapsulate when they emerge from jurisdictions that are fundamentally similar (France, Sweden, Finland, etc.), then it’s going to be even harder to do so when they emerge from jurisdictions like Nigeria or China.
What this means for businesses is that even a remote link to some country may trigger the jurisdiction of the local authorities to investigate and prosecute a corruption-related offence. From the perspective of business compliance, the statutory requirements in all such potentially affected countries need to be taken into account when designing global policies.
Why would I adopt a compliance program if the law doesn’t impose any obligation to do so?
If a company operates its business only in a jurisdiction which does not impose any obligation to adopt a statutory compliance program, it is still highly recommended to adopt one. A well-functioning compliance program may help in identifying and preventing bribery, which is a criminal offence despite the non-existence of a statutory requirement to run a compliance program.
Compliance programs promote transparency in all corporate operations. These days, compliance, transparency and business ethics are seen as a competitive advantage. Companies with well-functioning compliance programs benefit from risk reduction, cost savings and sustainable growth. Anti-corruption policies and transparency drive performance. Research has shown that companies engaged in sustainability reporting significantly outperform their counterparts over the long term, both in terms of stock market and accounting performance.
How can a company with cross-border operations manage the differing regulations?
It goes without saying that the first step to efficient compliance is awareness of the affected jurisdictions, followed by awareness of the content of relevant legislation. No matter how trivial this may sound, many companies are caught unaware when it comes to the law applicable to their business. The most notorious jurisdiction in this regard is probably the US, which assumes that the reach of its legislation, and the jurisdiction of its authorities to investigate and prosecute offences, extends to many foreign businesses with only a remote connection to the US. A jurisdictional link may, for example, be constituted by an interbank payment made in US dollars.
When the applicable regulations have been identified and related obligations mapped, a company should adopt a compliance program to meet the requirements of the regulations. It should be taken into account that, for example, a whistleblowing policy needs to be tailored jurisdiction by jurisdiction.
All compliance policies should be monitored, and practices audited and updated from time to time. As the business grows and expands its presence into new jurisdictions, new compliance requirements may arise. Compliance programs are by no means stable instruments whose content remains the same for decades.
An efficient policy, put into practice, serves as an excellent tool for preventing criminal behaviour in business operations. It also promotes an anti-corruption culture in a company, which is important because bribery is a criminal offence in all OECD and UN Member Countries, irrespective of whether there exists a statutory obligation to implement a compliance policy.
Marja Boman is a Senior Associate in the Helsinki office of Eversheds Sutherland. Qualified in both Finland and England & Wales, she advises corporate clients on issues around bribery, money laundering and regulatory compliance.