Asian-mena Counsel: Sanctions & Investigations Special Report 2020Published in
Asian-mena Counsel sought wise counsel on the key issues in these risk-heavy areas from those with expertise at leading International law firm Baker McKenzie, and two thought-leading GC’s:
|From Baker McKenzie:
Mini vandePol, head of the firm’s Asia Pacific Compliance & Investigations Group, focuses on anti-bribery and corruption, trade sanctions, fraud and other senior executive misconduct investigations across Asia but most particularly in Hong Kong, China and India.Celeste Ang’s practice encompasses corporate dispute resolution, compliance and investigations. She has significant experience acting for global clients in cross-border disputes and advising clients on compliance and regulatory issues in the context of cross-border investigations.
Simon Hui is ranked among the leading lawyers for dispute resolution/regulatory and compliance in China. He has conducted complex internal investigations for a large number of multinational companies across a range of industries.
Vivian Wu focuses on China-related corporate regulatory and compliance matters, in particular anti-corruption and trade compliance. She is experienced in compliance investigations, due diligence, risk assessment and training. In 2014, Wu worked at the Baker McKenzie’s Washington DC office with the firm’s North American Compliance and Investigations Practice Group on various compliance matters. She is experienced in advising Chinese companies and financial institutions on managing overseas compliance risks, including without limitation bribery, trade sanctions and export control issues.
With In-House Insight from:
Carl Watson is a GC and member of the leadership team for Arcadis covering the Asia region. He is passionate about optimizing legal operations, using digital tools, so his team can focus on enabling practical and commercial solutions to a wide range of contractual, legal and compliance matters.
Pro-actively identifying the legal liabilities for your corporation can be a complex task. Can you suggest an ideal process which in-house legal departments can implement to detect these liabilities? What key points should an organisation bear in mind when mapping out a process?
Mini vandePol: A helpful way to approach this task is through a risk assessment exercise. While such an assessment will look different for each company (e.g., based on its jurisdictional reach and business profile), the idea is for counsel to look more deeply into the jurisdictions and types of business model that the company engages in, to better understand the core risk areas. To frame the process, it’s often helpful to start out with a scoping document laying out the breadth of the exercise and its methodology. Elements can vary depending on the risk assessment, but it usually involves a combination of review of key documents, conversations with key individuals in high-risk business areas and transaction testing. The results of such a risk assessment can be used to further the company’s compliance programme going forward, such as to tailor policies and trainings to identified risks. We often do such risk assessments for clients, but they can also be structured such that in-house counsel conduct the risk assessment and we provide guidance. This can be a great way for in-house counsel to get a bird’s eye view of the company’s risks.
We have also developed the Compliance Cockpit, which provides companies with unique insights into their risk exposure in multiple areas of law and enables them to assess whether the implemented compliance program effectively reduces the overall risk exposure. The Compliance Cockpit aggregates the information collected from multiple sources within the company, analyses it via pre-defined risk evaluation formulas and presents the results in interactive dashboards.
Simon Hui: A company will be exposed in different types of risks in doing business. It is always hard to exhaust all underlying legal liabilities. However, operating routine business with risk awareness will make a big difference. From the legal perspective, the first step is to have an accurate and complete understanding of the company’s business and the challenges it is facing. After an assessment of current operations, the counsel will need to map out potential labilities from different parts of the operation, such as, in general, corporate governance, license/approvals, interactions with public sectors, sales and marketing, procurement, and special regulations related to the company’s business. Given the fact that the business may change from time to time, the assessment should be conducted periodically in order for the risk control to be effective and proactive. In addition, when a company is exploring new areas or planning future transformation, it is advisable for the in-house counsel to step-in at the very beginning and evaluate the legal risks in advance. For instance, when a trading company decides to enter the manufacturing industry, safe production and environment protection requirements will become new areas for it to focus on.
The in-house counsel will also need to keep an eye on the recent legislative development and enforcement trends and to have the company react promptly to the changes in laws and be prepared for potential government actions. Moreover, some risks might be common in their particular industry, so those lawsuits, administrative orders, and punishment decisions against competing companies may have reference value.
Nonetheless, as aforesaid, legal liabilities cannot be eliminated completely. There could still be unexpected government investigations into the company. In a number of jurisdictions in the Asia-Pacific region, such investigations are usually commenced by the government conducting a dawn raid. The company is required to put in place a well thought out procedure and arrangements to handle such investigations. The legal counsel should be clear as to which government organs are the key regulators of the industry in which the company is operating in, the boundaries of their powers, and enforcement trends.
Another point that needs attention is that the company’s obligations/labilities could be extended due to certain contractual arrangements. Compliance requirements may not only come from local laws and rules, but also from the home jurisdictions of counterparties (such as rules under the FCPA and the UKBA). It is also worth noting that directors and employees of state-owned or state-controlled companies would be deemed as public officials under ABC related laws and regulations in many jurisdictions. Control measures should extend to the business with these types of business partners.
Celeste Ang: The risk assessment is a practical starting point. Once a risk assessment is done, and the gaps and deficiencies (if any) are identified, the next steps are to:
- bolster/supplement the existing compliance policies and processes and/or put in place the necessary policies and processes to address the gaps and deficiencies;
- ensure that these policies and processes are effectively communicated to all employees and that there is comprehensive training offered to all employees.
In order to properly assess whether these policies and processes are effective in detecting, avoiding or managing liabilities, an active monitoring and auditing schedule or process should also be put in place and implemented. If there are any further gaps or weaknesses detected, the policies and processes will have to be further improved. Internal reporting systems, such as whistleblowing policies and hotlines are critical to the detection of liabilities that may not arise in the normal course.
It is important to bear in mind that the above process of risk assessment, audit/monitoring, improvement of the policies and processes and communication/training is a continuous process.
Stanley Lui: A commercial process should ideally (perhaps must) reflect commercial reality. It’s therefore crucial that the formulation of the same is based on first-hand knowledge and 360° analysis.
A few effective ways to gather the relevant building blocks are:
- ride shotgun when front-line sales/marketing colleagues go on customer or on-site visits to experience and verify pain points up-close;
- be the co-pilot of internal audits, with the aim to identify regulatory and operational deficiencies, game out possible disruptive scenarios from those inadequacies, then develop process checkpoints to counter; and
- (when normalcy returns…) attend key industry / product conferences, in order to acquire latest market intelligence on the risk landscape, gain insights into the operations of your customers, suppliers and competitors, then zero-in on key areas of improvement
“What gets measured gets done” – so the saying goes. Similarly, a process would stay relevant only if it’s rigorously applied and undergoes timely tweaking.
As such, it’s critically important for the in-house legal team to maintain continuous communications with and react swiftly to feedback from stakeholders and corresponding business units, who carry out the process in their day-to-day operations. Another vital means to ensure sufficient meeting of process standards is via the introduction of unannounced audits and spot-checks in the process workflow.
Expected or unexpected, a crisis situation can be overwhelming and disastrous for the corporation if ill-managed. What are your suggestions for in-house counsel on crisis management? Have there been changes to what companies should focus on between pre-pandemic days and the ‘new normal’?
Mini vandePol: The Covid-19 pandemic has created a range of challenges for compliance. Work-from-home arrangements, while necessary, have made it harder for management, as well as legal and compliance departments, to oversee employees (especially those in high-risk business areas). Furthermore, the economic downturn resulting from Covid-19 has created pressures for companies to get creative to “make ends meet”, and this can sometimes happen in non-compliant ways. When a crisis hits, there are a number of things that in-house counsel should do to ensure that a crisis does not become a catastrophe. The first is to create a “core group” outside of which information about the crisis is not shared. This is important to allow consistent messaging, to ensure that the “rumor mill” does not exacerbate the problem and to tackle the crisis in a coordinated fashion. It’s also important to protect legal privilege, in those jurisdictions that have privilege protection. We offer a range of training options to clients that can help prepare in-house counsel and others for potential crises. One is our dawn raid training, which prepares companies for what to do in the event of a dawn raid by a regulator, such as an antitrust, anti-bribery and corruption or securities regulator. Another is our Investigations Academy, that takes clients through the lifecycle of an internal investigation, from when the crisis is first revealed (e.g., through a whistleblower report) until it is resolved, either internally or via negotiation with a regulator. These programmes can help clients to be well-prepared should such a crisis scenario arise.
Celeste Ang: There are usually many ongoing issues to consider when a crisis befalls a company, including internal and external communications, public relations, reputational impact and legal ramifications. What would help a company tide through these unrelenting waves is to have a proper crisis management plan already in place before the crisis hits, so that individual teams or departments know their roles within the company and what they should be dealing with. How the company reacts would then depend on the nub of the crisis. Is the issue one of widespread defect of the company’s products, leading to a product recall? Was a whistleblower report on the company’s alleged shady dealings released to the press? Senior management will have to be prepared to make tough decisions on the issues that surface, but it can be dealt with in a much smoother manner if a proper crisis management plan was put in place. Taking control of internal and external communications is important particularly in these times of information and social media explosion.
In the current post-pandemic world, crisis management may have a slight shift towards being prepared to deal with issues such as a breach of data privacy, data leakage and cyber fraud. With the increasing volume of online activity as employees work remotely, there may be a higher threat of fraudsters committing cyber fraud by impersonating a colleague or a counterparty, directing payments to be made out to the fraudster. As companies steadily get on the e-commerce bandwagon to maintain an online presence, they must also be better equipped with data collected from its customers – a corollary of that is to be prepared in the event of a breach of data privacy.
Simon Hui: When encountering a crisis situation, such as a dawn-raid by an enforcement authority, etc, it is very important for the company that the in-house counsel take on the role of coordinator. The coordinator should become the exclusive voice from the company on the matter to avoid further impact or a new crisis resulting from misconduct by others in interaction with officials or the public. For the same reason, the in-house counsel/coordinator should be delegated with sufficient resources, authority and independence to perform his/her duty, even in monitoring senior management activities.
Apart from legal exposure or consequences, a crisis may also lead to an operational and reputational impact on the company. Therefore, cross-department cooperation is vital. For instance, the human resources department will need to guide and monitor employees’ individual social media to prevent improper discussions and comments. Simultaneously, the public relations department shall proactively communicate with the media and provide timely and transparent disclosure to the general public. All the actions require the legal department’s advice and coordination. We also noted that, since the Covid-19 pandemic commenced (the new normal), more and more people are inclined to follow or discuss breaking news or events via their individual social media. This gives the legal, PR and HR teams a greater challenge in how to effectively control and manage reputational risks and handling inaccurate and inappropriate voices.
Work-from-home arrangements have led to a large number of employees are relying heavily on IT networks to communicate with each other. This has created increased cybersecurity risks for organisations leading to potentially substantial losses.
Stanley Lui: This may sound counter-intuitive, but “Slow and Steady Wins the Race” should ‘always’ be the legal department’s mantra when facing a crisis. One of the main tasks of an in-house counsel is to anchor all stakeholders in order to navigate a business through a sea of chaos, uncertainty and misinformation. Regardless of whether pre- or in the midst of Covid-19, the legal team must preserve the methodical approach to adding value with legal review, risk mitigation, temporary procedural and policy changes, and supporting the business with an effective internal and external communications strategy.
Demonstrating the right leadership is equally important: keeping an open mind, being strategically creative, fostering a trusting environment that permits “rumble with vulnerability” and upholding dignity and a healthy sense of humour when everyone really needs it.
Carl Watson: Roadblocks can be navigated but to do so, mindset is critical. That mindset (of the organisation and its people) needs to be built upon clear compliance communication pathways together with an appreciation and understanding of what the bespoke compliance and governance framework of the organisation is intended to achieve. The role of inhouse counsel is to act as the translator of often complex regulatory/legislative and/or risk governance frameworks into digestible modules of deployable knowledge. With a “bought in” mindset, a business team that understands the benefits and consequences of actions can then, to a point, self-serve around key aspects of compliance and provide a depth of assurance to the corporate. That said, engagement and awareness of the strategic drivers of the corporate, the contextual understanding of the global, regional and national priorities of the corporate; and, fundamentally, the proactive engagement (including, listening first) to the business teams are the invaluable investments the in-house counsel should make in order to capture and then retain the mindset of compliance.
What are some of the potential compliance roadblocks for corporations?
Mini vandePol: While it really depends on the particular company’s business, a big issue tends to be developing the connection between legal/ compliance on the one hand and the business on the other. Trainings that are more conversational in style and focus on the actual challenges faced by the business can be very helpful in this respect. Developing this relationship is essential so that legal/ compliance are informed before issues arise.
Simon Hui: In mainland China, along with the development and reform of the legislation, administration and enforcement activities (such as government inspections and investigations) have become more transparent and standardised. Nonetheless, it is inevitable that some grey areas in administration will bring uncertainty and potential risks to the business team when they interact with local governmental organs. Legal advice and guidance will be needed in this regard.
The growing tensions and competition between major trading nations in the world also presents challenges to a company with operations in different parts of the world. Legislation issued by national governments designed to prevent or frustrate the long-arm jurisdiction of other nations means that a company needs to tread carefully so as not to be caught by the conflicting legal obligations.
While internally, as the business grows, a company may use more complex structures with operations in different regions. How to implement a consistent compliance standard over different types of business and multiple locations is a considerable task for those responsible for compliance. Periodical assessment is thus necessary. Furthermore, although most companies have some compliance training at present, that training is often becoming less effective as the form is too rigid and the content out-of-date. Among others, functions like public relations, marketing, sales, procurement are higher compliance risk. Enhanced and customised training sessions (perhaps with case studies that originate from the participants’ daily work) will be more beneficial and effective.
Last but not least, on some occasions, in-house counsel might be aware of the risk-related issues but lack the resources to take prompt remedial action, therefore, it is always advisable for a company to seek advice and assistance from external legal and compliance professionals.
Celeste Ang: The attitude towards compliance remains one of the biggest hurdles for corporations, especially in the current economic climate. Where revenue and growth have been hampered due to a slump in economic activity, there may be a disconnect between the focus on compliance by the legal and compliance team on the one hand, and a focus on growth and profits by the management on the other. Companies may now be more focused on conserving resources, but compliance should not be overlooked.
For corporations working on cross-border transactions, which jurisdictions should the legal department consider high-risk for sanctions and political environment?
Mini vandePol: In terms of US sanctions (and US sanctions tend to be the most aggressive), the “comprehensively sanctioned” jurisdictions are Iran, Syria, Cuba, North Korea and Crimea. However, there are individually sanctioned individuals and entities in a broad range of countries, including ones that one would not picture as “high-risk.” As a result, it is important to screen individual counterparties, customers and other business partners for a global range of sanctions programmes, and to create a sanctions compliance programme tailored to the company’s unique jurisdictional exposure and business focus.
Vivian Wu: Recently, China has become a jurisdiction with relatively high US sanctions risk, although not at the same level as other jurisdictions subject to comprehensive sanctions. Due to the geopolitical considerations, this is an area under fast development, which warrants close monitoring and timely adjustment as needed.
Sanctions lists are ever-evolving and becoming more complex. How can in-house legal departments stay on top of these changes and proactively manage risks?
Mini vandePol: This is an area that many of our clients struggle with. The first line of defense, as noted above, is to put together a sanctions compliance programme tailored to the company’s unique jurisdictional exposure. This is something that we regularly help clients with. A portion of this programme should involve a clear, easy to follow sanctions policy and procedure, which should (among other things) guide employees in conducting regular sanctions screening of counterparties, customers and other business partners. A user-friendly, functional training on the policy and procedure for those employees engaged with sanctions issues (and those who need to be aware of them) is another key component of such a sanctions compliance programme. If resources allow, we strongly recommend using a reputable, professional screening service that aggregates the various global restricted parties lists, and that updates these instantaneously as new sanctions are announced. We have found that such a method is less likely to lead clients astray than conducting individual “word searches” on PDF lists provided by the various governments and international organisations operating sanctions programmes. Some of these screening vendors offer reasonable cost options. Another important element to keep in mind is when (and how often) the company does sanctions screening. Screening at the on-boarding of a new customer is essential, but so is screening at regular intervals, so that the company is aware should a customer (or other business partner) be added to a sanctions list mid-way through the commercial relationship. Such regular screening will allow the company to act pro-actively if such a mid-stream sanctions listing does occur.
Vivian Wu: First of all, it is important to have the appropriate organisational structure to manage the trade compliance risks. In the past, quite often trade compliance functions in many companies would be performed by the logistics another business department. Nowadays, given the increasing complexity of trade compliance matters as well as the aggressive enforcement, we have seen a trend in the separation of the trade compliance function from the business operations and as a result of such, the legal and compliance department has taken on a much more important role in managing trade compliance risks.
Further, in the past many companies mainly relied upon the in-house automated or manual screening tools as the primary risk-mitigating measures, and quite often the focus has been the name of the business partner itself. Nowadays, the screening process becomes more complicated. For instance, the trade compliance due diligence needs to look into the direct and indirect shareholders of the business partners, in particular those controlling more than 50 percent of the equity interests of the business partner. In addition, how to draw the distinction between a civil and military end-user would require further due diligence on not only the company’s shareholders but also its staff and any connection with any militaries, which can be quite challenging. As a result, we have seen in-house legal and compliance teams enlist support from external counsel with respect to such a due diligence exercise.
Carl Watson: Research is showing that now, and increasingly as we move to a post-Covid-19 landscape, a global trend in governmental policy is toward protectionism in terms of pandemic recovery in the near term. That recovery may see governments (and blocs) “looking after their own” for a period, with the potential to impact established multi-lateral arrangements. This adds a layer of complexity to established sanctions regimes which are more overt and entrenched. Global businesses operating across multiple jurisdictions for a blend of global, regional and national clients/customers need to be aware of this shift, having eyes open to the impact on established sanctions compliance systems; and exposure to other operating restrictions that may be imposed in a “new normal”. Retaining a trusted expert sanctions counsel who undertstands your global footprint and operations; and ensuring a tailored programme of alerts and practical guidance is flowing into the business is an essential and basic fundamental. It is critical, not only when building new business but also for established work, that proactive screening is undertaken at both the gateway point (via tailored due diligence, etc), but also through the delivery of a programme of work. To manage the evolution of risk in this area. the importance of being alert to the fact that policies and politics are evolving ever more rapidly is essential for in-house teams – having agile screening systems in place which enable reviews of projects/programmes of work from “cradle to grave” will provide greater assurance in a complex operating environment.
What are some key licensing considerations in the context of compliance to sanctions?
Mini vandePol: In terms of US sanctions, the US Office of Foreign Assets Control (OFAC) provides licenses which are authorisations from OFAC to engage in a transaction that would otherwise be prohibited for a US person. There are two types of OFAC licenses: (1) general licenses, which authorise a particular type of transaction falling within the parameters and conditions of the general license without the need to apply for a license; and (2) specific licenses, which are issued to a particular person or entity, authorising a particular transaction in response to a written license application. Persons engaging in transactions pursuant to general or specific licenses must make sure that all conditions of the licenses are strictly observed. A range of license types exist. One common type of license is the “wind-down” license that allows parties a limited amount of time to cease interactions with a recently sanctioned entity. For example, on July 31, 2020, OFAC issued General License No. 2 to its Global Magnitsky Sanctions Regulations, which authorised transactions necessary to wind down dealings with Xinjiang Production and Construction Corps (XPCC)’s subsidiaries until September 30, 2020. These wind down licenses tend to acknowledge that it is often impossible for parties to immediately cease dealings with a newly-sanctioned entity. Other general license types also exist, such as those to allow parties to protect their intellectual property in sanctioned jurisdictions.
How do US and EU sanctions on China affect international entities doing business there?
Mini vandePol: The main concern for companies as to the US and EU sanctions has been the volatility we have seen over the past few months (as well as other restricted parties listings, such as those related to export controls). It often seems that new restricted parties are announced every day. Further, China has implemented its own sanctions as regards certain US individuals and entities (such as the Unreliable Entity List Regulations), meaning that companies need to be aware of these as well, and must include them in their screening programmes. Fortunately, a robust sanctions compliance programme can bolster a company’s defenses even in such volatile and unpredictable times. With all of the new sanctions being announced, it is doubly important for companies to understand their jurisdictional exposure and to ensure that they are conducting screening at regular intervals.