Be alive to supply chain pressures leading to misconduct
The Russian invasion of Ukraine, and post-pandemic pressures, have led to increased pressure on supply chains. Business pressure to find solutions can inadvertently lead to behaviours that fall foul of laws on bribery and corruption, financial sanctions, and terrorism financing (e.g. by making payments to groups for safe passage of goods in certain territories). Enhanced expectations and, in some countries, specific supply chain due diligence laws mean that such misconduct is less likely to go unnoticed.
How you should respond – make sure that commercial knowledge on pressure points is shared with those who have responsibility for providing risk-based training and guidance on policies and procedures. To mitigate those risks, identify areas/personnel of higher risk based on current events and geographies, and check the local controls and the oversight of those controls. Some compliance functions have been stretched due to diversion of resource to sanctions‑related matters and budgetary constraints. Check that those who remain have the necessary skills, expertise and time to adequately support effective compliance. Both the U.S. Department of Justice and the UK Serious Fraud Office are increasingly focusing on resourcing and capability of the compliance function when evaluating a corporate compliance programme.
Understand evolving expectations on corporate accountability on environmental and human rights issues
Expect increased scrutiny of corporate behaviour. Higher standards and expectations on corporate accountability have manifested in different ways across the globe. The direction of travel is firmly towards increased scrutiny of corporate behaviour regarding the environment, people working in, and impacted by, all parts of a company’s value chain (including third party suppliers) and employees. In addition, pressure is being exerted by a broader range of stakeholders. Activist shareholders, employees, employees of third party suppliers, local communities and others are using both litigation and reputational levers to hold companies to account for environmental harms and human rights violations. Belgium is likely to be the first European country to introduce a criminal offence of ecocide. The French courts have been upholding unprecedented indictments against companies for aiding and abetting war crimes and crimes against humanity. 2023 will be marked by the development of a wide array of new sustainability obligations for companies operating in the EU.
How you should respond – Prevention is the best medicine, so companies should check that compliance and whistleblowing procedures are working as intended – the ongoing implementation of the EU Whistleblowing Directive means that this is an area of focus for many EU Member States. If misconduct is suspected, any internal investigation should be carefully structured to take into account the very real risk of follow-on civil or criminal litigation and regulatory action. Many whistleblowers who communicate with government regulators have first raised concerns internally and not felt their concerns have been adequately addressed. A measured and proportionate whistleblowing response and internal investigations programme may help identify and stop misconduct before external stakeholders are aware.
Don’t take your eye off intermediaries
The use of intermediaries remains a high corruption risk. Almost all FCPA and other corruption cases involve the use of third parties or intermediaries to make corrupt payments. The true purpose of the payments is invariably disguised, such as in improper mark‑ups, poorly defined “service fees,” or other schemes designed to evade a company’s internal controls. Bribery and corruption remain high on the agendas of many existing enforcement authorities and of new ones, e.g. the new Australian Anti-Corruption Commission.
How you should respond – Companies must ensure that their policies and procedures around the hiring of, and commercial terms with, business partners are properly implemented and reviewed on a regular basis to reflect the business as it evolves. Commercial pressures should not be allowed to trump adequate due diligence. Compliance and finance functions need to be properly resourced with staff with the right level of experience and seniority. Not only will this help prevent misconduct, but it will also be a mitigating factor should there be any enforcement action. Data analytics offer insights to drive compliance programmes, and authorities’ expectations in this regard are increasing. Compliance teams should consider whether they use data effectively to: (i) save time and cost; and (ii) inform the design, implementation and effectiveness of compliance programmes.
Ensure corporate culture supports effective compliance, even during an economic downturn
Expect continued scrutiny of how corporate culture and compliance interact. Recent enforcement suggests that merely having policies and procedures in place, even if externally certified, will not necessarily be adequate either to prevent financial crime in an organisation or to provide an ‘adequate procedures’ defence for a company faced with prosecution under English law ‘failure to prevent’ type offences relating to bribery and tax evasion. How the policies and procedures are embedded in an organisation is critical to making them effective. At a time of budget constraints, e.g. on legal and compliance for many businesses, we still expect to see continued scrutiny by authorities on “tone from the top” and the “tone from the middle”.
How you should respond – How an organisation responds to issues that arise is seen as one of the litmus tests for the culture of an organisation. The implementation of the EU Whistleblowing Directive across many EU Member States highlights the importance of companies having fit‑for‑purpose whistleblowing programmes. The identification of incidents through a proper compliance and whistleblower programme, a prompt and objective investigation, and appropriate and timely remediation not only limits damage for the company but may also be viewed positively by the authorities if the conduct comes to their attention.
Navigate conflicting laws driven by national security and geopolitics
Expect increasing global geopolitical tensions to ensnare more companies. The dynamics of geopolitics and national security concerns mean that businesses can increasingly end up as pawns, often being stuck between conflicting requirements that require delicate navigation. For example:
- The war in Ukraine has led to a surge in sanctions measures relating to Russia, which apply to businesses in all sectors.
- China’s data laws add substantial complexity to the cross-border transfer of documents and evidence for investigations, particularly in the context of requests from foreign government authorities, and also for internal investigations.
How you should respond – Companies will need to consider the commercial, legal and enforcement context in order to adopt a sensible path through these national security‑driven and often conflicting requirements. Make sure that the reasons for internal decisions are properly documented. Where appropriate, maintain an open dialogue with the authorities if the company is unable to comply with a request or order due to conflicting requirements. It can sometimes be possible to negotiate a path forward that avoids direct conflict.
Managing risk of unsanctioned communication channels for business purposes
The unauthorised use of unmonitored personal devices and encrypted communication applications is widespread, and poses significant enforcement risk, particularly to those in regulated sectors. It also impairs the ability of internal investigators to access and uncover facts quickly should an allegation of misconduct arise. The U.S. Department of Justice is expected to issue new guidance in 2023 in this area for all companies, not just those that operate in highly regulated sectors.
How you should respond – GCs and Heads of Risk must ensure that employment policies and agreements are fit for purpose, and actively policed. One approach is for policies to make clear that personal devices cannot be used for business purposes in any circumstances, and then to reiterate this message in the regular compliance training and communication programme. Privacy and employment laws can pose additional challenges to consider if access to a personal device becomes necessary. It is becoming common practice to retain pool counsel or independent counsel for individual employees to review and identify responsive correspondence from an employee’s personal device. Obtaining consent to access a personal device, particularly during the throes of an investigation, can create tensions and test your policies and employment agreements.
Investigate how technology can help to quickly and effectively review data to pinpoint key communications during an investigation. Using technology to do the heavy lifting at the document review stage often saves costs in the longer term and narrows the scope of manual review needed.
Be alive to the pinch points on privilege
Expect more pushback when claiming legal privilege. This is not new for 2023, but it remains a challenge in many investigations. There is often a tension between an authority’s expectations of cooperation, and rules on legal professional privilege.
How you should respond – In-house counsel are advised to continue to consider carefully how to manage issues of privilege and cooperation, perhaps adopting a tiered approach with “crown jewel” privilege claims (for example, communications with external lawyers) and other privilege claims which the company may be less uncomfortable about waiving (for example, notes of interviews with some employees). Any decision to waive privilege must be informed by a strategy to minimise the wider impact of any waiver as well as an analysis of the possible use that an authority may make of the material, including possible onward transmission by the authority to a third party. Additionally, take care to consider privilege laws in the different countries in which you operate and minimise the likelihood of inadvertent waiver, for example by engaging in best practices when conducting internal investigations.
Look after your (and others’) data
Expect cybersecurity to remain a priority. Risk has increased due to the Russian invasion of Ukraine and the post-pandemic economic environment. Key threats include:
- malicious cyber actors targeting internet-facing systems, such as email servers and virtual private networks (VPNs) with newly disclosed vulnerabilities;
- a 300% increase in ransomware attacks since 2019, with the most common entry points being Remote Desktop Protocol (RDP) ports as well as unpatched software, hardware or VPNs; and
- denial-of-service attacks.
Cybersecurity remains a favourite on many authorities’ compliance and enforcement agendas.
How you should respond – Invest in strong defences and experienced personnel while implementing robust processes and procedures so that a business stands ready to react to, respond to and remediate any incidents that occur in a timely fashion and in a manner that considers stakeholder concerns, reporting obligations, and any potential liability. Board engagement is vital, so the board should receive regular reporting on cyber risks. Read our blog on considerations for boards.
Expect more investigations to be investigated
When the outcome of an employee misconduct investigation goes against an individual, or a regulator is a stakeholder, the spotlight can turn onto the investigator. Were they independent? Was there a conflict or perceived conflict? Did the investigator have the necessary skill-set to understand the nuances of a particular allegation? Was there institutional bias? What experience did the investigator have in running hybrid, multi‑disciplinary or multi-jurisdictional investigations? Did the investigator have the necessary time and resources to dedicate to the process? If there are shortcomings in any of these areas, it can lead to the need for a second, independent, external investigation, adding delay and cost.
How you should respond – This can be avoided if time and thought are invested at the outset, when triaging and ‘scoping out’ investigations, to identify those cases that are, whether optically or practically, more appropriate to be outsourced. For example, if the investigation involves a senior executive with a high profile, outsourcing may help avoid questions of independence. Another example is where the investigation involves serious allegations of sexual or racial harassment and it is felt that the available investigators do not have the appropriate skill‑set for the investigation. The key point is that these factors need to be taken into account at the outset.
Balance the costs and benefits of self-reporting and cooperation
In-house counsel can face tough decisions on whether and how to self-report and/or cooperate with authorities. Some authorities have a much more active enforcement record than others. The benefits and drawbacks of cooperation vary by jurisdiction. There have been substantial discounts on fines for companies that have not self-reported but pleaded guilty before conviction, thus avoiding a trial.
How you should respond – A decision to cooperate must take into account the time and cost of doing so, and the potential reputational and financial upside, such as a discount on a fine. This should be compared with what might happen if the business takes a more passive stance.
These top ten challenges are part of the Allen & Overy Annual Cross-border White Collar Crime and Investigations Review.