The increasingly complex demands of our changing regulatory environment, alongside the effects of globalization, have elevated the importance of understanding due diligence for general counsel to new heights. Recently the cost of fines for noncompliance has ballooned significantly in tandem with the number of regulatory enforcement actions taken. From 2004 to 2009, fines for breaches of U.S. sanctions never broke a billion dollars. In 2012 HSBC was fined US$1.9 billion and in 2014 BNP Paribas was fined US$8.9 billion, both record-breaking fines for regulatory breaches. Recent trends clearly show that an increase in regulatory enforcement actions and larger fines for noncompliance is the new norm. These costs can lead to the end of a career and possibly even the end of a firm. These challenges highlight the important role general counsel must play in strategically navigating our complex regulatory climate.
Although awareness of the commercial ramifications of noncompliance is important, it is also necessary for general counsel to maintain deep insight into and knowledge of the myriad forms of risk encountered today. Globalization and exponential changes in technology have directly led to new forms of risk, such as challenges to consumer privacy, intellectual property rights, data security, cyber security, supply chains and much more. These risks in turn have the potential to irrevocably damage a company's reputation globally — a serious issue of increasing importance today.
General counsel should be aware of the enormous importance of properly managing risk through a strong understanding of due diligence and the execution of an effective compliance program. In doing so, general counsel will be able to better identify and mitigate risk in this increasingly complex regulatory environment, and ensure the long-term success and viability of their organizations. The following ten points discuss the most important topics in due diligence that a general counsel should know in 2015.
1. Effective compliance starts at the top
General counsel have to make complex decisions to solve difficult business problems daily. They must be leaders that are able to motivate and "lead from the top" in order to effectively communicate new business ideas and cultural changes throughout an organization's structure. As a result, general counsel must help build a culture of compliance that extends internally and externally, top to bottom. This involves managing relationships at various levels, instituting new policies, implementing training, and adapting to past mistakes to create a more resilient and effective culture of compliance. This is an important first step and failing to do this can expose an organization to unnecessary risk and possibly hurt its commercial and reputational interests.
2. Keep pace with changing compliance requirements
It is more important now than ever for an organization to keep pace with the rapid changes in the regulatory landscape. There were over 40,000 regulatory compliance updates in 2014, and OFAC's "Specially Designated Nationals and Blocked Persons List" currently stands at over 6,000 names of companies and individuals. The current regulatory climate continues to become more demanding, and not keeping pace with changes can be very costly. According to Thomson Reuters, the average total value of monetary resolutions in 2014 corporate FCPA enforcement actions was US$156,610,000 — a 96% increase from 2013.
3. Understand the cost of noncompliance
The cost of noncompliance is varied and can hurt an organization in many different ways. Some financial costs include severe monetary fines, termination of business relationships, and negative impacts on share prices. Personal, regulatory, and operational costs can also be incurred, such as greater regulatory scrutiny, increased personal liability, increased regulation in a particular sector in general, reputational damage, enforced changes to business practices and management, and much more.
4. Create and actively implement a risk-based approach to due diligence
As previously stated, the severity and frequency of fines have increased rapidly over the past several years in parallel with a more demanding regulatory environment. Adopting a risk-based approach to mitigating risk and conducting due diligence is vitally important for an organization's ability to remain compliant and avoid costly punishments. Risk-based approaches to due diligence generally try to identify risk, assess it, understand it, and then monitor it actively going forward. If implemented correctly, exposure to certain risks, like the continuously evolving EU and U.S. sanctions lists on Russia, can be lessened.
5. Globalization and supply chain risk
Over the past thirty years, the way global business is done has changed dramatically due to globalization. One defining reality of this change is the extended interconnectedness of business relationships and their more complicated supply chains. The international business community now has access to countries that were previously closed to it because of geopolitical and economic factors. Although globalization provides many benefits for businesses, it also significantly heightens a company's exposure to risk in many ways, especially when supply chains pass through countries with inadequate or nonexistent labor and environmental laws. A famous example of a multinational corporation's exposure to supply chain risk is the Rana Plaza garment factory disaster that occurred in Bangladesh in 2013 and killed over 1,000 people, which created a major international debate on the issue and could have caused lasting reputational damage. This is still a salient issue, as a recent Human Rights Watch report attests, stating that a number of governments are still failing to adequately protect workers in the global garment supply chain. Supply chain risk can be reduced by conducting enhanced due diligence on suppliers and other third parties in line with a broader organizational compliance program.
6. Cybercrime and risk
Cybercrime poses significant risk to the financial sector and has caused huge monetary losses in certain cases, a trend which is forecast to continue. For example, JPMorgan was recently subject to cyber-attacks that compromised the personal information of 83 million households and businesses. In response to the many cyber-attacks on large banks, regulators and law enforcement internationally have made cyber security a top priority. As a result, compliance programs within financial institutions can expect to undergo more stringent and frequent examinations of the effectiveness of their cyber security programs. Financial institutions will have to increase their cyber security in order to secure client information and other sensitive data from attackers.
7. Disruptors and changing regulations
Part of the changing regulatory landscape is a response to new business models, services, and products, such as the sharing-economy leaders Airbnb and Uber, and new financial services like Prosper and Lending Club. Digital currencies such as Bitcoin also present new regulatory issues and challenges. Although these companies offer many benefits to consumers and certain industries alike, such as Bitcoin's ability to slash costs in the payments arena, these new companies and services currently operate in an uncertain regulatory environment, and as such are exposed to noncompliance risk.
8. Anti-money laundering (AML) and compliance
The penalties for failing to comply with AML legislation are severe. HSBC paid US$1.9 billion in fines for being used as a conduit for Mexican and Colombian cartel drug money. The severity of fines and frequency of regulatory enforcement for breaches of this kind has increased, which is a trend that is likely to continue. In addition, many countries internationally are increasing AML legislation and enforcement. For example, the anticipated enactment of the European Union's Fourth Money Laundering Directive (4MLD) will increase Europe's scope of existing AML regulations significantly, and provides a window of only two years for EU countries to fully implement the requisite changes.
9. Foreign Account Tax Compliance Act (FATCA)
FATCA was crafted to prevent offshore tax evasion by U.S. citizens. It is estimated that the U.S. government loses up to $500 billion annually to offshore tax evasion. FATCA requires organizations to enhance their information reporting, among other obligations, through a set of rules governing these processes. Over 80 countries and over 77,000 financial institutions have agreed to the new law. Countries that do not comply with FATCA will face considerable trouble in accessing U.S. markets. Expect FATCA to make banking more transparent, even in areas deemed tax havens, such as Switzerland. However, the challenges in instituting the changes required to be compliant with FATCA regulations are great. FATCA will have a lasting impact on corporate due diligence and the compliance sector for years to come.
10. Anticorruption and bribery
Recent anticorruption and bribery legislation such as the Foreign Corrupt Practices Act (FCPA) and the United Kingdom's Anti-Bribery Act of 2010 shows a clear intent by regulators to clamp down on this type of criminal activity worldwide. In 2008, Siemens AG was found guilty of violating the FCPA and fined over US$800 million. British Aerospace Engineering (BAE) and KBR/Halliburton were fined US$400 million and US$579 million respectively between 2009 and 2010. Clearly the penalties for breaching FCPA regulations are great, and they highlight the importance of fostering an institutional culture of compliance in order to reduce an organization's exposure to this type of risk.
A strong culture of compliance in conjunction with an effective overall risk-based approach to due diligence is a necessity for doing business globally today.
Reprinted with permission from the Association of Corporate Counsel, 2015. All Rights Reserved.