Realistically, something’s gotta give. Whether you’re a compliance officer at one of the companies thriving in these unprecedented times (hello Zoom and Amazon), one in a company full of furloughs and layoffs (hello airline and hotel groups), or one in a company somewhere in between, the tension is palpable. Generally speaking, right now business leaders aren’t overly concerned about compliance initiatives or compliance concerns. The focus isn’t on compliance – it’s on survival.
But compliance can’t be complacent. As David Fuhr, Assistant Chief of the US Justice Department’s FCPA unit said on April 23, 2020, “Prosecutors are trying to be reasonable given the conditions companies face as a result of the pandemic, but compliance has to continue.”
In this time of challenge and change, we must be willing to bend but not break. Where can we bend to be team players responding to the crisis? And conversely, where do we hold the line in the various areas of risk? As always, your risk assessment is the place to start, because every business is different. However, there are some general places where the rope can be relaxed, and others where you shouldn’t give an inch.
Bribery and Corruption
Bribery risk escalates exponentially in times of crisis. The seeds of prosecutions in 2022 – 2025 are being planted now. However, not all bribery risk is the same. This is a time when gifts giving and hospitality provision have likely fallen off a cliff at your business. Training on the Gifts and Hospitality policy isn’t as useful now as it could be later in the year. Likewise, with most budgets constricting, your company may not be giving charitable donations. Hold the line on:
Performing Third-Party Due Diligence of High-Risk Partners: Hold the line when it comes to third-party due diligence, especially of high-risk partners like sales agents. There will be temptation within the business to push third-parties through without going through the whole due diligence process. Say no. Consistent application of due diligence is critical to program defensibility and the capacity to receive mitigating credit should something go wrong.
If you have the bandwidth, make getting third-parties quickly through due diligence a focus of your job. By prioritizing this task, you’ll have a better chance of maintaining buy-in for the review.
As global tensions escalate, especially between the US and China, more trade sanctions are likely coming. Countries are focusing inwardly and taking care of their own people. Economies are collapsing, and governments need to protect their internal sources of revenue. The time is ripe for economic warfare in the form of trade sanctions. If you’re lucky, you have some sort of screening program to find people or companies on the OFAC Specially Designated Nationals List and other sanctions lists. Whether you do or don’t, hold the line when:
Moving into New Jurisdiction/Markets: You must be involved when your company moves into new markets, especially if the new market is in a place where sanctions currently apply. Many times it isn’t obvious that sanctions are an issue. For instance, some companies have expanded into the Middle East using sales agents in Saudi Arabia. That’s fine under most circumstances unless the contract includes the right to sell products into potentially sanctioned nearby countries. It is critical that you remain in consultation as the move to new markets takes place.
Conferences are canceled and aren’t likely coming back in the near future. This can relieve some pressure from the antitrust front. It’s easier to manage collusion risk when there are no trade shows or trade association meetings for your employees to go to. Regardless, antitrust concerns still exist. You should hold the line during:
Mergers and Acquisitions Discussions: There are a number of reasons for Compliance to be involved in the due diligence portion of the mergers and acquisitions process, but now more than ever, competition risks should be a focus. When competing companies collapse or become vulnerable, industries constrict and may end up with one or two dominant players. It is important for Compliance to consider antitrust issues, and if necessary, to involve outside counsel in communicating with the regulators for review of the merger or acquisition. Moving too fast may create massive problems later.
Modern Slavery/Human Trafficking
Supply chain disruptions are everywhere. Governments across the world are enforcing social distancing rules, and the manufacture of most goods cannot be completed at a home office. If your company’s supply chain suddenly collapses, there may be a scramble to find a new supplier at virtually no notice. You should hold the line and require that:
Due Diligence Be Performed on New High-Risk Suppliers: Reputational risk abounds when it comes to engaging suppliers involved in modern slavery or human trafficking. The repercussions of getting the decision wrong could go on for years. High-risk suppliers frequently come from industries where modern slavery is common (e.g., agriculture, mineral, and other extractive industries, fishing, forestry, domestic help, etc.), or suppliers in countries in which modern slavery is more common. [Check the annual US Trafficking in Persons report for detailed information (https://www.state.gov/trafficking-in-persons-report-2019/)]
While in-person audits may not be possible right now, create as strong a due diligence review as you can for high-risk suppliers. Ask the new supplier for photos, attestations, audit rights, termination rights, references, and strict contract terms to prove their compliance with anti-slavery laws.
There have been rumors that the US healthcare privacy law HIPAA and the European General Data Protection Regulation (GDPR) have been suspended because of the COVID crisis. This is simply untrue. While there is great debate about the conflicting values of public health management and individual privacy, the laws affecting companies with respect to privacy remain virtually the same as they were. Many companies are pivoting to digital advertising and digital products, and they are pivoting as quickly as possible. There is a palpable sense of panic at many companies. Disruption abounds, and companies need to adapt q
uickly. You should hold the line and require that:
Data Privacy Impact Assessments Be Completed: Partner now with the marketing department and new product development to insist that data privacy impact assessments are completed. Failure to complete the assessment so that privacy is considered at the design stage can result in multi-million dollar (or Euro) fines. Protecting the company in the future comes from completing this exercise now.
At this moment, your activities and priorities may have to shift. You may need to revamp your training schedule, or write a new Bring Your Own Device (BYOD) policy instead of updating your data inventory as previously planned. While Compliance does its required pivot, some lines must be held and not crossed. By knowing what you can and can’t compromise, you’re more likely to be viewed both as a team player and as a leader.