If Compliance were a food, it would be alphabet soup.  FCPA, OFAC, UKBA, CCPA, GDPR, DPA, DOJ, SEC, AML, SFO, SDN… the list goes on.  This gaggle of letters tangles many a compliance officer.  Deciphering the meaning of each acronym is tough enough on its own.  Creating a program that meets the requirements of all of them is much more challenging.

One of the questions I am asked most frequently is how to manage a multi-national program effectively.  There are many considerations for doing this, and each one must be weighed based on the company’s individual circumstances.  Nevertheless, there are ways to approach running a multi-national program that produces more effective compliance programs. 

This is the first of two blog posts exploring how to manage competing laws and making decisions in a multi-national world.  In this blog, we’ll explore the challenges of competing laws, and reveal the best way of structuring your program to respond to them. 

The Problem of Competing Laws

Bribery, money laundering, invasions of privacy, modern slavery, and unethical conduct take place within every country in the world.  These challenges are universal, and therefore, all or nearly all countries create laws to reign in and punish these behaviors.  The problem is that each country tries to manage these challenges differently – sometimes drastically differently.  This leads to competing obligations for the compliance department. 

Two Approaches to Handling Multi-National Programs

Generally speaking, there are two approaches to managing international programs.  One is to choose a regional approach, creating an overarching program implemented with regional differences.  The other is to choose the strictest law with the harshest penalties and create the global program framework around those requirements.

The Problem with the First Approach

The problem with the first approach is that it leads to inconsistencies.  An inconsistent program can be confusing for employees, especially those who work cross-border.  Let’s take the example of an employee creating a customer event.  The event will take place in Holland, and include delegates from Europe and the Middle East.  The gifts and hospitality limits, reporting requirements, data privacy protocols, and forms to fill out may be different for different delegates depending on which country each is from, which can lead to immense confusion. 

In addition, if an employee moves from one region or country to another, there will need to be a re-education process, which may lead to less compliance, simply because the rules are unclear.  The Chief Compliance Officer may not even know what rules apply in each region.  This is a recipe for chaos.

Reasons for Choosing the Second Approach

There are many benefits to creating a global program based on the strictest law with the harshest penalties.  First, it is easier to manage.  From policy drafting, to aligning metrics, to performing investigations, one program means one way of administering all of the seven elements of an effective compliance program.

Second, having one global program helps employees to understand their obligations clearly.  There is no need to amend eLearning for several different jurisdictions – it is the same everywhere.  This can lead to unexpected benefits like a streamlined learning process and a reduction of costs.  Employees that change countries or relocate for promotions will be able to move forward without having to learn a new program.

Next, when you choose a framework based on the law with the highest penalties for violation, you put the company in the best position possible if misconduct is discovered.  In cases where there are explicitly competing laws (like boycott and anti-boycott laws), it is sensible to abide by the law with the larger penalties to protect the company from the highest fines.

Lastly, a program built on the strictest law will enable the company to follow the other laws affecting the business.  For instance, the European General Data Protection Regulation (GDPR) bestows certain rights on European citizens.  These include the right to correct inaccurate data, the right to know which data has been collected, and with whom that data is shared.  The California Consumer Privacy Act (CCPA) has recently bestowed similar rights upon consumers within California.  Many US states are contemplating laws similar to the CCPA, and more and more countries are enacting laws that are similar to GDPR.  By choosing to structure your program based on the strictest law, you will help future-proof your program so that it matches the requirements of laws coming into force.

 Following Local Laws while Managing a Global Program

There will always be local laws and rules with which compliance is required.  For instance, in some countries, registration with data privacy authorities may be required for certain types of data processing, or works councils must be consulted before certain policies can be implemented.  This is not a reason to change your global program.  It is simply a matter of having local or country-specific procedures in place that do not contradict the rest of your program.

The distinction between your program’s global framework and a local law that should remain local is that a local rule affects the procedure that has to be completed in a country.  A local law requiring permitting does not change the global program.  Where local laws require local procedures, those must be followed, but that should not disrupt the framework for the entire program.

Running a multi-national program will always be challenging.  By choosing to create a global framework for a global program, comprehension by employees will be stronger, which in turn, makes the compliance program itself more effective.

In Part II of this series, we’ll discuss where to get help to ensure your program is successful, and how to document your decision-making to meet regulatory expectations.