We asked our global white collar crime team for their views on key challenges in 2022 for in house investigations teams and white collar crime lawyers, and how to manage the associated risks. Here are the top ten.
Understand evolving expectations on corporate accountability
Expect increased scrutiny of corporate behaviour - Higher standards and expectations on corporate accountability have manifested in different ways across the globe. However, the direction of travel is firmly towards increased scrutiny of corporate behaviour regarding the environment, people working in, and impacted by, all parts of a company’s value chain (including third party suppliers) and employees. In some countries (France, Germany, Belgium) there are new corporate vigilance obligations either in force or proposed. In addition, pressure is being exerted by a broader range of stakeholders. Activist shareholders, employees and others are using both litigation and reputational levers to hold companies to account for environmental harms and human rights violations.
How you should respond - Prevention is better than cure so companies should check that compliance and whistleblowing procedures are working as intended. If misconduct is suspected, any internal investigation should be carefully structured to take into account the very real risk of follow-on civil or criminal litigation and regulatory action.
Don’t take your eye off intermediaries
The use of intermediaries remains a high corruption risk – Like many previous years, the enforcement authorities took action in 2021 on corrupt payments made to third parties including those concealed as, for example, consultancy fees, sponsorship or charitable donations. Post-pandemic pressure on supply chains means that some companies may be keen to enter business arrangements with new partners, quickly. The U.S. Biden administration views corruption as a core national security interest, and its new anti-corruption strategy promises to ‘surge resources’ for corporate FCPA enforcement.
How you should respond - Companies must ensure that their policies and procedures around the use of such business partners are properly implemented, and reviewed on a regular basis to reflect the business as it evolves. Ensure that commercial pressures are not trumping adequate due diligence.
Old and new financial gatekeepers must keep up to date with AML compliance
Expect tougher anti-money laundering and counter-terrorist financing laws - Every jurisdiction surveyed this year is bolstering anti-money laundering and counter-terrorist financing laws, many following the recommendations from the Financial Action Task Force. The traditional financial gatekeepers such as banks are prime targets for enhanced regulation and tougher laws. But a broader range of gatekeepers are increasingly being bought into the frame with regulations being expanded to catch virtual asset service providers and fintechs. Whilst automation and AI can do some of the heavy lifting on AML compliance, enforcement shows that performance of AI will only be as good as (1) the data it relies on, and (2) the quality of the human decision making at the point when the system raises a red flag. We expect to see continued close scrutiny and rigorous enforcement in this area, particularly around weak systems and controls.
How you should respond - All types of business, not just those in finance, should identify money laundering risks and implement controls, with appropriate senior management oversight, to mitigate them. Compliance functions must be adequately resourced. Staff should be sufficiently experienced and feel empowered to independently question decisions taken by others.
Consider the risk of corporate criminal exposure
Expect law reform on corporate criminal liability: Proposed and actual legislative reform in several jurisdictions is aimed at making it easier to convict large companies of a criminal offence. Some jurisdictions have adopted, or are considering adopting (e.g. Australia), the UK Bribery Act 2010 s7 model of ‘failure to prevent’ bribery. There is pressure on the UK government for this type of offence to apply to a broader category of financial crimes.
How you should respond - Any analysis of corporate exposure following allegations of misconduct should factor in the jurisdictions involved, and the risk of corporate (and individual) liability. Companies should reduce their financial crime risk, and maximise their chance of successfully mounting an ‘adequate procedures’ defence, where applicable, by implementing an effective compliance programme. Companies which formulated their policies some years ago should review relevant guidance, update policies, provide regular training to staff and ensure that both senior and middle management set the right tone in their behaviour and communications. This is particularly so given the move to more remote working. Data analytics offer insights to drive compliance programmes and authorities’ expectations in this regard are increasing. Compliance teams should consider whether they use data effectively enough to inform the design, implementation and effectiveness of compliance programmes.
Ensure corporate culture supports effective compliance
Expect more scrutiny of how corporate culture and compliance interact - Recent bribery enforcement suggests that just having policies and procedures in place, even if externally certified, will not necessarily be adequate either to prevent financial crime in an organisation or to provide an 'adequate procedures' defence for a company faced with prosecution under 'failure to prevent' type offences. How the policies and procedures are embedded in an organisation is critical to making them effective. Large global companies with sophisticated ABAC policies and procedures have fallen foul of bribery laws where the culture at the company has permitted bribery to take place. We expect to see continued scrutiny by authorities on 'tone from the top' and the tone from within (i.e. middle management).
How you should respond - How an organisation responds to issues that arise is seen as one of the litmus tests for the culture of an organisation. The implementation of the EU Whistleblower directive across many EU Member States highlights the importance of companies having fit for purpose whistleblowing programmes. The identification of incidents through a proper compliance and whistleblower programme, a prompt and objective investigation, and appropriate remediation not only limits damage for the company but may be viewed positively by the authorities.
Navigate conflicting laws driven by national security and geopolitics
Expect increasing global geopolitical tensions to ensnare more companies - The dynamics of geopolitics and national security concerns means that businesses can increasingly end up as pawns, often being stuck between conflicting requirements that require delicate navigation.
New data and national security laws in China need to be carefully considered during any investigation which has a Chinese nexus. The U.S. government has explicitly said that fighting corruption is now a U.S. national security priority – meaning more FCPA enforcement. There are new sanctions aimed at overseas corruption and human rights abuses (e.g in the US, EU and UK). And counter-measures/blocking rules (eg. in China and the EU) are aimed at limiting the impact of some sanctions.
How you should respond - Companies will need to consider the commercial, legal and enforcement context in order to adopt a sensible path through these national security driven and often conflicting requirements.
Don’t underestimate the expanding global enforcement web
Expect greater international collaboration and information sharing among enforcement agencies - Despite the geopolitics, there is undoubtedly more collaboration between some jurisdictions either informally or formally. A June 2021 White House memo states that working with international partners on anti-bribery enforcement is a priority. The new European Prosecutors Office started work in 2021 and is already involved in investigations. More countries are entering into bilateral cooperation agreements in the fight against financial crime.
How you should respond - Any investigation that has touch points in more than one jurisdiction will likely involve the authorities talking behind the scenes at the investigation, charging and settlement stages. This should impact a company’s strategic decisions, particularly around interactions with authorities during an investigation.
Looking after your data
Expect more attention from regulators and enforcement agencies as they double down on data protection and cybersecurity failures - More jurisdictions are introducing data protection laws or national security laws which apply to a company which needs to move or use data during an internal or external investigation (e.g. Hong Kong, China, South Africa).
How you should respond – Understand the legal and enforcement context that applies to any use or movement of company records, documents or any other data during an investigation. There is no substitute here for being attuned to the attitudes of the authorities involved, and knowing the options when navigating a path which deals with data privacy and other legal concerns whilst at the same time enabling a company to investigate allegations of misconduct or meet requests from foreign regulators.
Expect enforcement agencies to want to see evidence stored abroad: Criminal authorities are keen to have the ability to access data held abroad relating to a company under investigation. There have been law reforms or proposed law reforms in the US, UK, EU, South Africa and Australia all aimed at making it easier for authorities there to obtain data directly from foreign third party communication service providers. There have been legal challenges (for example in the UK, Australia, Belgium) over authorities’ ability to access data or compel production of documents abroad.
How you should respond - Lawyers involved with external investigations need to understand the proper remit of authorities’ powers to order or seek disclosure of data held abroad (e.g. by a holding company or by a third party communications service provider). This insight should inform a workable, risk-reducing approach to disclosure as well as capitalise on cooperation credit if a company decides to provide documents that go beyond what an authority is legally entitled to compel.
Expect cybersecurity to remain a priority. Companies face hefty fines, and cybersecurity remains a favourite on many authorities’ compliance and enforcement agendas. U.S. SEC Chairman Gary Gensler has prioritised cybersecurity, including cyber-hygiene and incident reporting. In Australia, ASIC has brought its first court action against a company for failing to have adequate cybersecurity systems in place. The pandemic provided a breeding ground for cyber criminals to infiltrate organisations on a scale not seen before, with ransomware the malware of choice for many seeking to cause maximum disruption to businesses during already challenging times.
How you should respond: The most effective way to address the threat of these attacks is to invest in strong defences and experienced personnel whilst implementing robust processes and procedures so that a business stands ready to react, respond and remediate any incidents that occur. Read more on our cybersecurity series: “Infiltrate, extort, repeat”.
Understand the risk/benefit analysis on 'cooperation'
Expect to have to weigh up the pros and cons of cooperation - Many developed regimes encourage a company under investigation to cooperate with the authorities in order to obtain 'credit' which can, in turn, mean a greater chance of avoiding a corporate conviction and help to secure a discounted fine.
How you should respond - Corporate appetite for cooperation will depend on the perceived benefits. Consider whether penalty discounts are sufficiently differentiated from a company that is convicted following a guilty plea or does not initially self-report. The degree of cooperation that a company will want to engage in should be informed by an understanding of the advantages and disadvantages, its approach in other jurisdictions, and also an analysis of the risk of corporate criminal liability, which varies by jurisdiction and, as above, is another evolving area of law.
Be alive to the pinch points on privilege
Expect more pushback when claiming legal privilege – This has been a challenge for some years. There is often a tension between an authority's expectations of cooperation, and rules on legal professional privilege. Some authorities are hardening their stance on privilege, eg by demanding either third-party certification of privilege claims or exercising or demanding more power to determine the applicability of legal privilege in particular cases.
How you should respond - In-house counsel are advised to continue to consider carefully how to manage issues of privilege and cooperation, perhaps adopting a tiered approach with “crown jewel” privilege claims (for example communications with external lawyers) and other privilege claims which it may be less uncomfortable about waiving (for example, notes of interviews with some employees). Any decision to waive privilege must be informed by a strategy to minimise the wider impact of any waiver as well as an analysis of the possible use that an authority may make of the material, including possible onward transmission by the authority to a third party.
Our lawyers have a vast amount of strength and depth in many geographical areas and are used to helping our clients navigate all these issues to reach effective and practical solutions. If you would like to discuss any of these issues please contact firstname.lastname@example.org or your normal Allen & Overy contact.
These top ten challenges are part of the Allen & Overy Annual Cross-border White Collar Crime and Investigations Review.