As the end of the year is fast approaching, we take a look back at a few of the most important compliance and anti-corruption trends that defined 2019.
This year saw a ton of activity from regulators in several jurisdictions developing their corporate leniency programs, major developments in the data privacy sphere, and a few enforcement actions in which botched implementation of compliance software led to dire consequences, among other developments. It goes without saying that the trends described below are not an exhaustive list, but rather a selection of the most interesting developments for the year.
We recap the most compelling compliance and anti-corruption trends of the year and identify the lessons that can be learned.
1: Data Privacy Takes Center Stage
Data privacy has been a hot topic for several years now, but the introduction of the General Data Protection Regulation (GDPR) in May 2018 ensured data privacy will be top of mind for compliance professionals. There has been tons of nervousness about how the regulation would actually be enforced and 2019 gave us some clues as enforcement actions got underway. Most notably, the French regulator CNIL fined Google 50 million euros in January as it determined that the search giant violated key principles of GDPR by not allowing users sufficient granularity in the way its user privacy settings are designed in the course of creating a Google account when setting up an Android phone.
Then, over the summer, the UK's Information Commissioner's Office (ICO) announced its intention to issue GBP 100+ million pound fines to both British Airways and hotelier Marriot International in separate data breach cases on article 32 grounds that the controllers had insufficient technical and organizational measures in place to ensure information security. All three businesses have publicly stated that they will appeal the fines. The appeals are likely to stretch well into 2020 (and possibly beyond) and once settled, should provide some of the first jurisprudence to guide compliance and privacy officers going forward.
Compliance officers will soon have another worry to add to their list as the entry into force of the California Consumer Privacy Act (CCPA) is slated for January 1st, 2020. CCPA is somewhat similar to GDPR, but at a base level, companies will be required to disclose what personal data is being collected, if they sell it and to whom, and provide users with the option to opt-out of any sales.
Other U.S. states are already following California's lead: Nevada passed a CCPA-style amendment to its existing privacy laws which entered into force on October 1st, 2019 and New York has been debating an even tougher set of rules, but the bill did not pass in the state's most recent legislative session. With this emerging patchwork of privacy laws, compliance officers face a real challenge of keeping up. A few public corporate reactions have included Microsoft stating that it will apply the key principles of the CCPA throughout the U.S and Twitter is going even further by opting to make global changes to its privacy practices from Jan 1st, 2020 onwards.
Perhaps as a consequence of privacy legislation and the publicity given to data breaches and scandals of the likes of Cambridge Analytica, privacy appears to have become a marketable selling point. Apple's Tim Cook has been publicly calling for Federal privacy legislation in the U.S. and the company he helms has extensively advertised its privacy philosophy through ad campaigns this year. Even Google, the subject of the first high profile GDPR fine, has recently been advertising how customizable its privacy settings are to the public.
It is also clear that the general public is increasingly concerned with privacy and data security. A consumer study by PwC found that 92% of those surveyed believed they should have control over their data, and 71% said they would no longer wish to do business with an organization that shared their data without their consent. The bottom line is: with data privacy legislation quickly developing in multiple jurisdictions, regulators stepping up enforcement, and consumers becoming increasingly privacy-conscious, data privacy has gone from an afterthought to one of the most central compliance issues for any organization. Going into 2020, ensure data privacy plays a central role in your overall compliance and anti-corruption strategy.
2: Corporate Leniency Programs Firmly Take Hold on Both Sides of The Atlantic
The focus on self-reporting, cooperation, and remediation from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the U.S. is in itself nothing new. Yet, 2019 saw a notable flurry of activity from a range of regulators pertaining to a wider area, making this a top compliance and anti-corruption trend for the year. First off, the DOJ released a major update to its Evaluation of Corporate Compliance Programs document that was first released in 2017. While the document is not a list of best practices, but rather guidance for prosecutors on how to evaluate a compliance program once a business is already in trouble for alleged violations, the document has become a de-facto guide for many compliance professionals. The DOJ also made revisions to its FCPA Corporate Enforcement Policy on two separate occasions this year, in an effort to make it clear to companies what it expects from them if they wish to qualify for leniency. The updates concerned topics including ephemeral messaging apps and clarification on what is required when a company self-reports.
Second, the DOJ announced in July 2019 that its Antitrust Division will now also consider offering Deferred Prosecution Agreements (DPAs) and reduced fines to companies who had strong pre-existing compliance programs — a dramatic reversal from its previous winner-takes-all approach to self-reporting. In addition, the U.S. Commodity Futures Trading Commission (CFTC) announced in March 2019 that for companies who self-report violations of the FCPA to the Commission may be spared civil monetary penalties if they self-report, cooperate, and remediate the conduct, in a fashion similar to the DOJ's guidance.
On the other side of the Atlantic, British and French authorities issued their own guidance. The U.K.'s Serious Fraud Office (SFO), released guidance in July 2019 for corporations on how to self-report violations. The document makes it clear that the SFO is keen to shape the way in which corporations conduct their own internal investigations to aid quicker resolution of investigations.
In France, the national prosecutor (PNF) and the French Anti-Corruption Agency (AFA) released guidelines on when they would consider a company is eligible for a Convention Judiciaire d'Intérêt Public (CJIP) — France's version of a Deferred Prosecution Agreement. The move towards CJIPs means a reversal from the traditional adversarial fight-to-death model where companies would defend themselves to the maximum extent to a model where cooperation is encouraged for a better outcome. The AFA also released draft guidance on how to handle Gifts & Entertainment compliance.
As helpful as all this guidance is to compliance officers, the differences in approaches to leniency from different regulators in various jurisdictions increase the challenge of coordinating a coherent global compliance program. In fact, the chair of the OECD's bribery group recently expressed concerns about 'piling-on' and a lack of coherence between enforcement agencies investigating the same conduct. However, over time the convergence of prosecutorial practices and cultures is likely to further encourage multi-jurisdictional cooperation between authorities which in turn further increases the potential liability companies face in case of violations. To keep up with the pace of these developments going forward, compliance teams should coordinate their programs globally while accommodating the regulator's expectations locally.
3: Focus on Anti-Money-Laundering in Europe
Over the past few years, money-laundering scandals have been grabbing headlines across the globe, but nowhere more so than in Europe. Regulators are finally waking up to the problem and have begun cracking down on the scourge. Last year, Denmark's largest bank, Danske Bank, became embroiled in a far-reaching money-laundering scandal involving its Estonian branch where it may have allowed up to EUR 200 billion to be laundered. The fallout from that scandal continued this year, as Sweden's Swedbank is now under investigation by authorities in Sweden, Estonia, and the U.S. Swedbank fired its CEO earlier this year and has admitted shortcomings in its anti-money laundering efforts as a reported USD 135 billion in "high-risk non-resident" money flowed through its Estonian branches. Germany's Deutsche Bank is also under investigation for involvement in the scandals, with reports coming in this week that the U.S. Department of Justice is now investigating the bank's role in moving tainted money into the United States. Following the scandals, a number of the EU's biggest members, including Germany, France, and Italy, are now calling for a central supervisory anti-money laundering body to tackle the problem.
In the European Union, the requirements of the 5th Anti-Money Laundering Directive (AML5) are due to become law across the EU on January 10, 2020. As part of AML5, larger emphasis is placed on verifying Ultimate Beneficial Ownership (UBO). Affected businesses will have to identify and verify the ultimate beneficial owners of an organization before engaging in business with a new partner. While every EU Member State will be required to have a publicly accessible UBO register, in practice compliance departments will need additional data sources. Reflective of the seriousness of the problem, follow-on Directive AML6, which increases maximum sentences for individuals and extends criminal liability to legal persons for money-laundering offenses conducted by a 'directing mind' in an organization, will be transposed into national laws by December 2020. Going into 2020, expect anti-money laundering to become increasingly prominent compliance and anti-corruption trend that compliance teams, particularly those in sensitive industries such as real estate, will have to address with increasing urgency.
4: The EU Whistleblower Directive: A Big Leap Forward?
Whistleblowing once again rose to public prominence this year. The role of whistleblowers in a functioning democracy has been extensively discussed this year following the anonymous complaint a whistleblower lodged against U.S. President Trump in relation to alleged misconduct by the President in foreign policy dealings with Ukraine. Leaving aside partisan squabbles about whistleblowing, operating an effective internal reporting program remains a priority for compliance departments around the world.
For compliance departments in Europe in particular, whistleblowing is going to become an even hotter issue over the coming two years following the somewhat surprising passage of the EU Whistleblower Directive in April 2019. In brief, once the Directive is fully transposed into Member States' individual legal frameworks in late 2021, all organizations with more than 249 employees will be required by law to run effective internal reporting systems. Moreover, concerned persons will be allowed to bypass internal programs completely and go straight to the authorities if they are not confident that their complaint will be handled correctly internally. Also, it will no longer be possible to stifle employees with non-disclosure agreements. As a result, companies will be greatly incentivized going forward not only to facilitate whistleblowing but to foster a true speak-up culture to ensure that employees won't feel compelled to bypass internal channels completely. Facilitating a speak-up culture includes implementing proper technology to easily allow for claims to be made, documentation to be automated, and investigations to be streamlined across the organization.
5: Poor IT Resulting in Violations
While perhaps not rising to the level of a compliance and anti-corruption trend, we would be remiss to not point out that this year has shown what can happen when your compliance IT procedures are not up to par. Certainly most dramatically, Australian bank Westpac landed in hot water after it was revealed that it failed to file mandatory reports with Australian regulators for 19.5 million transactions worth over USD 11 billion. The reason for the failure? A key part of the scandal revolves around a systematic failure in the bank to design, implement, and maintain appropriate IT infrastructure.
As part of Australia's Anti-Money Laundering and Counter-Terrorism Financing Act in 2006, banks were required to set up a way of automatically feeding information on international incoming funds transfers to Australian financial regulators AUSTRAC. In order to comply, Westpac's IT teams created a "convertor" program that converts information associated with these transfers into the format required by the regulator. The program appears to have worked well for most foreign correspondent banks, but for a few banks the system failed to automatically generate reports to be sent to AUSTRAC — it appears that the program simply wasn't configured properly. However, the seemingly innocent glitch wasn't discovered for almost eight years.
In another case, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) fined Apple a modest USD 467,000 to settle sanctions violations after the tool it uses to screen for sanctioned companies and individuals failed to detect a sanctioned company and its owner. Apple did business for several years with a company called SIS, d.o.o. and its owner Savo Stjepanovic after Apple's tool failed to match uppercase and lowercase letters that differed between Apple's system and the list maintained by OFAC. This happened despite the fact that the address Apple had on file for the company matched the address on OFAC's list.
Compliance departments deal with an enormous amount of data that needs to be screened every day, and the reality is that it is impossible to ensure compliance without a strong technology setup. However, if you are not using the latest technology or fail to properly implement, maintain, and audit the outputs of the tools, then you remain at risk of (spectacular) failures. If you think your current technology solution, or lack thereof, could be putting your program at risk, 2020 would be a great time to go through a vendor selection process and elevate the technology that supports your compliance strategy. Although switching vendors can be time-consuming, it can be one of the most transformational and impactful things you can do for your program.
The Year Ahead: Compliance and Anti-Corruption Trends
There you have it: a few of the most prominent compliance and anti-corruption trends in 2019. It is clear that compliance teams have a ton of challenges facing them heading into 2020 as they grapple with data privacy laws, tweaking their programs to adjust to the latest regulatory guidance, and crucially, ensuring that their compliance technology is up to par.
