

In March 2022, 44% of respondents to a survey of corporate counsel and legal and compliance professionals in the United States, Europe and Asia cited data breach and cybersecurity as the highest legal threat to their organisations, followed by contract disputes (30% of respondents) and regulatory risk (27%).(1) These are also pressing factors that may affect organisations in China, and thus key issues for compliance officers to consider (for further information please see "While the cat's away: assessing risk in dynamic environments").

This article highlights the key compliance issues for Chinese companies in 2022 and considers how companies can mitigate risks.

Key compliance issues

Data regulation
New Chinese legislation on data and cybersecurity, the Data Security Law and the Personal Information Protection Law, has taken effect. The introduction of these two new data laws was a significant move towards comprehensive data regulation in China. However, specific and operable requirements remain unclear. Authorities have published only limited implementing measures to date, many of which remain in draft form.

Contractual obligations
Business disruptions are expected given China's current pandemic control strategy and will inevitably affect many companies' ability to meet contractual obligations or delivery milestones, exposing them to potential risks of contract default where compliance strategies and regulations are concerned.

Increased sanctions activities and government enforcement
Increased sanctions activities and government enforcement have resulted from geopolitical tensions. The outbreak of the Russia-Ukraine crisis has triggered a series of sanctions activities against Russia. China and Russia have significant business ties. For companies and financial institutions located in China, having a direct or indirect business relationship with Russia exposes them to unprecedented and tremendous sanctions risk. In the meantime, the geopolitical tension between the United States and China continues. By applying the newly established Anti-Foreign Sanctions Law, China has implemented reciprocal sanctions against foreign entities and individuals.(2)

Mitigation strategies

The following are measures that can be taken to address the issues above. Compliance and legal professionals should:

  • look out for the implementation guidelines and/or judicial interpretations from the authorities in relation to the new data laws, especially for companies that collect, process and transfer personal data and/or data that may be of importance to state interests (eg, geographic data);
  • proactively review and supplement the existing compliance programmes to address any blind spots, and adjust business processes and/or infrastructure where necessary;
  • perform a comprehensive evaluation of operations that may be subject to pandemic disruption and thus heightened government rules. It is important to reassess risks, and then prepare contingency and response protocols, just as for health and safety incident management;
  • designate knowledgeable professionals to continuously monitor foreign sanctions updates, as well as local laws and regulations;
  • adapt sanctions compliance programmes to reflect counter-sanctions measures – for example, by including on the company's watch list those entities and individuals targeted by China's Ministry of Foreign Affairs; and
  • establish and finance training and learning protocols, so that employees are always up to date and can form an effective part of the "prevent, detect and respond" compliance cycle.


Special consideration should be given to organisations that have some local control functions in China but rely more on centralised regional or global headquarters to exercise corporate governance (eg, finance, legal, internal audit and IT departments). These companies should look out for the ongoing fraud and compliance risks arising from the travel restrictions to and within China; the effectiveness of monitoring and controls may be hindered by the inability to visit the site in person. Transforming the critical controlling exercises into a hybrid or fully remote operation that is carried out regularly and according to plan can help mitigate risks. Additionally, compliance officers may want to consider reviewing company protocols and reiterating the company's commitment to the code of conduct and business ethics.

For further information on this topic please contact Stephen Yu, Tao Shen or Jiayan Xu at AlixPartners by telephone (+852 2236 3500) or email. The AlixPartners website can be accessed at


(1) To view the full global survey results, see "2022 Litigation and Corporate Compliance Survey".

(2) In 2021, the Chinese government reacted to every OFAC designation resulting from Hong Kong and Xinjiang-related sanctions. For further information see here.