Between a Rock and a Hard Place: Navigating Disclosures to U.S. Regulators Within the Framework of China’s State Secrets Law
U.S. Securities and Exchange Commission (SEC)-registered companies operating in China face unique challenges when responding to requests for documents from U.S. regulators. Under China’s State Secrets Law, Chinese companies cannot disclose any document that contains “state secrets” without prior authorization from the Chinese government. China’s broad prohibition on disclosure of state secrets may encompass workpapers and other documents prepared in the course of audits of the financial statements of Chinese issuers or material subsidiaries. However, U.S. regulators believe that reviewing workpapers and other documents is a fundamental component of investigating potential misconduct and ensuring the quality of the audit work.
As a result, U.S. regulators will likely continue to request workpapers and other documents from the auditors of U.S.-listed Chinese companies. Such requests place the companies and their audit firms in a difficult position. If the firms comply with the requests, they risk violating Chinese law and incurring severe sanctions, including potential imprisonment of individual partners. Although U.S. and Chinese regulators are working to address the tension between U.S. and Chinese law, companies can take steps to mitigate their risks until the issue has been resolved.
China’s State Secrets Law defines state secrets as “matters which have a vital bearing on state security and national interests and which are entrusted to a limited number of people for a given period of time.” The law further defines state secrets to include “[o]ther matters that are classified as state secrets by the National Administration for Protection of State Secrets.” Because the definition of state secret is both ambiguous and expansive, it potentially encompasses a broad array of information that is routinely captured in audit documents. Although recent remarks from China’s Ministry of Finance (MOF) clarified that there is no “blanket ban” on disclosure of audit documents relating to Chinese companies, the MOF cautioned that documents containing state secrets must not be disclosed.
Under U.S. law, however, “[a]ny foreign public accounting firm that prepares or furnishes an audit report with respect to any issuer” is subject to the Sarbanes-Oxley Act, as well as the rules promulgated under the act. Section 106 requires foreign accounting firms to produce their audit workpapers to the SEC or the Public Company Accounting Oversight Board (PCAOB) in connection with an investigation by either body. The incongruence in the requirements under U.S. and Chinese law places accounting firms, and their audit clients, in a difficult position. Because China’s State Secrets Law carries criminal exposure, U.S.-registered accounting firms and their foreign affiliates have been reluctant to produce documents to regulators outside of China.
In an effort to address this dilemma, U.S. and Chinese regulators have been working to develop procedures that would grant U.S. regulators access to information necessary to ensure market transparency, while also allowing China to protect sensitive information. On May 24, 2013, the PCAOB announced that it had entered into a Memorandum of Understanding (MOU) on Enforcement Cooperation with the China Securities Regulatory Commission (CRSC). The MOU allows the PCAOB to obtain access to the audit workpapers of China-based audit firms for enforcement purposes. The MOU does not, however, allow the PCAOB to conduct inspections of Chinese auditors, including the Chinese affiliates of the “Big Four” accounting firms.
The PCAOB inspections program is an integral part of its mission to improve audit quality. When we asked about the status of achieving PCAOB inspections of Chinese audit firms, a board member said, “Progress is being made and I am hopeful for a positive outcome in the near future.” If a deal is not reached, it is possible that the PCAOB will deregister Chinese audit firms, which would preclude the firms from auditing or playing a substantial role in the audit of SEC-registered companies.
After the MOU was signed, the CRSC announced a new procedure for screening audit documents for state secrets. Now, when a foreign regulator requests audit documents, accounting firms are required to: (1) screen audit documents and redact or otherwise remove all state secrets or other sensitive information; (2) retain independent law firms to certify that the screening was done properly; and (3) obtain client certification that the accounting firm performed its work properly. After completing the screening process, the accounting firm must submit the documents to the CRSC for review. The CRSC is then responsible for disclosing the documents to the foreign regulator.
In a case involving Deloitte Touche Tohmatsu CPA Ltd. (DTTC), the CRSC’s process seems to have worked. In that case, the SEC issued an administrative subpoena for audit workpapers and other documents concerning DTTC’s audits of a China-based issuer. When DTTC refused to comply with the SEC’s subpoena citing Chinese secrecy laws, the SEC filed a legal action to compel DTTC’s compliance. In early July 2013, almost a year after the SEC requested the CRSC’s assistance in procuring DTTC’s workpapers, the CRSC notified the SEC that it intended to release certain of the workpapers. Shortly thereafter, the CSRC produced scores of documents and provided logs of documents (or portions thereof) that had been withheld on the grounds that they were designated as state secrets under Chinese law. In January 2014, based on the CRSC’s continued cooperation, the SEC agreed to dismiss its action against DTTC.
Despite the successful resolution of the DTTC matter, questions remain as to the CRSC’s willingness to cooperate with SEC investigations. As a result, the SEC has continued to pursue legal action to compel auditors of Chinese issuers to disclose their workpapers. In early 2014, a SEC administrative law judge issued an order suspending the Chinese units of the Big Four firms for their refusal to disclose audit documents of Chinese clients to the SEC. The SEC had sought the audit documents in connection with its investigations of more than 130 Chinese companies that are publicly traded in U.S. markets. The accounting firms refused to produce the requested documents, claiming that they contained state secrets and, therefore, could not be disclosed to foreign parties under Chinese law. The SEC filed an administrative proceeding against the firms, arguing that disclosure of the audit documents was required under U.S. law. The administrative judge agreed with the SEC and barred the firms from leading audits of companies traded in the United States. The accounting firms have appealed the judge’s order to the SEC commissioners and the case is currently pending. If the judge’s ruling is upheld on appeal, the firms will be suspended from practicing in the United States for six months. It would not be surprising if a resolution is achieved while the matter is on appeal. Indeed, recent filings with the SEC state that the parties are negotiating a settlement.
While a complete remedy for the conflicting regulatory requirements remains elusive, U.S.-listed Chinese companies can take certain steps to mitigate their potential exposure. First, companies should execute audit engagement letters that require their audit firms to provide notification upon receipt of a foreign regulator’s request for audit documents. The engagement letter should also specify how the audit firm will respond to such requests. Second, upon learning of such a request, the company should engage competent, outside counsel to review the audit documents for state secrets. Alternatively, outside counsel can review and assess the reasonableness of the auditor’s analysis of whether the documents implicate state secrets. Third, the company should coordinate with the CSRC on the foreign regulator’s request, work with the CSRC on any redactions and obtain authorization to disclose the prescreened documents. Lastly, the company should maintain a record of any information redacted or withheld from foreign regulators on the basis of the State Secrets Law. By taking these steps, the company and its audit firm can persuasively argue that they have complied with the regulator’s request to the fullest extent allowable under Chinese law.
James M. Commons is a partner based in the Firm’s Washington, D.C., office. His practice focuses on white-collar and securities defense, government investigations, corporate internal investigations and complex civil litigation.
Eugene I. Goldman is a partner based in the Firm’s Washington, D.C., office. He is a senior member of the Firm’s White-Collar and Securities Defense Practice Group. He represents U.S. and international clients before the SEC in financial fraud, auditor misconduct, false disclosure, insider trading and other securities enforcement proceedings.
Jared T. Nelson
Internal investigations can be highly risky and exceedingly difficult in China. The threshold problem is that “investigations” are generally the nearly exclusive right of the state, and companies—even companies’ lawyers—are sometimes restricted from carrying out many activities that might overlap with those carved out and reserved solely for the government.
Historically, attempts to operate in this grey area have been harshly penalized. After an explicit ban and crackdown on private investigation agencies in 1993, there were signs that regulation of the services had been loosening more recently, and many investigation firms began to work more openly and to speak out for legalization of their industry. However, starting in 2012 with the imprisonment of four investigators from a global research firm, and continuing with this summer’s sentencing of a British and an American citizen who operated an investigation firm on charges of illegally obtaining personal private information of Chinese citizens (reportedly including household registration records, automobile registrations, real estate information, phone logs and travel records), the government has been sending a clear message that even well-established investigation firms conducting what had come to be viewed as routine work may face steep penalties.
In addition to the general difficulties of conducting an internal investigation or audit with a scope narrow enough to be legal but broad enough to be effective, these projects will almost certainly involve the handling of protected information. During the course of internal audits, personal private information of employees might be obtained, handled or processed. The personal private information of customers or other third parties is also often involved in internal audits. For certain industries and certain types of companies, proper handling of Chinese “state secrets” can be a paramount concern, especially in matters involving China’s state-owned entities.
WHAT CAN COMPANIES DO TO PREPARE NOW?
Developing a proactive strategy for handling digital evidence during a crisis situation is crucial to avoiding legal liability, ensuring that internal audit findings will be admissible in court and successfully protecting the company’s interests. Obtaining appropriate consent, in advance, can be the key to unlocking the value of large-scale data resources that might otherwise be inaccessible. Having carefully planned procedures and protocols for handling information that might be high risk for state secrets is essential to ensuring that, in the pressure of a crisis situation, there are no missteps or violations.
To properly handle employees’ personal private information, the most important thing companies can do proactively is obtain consent to collect and review digital evidence. In China, the key documents for securing this consent are employee handbooks and labor contracts. Both should include clear provisions that prohibit employees from using company e-mail addresses or hardware for personal private information, as well as clear language stating that employees explicitly consent to allowing the company to access all documents, files and any other information stored on company hardware, as well as all e-mails sent from or received on the company’s domain. Yearly training on these policies with signed certificates from all employees adds an additional layer of protection. Using personal private information of customers and third parties is more complex, but comparable forms of consent and careful contract drafting can help shield companies from liability and allow internal audits to proceed when necessary.
Insulating a company from liability related to state secrets requires similar levels of advanced preparation and proactive crisis management planning. First, a company should identify any employees, customers, departments, products or services that might be at high risk for obtaining or handling, even accidentally, state secrets. After any high risk areas have been identified, strict protocols and procedures should be established that isolate these areas during an internal audit to ensure that no state secrets are improperly exposed, handled or transferred out of the country.
WHAT SHOULD COMPANIES DO DURING AN INTERNAL AUDIT?
When an audit is already underway, one of the most valuable things that a company can do to ensure that it handles data properly is to receive help from experienced, local law firms. A “do it yourself” or “learn as you go” approach can result in serious violations arising out of the investigation itself, and companies might actually create new legal exposure in the effort to uncover existing issues. Experienced, PRC-licensed lawyers will advise clients to be as transparent as possible with employees and third parties about data collection, and to obtain specific consent for collection and review wherever possible without undermining the investigation. Seasoned counsel will also be able to guide companies through the complex technical details of accessing and collecting information while still preserving a forensically sound and legally admissible version of the evidence for potential later use during a trial or court proceeding. During the review of the material, strong procedures and protocols must be in place so that protected information is isolated and dealt with appropriately if accidentally handled or disclosed.
Protected information concerns are easy to overlook during the rush of an investigation, but violations can create significant liability for individuals and the company, and may taint the admissibility of any evidence collected for later offensive or defensive use. Early preparation, before an investigation is even being contemplated, is key to limiting liability and ensuring proper access to relevant information for any potential future project. Hiring experienced local law firms during an investigation will help reduce risk exposure and increase the chances of a successful review.
Jared T. Nelson is a foreign counsel for MWE China Law Offices in Shanghai. His practice focuses on antitrust and compliance.
Using Internal Controls to Mitigate FCPA/Corruption Risks in China
Over the past two years, multinational corporations (MNCs) with offices in China have taken notice of the anticorruption initiative President Xi Jinping has been leading. This crackdown has affected not only state-owned enterprises (SOEs) and political officials, but also private industry in China. MNC responses have ranged from increasing the frequency of visits by headquarters-based internal auditors to establishing local compliance departments. An MNC’s response depends on the industry in which it operates and the maturity of its anti-fraud program in China. Regardless of the MNC’s level of sophistication, now is the time to take an in-depth look at the way MNCs are mitigating and addressing fraud risks, particularly Foreign Corrupt Practices Act (FCPA) and corruption risks.
Following are three key internal controls that when properly implemented will strengthen an MNC’s compliance environment in China.
Third Party Due Diligence
The importance of third party due diligence in China cannot be over-emphasized. MNCs should consistently apply a program that takes into account the limited amount of information publically available in China because it’s likely they will not be able to cite these limitations as a defense for conducting inadequate due diligence on third parties.
The third parties that pose the greatest risk to MNCs generally are sales agents, distributors, agents assisting with customs clearance, joint venture partners, marketing event planners and travel agents. This list is ever-evolving, however, and may change as further schemes are exposed in China.
Due diligence on these third parties should take into consideration the third party’s level of government interactions and possible conflicts of interests with employees. If the third party will be selling to SOEs in China, robust review procedures should be performed and documented. In addition to applying these review procedures to new third parties, MNCs should review their existing third parties and assess the level of due diligence that was initially performed when the MNC engaged the third party. For higher risk third parties, routine, recurring diligence is recommended.
Having a strong third party due diligence program will lower the chance of conducting business with unethical entities and satisfy anti-corruption regulations in the United States and certain other countries.
Vetting Marketing Events with Customers
There are significant risks inherent in hosting or sponsoring customer marketing events in China. One of the most prominent risks is the potential that the MNC is over-charged by event organizers, conference centers or hotels, and excess funds are diverted to existing or potential customers as an improper payment. In China, marketing events with customers are consistently used as a means to fund improper payments; therefore, scrutinizing these events is part of a strong governance program.
While evaluating the reasonableness of costs for certain sponsorships is certainly challenging, there are benchmarks that are useful in measuring such costs. The background materials for the event should be scrutinized based on an RMB threshold established by internal audit or compliance. The event planner, hotel or conference center should be able to provide a detailed breakdown of costs prior to the event. For larger events, these materials should be reviewed by multiple in-house parties including marketing, upper management, operations, internal audit and compliance. For those items that appear suspicious, MNCs should consider performing an independent assessment that includes confirming the details of the event and pricing a similar event at the venue. More and more MNCs are also sending an internal audit or compliance employee to the event, or sending an external party independent of the vetting process, to confirm such elements as the number and identities of attendees, the agenda, sponsorship exposure and additional details to confirm that the event complies with the their gift and entertainment policies.
Internal Audit Resources Sitting in China
To be effective in China, internal audit departments must have knowledge of the local business practices. Many MNCs periodically send headquarters-based internal audit teams into China to test certain accounts and review business cycles. This approach does not fully capture China-specific business nuances and risks. If an MNC does not have local internal audit resources to interview Chinese staff, test transactions and review supporting documentation, it should consider engaging a local firm to supplement the visiting internal audit team. If an MNC has an established local internal audit team, it is important for the team to maintain a direct reporting line to internal audit leadership at headquarters. If they do not, local management could have an inappropriately strong influence on the direction and results of local internal audits.
China’s crackdown on corruption has significant momentum. As a result, MNCs are re-assessing their internal controls in China to ensure they are taking the necessary steps to minimize potential liability. By properly implementing the internal controls described here, MNCs will be better able to avoid becoming a victim of the widespread fraud that the crackdown seeks to reduce.
Paul Peterson, CPA, CFE, CIA, is director of Forensic, Investigation, & Dispute Services at Grant Thornton China. He focuses on fraud investigations, global anticorruption, litigation support and consulting services related to anti-fraud programs and controls.
U.S. lawyers are often flat out flabbergasted by the prospect of having to deal with a Chinese government investigation, because Chinese laws are perceived to be ambiguous and their enforcement selective. U.S. lawyers trained to argue their cases in court through a system of discovery that places great emphasis on giving each side ample opportunity to discover the other’s evidence and avoid trial by ambush will find the Chinese system particularly unsettling, and oftentimes, completely incomprehensible. This is not surprising.
To effectively handle a Chinese government investigation requires a radically different mindset and approach. If the U.S. litigation system is a ladder, with each step signaling a different set of rules, the Chinese government investigation system is a network where success depends on creating the most connections among a large number of scattered dots.
However, many of the skills and abilities essential to succeed in a Chinese government investigation are not foreign to U.S. litigators. The challenge lies in adapting to a different way of thinking—a tall task for those without actual experience working and living in China.
Different Levels of Government Investigations
It is axiomatic everywhere that a criminal investigation is much worse for the subject than an administrative one; this is particularly true in China. Not only does a criminal indictment signal the potential for criminal liabilities, but essentially guarantees that the ultimate outcome of the investigation will be unfavorable to everyone charged. In China, authorities are loath to issue a criminal indictment unless they are certain of obtaining a criminal conviction at trial. Therefore, Chinese authorities often use an administrative investigation as a fishing expedition for evidence that can be used in a potential criminal investigation down the road. According to China’s Rules on Transfer of Allegedly Criminal Cases by Administrative Agencies, administrative agencies usually (but not always) defer decisions to their criminal colleagues when there are parallel administrative and criminal investigations into the same subject matter.
An administrative enforcement agency does not typically get a criminal enforcement agency involved unless there is already strong evidence of criminal wrongdoing. Authorities would never risk public embarrassment in a high-profile case.
While the involvement of a criminal enforcement agency does not necessarily spell the end for the investigation target, a criminal indictment likely does. Discovery is stacked in the authorities’ favor. The period of time from the issuance of a formal indictment in China to the rendering of a verdict rarely is more than a month, but criminal enforcement agencies (the local public security agencies or the State Public Security Bureau) usually have up to six months from the start of an investigation to decide whether to bring any criminal charges. Furthermore, government authorities, regardless of whether they are pursuing an administrative investigation or a criminal investigation, are not required to disclose in advance all evidence to be presented at a trial, even on the eve of trial.
Given these practices, the criminal conviction rate following trial in China exceeds 98 percent. With the odds so hopelessly stacked against defendants, it is best to avoid the prospect of a criminal trial all together. In the context of a Chinese criminal investigation, prevention is definitely better than cure.
The Role of Experts
It is widely accepted in U.S. litigation that outcomes often depend largely on the quality of a party’s experts. Trials can boil down to a battle of experts—respected and personable experts who exude an air of competence and impartiality are viewed by jurors with less suspicion than lawyers. The same is true for experts in government investigations in China, but in somewhat different ways.
While experts in U.S. litigation usually may only testify to non-legal matters outside the grasp of lay persons, such restrictions do not exist for experts in Chinese government investigations. Experts cannot only attempt to clarify the meaning of ambiguous laws and regulations at issue, but also advocate to judges for favorable interpretations. Such expert opinions carry much weight with judges and the general public.
Choosing the right experts and maximizing their effectiveness can be a tricky affair. First, choosing the right expert in the right field with the right focus is critical. As in U.S. litigation, Chinese authorities are unlikely to pay much attention to an expert whose expertise is not focused on the specific laws relevant to the investigation. Perhaps counterintuitively, it is often better to retain respected experts who are not the most prominent authorities in their field, because high-profile experts are often unwilling to take an approach that differs from the approach taken by the government. Experts who do not enjoy the same prominence are more likely to argue vigorously on a client’s behalf.
Second, it is imperative for lawyers to establish good rapport with experts. Experts usually make appointments within very busy schedules; if at all possible, it is best to work with their schedules. That includes identifying and retaining experts as soon as you suspect their services might be needed, promptly giving the experts the information they need to render their opinions, addressing schedules several months in advance and accommodating experts’ schedules when conflicts arise.
Third, it is especially important to retain experts early, because their role typically is not solely to testify at trial, but to spread their opinions by publishing articles in appropriate media (newspapers, magazines, academic journals and other places) and giving talks to the appropriate audiences. It often takes months for their work to have the desired impact.
Fourth, it is wise to carefully identify for experts what information is confidential and privileged. China generally does not recognize an equivalent of the U.S. work product doctrine that protects from disclosure certain materials prepared in anticipation of litigation. If an expert discloses certain information, intentionally or unintentionally, there likely will be no way to get such information back under wraps. Consequently, it might be sensible to only disclose to experts information they absolutely need. Strict confidentiality agreements are strongly recommended to help prevent experts from intentionally disclosing confidential information.
Fact Gathering and Dealing with Disgruntled Employees
Obtaining the cooperation of company employees who have the information counsel needs in a government investigation is difficult in any matter, but particularly difficult in China where, in practice, employees’ communications are unlikely to be shielded from disclosure. While China’s authorities have compulsory powers backed by the threat of obstruction of official investigations, the company’s counsel only has authority delegated by the company’s top management (often overseas and far away from China), which might not be enough in a time of crisis. When certain employees already hold a grudge against the company, collecting all the facts and data can be a daunting challenge.
A comprehensive internal data collection effort is necessary at the very beginning of any Chinese government investigation. Experienced lawyers have developed skills for getting necessary information. Instead of making a blanket request to all potentially relevant employees to turn over all relevant information, as might occur in the United States, requests to a smaller group of trusted employees who are likely to be loyal to the company might be a more effective starting point. Well-run companies will have employment contracts and labor agreements that explicitly require the disclosure of company information.
Instead of collecting information under the lawyers’ names, it can sometimes be more effective to direct company IT professionals and managers to lead the collection efforts, reducing alarm among the employees. At times, disgruntled employees demand payment in exchange for information, but the company absolutely cannot violate the law and give in to such demands. Companies should be vigilant about communicating with authorities during investigations, possibly including disclosing adverse information before the information gets to authorities from other sources.
Many western lawyers coming to China for the first time will often find the differences in language, culture and legal systems make China as impenetrable as the Forbidden City. But with China’s GDP on par with the total GDP output of the Middle East, Latin America, the Caribbean and Africa combined, working in China is not a matter of “if” for multinational companies. With its economy slowing in the midst of a difficult transition period, Chinese authorities have placed unprecedented emphasis on corporate compliance. Trusted local counsel having in-depth knowledge of Chinese government investigations as well as western litigation experience can help multinational companies avoid bungling even small or routine investigations and creating greater risks.
Ping An is foreign counsel for MWE China Law Offices in Shanghai, where he focuses his practice on corporate compliance and government investigation issues.
Catching Tigers and Flies: A European View on Compliance in China
Nowadays, when discussing compliance implementation involving investment in China in European headquarters, one is tempted to refer to the Chinese saying: 万事开头难 wàn shì kāi tóu nán, or “All things are difficult before they are easy.”
China’s new anticorruption policy, announced by President Xi Jinping at end of 2012, marks a real change in business practice in China. As soon as the Communist Party of China adopted an eight-point plan in 2012 regulating gifts and invitations to officials, European newspapers began discussing whether this was merely an empty declaration or if it was a significant change in Chinese business culture.
Now, more than a year after President Xi Jinping declared that not only flies, but also tigers would be held accountable—meaning that high-ranked officials are not insulated from the fight against corruption—the effects of the new anticorruption policy are clear. Indeed, as basic examples, some high-end hotels are trying to downgrade to avoid losing business, and many luxury brands are seeing sales in China decline. More notably, arrests and sentences of senior officials are reported quite frequently.
Navigating Different Business Cultures
In Germany, compliance officers are improving their understanding of the Chinese concept of “guanxi,” or the Chinese way of maintaining relationships. While German business tends to be rather settled on an objective level, it is tradition in China to build intense relationships with business partners.
The gift-giving business culture in China is entirely different from that in Europe. Many European operations have concluded that the “zero tolerance” approach to gifts and invitations that makes sense in Europe does not work in Chinese business development. Consequently, compliance programs have been adapted to permit acceptable forms of guanxi, while prohibiting anything designed to improperly influence officials, and the concept of guanxi is now considered when drafting new global anticorruption guidelines and internal gift policies.
European compliance managers struggle daily with China’s guanxi traditions on one hand and expectations of strict anticorruption policies on the other hand. More extravagant forms of guanxi, such as invitations to exclusive events or for travel, have been reduced dramatically, and the adverse consequences to business development are being monitored closely.
What Is Still Allowed?
The most common question European compliance managers face is “What is still allowed?” Unfortunately, there is no “one fits all” answer. The analysis typically begins with differentiating between public officials and private-sector business partners, although that is not without significant challenges. The number of state-owned businesses in China remains very high, and managers in those businesses qualify as state officials under European anticorruption laws. Moreover, China law does not exclude items of value to private sector officials from anticorruption law.
Nevertheless, European companies place greater restrictions on invitations and gifts to state officials than to business partners in the private sector. Modest invitations and gifts of low value are generally considered unproblematic because they are unlikely to have an influence on decisions.
In Germany, the answer to “what is still allowed” is often a simple one: an invitation to a schnitzel restaurant. While the “schnitzel” baseline might lack legal sophistication, in Germany, it is one people can easily grasp. And while schnitzel might not be as popular in China, it likely will be easier to translate than many other legal standards.