Key issues to consider when implementing global compliance programs and conducting investigations to enforce potential rule and regulation violations
Originally appeared in InsideCounsel on March 30, 2015
Establishing an effective global compliance program
In recent years, particularly in the aftermath of the global financial crisis, the financial services industry has seen an unprecedented increase in regulatory demands. Amidst the economic recovery that is taking place, regulatory authorities in many countries are in the process of implementing stricter regulations in order to prevent another financial crisis. While these new and comprehensive regulations may provide the financial market with necessary certainty and stability, they also provide financial institutions operating in these markets with new challenges. Confronted with these challenges—not only within the European Union and the United States, but all around the world—financial institutions have begun to realize the growing importance of an effective compliance function in navigating through the maze of regulatory demands.
Within the financial sector, the term “compliance” implies adherence to the laws, regulations, rules and standards applicable to the banking services provided in the financial markets. In the United States, it relates to compliance with all standards, not just those related to services. Failure to adhere to those standards can in turn expose the financial institution to various risks, including financial losses, reputational damage or sanctions by regulatory agencies. While initially the supervision of employee transactions and insider trading were the primary focus of the compliance function in Germany, today investor protection is gradually becoming the focus of attention.
In that regard, in order to ensure adherence to the applicable rules and regulations, the compliance function is assigned various responsibilities all over the world. While specific responsibilities differ depending on the country—although increasingly harmonized within the European Union—the following core responsibilities, which have been recognized by the Basel Committee on Banking Supervision, are to be found in some form in most jurisdictions.
First, the compliance function should be entrusted with the identification, assessment and measurement of risks. Second, the compliance function should advise the financial institution, particularly management, on compliance with the applicable rules and regulations and inform them about any changes. Third, the compliance function should be tasked with the education and guidance of the financial institution’s employees. Fourth, the compliance function should monitor compliance and the controls in place and test them for their effectiveness. Fifth, given that the financial institution’s management will be responsible for any infringement of the applicable rules and regulations, the compliance function should also report—on a regular basis—to management regarding the assessed risks, changes and developments in the applicable regulatory and legislative framework, any infringements and corrective measures as well as any other compliance-related matters. In structuring a compliance program that incorporates the aforementioned responsibilities, firms should take into account, on a risk-based approach, the different compliance risks associated with particular tasks.
The compliance function has gradually expanded in today’s complex financial services market and now plays four roles. First, compliance continues to serve in its traditional role of protecting the financial institution against potential financial or reputational losses. Second, the traditional role has expanded to include an advisory role, namely providing the institution and its employees with legal certainty regarding the applicable rules and regulations. Third, the compliance function plays a marketing role, viz. strengthening the relationship with, and trust of, the consumers as a component of increased fairness and transparency. Fourth, compliance has an innovative function, namely stimulating new practices and procedures within the financial institution.
The compliance function constitutes a vital part of any financial institution, especially multinational credit institutions which engage in cross-border activities and are subject to different legal systems and supervisory authorities. Not only does it ensure adherence to the applicable rules and laws regarding the provision of services and products within the financial markets and thereby help prevent financial and reputational losses, but the compliance function also helps strengthen consumer relations and stimulate innovation by helping the financial institution to navigate through today’s rapidly growing and ever more complex regulatory landscape, be it in the United States with the Dodd-Frank Act, in Germany with the Securities Trading Act or in the European Union with the upcoming revised Markets in Financial Instruments Directive II.
Investigating and enforcing potential violations
An effective compliance program should include a mechanism for investigating and enforcing violations of internal policies and external regulations. Any such policy should have protocols for reviewing trading data, account information and electronic communications; interviewing employees and other potential witnesses; and formulating risk analyses and remediation plans. For multinational financial services firms with offices and affiliates around the world, investigations often take on cross-border dimensions. Such firms and their counsel should consider the following issues when planning and conducting cross-border investigations.
Understanding the legal system and social customs in each country in which a firm is conducting an investigation is critical to avoiding potential liability. U.S. and local law can differ in ways that materially affect an investigation, including the substantive law governing the fraud or misconduct at issue in the investigation; the laws protecting employees and whistleblowers; the degree of freedom a business has to investigate violations without involving local government authorities; and how to collect and use evidence.
A firm conducting an investigation involving the extraterritorial application of a U.S. law such as the Foreign Corrupt Practices Act, for instance, should also consider whether the investigation implicates local law and how those laws differ. For example, criminal penalties can be imposed against corporate entities under U.S. law, but other countries’ laws may provide for criminal liability only for natural persons. Such distinctions could create unexpected conflicts and affect a firm’s approach to an investigation.
In the employment context, unlike in the United States, employees in some jurisdictions cannot be terminated or disciplined for failure to cooperate with an employer’s investigation. In addition, some jurisdictions have a very narrow window of time—in some cases, just a few days—after an employer discovers evidence of wrongdoing during which it can use that evidence in support of a termination for good cause.
Firms should also understand that some jurisdictions’ criminal procedure laws can limit, or even forbid, private parties from conducting investigations because such investigations are considered intrusions on the function of the government. Before initiating a cross-border investigation, it is important to identify any local procedural rules or customs that might restrict private internal investigations or require the involvement of local law enforcement.
Multinational firms conducting cross-border investigations often need to access and transfer data back and forth between offices and affiliates in different jurisdictions. But in certain circumstances, that might trigger data protection or privacy laws in regions like Europe, Asia or Latin America. For example, the European Union has adopted data protection laws that protect a broadly-defined category of “personal data” from being “processed” (a broadly defined term) unless the individual whose information is at issue consents, the data is necessary for the performance of a contract with the individual, it is necessary to comply with local legal obligations, or the legitimate interests of the entity collecting the information outweigh the individual’s privacy interests.
Some jurisdictions have also enacted “blocking statutes,” which criminalize the exportation of certain categories of information. For example, Switzerland’s well-known bank secrecy law prohibits banks from disclosing bank account information, and China’s state secrets law imposes severe penalties for disclosing information relating to “state security and national interests,” which could be construed expansively.
Finally, U.S. lawyers routinely rely on the attorney-client privilege to prevent employee interviews and other investigative communications from being disclosed. But the relatively robust attorney-client protections recognized under U.S. law may not apply to investigations in other jurisdictions. Some jurisdictions—China, for example—do not recognize the attorney-client privilege at all. Other jurisdictions may recognize a privilege, but it may not apply to U.S.-licensed lawyers or in-house counsel.
These are only some of the key issues multinational financial services firms should consider when implementing global compliance programs and conducting investigations to enforce potential violations of the applicable rules and regulations. It is important that such firms understand the legal and regulatory framework in the jurisdictions in which they are operating in order to reduce potential risks and strengthen business operations.