New European Parliament Corporate Due Diligence and Corporate Accountability

 

Corporate due diligence and corporate accountability: ending an era of voluntary policing. A new EU mandate places liability on companies unable to assess and mitigate unethical third-party behaviour. New legislation requires companies operating in the EU to ‘identify, address and remedy their impact on human rights and the environment throughout their global value chains.’

Situation Analysis:

  • In 2017, nearly 25 million people were categorised as victims of forced labour (International Labour Organization, 2017 report).
  • From 2000 to 2012, nearly 25% of all tropical deforestation was due to illegal agro-conversion for export markets (2019 study).

Global economies have significantly benefited from an increase in cross-border and international business partnerships, which has led to a substantial expansion of the global value chain. Subsequently, more and more companies are being exposed to potential liability by unscrupulous third-party providers in their supply chain pipeline with little respect for business ethics, human rights or the environment.

There is a growing concern worldwide of the many supply chain businesses linked to severe abuses, including exploitative working conditions, modern slavery and child labour, toxic pollution, rampant destruction of rainforests and a general disregard for corporate governance.

For decades, companies have voluntarily monitored supply chain partners for bad behaviour, but this self-policing has been limited. Now, the European Union Parliament has presented mandates for EU businesses – under penalties of law – to carry out due diligence to identify, prevent, mitigate and account for actual or potential human rights violations and negative environmental impacts in their operations and supply chain.

“We live in a world where businesses with the wherewithal can still shift their adverse social and environmental impact to the most vulnerable people and places on the planet.” Lara Ianthe Wolters, Member, European Parliament

The Challenge: You are Liable for the Conduct of Your Partners; Lack of Due Diligence will Get you into Trouble

The legislation requires companies operating in the EU to identify, address and remedy their impact on human rights (including social, trade union and labour rights), the environment (contributing to climate change or deforestation) and good governance (such as corruption and bribery) throughout their value chain.

This is akin to saying that if a company fails to conduct due diligence on a third-party partner that engages in slave labour, pollutes the environment, manipulates the price or violates jurisdictional regulations, that company is essentially complicit in the partnering company’s illegal behaviour. It may be held liable in a court of law.

Aside from legal and monetary penalties, the company further risks a tarnished reputation in the market and a devaluation of its brand.

It’s crucial for businesses utilising global supply chain partners to conduct due diligence and assess the potential risks that a third party may pose to your organisation, particularly when addressing risks associated with environmental damage and human rights violations.

The Solution: Identify Unethical Behaviour and Protect Your Organisation with 3PRM, Corporate Due Diligence and Risk Management

CRI Group™ developed a highly specialised assessment solution for Corporate Due Diligence and Third-Party Risk Management to assist organisations in accurately identifying, preventing, mitigating and addressing actual and potential adverse impacts of affiliating with global partners. The solution complies with all EU mandates.

From enhanced due diligence to identify non-compliance of the regulatory framework and damaging environmental allegations to investigating company (or stakeholder) human rights violations related to labour laws, child labour or human trafficking, CRI Group experts help determine the legal compliance, financial viability, and integrity levels of outside partners and suppliers affiliated with your company’s value chain.

Outcomes

Recent studies have demonstrated a positive correlation between the extent to which companies implement environmental, social and good governance policies, and their overall economic performance, all while contributing to a more stable global marketplace. Such responsible business conduct:

  • Enhances protection for workers
  • Improves access to justice for victims
  • Safeguards the environment
  • Ensures fair products for consumers

Further, apart from general compliance with EU mandates, such organisations enjoy a wealth of intangible benefits, including:

  • Reduced overall liability risks
  • Improved stakeholder protection
  • Lower costs resulting from conflicts
  • Improved company transparency
  • More profound knowledge of the value chain
  • Enhanced reputation in the market 
  • Improved social standards for workers

“The global pandemic has demonstrated that resilient global supply chains that protect both the people and planet will be crucial to companies and economic recovery in the future.” Transparency International EU

CRI Group’s corporate due diligence and accountability solutions can help your organisation comply with a growing list of global regulations and mandates related to human rights and the environment while acting as an integral part of your business decision-making and risk management systems. 

Are you prepared to conduct a due diligence assessment on your global partners? Contact CRI Group to learn more about our Corporate Due Diligence and Accountability solutions and stay one step ahead of the pending EU mandates. We look forward to assisting you.

 

Zafar I. Anjum | MSc, MS, LLM CFE, CIS, MICA, Int. Dip. (Fin. Crime), Int. Dip. (GRC), MBCI, CII Int. Dip. (AML)

Group Chief Executive Officer, Corporate Research and Investigations Limited

e: zanjum@crigroup.com | t:+44 7588 454959

Our enhanced Integrity Due Diligence services will ensure that working with, for example, a potential trade partner will ultimately achieve your organisation’s strategic and financial goals. To find out more about each level of due diligence, contact CRI Group.


John Wood Group to Pay $177 Million to Settle Bribery Charges Inherited Through its Merger

John Wood Group Bribery Probe Traces Back to its Merger with Amec Foster Wheeler Plc.

John Wood Group Plc has agreed to pay $177 million to settle the UK-led bribery and corruption probe into a British engineering firm it acquired in 2017. The settlement is part of a so-called deferred prosecution agreement with the Serious Fraud Office and the US Department of Justice concerning Amec Foster Wheeler Plc.

The UK agreement is still subject to court approval. As part of the deal, the company can avoid prosecution for three years if it cooperates in the continuing bribery probe. Wood Group’s payment is one of the largest ever obtained in a UK-led bribery and corruption case. The biggest was a $1.2 billion settlement with Airbus SE that also involved the US and French authorities.

In 2017, the SFO opened an investigation into Amec’s use of third parties to gain contracts, just weeks after shareholders approved Wood Group’s proposed acquisition. The DOJ said the probe concerned a scheme to pay bribes to officials in Brazil for a $190 million contract to design a gas-to-chemicals complex.

As part of the deal announced, at least $10.1 million will settle charges brought by the US Securities and Exchange Commission. The DOJ said it would get about $18.4 million to resolve its criminal charges in the Brazil bribery probe. Amounts to be paid to the UK and Brazil are yet to be made public.

Wood Group announced that it was close to a settlement. It originally said it expected a deal for $186 million, with about $60 million paid in the first half of 2021 and the rest over three years. The company also agreed to pay $10 million to Scottish authorities earlier this year to settle the case.

“The investigations brought to light unacceptable, albeit historical, behaviour that I condemn in the strongest terms,” Wood Group Chief Executive Officer Robin Watson said in a statement. “Although we inherited these issues through acquisition, we took full responsibility in addressing them, as any responsible business would.”

The company has “cooperated fully with the authorities” and “taken steps to improve further our ethics and compliance program from an already strong foundation,” Watson said. “I’m pleased that, subject to final court approval in the UK, we have been able to resolve these issues and can now look to the future.”

The agreement comes amid criticism of the SFO and its inability to prosecute individuals after securing settlements with companies. Earlier this year, the SFO dropped its probe into former Airbus directors and was dealt a humiliating setback after its trial against two former Serco Group Plc directors fell apart because it failed to disclose evidence.

In May 2021, the SFO opened one of its biggest investigations into suspected fraud and money laundering concerning GFG Alliance and its financing agreements with Greensill Capital. It was after months of intense pressure from lawmakers to investigate Sanjeev Gupta’s empire.


Source: Financial Crimes News


The Importance of Due Diligence in Mergers and Acquisitions to Avoid an Incident Like the One at John Wood Group

Due diligence is understood as the reasonable steps taken to satisfy legal requirements in the conduct of business relations. That allows you to reduce risks – including risks arising from the FCPA (Foreign Corrupt Practices Act) and the UKBA (UK Bribery Act), to make informed decisions and to pursue takeovers or mergers with more confidence.

Unlike other kinds of control (audits, market analysis, etc.), it must be completely independent and rely as little as possible on information provided by the researched subject. The other important difference lies in the methodology: commercial or financial due diligence analyses available information, whereas the investigative type provides reliable and pertinent, but raw, information.

Due diligence on potential business partners when adding a new vendor or hiring a new employee is vital to confirm the legitimacy and reduce the risks associated with such professional relationships. Global integrity due diligence investigations provide your business with the critical information it needs to make sound decisions regarding mergers and acquisitions, strategic partnerships, and the selection of vendors, suppliers, and employees.

It will ensure that working with, for example, a potential trade partner will ultimately achieve your organisation’s strategic and financial goals. CRI Group investigators employ a proven, multi-faceted research approach that involves a global array of databases, courts and public record searches, local contacts, industry and media resources, and in-depth web-based research. Our resources include:

  • International business verification
  • Individual business interest search
  • Personal profile on individual subjects
  • Company profile on corporate entities
  • Historical ownership analysis
  • Identification of subsidiaries & connected parties
  • Global/national criminality & regulatory records checks
  • Politically Exposed Person database
  • International digital media research
  • Company background analysis
  • Industry reputational assessment
  • FCPA, UK Anti-Bribery & corruption risk databases
  • Global terrorism checks
  • Global financial regulatory authorities checks
  • Money laundering risk database
  • Financial reports
  • Asset tracing
  • Country-specific databases that include litigation checks, law enforcement agencies & capital market regulators

DueDiligence360™ from CRI Group™

WHAT DO YOU ACTUALLY KNOW ABOUT THE INTEGRITY OF THE PARTY & THEIR WAY OF DOING BUSINESS? DOES OR DID THIS PARTY ADHERE TO (INTER)NATIONAL REGULATIONS ON ANTI-CORRUPTION & ANTI-BRIBERY? IS IT POSSIBLE THAT THERE IS A LIABILITY RISK?

At CRI Group™, we specialise in Integrity Due Diligence, working as trusted partners to businesses and institutions across the world. Our people work with energy, insight and care to ensure we provide a positive experience to everyone involved – clients, reference providers and candidates.

CRI’s unique identity and vision evolved from our fundamental desire to support our clients and their candidates. Safeguard your business and its integrity with DueDiligence360™.

Our DueDiligence360™ service exposes vulnerabilities and threats that can cause serious damage to your organisation and can significantly reduce business. CRI Group is trusted by the world’s largest corporations and consultancies – outsource your due diligence to an experienced provider and you will only ever have to look forward, never back. Clients who partner with us benefit from our:

Expertise
CRI Group™ has one of the largest, most experienced and best-trained integrity due diligence teams in the world.

Global scope
Our multi-lingual teams have conducted assignments on thousands of subjects in over 80 countries, and we’re committed to maintaining and constantly evolving our global network.

Flexibility
Our DueDiligence360™ service is flexible and can apply different levels of scrutiny to the subjects of our assignments, according to client needs and the nature of the project.

ISO 37001 Solutions for All Industries (Part 3)

In part 1, we discussed how ISO 37001 ABMS can help companies across a wide range of industries, including automotive, aviation and insurance. In part 2, we looked at how pharma and healthcare, property, IT and telecommunications organisations can benefit from Anti-Bribery solutions as well. In this final part, we will explore some aspects of how companies from the financial, oil and energy industries could implement ABAC solutions.

Finance

Bribery and corruption are among the top fraud concerns for all financial organisations. These include banks and financial institutions, real estate lenders, business credit and finance companies, commercial investment corporations, asset-based lenders, debt financing firms, acquisition capital firms and others. Having safeguarding processes in place is required both from a legal and compliance standpoint and from the position of being a trusted, secure financial institution. The financial sector is subject to new Anti-Money Laundering (AML) rules and legislation, and these regulations are strict and increasingly enforced. As such, remaining in compliance through implementing proper prevention controls is a must.

In one high-profile case, between 2006 and 2013, JPMorgan Chase and its subsidiary, JP Morgan Securities (Asia Pacific) Limited (JPM-APAC) took on about 100 Chinese interns and full-time employees who ended up at the centre of a bribery case spread over two continents and worth hundreds of millions of dollars. In order to win business from members of the Chinese government and state-owned companies, JPM-APAC allegedly targeted their children, offering them high-ranking and well-paid positions in the business in order to curry favour with their parents. JP Morgan fell into trouble for allegedly violating the Foreign Corrupt Practices Act (FCPA), and the DoJ called the scheme ‘bribery by any other name’ – alleging that it had threatened national security. In November 2016, the bank was ordered to pay $264 million to settle the claims against it – $130m to the SEC for violations of the FCPA, $72m to the US Justice Department and $61.9m to the Federal Reserve Board of Governors.


ISO 37001 in Oil, Gas and Energy Industries

The oil and energy sector is a massive portion of the world’s economy, dealing mainly in petroleum – including upstream (exploration, development and production of crude oil or natural gas) and downstream (oil tankers, refiners, retailers and consumers) pipeline. The need to prospect, discover, and realise oil and energy production in various (and often far-flung) locations lends to the vulnerability to fraud – but geographic considerations aren’t the only risk factors.  Perhaps even more impactful is the complexity of business relationships required to operate in the industry – relationships with governments, contractors, regulators, investors/venture partners, equipment suppliers and other parties. Every such interaction and dealing can be considered susceptible to bribery and corruption where cutting corners may be considered profitable or even perceived to be “business as usual.”

An infamous example is the case of Petrobras. In December 2017, the world’s largest builder of offshore rigs agreed to pay $422 million in penalties after entering a guilty plea for bribery charges connected with the Petroleo Brasileiro (Petrobras) scandal. Keppel Offshore & Marine Ltd. made illicit payments to both Petrobras officials and government representatives for more than a decade, between 2001 and 2014 (Reuters, 2017). The sweeping multimillion-dollar bribery scandal that rocked Petrobras led to numerous investor lawsuits and the downfall of disgraced government officials. It also served as the embodiment of the huge risk of bribery and corruption that confronts the entire oil and energy sector. See “Oil and Energy Companies Look to ISO 37001.”

Long-lasting Benefits of Certification of ISO 37001

ISO 37001 provides a strong framework for addressing and isolating risk factors in all industries. The benefits of certification are far-reaching, impacting not just the primary organisation but also influencing contractors, clients, and raising the profile of the company as an ethical entity that is a good trading partner. Even more effective, ABAC™ tailors ISO 37001 to the specific needs of the client.

By achieving ISO 37001:2016 certification, an organisation will ensure that it is implementing a viable anti-bribery management system utilising widely accepted controls and systems. It will also assure management, investors, business associates, personnel and other stakeholders that the organisation is actively pursuing internationally recognised and accepted processes to prevent bribery and corruption. Today, companies cannot afford to be reactive to threats of bribery and corruption. By achieving ISO 37001 Anti-Bribery Management System certification today, an organisation will remain in compliance and better positioned to address risks head-on.


Who is CRI Group?

Based in London, CRI Group™ works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

 

Tackling Corporate Fraud in the Middle East

Tackling corporate fraud in the Middle East has become even more challenging during the pandemic. ICAEW Insights sat down with our founder and chief executive, Zafar Anjum, to discuss the rising levels of corporate fraud in the Middle East during the pandemic.

Find out how CRI™ is using AI to investigate wrongdoing. From fake degrees and doctored CVs to false insurance claims and bogus bills, our corporate fraud investigators in the Middle East have seen it all. Zafar told ICAEW his firm was busier than ever as the pandemic triggered a rise in white-collar crime cases across the region.

From its base in London, CRI has been helping firms in Middle East regions like Qatar, Dubai, Abu Dhabi and Saudi Arabia, regions where anti-fraud frameworks are still being built out inside the embryonic corporate regulatory regimes that govern the Middle East.

“We’ve seen a lot of insurance fraud claim investigations, fake bills, fake debts and fraudulent certificates designed to cheat insurance companies,” Zafar said. “Covid allowed internal controls to be relaxed; people are working from home, so the usual checks and balances are missing.”

Nascent Regulatory Regime

Last year, PwC research found corporate fraud was on the rise across the region, with nearly half of all local companies reporting at least one occurrence in 12 months. Zafar said the lack of counter-corruption model legislation such as the UK Bribery Act 2010 often meant policing the business areas such as the Dubai International Finance Centre (DIFC) fell to private companies as the regulator doesn’t have the resources to cover the scale of the problem. 

“In the Middle East, the issues relating to fraud and corruption are of concern because there isn’t the legislation when compared to developed countries. The definition of fraud and fraudulent activities are different across the Middle East,” he said. 

The DIFC was established in 2004 to create a safe and constant upward regulatory environment for companies to do business. One of its aims was to attract investment from London and Wall Street firms and other corporates from both continents. A regulator was created to monitor the market, and the set-up was replicated for the Abu Dhabi and Qatar financial business districts. 

The economic “free zones” have relied on firms themselves to help shape the regulatory framework, Zafar said, which has created a mixture of frameworks as standards are broadly aligned with the UK or US markets.

“It’s not national-level legislation, which carries its own problems. There have been scandals, and a lot of that centres on fraudulent financial statements, investment scams,” Zafar said. “A prevalent problem is vendor/third-party screening and false claims, especially during the bidding process. Some firms exaggerate their capabilities and are not able to deliver.”

Investor Scams on the Rise

A big part of CRI Group’s work is analysing financial statements, checking backgrounds, and working with compliance teams to root out bad actors. Zafar said investor scams were also on the rise across the UAE; because the country is ripe for development, some fraudsters had found it easy to prey on foreign victims who are drawn to the opportunities but unwilling to carry out proper due diligence.

The UAE’s family offices are a driving force of industry, and the name carries significant weight regarding deals. “It’s very risky to invest without carrying out the proper checks, and unfortunately, a lot of people come in blind,” Zafar said.

“Fake property claims are rife. It can be individuals who are targeted or small groups of foreign investors. One case involved a handful of US investors who wanted to invest in some economic and humanitarian projects. They wanted to create jobs, other activities, but fell in with people who weren’t with the families they claim to be a part of.”

Family names are often taken by scammers and used to convince investors to part with their cash fairly frequently, Zafar said. “Because many people don’t care about due diligence, it can end up costing millions of dollars,” he said. “It’s so hard to recover the money, to catch the fraudster. If the victims don’t have local consultants or experts, it can be hard to trace back and recover the damages.”

An investor group puts its trust — and its funds — in the hands of an outside business partner without considering a due diligence check on the individual.

Eighteen months into the partnership, the individual has succeeded in fleecing the group of more than $6 million and is still at large. Investigators such as CRI™ are increasingly turning to artificial intelligence and machine learning tools to help with screening. Zafar said great strides had been made in tackling corruption and bribery.

Public and Private Investigation Partnerships

Databases of politically exposed individuals, or of persons who have links to crime, are on watchlists or have criminal activity linked to their name or accounts, are rapidly being populated for use by regulators and private investigators.

“We’re trying to prove that there is a role for AI in detecting crime and that it can be a part of the investigative process. Machines will scan publicly available databases, criminal cases and the like, and we can check if firms have been blacklisted by authorities such as the Asian Development Bank, IMF or World Bank, which is really helpful.”

In the past, these checks would have to be carried out by hand, one by one. “It’s hard, almost impossible! Name matches are probably the largest problem in the Middle East. You cannot find a person with the first name Mohammad or last name Khan; you’ll get billions of matches, so we need to develop a database that builds on this with other information. There isn’t a nationwide electoral database in any Middle East region, so you can see how much work still has to be done.”

Credit history, employment checks and previous addresses are a handful of ways the files can be built out, Zafar said, and his team is working on ways to streamline that process. There was no concept of background screening in 2008 when Zafar’s team started, and despite having come a long way, he said they still encounter fraud on a massive scale.

Alarming Numbers

“Sometimes applicants try to falsely fill the gap in their CV, which is dangerous because we don’t know if they’ve spent time in jail,” he said. “More common red flags are fake degrees and fake previous employment references. We found one in 20 applications for a job had fake degrees, experience letters, or fake references in some regions. It’s a huge number, and some of the universities were prestigious too, which makes it quite alarming.”

Another big area of focus is auditing gifts and donations passed through a company concerning projects carried out. His team works with companies to ensure their anti-bribery controls are as robust as possible, given the tough penalties on offer. 

“It’s a criminal liability for a company, and the directors will be liable if they don’t have the proper anti-bribery procedures in place,” Zafar said. “Accounts and financial teams are critical to making sure firms have proper internal controls.”

CRI is also on a mission to stamp out “box-ticking” compliance, which has traditionally been a problem across the Middle East due to the nascent regulatory framework. “If you’re conducting audits, nothing will happen if this is the way; you’ll never spot the problem,” he said. “The role of accountants, whether internal or external, is to shape the controls and make sure they are implemented effectively.”

He said bribery through sales commissions, waste for public service, sexual extortion or sextortion as a form of corruption could be rife in some sectors. It was up to companies to ensure money wasn’t being paid outside official channels to staff. 

“We understand it’s a process for some firms who are not used to doing it this way, but we’re here to help,” he said. “Companies need to establish their compliance documentation and make sure it’s up to the standard. The most important areas are due diligence and anti-bribery policies. This should not be a paper-based box-ticking exercise, it has to be implemented, and every employee must know the company believes in zero-tolerance of corruption.” 


 

What’s Law vs Allowed with Pre-employment Screening Around the World:

Pre-employment Screening is a vital yet overlooked function in an organisation. Many organisations scale their businesses globally and into multiple countries simultaneously. The main reason why many businesses may opt not to run prior background screening on their employees is that they are more inclined to believe that the potential employee is telling the truth. Another reason is that businesses may not be aware of how to run these checks in line with the legal requirements of their country. It is incredibly important to be able to stay on top of the different legal requirements of background checks across the globe, as it helps to comply with and set standards which can help businesses go further in their career span. So what exactly are the different pre-employment screening measures across the globe? Consider this article a handy set of global guides covering the basics that companies need to know.

Background Screening

How do you know the candidate you just offered a role to is the ideal candidate? Are you 100% sure you know that everything they’re telling you is the truth? 90%? They showed you a diploma, how do you know it’s not photoshopped? Did you follow the correct laws during your background checks process? Employee Background Checks and Pre-employment Screening are vital to avoid horror stories and taboo tales that occur within HR, your business or even your brand – simply investing in sufficient pre-employment screening can save you time, money and heartbreak.

However handling employment law compliance in-house can be challenging. We are a leading worldwide provider, specialised in local and international employment background screening, including pre-employment screening and post-employment background checks. We have used our experience and knowledge to bring you this article, which covers 61 key jurisdictions mandatory  background checks vs what it is allowed.

At CRI, our Employee Background Checks as well as Pre-employment Screening can help to reduce the risk of hiring an employee who could cause irrevocable damage to the firm, reversing the impact of the time and money invested into the company to brand their products and services. A single bad hire can cause your organisation a loss of revenue and reputation – all factors which can lead to the failure of a business. Pre-employment Screening checks aid in avoiding such a situation and help businesses gain a competitive edge through hiring competent and qualified people.



 

Pre-employment Screening in Oceania

To summarise, Oceania audits its companies frequently, thus allowing for different measures to be taken to ensure compliance in line with legal requirements. The process also relies on the provision of consent from the potential hires. See the breakdown below.

NEW ZEALAND

  • Law: 1) Required in some industries, e.g. childcare; 2) Immigration compliance.
  • Allowed: Criminal, reference and credit reference checks are permissible but are subject to the candidate’s consent.

AUSTRALIA

  • Law: Immigration compliance.
  • Allowed: Permitted with the candidate’s consent and subject to relevant discrimination laws. Offers of employment may be subject to pre-employment screening checks including criminal record checks or medical examination if necessary to determine fitness for a particular job.

Pre-employment Screening in The Middle East and North Africa (MENA)

Immigration compliance is prevalent in the laws across MENA regarding employee background checks; however, what is allowed in line with the legal guidance varies from country to country. This may be due to the differing laws covering either a broader or a narrower spectrum of employee background checks. See the breakdown below.

TUNISIA

  • Law:  Every company must require its employees to undergo a medical examination and, in particular, a medical examination relating to the employment. The results of the medical examinations belong to Occupational Medicine. It is obligatory for any company governed by the Labour Code to have an Occupational Medicine service in place, whatever its number of employees.
  • Allowed: Employers may ask employees to provide information relating to criminal records, subject to the employee’s prior consent. There are no legal requirements or restrictions on pre-employment screening measures such as education checks or reference checks. In principle, the CV contains the necessary education and work-related information, and the employer can request a copy of any diplomas or certificates of work or internship.

UNITED ARAB EMIRATES

  • Law: Foreign employees must receive prior approval from the Ministry of Human Resources and Emiratization (MOHRE – formerly, the Ministry of Labour), or relevant free zone authority, and the immigration authorities before they can be hired on local employment contracts. The level of background checking and screening carried out by the UAE authorities varies according to an individual’s nationality. As part of this approval process, since January 2016, employers registered with MOHRE are required to submit a completed offer letter, signed by both parties, using MOHRE’s standard form offer letter. The terms of the employee’s employment contract cannot then differ from the terms of the offer letter.
  • Allowed: Employers are not able to obtain the same level of information from background checks as they can in other jurisdictions, and in most cases, the employees themselves will be required to provide this information.

BAHRAIN

  • Law: Foreign employees must receive prior approval from the LMRA and Ministry of Interior before hiring on local employment contracts. The level of background checking and screening carried out by Bahrain authorities varies according to the nationality and proposed position of an individual.
  • Allowed: Generally, employers cannot obtain the same level of information from background checks and pre-employment screening as they can in other jurisdictions and, in most cases, the employees themselves are required to provide this information. A Certificate of Good Conduct from the Criminal Investigation Directorate is the most commonly requested document.

SAUDI ARABIA

  • Law: Immigration compliance for all non-GCC employees.
  • Allowed: Criminal and credit reference checks are only permissible for specific roles (e.g., certain finance positions) and are subject to proportionality requirements. Reference and education checks are standard and acceptable with applicant consent.

MOROCCO

  • Law: Immigration compliance. A criminal record check required for certain limited occupations (e.g., solicitors and chartered accountants).
  • Allowed: Identity and personal information checks. Education checks. Prior employment checks.

OMAN

  • Law: Foreign employees must receive prior approval from the Ministry of Manpower and immigration authorities before hiring on local employment contracts. The level of background checking and screening carried out by the authorities varies according to the individual’s nationality.
  • Allowed: Employers may not obtain the same level of information from background checks as they can in other jurisdictions. In most cases, the employees themselves will be required to provide this information.

QATAR

  • Law: Foreign employees must receive prior approval from the Ministry of Labour and Ministry of Interior before hiring on local employment contracts. The Qatar authorities’ level of background screening varies depending on several factors, including the individual’s nationality and whether the individual is a local hire or recruited from abroad. Insofar as we are aware, local nationals are not subject to the same level of checks as foreign nationals recruited by a Qatari entity from abroad. In some cases (depending on the nature of the role), as part of the work permit/residence visa process, employees will be required to provide an attested copy of their degree/high school certificates to the Ministry of Labour.
  • Allowed: Generally, you cannot obtain the same level of information from background checks and pre-employment screening as you can in other jurisdictions – employees themselves will be required to provide this information. For example: Criminal record: the individual can only obtain police checks or Certificates of Good Conduct from the Criminal Evidences and Information Department (CEID). To obtain the Good Conduct Certificate, the individual, if a foreign national, may also be required to obtain police clearance from his home country and provide an attested copy of this police clearance to the CEID. Employment: There is a provision in the Labour Law for employers to provide all employees with a certificate of service if requested, so candidates should be asked to verify their employment history.

KUWAIT

  • Law: The Kuwait authorities’ level of background checking and pre-employment screening varies according to the individual’s nationality. However, foreign employees must receive prior approval from the Public Authority for Manpower (PAM) and immigration authorities before being hired.
  • Allowed: Employers cannot obtain the same level of information from background checks as they can in other jurisdictions – employees will be required to provide this information themselves.

Pre-employment Screening in Asia

The legislation regarding background checks across Asia is incredibly diverse, with some of the ‘allowed’ measures requiring candidates’ consent in some countries and not in others. There are different protection acts in place in each individual country, which contribute to its diverse laws and measures. See the breakdown below.

CHINA

  • Law: Immigration compliance.
  • Allowed: Reference and education checks are standard, even without the applicant’s consent. There is no restriction on criminal record checks.

TAIWAN, REPUBLIC OF CHINA

  • Law: Work permit and residency compliance.
  • Allowed: Non-criminal record certificates, reference and education checks are permissible with applicant consent, although some restrictions apply.

JAPAN

  • Law:  Generally not required.
  • Allowed: Criminal background checks are not prohibited but are discouraged by the labour authorities. You need a strong justification for such checks. In addition, conducting a criminal background check in Japan is difficult because records are not publicly available. Reference and education checks may be completed with consent, but third parties who receive such requests do not always cooperate. Some employers require a health check at hiring, but employers should not conduct HIV testing and gene diagnosis unless there is employee consent and a solid and legitimate reason.

VIETNAM

  • Law:  Before hiring foreign employees to work, as an employer you must obtain written approval from the provincial People’s Committee through the Department of Labour, Invalids and Social Affairs (DOLISA). Possessing a valid work permit issued by the provincial labour authorities is a compulsory condition for foreign citizens to work in Vietnam, except where an exemption applies. Legal sanctions for the employer of a foreign citizen without a work permit include fines, and the authorities may even suspend a business’ operations. A foreign citizen working in Vietnam without a work permit risks deportation. 
  • Allowed:  Employers may request that their employees provide information relating to the execution of an employment contract, such as full name, age, gender, residence address, education level, occupational skills, and health conditions. There are no regulations on obligatory pre-hire checks, including pre-hire reference checks, pre-hire criminal checks or pre-hire credit checks, in the Labour Code 2012. However, specific regulations exist in more heavily regulated fields, such as aviation, security and medicines. Questions about an applicant’s past, health and criminal record are generally permissible in Vietnam.

INDIA

  • Law: There is no statutory requirement on an employer to carry out pre-hire background checks, except for employment in specific sectors such as mining, where medical checks are mandatory before employment. In the case of foreign citizens, the visa stamp or sticker in the employee’s passport will include the name of the employer, and the employer will be required to provide an undertaking to the Foreigners Regional Registration Office (FRRO) on behalf of the employee to register the employee with the FRRO. Therefore, the employer should undertake a basic immigration check at a minimum. In addition, considering that termination of employment is not straightforward in India, it is common for employers to verify the professional and educational qualifications of the candidate.
  • Allowed: Background checks for applicants may be conducted as long as they comply with the fundamental right to privacy, which means that applicant/employee consent should be obtained. Establishments usually have a pre-hire background check policy in place for new hires. Background screening is generally done for education qualification verification, previous employment status, address verification, criminal background verification, reference verification and applicable database verification.

MALAYSIA

  • Law:   Immigration compliance for foreign nationals.
  • Allowed: Pre-employment background screening is not regulated, and the practice varies from one industry to another. Employers should obtain the individual’s consent if the pre-hire checks require accessing, collecting or processing the individual’s personal data to ensure compliance with the Personal Data Protection Act 2010.

THAILAND

  • Law:  Visa and work permit compliance. Age of the employee (the employee must not be younger than 15).
  • Allowed: The use, publication or distribution of any information obtained requires consent from the candidate who has given such information. If the information is regarded as personal data under the Personal Data Protection Act BE 2562 (2019) (“PDPA”), the employer who collects, uses and/or discloses such information must notify the purposes of such collection, use and/or disclosure before receiving consent from the data subject-employee. An applicant can be asked to have a medical examination; however, this can only be done once a conditional offer of employment has been made, and the candidate’s consent should be obtained. Before any criminal or education checks are carried out or employer references are sought, the candidate’s consent should be obtained.

PHILIPPINES

  • Law:  There are no regulatory requirements for pre-hire, subject to compliance with immigration laws for the employment of foreign expatriates.
  • Allowed: The labour law leaves it to the management prerogative of employers to provide for pre-hire checks, including but not limited to a National Statistics Office (NSO)-issued birth certificate, a National Bureau of Investigation (NBI) clearance, a transcript of records for education verification and previous employer references.

SINGAPORE

  • Law: Immigration checks to ensure that the relevant work pass required is obtained for the prospective candidate.
  • Allowed: 1) Offers of employment are often made subject to: a) the prospective candidate having obtained the relevant work pass; and b) the company satisfying the advertising requirements under the Tripartite Fair Consideration Framework and independently determining that the candidate is the best candidate out of all the applicants; 2) Where necessary, the obtaining of satisfactory references and, when appropriate, background and criminal record checks; 3) Employers may also require the prospective candidate to undergo a medical examination and produce evidence of qualifications; 4) Pre-hiring checks must comply with Singapore’s Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA). Generally, employers are required to notify applicants of the purposes for which their personal data is being used in connection with the management and termination of employment and obtain their consent where collecting, using or disclosing their personal data. However, relevant exceptions to the PDPA notification and consent requirements include where the information is publicly available and where the data collected is for evaluative purposes (e.g., to evaluate employee suitability for the role) or for investigative purposes. In particular, there is no requirement under the law to ask for personal identification (NRIC) numbers for job applications. However, the employer would be required to know if an employee is holding an NRIC to determine if a work pass is required.

SOUTH KOREA

  • Law:  Immigration checks are generally required.
  • Allowed: Under the Personal Information Protection Act (PIPA), to conduct background checks beyond the scope generally required to enter into an employment agreement, consent must be obtained from the applicant. Separate consent must be obtained if sensitive information such as an employee’s health information or criminal records is checked.

MYANMAR

  • Law: None.
  • Allowed: Employers may request their employees to provide information relating to the execution of an employment contract, such as full name, age, gender, residence address, educational level, occupational skills, and health conditions. Employers may also request a recommendation letter from a local administration office or a previous employer and may request a criminal background check from the relevant township police station when an employee submits an employment application.

Pre-employment Screening in The Americas

Although verification is a recommended procedure across the majority of the Americas, the vast majority of the countries do not require it by law, and leading countries such as Turkey and the USA do not have any written legislation in place for these procedures. See the breakdown below.

TURKEY

  • Law: None.
  • Allowed: 1) Pre-hire checks (e.g., criminal and credit reference or reference and education checks) are only permissible with the applicant’s consent. 2) Depending on the position of the employee, pre-hire checks are standard.

VENEZUELA

  • Law: None. However, foreign employees must have a labour (TR-L) visa to work in Venezuela. Therefore, an immigration check is recommended.
  • Allowed: Employers are entitled to use any information about an applicant that is in the public domain, including information available on social media, for verification purposes. Employers may also conduct background checks covering a candidate’s education, family and other information at any stage of the hiring process. This includes asking candidates directly for references or contacting previous employers to check references. Information collected must be relevant to the position being applied for. Employers should avoid the collection of information that may be considered offensive or discriminatory. Protected characteristics from discrimination include sex, race, religion, marital status, pregnancy, political beliefs, sexual preferences, social class, union affiliation, physical disability or criminal background. Specifically, requiring criminal records or a criminal background certificate from candidates and requiring female applicants to undergo medical tests to determine pregnancy are prohibited. HIV testing is permissible when the position applied for involves matters of public health.

USA

  • Law:  None, except in certain regulated industries, which may require fingerprinting, background checks, motor vehicle histories, and/or drug/alcohol screening.
  • Allowed: Laws vary from state to state. Reference and education checks are common. Criminal background and credit checks generally may be performed in accordance with applicable federal, state, and local law, with an increasing number of state and local jurisdictions limiting criminal history questions on applications and permitting such checks only following a conditional job offer. Medical examinations and drug and alcohol screening are generally permissible if conducted post-offer and in accordance with applicable law.

BRAZIL

  • Law:  Immigration compliance, a valid ID and a pre-hire medical examination are required.
  • Allowed: Education, prior employment and basic personal information (proof of identity; and residential address) are accepted in certain circumstances. Criminal checks are limited to particular circumstances.

COLOMBIA

  • Law: Immigration compliance.
  • Allowed: 1) Pre-employment background checks are permitted, and it is common to use specialised companies for these services. All background screening checks can include educational history and professional qualifications, employment history, civil litigation, consumer credit checks, criminal and fiscal records, OFAC/Global Sanctions Lists, a driver’s license check and passport/ID validation, among others; 3) On the initiation of the recruitment process, the applicant must grant express written consent to conduct background checks; 4) Under Colombian law, there are few restrictions on an employer’s right to request substantiating documents and to confirm the information provided by the applicant (e.g., regarding health conditions, pregnancy, drug use, family situations and political tendency).

CHILE

  • Law: None. However, an immigration check is recommended to ensure the employee has the right to work legally in Chile.
  • Allowed: In general, employers are permitted to check education and prior employment records. Employers can check financial history, health, drug/alcohol usage, and criminal records in very limited circumstances when such information is directly relevant to the position for which the candidate is considered. No background checks can be based on any status protected by the Chilean anti-discrimination statute, including checks based on union membership or political affiliation.

CANADA

  • Law: 1) All employers should verify that individual employees are legally entitled to work in Canada by obtaining the employee’s Social Insurance Number (SIN), but only after a conditional offer of employment is made. Certain employers may also require criminal records checks through a Canadian Police Information Check (CPIC). In some industries, a more comprehensive check may be required by law (e.g., for persons who work with vulnerable individuals such as children); 2) Criminal records checks should not be done without the prospective employee’s consent and, in any event, it is recommended that a conditional offer of employment be made before a criminal record check is performed; 3) Where the employer requires a criminal record check, the prospective employee may have grounds to claim discrimination if a decision not to hire is based on:
    • A conviction of a provincial offence revealed by the check;
    • A criminal offence for which a pardon has been granted; or
    • A criminal conviction that is unrelated to the individual’s employment.
  • Allowed: Verifying references, past employment, and education is common and permissible, provided that:
    • The applicant has consented; and
    • The employer conducts the verification in a consistent and non-discriminatory manner.
  • Caution must be exercised in undertaking more detailed background checks to ensure that the scope of the detailed background check is not excessive and that proper consent has been obtained in accordance with applicable privacy laws.
  • Credit checks are generally permissible when the candidate’s credit history is relevant to the position (e.g., positions involving handling money or involving financial decision making). Credit checks must be conducted in accordance with applicable consumer protection legislation, which requires that:
    • Consent is obtained from the individual; and
    • A proper process is followed when the credit check is undertaken.
  • It is recommended that a conditional offer of employment is made before a credit check is performed.

ARGENTINA

  • Law:  1) Pre-hire medical checks are required pursuant to resolutions issued by the Occupational Risk Superintendence. If an employee does not complete a pre-hire medical check, the employee will be deemed to have begun work in optimal health; therefore, any injuries or diseases that may arise in the future will be deemed to have happened during the employment relationship; 2) Criminal record checks are required for foreign employees to obtain a work visa.
  • Allowed: Where criminal checks are not required for work visa purposes, they are only permissible – and are common in practice – for specific roles (e.g., high-level managerial positions). Reference and educational checks are common and permissible, provided applicant consent was previously obtained.

MEXICO

  • Law:  Immigration compliance.
  • Allowed: 1) Under Mexican law, there are few restrictions on an employer’s right to request substantiating documents and confirm the information provided by the applicant regarding their education, health condition, finances, drug use, family situation and criminal background. Employers have broad flexibility regarding the questions that may be asked during the application process; 2) Criminal background checks are permissible; however, only the employees in question themselves can request such information from the corresponding authority. Credit checks are not common in Mexico as there is no specific procedure established by law for employers to obtain credit information. Pre-employment Screening measures such as reference and education checks are common and permissible with applicant consent.

CZECH REPUBLIC

  • Law: Immigration compliance. Entry health check. Where required by law, criminal record check or pregnancy information (e.g., where a pregnant employee cannot perform certain work).
  • Allowed: 1) Reference and education checks are common and permissible. Criminal records and credit reference checks may be requested if justified by the specific nature of the work performed and subject to the proportionality principle; 2) Subject to the same conditions, the employer may also request information concerning pregnancy, financial and family affairs of the applicant.

HONG KONG, SAR

  • Law:  Immigration compliance.
  • Allowed: Any data collected as a result of pre-employment screening must comply with the Personal Data (Privacy) Ordinance (PDPO); candidates must be expressly informed of the collection, use and disclosure of any personal data related to them by their employer or prospective employer. Asking a candidate to sign a Personal Information Collection Statement will assist an employer in complying with these obligations. A candidate may be asked to undergo a medical examination, but only after the employer has made them a conditional offer of employment. If criminal checks are carried out, an employer must be careful not to dismiss, exclude or display prejudice against the candidate based on any spent conviction – that is, where a person was previously convicted of an offence for which they were not sentenced to imprisonment for more than three months or given a fine of more than HKD10,000, and the person has not been convicted of any other offence for at least three years.

INDONESIA

  • Law: Legislation is silent; thus, there are no requirements or prohibitions on background checks.
  • Allowed: All ethical pre-employment screening measures and background checks.

PERU

  • Law: There are no mandatory pre-employment checks; however, specific companies that perform high-risk activities (e.g., in the mining industry) must perform occupational medical exams on their candidates.
  • Allowed: Immigration checks are highly recommended for foreign employees. Employers are permitted to check candidates’ education and prior employment history. Employers may also conduct (i) financial checks for jobs that involve handling money; (ii) drug or alcohol usage checks, but only if the individual has a job where the use of drugs could threaten the safety of others; and (iii) a criminal record affidavit for candidates and criminal records checks after the first interview.

Pre-employment Screening in Africa

This continent allows for criminal records, references and educational background checks to be completed across all countries. The requirement by law focuses heavily on immigration compliance. See the breakdown below.

ANGOLA

  • Law:  Immigration compliance and pre-hire medical examinations.
  • Allowed: Pre-employment screening checks such as reference and education checks are permissible.

MOZAMBIQUE

  • Law: Immigration compliance for foreign employees. Foreign employees must have a valid work permit and a residence permit to work in Mozambique. In general, pre-hire checks are not mandatory, but in some areas of activity (e.g., mining, oil and gas), prior medical examinations are required.
  • Allowed: Reference and education checks are permissible, and candidates may be requested to provide a certificate of criminal records.

NIGERIA

  • Law:  1) Immigration compliance; 2) Medical examination for manual and clerical workers.
  • Allowed: Background checks for education, prior employment and basic personal information such as proof of identity and residential address are accepted in Nigeria. In practice, the prospective employee’s consent is sought before such pre-employment screening checks are carried out.

UGANDA

  • Law: Immigration compliance for all non-nationals.
  • Allowed: Criminal and credit reference checks are permissible. Reference and education checks and medical examinations are common and permissible.

KENYA

  • Law:  1) Education qualification checks and referee follow-up for hires; 2) Criminal record clearance checks; 3) A locally registered entity to support the application. For an entity that already employs foreign expats, whether the ratio of 1:3-7 in favour of Kenyans is loosely observed.
  • Allowed: The Department of Immigration Services, in conjunction with both the local and international security agencies, can conduct background checks on all applicants.

Pre-employment Screening in Europe

Candidates’ consent is also a vital factor in what is allowed in European countries – a large selection of the countries only allow these checks to be carried out with regard to specific job roles and data handling. Emphasis is largely placed on identity verification and criminal checks across Europe. See the full breakdown below.

ITALY

  • Law: Immigration compliance.
  • Allowed: Criminal and credit reference checks are only permissible for specific roles (e.g., certain finance positions) and subject to proportionality requirements. Reference and education checks are common and permissible with applicant consent.

SOUTH AFRICA

  • Law:  Immigration compliance.
  • Allowed: It is permissible to carry out background checks. A criminal record check may only be carried out if the candidate provides a copy of their fingerprints. Furthermore, in terms of the Protection of Personal Information Act, 2013 (POPIA), which came into effect on July 1, 2020, consent is required to conduct a criminal record check. The National Credit Act, 2005 prohibits the release of credit reports “unless directed by the instructions of the consumer.” Furthermore, the purposes for which credit reports may be used are limited. They should only be used for considering a candidate for employment in a position that requires trust and honesty and entails the handling of cash or finances. It also provides that the consumer’s consent should be obtained before requesting the credit report for this purpose. A medical check requires the consent of the individual. While consent is not required to conduct other checks such as a check on qualifications, references and employment history, it is advisable to obtain consent. Furthermore, in terms of POPIA, the applicant should be notified about the background checks that will be carried out.

AUSTRIA

  • Law:  Immigration compliance.
  • Allowed: Criminal and credit reference checks are only permissible for specific roles (e.g., certain finance positions) and subject to proportionality requirements. Reference and education checks are common and permissible with applicant consent.

IRELAND

  • Law: Immigration compliance. Criminal record checks only for those who work with children, with vulnerable adults and in security.
  • Allowed: Reference and education checks are common and permissible with applicant consent.

HUNGARY

  • Law: Immigration compliance is required. Criminal records are also checked concerning certain occupations, such as judges, attorneys, public servants and auditors.
  • Allowed: 1) Apart from the above, a check of criminal records is only allowed if it provides important information with respect to the given position or work to be carried out; 2) Further checks (e.g., education and references) are also permitted, but may only be carried out if aiming to obtain important information to enter into the employment.

DENMARK

  • Law: Employers are responsible for ensuring that all employees have a valid residence and work permit when employing third-country citizens. For any occupations involving work with children under the age of 15, an employer must ask for a record that specifies whether the employee is fit to work with children. The employee must give consent before the record is collected.
  • Allowed: An employer may ask a potential employee to produce a copy of their criminal record if necessary and proportionate to the job. Information on a potential employee’s health may be requested only if this is of significant importance to performing the job in question. Concerning educational background and activities, data from the application may, as a rule, be verified by the employer. It is common in Denmark to issue job references. Applicants may be asked to provide contact data of former employers. Credit checks are allowed for employees in special fiduciary positions and if there is a legitimate purpose for the check.

FINLAND

  • Law: Under the Employer Sanction Directive and the Finnish Employment Contract Act, employers must ensure that non-European Economic Area nationals comply with residency and immigration requirements, or the employer may face fines for non-compliance. Criminal records must be checked when working with children.
  • Allowed: For tasks other than working with children, credit history and criminal records may be checked only in situations where the law requires and follows the procedure stipulated in the law. Medical checks may be used to check employees’ ability to work. Reference and education checks are common and carried out with the applicant’s consent.

FRANCE

  • Law: If the individual to be employed is a foreigner, the employer must check the validity of their work permit. As of January 2017, with some exceptions, employers must set up a preventive and informative medical assessment to take place within three months of the commencement of employment, unless the employee has been subject to such visit during the previous five years.
  • Allowed: Pre-hire checks may be permissible subject to data privacy laws and if the information is related to the job position. Reference checks are permissible, provided the applicant is informed. A criminal record check is permissible for specific job positions only (e.g., those involving the handling of cash).

GERMANY

  • Law: Immigration compliance. For certain employment positions (e.g., public services, education sector, medical sector and security services), statement of good standing (Führungszeugnis) from the Federal Central Register (Bundeszentralregister).
  • Allowed: Requiring a credit reference check or a statement of good standing is only permissible for roles justifying interest in such information and is subject to proportionality requirements.

PORTUGAL

  • Law: Immigration compliance. For certain roles (e.g., security guards and employees who work with children), a criminal record check certificate. Pre-hire medical examinations.
  • Allowed: Reference and education checks are permissible. The employer may not ask a candidate for employment to provide information related to their private life (including criminal record checks), health condition or pregnancy, unless such information is strictly necessary and relevant to evaluate the person’s aptitude for the performance of the employment or when the nature of the professional activity justifies such request, and the reasons for the request are provided, in writing, to the candidate. Tests and medical examinations (other than the legally required pre-hire medical examinations), including drug tests, may only be requested if aimed at the protection and safety of the employee or third parties or when the nature of the activity so requires. The employer must inform the employee in writing of the grounds for the request. Requesting that an employee or applicant submit to a pregnancy test or medical examination is strictly forbidden.

SWITZERLAND

  • Law: Immigration compliance. Criminal and credit reference checks for specific roles (e.g., attorneys at law and bank executives).
  • Allowed: Criminal and credit reference checks are only permissible if they are relevant to the proposed work and are subject to proportionality requirements. Reference and education checks are common and permissible with the applicant’s consent.

SWEDEN

  • Law: No pre-hire checks required in general.
  • Allowed: On immigration compliance. References and education checks are common and permissible with applicant consent. Employers may ask for criminal records, and for specific roles (e.g., childcare positions), it is required. Note, however, that criminal records for pre-hire checks normally may not be processed electronically due to data privacy restrictions.

UKRAINE

  • Law: For non-Ukrainian citizens, employers must check for compliance with immigration requirements and obtain work permits (unless the employer or employee falls under a special category, as discussed in the Immigration section below). Employees must provide a valid ID and, except for first-time employment, their labour book. On a case-by-case basis, employers can request employees to provide documents confirming education (speciality, qualification), health status, etc., to confirm compliance with requirements established for a specific profession or position or the work performed. For example: to be employed as an officer responsible for labour protection, an individual shall provide the employer with a certificate that proves the employee’s knowledge in the area of labour protection; or if the job description provides that the employee’s duties will include operation of a vehicle, the employer is entitled to require a driving license.
  • Allowed: An employer cannot require candidates or employees to provide additional documents/information not specifically required by law as a condition precedent to the employment. The ability to conduct any pre-hire or post-hire checks is limited by labour and personal data protection laws. In most cases, checks not expressly required by law are possible only with written consent.

SPAIN

  • Law: Immigration compliance. For certain roles (e.g., security guards), the employee must provide the potential employer with a certificate proving that they do not have a criminal record. These certificates cannot be stored by the employer nor transferred to any other entity.
  • Allowed: Reference and education checks are permissible with the applicant’s consent only. Most companies and institutions prefer to deliver the information directly to the applicant to supply it to the potential new employer directly and personally.

POLAND

  • Law: Immigration compliance: requirement to obtain a work permit for foreigners originating from non-EU and non-European Economic Area (EEA) countries. A statutory list of so-called regulated activities to be performed only by persons holding specific licenses or possessing certain types of education and professional experience. Initial medical examinations to confirm that no health reasons are barring the person’s employment in a certain position. However, there are certain exceptions – for example, where a medical certificate was issued during previous employment in the same position.
  • Allowed: Certain limited types of personal data may be requested from the candidate as specified by the Polish Labour Code and other applicable provisions. These include name and surname, date of birth, contact details, education, professional qualifications and work history. The employer may also request that a candidate provide personal data not listed in the Polish Labour Code; however, additional data processing requires the candidate’s consent. The employer may collect and process sensitive data such as data revealing racial or ethnic origin, political views, religious or ideological beliefs, trade union membership, genetic data, biometric data to uniquely identify a person and data on health, sexuality or sexual orientation only if a candidate provides this at their own initiative. Information on criminal convictions may be requested only if separate statutory provisions require the obligation to provide this information.

SLOVAK REPUBLIC

  • Law: Immigration compliance. Criminal record checks in cases in which integrity is required based on the nature of the work or pursuant to special regulations (e.g., public services). A preventive work-related medical examination is required for the assessment of the medical fitness for the work of a juvenile employee and certain categories of work.
  • Allowed: An employer may request that a previously employed person submit references and a certificate of employment. An employer may request only information relevant to the work to be carried out for an individual applying for their first employment. Reference and education checks are common and permissible with the applicant’s consent.

UK

  • Law: Immigration compliance. For certain limited occupations (e.g., solicitors or chartered accountants), a criminal records check.
  • Allowed: Criminal and credit reference checks are only permissible for specific roles (e.g., certain finance positions) and are subject to proportionality requirements. Reference and education checks are common and permissible with applicant consent.

ROMANIA

  • Law: A request for a medical certificate/check can only be made to ascertain the applicant’s ability to perform the work in question. The employer must meet the cost of the medical check. Immigration compliance also needs to be considered, where relevant.
  • Allowed: Reference checks concerning an applicant’s length of employment and work performed for former employers are common and permissible, although the applicant should be informed in advance. Processing any data regarding criminal records is generally prohibited.

BELGIUM

  • Law: Immigration compliance (work permit and/or residence permit).
  • Allowed: Criminal checks are only permissible under exceptional circumstances for specific roles and subject to proportionality requirements. Reference and education checks are common and permissible with applicant consent.

LUXEMBOURG

  • Law: 1) Immigration compliance; 2) Medical check: When recruiting, an employer must ensure that the employee undergoes a medical check with a practitioner of the occupational health service to which the employer is affiliated. The practitioner will decide if the employee’s health allows him or her to fill the position in question. This medical check is compulsory, irrespective of the nature of the work (i.e., office, industrial or construction work, etc.). In certain cases, the employer must also organise regular medical examinations during employment.
  • Allowed: Reference and education checks are common and permissible with the applicant’s consent. They are compliant with data protection and privacy provisions and linked to the nature of the position. For human resources management and recruitment, the employer may request that an applicant provide a criminal record. In all cases, if the employer makes the decision not to hire the job applicant, the criminal record will have to be immediately destroyed. If the job applicant is hired, the employer will only be entitled to retain the criminal records for one month. 

NORWAY

  • Law: Immigration compliance. For certain occupations (e.g., lawyers, accountants), a certificate of good conduct is required.
  • Allowed: 1) Criminal check is only permissible for specific occupations where there is the legal basis for obtaining a certificate of good conduct; 2) Reference checks and education checks are permissible with the applicant’s consent.

NETHERLANDS

  • Law: Immigration compliance. For certain limited provisions (e.g., judges, lawyers and advocates), an applicant must provide a recent copy proving that they have no criminal record that should prevent them from performing their duty (verklaring omtrent gedrag).
  • Allowed: Reference checks are common and permissible with the applicant’s consent. Other checks are only permissible in limited situations.

RUSSIA

  • Law: Immigration compliance, military compliance (when serving in the military) and in rare situations, a criminal record check.
  • Allowed: Criminal and credit reference checks are allowed for specific roles (e.g., finance positions and educational institutions) but are subject to proportionality requirements. Reference and education checks are common and permissible with the applicant’s consent.

Wherever you do business, CRI™ can help you find solutions and manage risk concerning your compliance, due diligence and employee background screening (including Pre-employment Screening) challenges and objectives. While this article provides high-level guidance, we encourage you to contact CRI Group™ to perform Background Investigations and due diligence.  


Q&A on How Corporate Fraud and Corruption Affect Businesses in the UAE 2021

CRI Group™ and its ABAC™ Center of Excellence were featured in Financier Worldwide’s InDepth Feature: Corporate fraud and corruption 2021. In this edition, CRI Group’s CEO Zafar Anjum and ABAC Group’s Scheme Manager Huma Khalid talk about how corporate fraud and corruption affect businesses not only in the UK and UAE, but across the globe, and provide solutions and insights for businesses to become better protected from corporate fraud, bribery and corruption.

Q. To What Extent have you seen a Notable Rise in the Level of Corporate Fraud, Bribery and Corruption Uncovered in the UAE?

A. The United Arab Emirates (UAE) remains the least corrupt country in the Middle East and North Africa region. It was perhaps fitting that the United Nations (UN) held its anti-corruption conference in the UAE just over a year ago. At the conference, delegates drafted anti-corruption resolutions and discussed asset recovery, international cooperation, and other topics in preparation for an upcoming special session of the UN General Assembly against corruption. Of course, there is still much work to be done. Fraud, bribery and money laundering are still problems in the UAE that require a united focus to overcome. Of special concern is the real estate sector, which some have called a haven for stashing and laundering cash. In some cases, these funds are linked to terrorist financing, raising the alarm beyond just the balance sheet for typical financial or corporate fraud.

Q. Have there been any Legal and Regulatory Changes Implemented in the UAE Designed to Combat Fraud and Corruption? What Penalties do Companies Face for Failure to Comply?

A. The recent Anti-Commercial Fraud Law in the UAE strengthened rules around counterfeiting and intellectual property (IP) theft, among other areas. In addition, lawmakers and regulators are applying an anti-fraud focus to other laws. A perfect example is the UAE’s Insolvency Law 2020. The Ministry of Finance announced that penalties will be imposed on those who fraudulently abuse the law. This could include making a fake claim or a sham debt against a debtor or illegally increasing a debt amount. Such offences are punishable by jail time and fines. An awareness campaign by the UAE Banks Federation (UBF), the Central Bank of the UAE (CBUAE), Abu Dhabi Police, and Dubai Police was the first such collaboration in the UAE and it comes as both corporate and consumer fraud have increased. Companies are expected to protect their stakeholders’ investments, and failure to do so can lead to regulatory and legal punishments.

Q. In your Opinion, do Regulators in the UAE have Sufficient Resources to Enforce the law in this area? Are they Making Inroads?

A. There are at least two daunting tasks facing regulators in the UAE at present: detecting and preventing money laundering and stemming the growing threat of cyber crime. While these problems are not unique to the UAE, they do require significant investment and increased investigation and enforcement efforts. Recent reports allege that illicit funds flow through ‘free trade zones’ and into real estate deals, such as luxurious properties in Dubai and other locations. The laws are in place to punish such crimes, but more inroads will need to be made to bring this under control in a country that largely succeeds at fighting fraud in other areas. Cyber crime is also a constant challenge that has been exacerbated by the COVID-19 pandemic. Many fraudsters have sought to take advantage of companies having to transition to different employment models, such as remote working. Fraud fighters are working hard to stay ahead of the curve in this regard.

Q. If a Company Finds itself Subject to a Government Investigation or Dawn Raid, How Should it Respond?

A. If a company finds itself under investigation, one of the first things it must do is mandate down the chain of command that employees cooperate fully with investigators. Any efforts to the contrary may be considered obstruction, and lead to more punishments or a higher likelihood of penalties at the end. In contrast, engaging in a good-faith effort to assist an investigation may weigh in the company’s favour.

Questions will arise, such as: Was this a surprise? What are the facts of the case? How did this occur? Legal counsel must be engaged immediately, but it is also important to speak with compliance officers, risk management, executives and the board in a transparent way to help the company move forward. Communicate a zero-tolerance policy toward fraud, and if employees are proven to have engaged in such behaviour, they should be terminated and prosecuted.

Q. What Role are Whistleblowers Playing in the Fight Against Corporate Fraud and Corruption? How Important is it to Train Staff to Identify and Report Potentially Fraudulent Activity?

A. Some business leaders falsely believe that audits, account reconciliation and other procedures offer the best protection against fraud. They are important functions, but they are not the most effective detection method. Fraud is often uncovered by tips, according to the ACFE’s Report to the Nations on Occupational Fraud and Abuse. Employees are truly the front line of defence for companies, and the first to throw up warning flags about unethical behaviour. The question is whether companies listen to their employees. And is there an easy, anonymous way for employees to submit tips, without fear of retaliation? Companies should educate employees about the red flags of fraud, and then make sure they know they can and should report it.

Q. What Advice can you Offer to Companies on Conducting an Internal Investigation to Follow up on Suspicions of Fraud or Corruption?

A. If the company does not have an experienced team of anti-fraud professionals on staff, it is crucial to enlist the help of an outside firm with experts who specialise in this area. There are mistakes companies make at the beginning of an investigation that can haunt them later. For example, most countries, including the UAE, have laws that govern the proper collecting and handling of evidence. With most evidence in a digital format, following the right protocols is more important than ever. There are also important guidelines for interviewing witnesses and those suspected of fraud which, when disregarded, could lead to a failed investigation. The bottom line is: do not go it alone – get expert professional help. And if criminal conduct is discovered, contact the authorities.

Q. What General Steps can Companies take to Proactively Prevent Corruption and Fraud within their Organisation?

A. Preventing and detecting fraud starts with a company’s employees, so training and communication are key. First, employees must be trained on what constitutes fraud, bribery and corruption, how to recognise it, and how to report it. Second, the company must communicate that fraud will not be tolerated on any level, and those who commit fraud will be terminated and prosecuted if they are found to have broken the law. Companies should also have anti-corruption and anti-fraud controls in place, including an employee code of conduct, regular and surprise audits, and a fraud reporting system available to employees, contractors and even customers. Achieving certification in internationally recognised standards, such as ISO 37001 ABMS, is a good practice too. When it comes to fraud and corruption, an ounce of prevention is worth a pound of cure. Being proactive is truly the only practical option for protecting the business and its assets.

 

Meet HUMA KHALID, Scheme Manager

Huma Khalid, as scheme manager, is responsible for leading ABAC. Ms Khalid’s responsibilities include planning and overseeing all aspects of the ABAC programme, which include certification and training. Additionally, she oversees the compliance department for the implementation, management and internal audit of CRI Group’s and ABAC compliance programmes.

ABAC™ Center of Excellence Limited | t: +44 (0)777 652 4355 | e: huma.k@abacgroup.com

About CRI Group™

CRI GROUP™ works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international risk management, employee background screening, business intelligence, due diligence, compliance solutions and other professional investigative research solutions provider. CRI Group™ has the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Its global presence ensures that no matter how international your operations are, the company has the network needed to provide you with all you need, wherever you happen to be.

Corporate Fraud and Corruption: Effect on UK Businesses in 2021

CRI Group™ and its ABAC Center of Excellence were featured in Financier Worldwide’s InDepth Feature: Corporate fraud and corruption 2021. In this edition, CRI Group’s CEO Zafar Anjum and ABAC’s Scheme Manager Huma Khalid talk about how corporate fraud and corruption affect businesses not only in the UK and UAE, but across the globe, and provide solutions and insights for businesses to become better protected from corporate fraud, bribery and corruption.

Q. To what extent have you seen a notable rise in the level of corporate fraud, bribery and corruption uncovered in the UK?

A. The COVID-19 pandemic has created increased opportunities for fraud worldwide. The UK is not immune, unfortunately, and such a disruptive event as the pandemic increases the likelihood that normal safeguards and risk management controls can be bypassed and subverted. There has been an increase in reported fraud and corruption cases over the past year. A survey of fraud experts by the Association of Certified Fraud Examiners (ACFE) in August 2020 showed that 77 percent were seeing an increase in fraud. Perhaps not surprisingly, cyber fraud is the fastest-growing problem area, but there has also been an uptick in unemployment fraud. This is bad news in the UK, where fraud is our most common crime, costing the country £190bn annually, according to the Royal United Services Institute (RUSI).

Q. Have there been any legal and regulatory changes implemented in the UK designed to combat fraud and corruption? What penalties do companies face for failure to comply?

A. There is proposed legislation, supported by the secretary of state of the UK’s Department of Business, Energy and Industrial Strategy, that would increase accountability for corporations that produce falsified financial statements. This includes a provision that would require company directors to personally sign off on their corporation’s financial statements, under penalty of fines and possible prison time. Under the Sarbanes-Oxley Act in the US, the penalty for falsely certifying such statements is steep: up to 20 years in prison and up to $5m in fines, and the UK is looking at similar measures to step up its fight against fraud and corruption. The UK also recently approved the formation of an audit, reporting and governance authority (ARGA) that should come into force within the next two or three years. Accordingly, the UK is taking a stronger stance against fraud going forward.

Q. In your opinion, do regulators in the UK have sufficient resources to enforce the law in this area? Are they making inroads?

A. Combatting fraud is never straightforward. When looking at progress in detecting and preventing fraud, it sometimes feels like a question of whether the glass is half full or half empty. For example, the Serious Fraud Office (SFO) brought 13 fraud defendants to trial in 2019 and 2020, with a 95 percent four-year success rate by case. Many of these represent large frauds, and they are meaningful wins, but how many more fraudsters are out there undiscovered? Other bodies, including Her Majesty’s Revenue and Customs (HMRC), among others, also have key roles to play in investigating fraud, but a considerable amount of fraud is still investigated and prosecuted at the local level. It is important for leaders in the UK to know what resources law enforcement have and where they need training and support in the fight against fraud.

Q. If a company finds itself subject to a government investigation or dawn raid, how should it respond?

A. Any investigation, and especially a raid, can be an incredibly stressful time for a company and its employees. The important thing is to not panic – the investigators have a job to do, and the sooner they get to the truth of the situation, the better for everyone. Companies should direct their management and their employees to cooperate fully, while also engaging legal counsel to properly protect the corporation from future litigation. If fraud is detected, it is a criminal matter and the company should make a good faith effort to work with prosecutors and regulators, while making sure to document all control measures and prior steps taken to manage fraud risk. Having a track record of meeting compliance requirements and having proper internal controls in place at the time fraud occurs could have a mitigating effect in terms of potential prosecution and penalties down the road.

Q. What role are whistleblowers playing in the fight against corporate fraud and corruption? How important is it to train staff to identify and report potentially fraudulent activity?

A. Employees are a company’s first line of defence against fraud and corruption. But training them to recognise the red flags of fraud is only half of the process. The company must also implement a reporting system that is anonymous and easy to use, so that employees are encouraged to report any suspicions. Then, the company must follow through and fully investigate any reports that do come in. If it does not, whistleblowers will believe that combatting fraud and corruption is not a corporate priority, and the tips will stop coming in. How important are those tips? According to the ACFE, they are by far the highest detection method for fraud, well above audits and other means. The company should communicate that a whistleblower hotline or online reporting system is available, and that there is a zero-tolerance policy for any type of retaliation against whistleblowers. Over time, the tips will come in.

Q. What advice can you offer to companies on conducting an internal investigation to follow up on suspicions of fraud or corruption?

A. Investigations can be challenging, and they require expertise. For example, there are rules for collecting and handling evidence, including physical evidence and witness statements, that must be followed for such evidence to be admissible in court. There are also laws in the UK dealing with privacy and the rights of the accused. The bottom line is that a company already dealing with a potentially costly and damaging fraud scenario should not risk adding more legal trouble through a faulty investigation. Hire experts who deal with corporate crime and specialise in fraud and corruption cases. Like any other area of expertise, they will have the knowledge and resources to help proceed with an investigation and lead it to the most favourable outcome for your company. If you already have anti-fraud professionals on staff, let them take the lead, but provide outside resources as needed.

Q. What general steps can companies take to proactively prevent corruption and fraud within their organisation?

A. A fraud prevention strategy has many different elements, and the sooner companies implement them, the sooner they can begin to work together in a proactive way to prevent fraud. Mandating employee training, such as ISO 37001 ABMS, having an ethical code of conduct signed by every member of staff, providing regular and surprise audits, and implementing a fraud reporting system are all effective ways to help prevent and detect fraud and corruption. None of these methods is strong enough on its own to properly protect organisations. But together, they can be very effective. It is also important to set a ‘tone at the top’, from ownership, directors and management on down, that fraud will not be tolerated. Anti-fraud controls only work if the company sees them through and thoroughly investigates every report. When fraud is confirmed, any perpetrators should be terminated and potentially prosecuted, sending a message of zero-tolerance.


About CRI Group™

Based in London, CRI Group™ works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group™ also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

In 2016, CRI Group™ launched Anti-Bribery Anti-Corruption (ABAC™) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC™ operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC™ for more on ISO Certification and training.

 

Cyber Security: How to Maintain GDPR Compliance?

The European Union’s (EU) General Data Protection Regulation (GDPR) came into force in 2018. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As this data was exposed by both hackers and, in some cases, simply through poor security measures, governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of GDPR held some uncertainty and unknowns for organisations subject to its guidelines, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: Violators of the GDPR may be fined up to €20 million or up to 4 percent of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

Cybersecurity is a Priority for the Management

Even with extremely high fines and stringent requirements, GDPR violations and data breaches have been skyrocketing across the world. In 2020, an overall increase in fraudulent activity was detected, according to the ACFE’s “Fraud in the Wake of COVID-19: Benchmarking Report”: 77% of survey participants had seen an increase in the overall level of fraud as of August, compared to 68% who had observed an increase in May. Earlier we wrote about how the COVID-19 crisis triggered fraudulent activities and what businesses can do to support anti-fraud movements in their organisations and to strengthen their immunity to fraud. Cyber-attacks are also on the rise – the survey by gov.uk continues to show that cybersecurity breaches are a serious threat to all types of businesses and charities. 39% of businesses and 26% of charities reported having cybersecurity breaches or attacks in the last 12 months. As in previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).

The study suggests that the risk level is potentially higher than ever under COVID-19 and that businesses are finding it harder to administer cybersecurity measures during the pandemic: 35% of businesses compared to 40% last year are now deploying security monitoring tools. This reduction suggests that these organisations might simply be less aware than before of the breaches and attacks their staff are facing.

However, among those that have identified breaches or attacks, around 27% of businesses experience them at least once a week. The most common by far are phishing attacks (83%, and 79% in charities), followed by impersonation (27% and 23%). According to the gov.uk survey, despite COVID-19 stretching many organisations’ cybersecurity teams to their limits, cybersecurity remains a priority for management boards. But it has not necessarily become a higher priority under the pandemic. Three-quarters (77%) of businesses say cybersecurity is a high priority for their directors or senior managers, while seven in ten charities (68%) say this of their trustees.

The Most Notable Data Breaches

In a climate where organisations are putting more emphasis on strengthening their online security systems, there is still no shortage of data breaches or GDPR violations. Our experts have noticed and shortlisted a few of the most notable cases, in no particular order:

1. Booking.com

In a very recent case, travel booking website Booking.com was hit with a €475,000 ($560,000) fine after failing to report a data breach within the time period mandated by the GDPR. It happened back in 2018, when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). The hackers were able to get login credentials for the booking system and access the personal details of more than 4000 customers who booked hotel rooms via booking.com. The scammers exposed the credit card details of 283 customers, and in 97 cases the CVV code was also compromised. Under the GDPR, a data breach must be reported within 72 hours. Booking.com was 22 days late (!) in reporting the breach to the Dutch Data Protection Authority and was issued a fine in April 2021, as reported by Forbes.

2. Twitter

Another company that was late to report the security flaw is Twitter – it was discovered in December 2018 but the social media giant did not report it to Ireland’s Data Protection Commission (DPC) until the following month. As a result, Twitter has been told to pay a €450,000 GDPR fine by Ireland’s data regulator for failing to report a 2018 data breach in the legally required timeframe. The DPC also determined that Twitter failed to adequately document the breach, another requirement under GDPR.

3. Vodafone

The firm, which was warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020, is in the news again: the Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures. The fine was issued as a result of an investigation prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third parties without user consent.

4. Facebook

And another social media giant – Facebook. Ireland’s data protection watchdog is demanding answers from Facebook over the release of records on 533 million people that appeared to stem from the social media site. As reported in April 2021, a spokesman for the Data Protection Commission (DPC) – which regulates Facebook in the European Union – said “a dataset, appearing to be sourced from Facebook, has appeared on a hacking website this weekend for free and contains records of 533 million individuals.”

5. H&M

The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95, the second-largest GDPR fine ever imposed. H&M’s GDPR violations involved the internal monitoring of employees. After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. This violated the GDPR’s principle of data minimisation: don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.

6. Google

The biggest penalty (€50 million) was issued to Google for its alleged failure to provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and to obtain users’ valid consent to process their personal data for ad personalisation purposes.


How to Maintain GDPR Compliance

What can we learn from these case studies? Maintaining GDPR compliance is a complex process, and requires a lot of diligent work. At CRI Group, we recommend looking at it as a part of your risk management strategies, together with your compliance policies and procedures.

To help you with maintaining compliance with GDPR, our integrity due diligence experts created the following top 10 GDPR best practices for any business or entity that deals with collecting, storing or using personal information:

1. Employ a Data Protection Officer (DPO)

It is a GDPR requirement that entities who carry out regular and systematic monitoring of individuals on a large scale, or large-scale processing of certain special categories of data, have an assigned DPO. It is also recommended, however, for all other entities to help ensure data security. While the GDPR does not specifically list the necessary training or qualifications of a DPO, the regulation does require the DPO to have “expert knowledge of data protection law and practices” (Digital Guardian, 2019). Implement thorough background screening processes and make sure the person you appoint is trained and qualified to be your DPO.

2. Train Your Employees

Ensure that all personnel are aware of the GDPR and your organisation’s commitment to compliance. Make sure that all leaders, and especially key personnel charged with collecting, handling or storing data, understand their responsibilities under GDPR. Make data protection training a regular part of your employee curriculum.

3. Confirm the Legality of Your Data Collection

GDPR requires that you have a legal basis to collect personal data. For most businesses, the following are the most likely to be applicable:

  • The information is necessary to perform a contract between the organisation and the individual;
  • You have a legal obligation to process the data (such as a court order);
  • The organisation has a legitimate interest in collecting and processing the data – in other words, there needs to be a relationship and business reason to collect the data (it cannot be random);
  • The individual has provided direct consent to the processing of the data.

4. Maintain Thorough Records

For larger organisations (more than 250 employees), GDPR requires that records of data collection and processing be maintained. Again, this is a best practice for smaller organisations as well. It can help establish that the organisation is dutifully complying with the data protection principles in GDPR. Take inventory and make a record of the data you have collected and are storing to date. Create a detailed matrix to understand what types of data you are holding, where and how it is collected, how and where it is held, and whether it is still needed. Based on this information, you can also develop a data-retention policy to govern how long personal data is kept and stored. Keeping data on file longer than needed is a liability, and serves no business purpose.

5. Establish Consent Policies for Data

For some of your records, consent is your lawful basis for holding them. Under GDPR, it is no longer acceptable to assume consent in your collected data, or treat silence as consent. Create clear and unambiguous consent forms for your data collection that demonstrate adherence to GDPR principles. And remember, under GDPR, you must make it a simple process for an individual to withdraw their consent at any time.

6. Perform Due Diligence on Third-Parties

Under GDPR, your organisation is responsible if third-party partners collect, store or manage data for your organisation. You must ensure their compliance with GDPR as if it is your own since they are responsible for your data. This is the time to update your contracts with them to include compliance measures, as needed. It is also important that you review their control systems and their data handling processes. They must be comprehensive and meet all of the GDPR requirements to keep data secure. CRI Group’s third-party risk management experts can help you conduct effective reviews of your partners and their processes.

7. Be Responsive

Under GDPR, your organisation must respond to requests from individuals whose data you have collected and/or are storing. These requests are spelt out as individuals’ rights with regard to their personal data, and they include the following:

  • Right to be informed about what data is collected and why;
  • Right of access to data that has been collected;
  • Right to rectification/correction of inaccurate data;
  • Right to erasure of data (“right to be forgotten”);
  • Right to restrict processing of personal data;
  • Right to data portability;
  • Right to object to use of data; and
  • Right not to be subject to automated decision making, including profiling.

Have a process in place to respond to requests in a timely manner and provide data when requested in order to stay in compliance.

8. Have Written Policies in Place

Develop your internal policies with regard to GDPR and how you protect personal data, and communicate them across your organisation. Take special care to spell out policies on data retention, cross-border processing of data, and how you collect and handle data for persons under the age of 16, as GDPR has special requirements with regard to children’s data.

9. Conduct Risk Assessments

GDPR requires Data Protection Impact Assessments in certain cases. These assessments measure your organisation’s ability to protect personal data and risks associated with that protection. If your data processing is considered high-risk, uses new technology, or deals in large-scale processing of data in certain categories, the assessments are required – but for any organisation, they are recommended. Data protection experts at an outside firm like CRI Group™ can help you prepare robust risk assessments and follow-up plans to address their results.

10. Be Prepared for a Breach

A worst-case scenario in data security is a breach that exposes personal information. Under the steps above, your organisation should be well-positioned to prevent or limit any breach to your data security. However, you should always have a contingency plan in place to immediately respond to a breach should it occur. Understand that GDPR requires that the applicable EU data protection supervisory authority be notified within 72 hours of a breach. Gone are the days where a company can announce it weeks or even months after the fact. Be ready to notify the affected individuals that their data has been compromised, so that they can take the appropriate steps to respond.

Organisations don’t like to think about the impact of a data breach – but major cases have pushed governments to act in the public’s interest. Perhaps nowhere is this more true than in the EU, where the GDPR is now the governing policy for organisations that deal with individuals’ personal data. By being proactive with the steps above, your organisation can be better prepared and maintain compliance with the GDPR. Most importantly, you will have the confidence and trust of your consumers through effective best practices in handling and protecting their data. CRI Group’s experts are here to help. Contact us today so that we can walk you through the steps of GDPR compliance. If you have any further questions or interest in implementing compliance solutions, please contact us.


Unemployment Insurance Fraud During COVID-19

The Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Department of the Treasury that collects and analyses information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes, launched an Advisory on Unemployment Insurance Fraud During the Coronavirus Disease 2019 (COVID-19) Pandemic.

This advisory aims “to alert financial institutions to unemployment insurance (UI) fraud observed during the COVID-19 pandemic. Many illicit actors are engaged in fraudulent schemes that exploit vulnerabilities created by the pandemic. This advisory contains descriptions of COVID19-related UI fraud, associated financial red flag indicators, and information on reporting suspicious activity”.

We published recently that COVID-19 continues to affect businesses in a myriad of ways. Organisations are having to adapt quickly to the fast-changing climate of the pandemic, and unfortunately, we’ve recently noticed some businesses cutting steps in internal processes such as hiring, or lacking risk management controls. It’s a vulnerable time for organisations – earlier we wrote that a crisis can bring out the worst in some people. Fraudsters who prey on people’s fear and confusion tend to waste no time when a global pandemic strikes. COVID-19 is relatively new, yet fraud schemes are multiplying much like the virus itself as criminals look for vulnerabilities among a fearful population. This pandemic also creates risks for employee fraud – CRI Group’s survey revealed that nearly 77 percent of HR professionals accept that there is a risk that employees can initiate fraudulent activity because of the work-from-home arrangement.

But employee fraud might not be the only risk organisations face today. Earlier this year, we published that some organisations commit fraud themselves and abuse the Coronavirus Job Retention Scheme by engaging in furlough fraud. They do this by accepting taxpayer money designed to help them pay salaries for furloughed workers, who are essentially “deactivated” due to loss of business and quarantine – yet they pressure them to work (or they accept furlough benefits without the employees’ knowledge).

As we can see, fraudulent activity can happen in a myriad of ways. Let’s dive into the red flag indicators of unemployment insurance (UI) fraud, as unemployment claims across the globe have surged due to the COVID-19 pandemic.

What are the Red Flags of Unemployment Insurance Fraud?

In the advisory, FinCEN lists the financial red flag indicators to alert financial institutions to fraud schemes targeting UI programs, and to assist them in detecting, preventing, and reporting suspicious transactions related to such fraud. The illicit activity might include employer-employee fraud-related activities, such as creating a fake company with fictitious employees and providing fabricated details such as wages, or conspiracy between the two parties when an employee receives UI payments while the employer continues to pay reduced and/or officially undisclosed salaries. The fraud scheme might also be happening under the ‘misrepresentation of income fraud’ when the applicant fails to provide the correct income/wage details, or even submits an application with stolen or fake identity information.

A similar case happened when COVID-19 was in full swing last year: a for-sale ad was published on a black market specialising in selling stolen accounts and data – it offered access to a stolen UI claim in California that had been approved and offered benefits worth $17,550. This is just one example of the fraudulent activities – “in California, fraud was so pervasive that officials have suspended processing jobless claims for two weeks to put new controls in place and reduce a bulging backlog”. It also resulted in the U.S. Labor Department making fraud detection a priority and allocating $100 million to combat the issue. To support this fight against illicit activities, FinCEN identifies the following red-flag indicators:

  1. Account(s) held at the financial institution receive(s):
     • UI payments from a state other than the state in which the customer reportedly resides or has previously worked;
     • Multiple state UI payments within the same disbursement timeframe;
     • UI payments in the name of a person other than the accountholder, or in the names of multiple unemployment payments recipients;
     • UI payments and regular work-related earnings, via direct deposit or paper checks;
     • Numerous deposits or electronic funds transfers (EFTs) that indicate they are UI payments from one or more states to persons other than the accountholder(s);
     • A higher amount of UI payments in the same timeframe than similarly situated customers received.
  2. The customer withdraws the disbursed UI funds in a lump sum by cashier’s checks, by purchasing a prepaid debit card, or by transferring the funds to out-of-state accounts.
  3. The customer’s UI payments are quickly diverted via wire transfer to foreign accounts, particularly to accounts in countries with weak anti-money laundering controls.
  4. The customer receives or sends UI payments to a peer-to-peer (P2P) application or app. The funds are then wired to an overseas account, or withdrawn using a debit card, in a manner that is inconsistent with the spending patterns of similarly situated customers.
  5. Individuals quickly withdraw disbursed UI funds via online bill payments addressed to an individual(s), as opposed to businesses, as payee(s), with some individual payees receiving multiple online bill paychecks over a short time period.
  6. The IP address associated with logins for an account conducting suspected UI-fraud activities does not map to the general location of stated address in identity documentation for the customer or where the UI payment originated.
  7. Individuals direct UI-related EFTs, or deposit UI checks into suspected shell/front company accounts, which may be indicative of money mules transferring these funds in and out of the accounts.
  8. Multiple accounts receiving UI payments at one or more financial institutions are associated with the same free, web-based email account that may appear in more than one UI application.
  9. A newly opened account, or an account that has been inactive for more than thirty days, starts to receive numerous UI deposits.
  10. After a financial institution suspects UI fraud and requests additional identification documentation to verify the identity(ies) of the customer(s), queried individuals provide documents that are incorrect or forged, which may be an indicator of an account takeover or identity theft.
  11. After a financial institution suspects UI fraud and conducts due diligence, it determines that the customer does not have a history of living at, or being associated with, the address to which the UI check or UI debit card is sent, or within the geographical area in which the registered debit card is being used.

Read the full advisory here.

Insurance fraud is something that no company can afford. It is a serious crime that can result in serious consequences for fraudsters who may find their future job prospects impacted, find it harder to obtain insurance and other vital financial services, obtain a criminal conviction and even face the prospect of imprisonment. CRI Group’s insurance fraud investigations cover the full range of insurance fraud cases, from healthcare fraud to disability and even fake death claims. Our experts are trained to look for the tell-tale signs of fraud: they can view claims, medical and hospital records, conduct interviews, examine statements and documents, as well as perform on-site inspections.

Enhanced Risk Management

At CRI Group™, we suggest you consider looking at your overall risk management process, involving not only potential insurance fraud risks during the COVID-19 pandemic, but also the broader range of employee, bribery and corruption, and compliance risks your organisation might face.

The “Risk Management & ABMS Playbook” provides tools, checklists, case studies, FAQs and other resources to help you lead your organisation into better preparedness and compliance. Our experts share their own plays to help you reduce risk, thereby preventing and detecting more fraud. The first section addresses risk management directly: proper third-party due diligence and critical background screening take centre stage for this game plan. Section two tackles bribery and corruption, with tried-and-true measures you can implement to stay better protected and in compliance with strict laws and regulations.

Speak Up – Report Illegal and Unethical Behaviour

If you find yourself in an ethical dilemma or suspect inappropriate or illegal conduct, and you feel uncomfortable reporting through normal channels of communication, or wish to raise the issue anonymously, use our Compliance Hotline. This hotline is available to everyone in a business relationship with CRI Group and ABAC Group. It is an anonymous reporting mechanism that facilitates reporting of possible illegal, unethical, or improper conduct when the normal channels of communication have proven ineffective, or are impractical under the circumstances.

Who is CRI Group?

Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

ESG: CRI Group™ Environmental Policy

Corporate Research and Investigations Limited “CRI Group™” is a certified member of GBB (Green Business Bureau), seeks excellence in every aspect of our business and is committed to minimising the environmental impacts of our business operations. Following extensive new compliance requirements across ESG (environmental, social and governance) and our work with Green Business Bureau, we are committed to strictly implementing the commitments we agreed to under GBB certification.

The CRI Group™ and all directly employed sub-contractors, and agents, agree to comply with the below rules and will continue to ensure compliance. Here is our global Environmental Policy.

Our commitment is to:

  • Continuously improve our environmental performance and integrate recognised environmental management best practices into CRI® Group operations.
  • Reduce our consumption of resources and improve the efficient use of those resources.
  • Measure and take action to reduce the carbon footprint of CRI Group™ activities to meet our published objectives and targets.
  • Purchase qualified electronic equipment globally recognised as the most energy-efficient equipment available.
  • Manage waste generated from our business operations, incorporating reduction, re-use and recycling in accordance with the principles of the waste hierarchy.
  • Manage CRI® Group business operations to prevent pollution.
  • Give due consideration to environmental issues and energy performance in the acquisition, design, refurbishment, location, and use of buildings.
  • Ensure environmental criteria, including climate change, are considered in the procurement of goods and services.
  • Comply as a minimum with all relevant environmental legislation and other environmental requirements to which the firm subscribes.
  • Maintain our certification to the ISO 14001 program in 2022 through implementation and rigorous monitoring and review.

To meet our commitments, we will:

  • Provide CRI® Group’s Executive Board oversight and review of environmental policies and performance and allocate resources for effective direction and implementation.
  • Monitor key objectives and targets for managing our environmental performance at least annually.
  • Use a completely carbon-neutral green web hosting service for our business websites.
  • Communicate internally and externally our environmental policy and performance regularly and encourage feedback.
  • Communicate the importance of environmental issues to our people.
  • Work together with our people, service partners, suppliers, landlords, and agents to promote improved environmental performance.
  • Promote appropriate consideration of sustainability and environmental issues in the services we provide to our clients.
  • Review our environmental policy regularly.

This environmental policy represents our general position on environmental issues and the policies and practices we will apply in conducting our business.

What is ESG?

ESG (environmental, social and governance) criteria are of increasing interest to companies, their investors and other stakeholders. With growing concern about the ethical status of quoted companies, these standards are the central factors that measure the ethical impact and sustainability of investment in a company.

In less than 20 years, the ESG movement has grown from a corporate social responsibility initiative launched by the United Nations into a global phenomenon representing more than US$30 trillion in assets under management. According to Juliet Chung and Dave Michaels (“ESG Funds Draw SEC Scrutiny”, Wall Street Journal), in 2019 alone a surge of capital totaling US$17.67 billion flowed into ESG-linked products, an almost 525 per cent increase from 2015.

ESG factors cover a wide spectrum of issues that have traditionally been excluded from financial analysis:

Environmental:

  • Climate change
  • Resource depletion
  • Waste and pollution
  • Deforestation

Social:

  • Working conditions, including the use of child labor
  • Local communities
  • Conflict
  • Health and safety
  • Employee relations and diversity

Governance:

  • Executive pay
  • Corruption
  • Political affiliations and donations
  • Board composition, diversity and structure
  • Tax strategy

These factors have increasing financial relevance as global interest in ethical investment grows. 

Meeting the ESG Imperative

Increase your shareholder engagement through corporate governance solutions with our DueDiligence360™ service and our sister brand ABAC™ ISO certification.

Have confidence in your decisions when selecting your business partners, customers and workforce. Our due diligence reports provide research and insights from financial to legal and reputational standing.


About CRI Group™

Corporate Research and Investigations Limited (CRI Group™) has been safeguarding businesses from fraud, bribery and corruption since 1990. Globally, we are a leading Compliance and Risk Management company and a licensed and incorporated entity of the Dubai International Financial Center (DIFC) and Qatar Financial Center (QFC). CRI™ protects businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. Based in London, United Kingdom, CRI™ is a global company with experts and resources located in key regional marketplaces across the Asia Pacific, South Asia, the Middle East, North Africa, Europe, North and South America. Our global team can support your organisation anywhere in the world.

In 2016, the company launched the Anti-Bribery Anti-Corruption (ABAC™) Center of Excellence – an independent certification body that helps organisations mitigate internal and external risks by providing a complete suite of Anti-Bribery, Compliance and Risk Management programs.