ISO 37001 Can Help US Organizations Prevent Corruption

First-world countries are not immune to the global problem of corruption. The United States – considered by many as one of the leaders in anti-corruption laws and enforcement – has faced a rash of major corruption scandals over the past 20 years and beyond. In the early 2000s, accounting scandals like Enron and WorldCom rocked the business world and caused major economic losses among investors and other stakeholders. More recently, investigations into alleged violations of the Foreign Corrupt Practices Act (FCPA) often begin with illicit actions taken abroad but are traced back to U.S.-based companies right here at home. Iconic companies like Walmart and Microsoft are among the U.S. organizations that have been involved in large settlements with the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) over bribery and corruption charges. These fines, coupled with criminal prosecutions in certain cases, have demonstrated the U.S. government’s aggressive stance toward reducing corruption at home and abroad.

For this reason, and as a matter of good business practice, U.S. organizations should quickly adopt an internationally recognized set of anti-bribery and anti-corruption standards. Foremost among such initiatives is the ISO 37001:2016 Anti-Bribery Management Systems standard, which provides a comprehensive approach to mitigating the risk of bribery and corruption. Companies will find that ISO 37001 and its essential elements can be tailored to their organization, regardless of the organization’s size or industry. Among its many features, ISO 37001 promotes implementing an anti-bribery policy; appointing a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates; implementing financial controls; and instituting reporting and investigation procedures.

U.S. Losing Ground on Corruption

The result might be surprising for those who expect the U.S. to score near the top of the most recent Transparency International Corruption Perceptions Index. Canada ranks higher, and the U.S. score of 69 marks a two-point drop from the previous year – earning its worst score in eight years. [1]. “The U.S. faces a wide range of challenges, from threats to its system of checks and balances, and the ever-increasing influence of special interests in government, to the use of anonymous shell companies by criminals, corrupt individuals and even terrorists, to hide illicit activities.” The Americas do not get a glowing review from T.I.: “With an average score of 43 for the fourth consecutive year on the Corruption Perceptions Index (CPI), the Americas region fails to make significant progress in the fight against corruption.”

Transparency International’s frank assessment of the U.S.’s standing among other countries and regions in terms of corruption is useful. It helps dispel the notion held by some that bribery, fraud and other misconduct are primarily “third-world problems” that don’t impact large first-world economies. The fact is, large Western companies that seek to expand into new markets, including underdeveloped regions, are often guilty and liable for the corrupt practices that some employees or contractors might employ to advance that growth. Not only is that a problem in itself for its illegality and the damage often inflicted on economies in those areas, but it also creates serious legal and financial peril for companies that are caught and punished for violating the FCPA (as well as other international laws such as the U.K. Bribery Act).

Bribery Cases Prosecuted in the U.S.

Among the cases involving U.S. companies that were investigated, prosecuted, and/or resolved in 2019, a few stand out as clear warnings that punishment is catching up to those who commit bribery and collusion. Household names like Microsoft and Walmart make the list, as do smaller organisations and even individuals who faced fines and, in some cases, custodial punishments.

Microsoft was fined $23 million in combined criminal and civil penalties after a subsidiary, Microsoft Hungary, was investigated for a bid-rigging and bribery scheme. According to court documents, the alleged violations lasted from 2013 until “at least 2015.” The action was brought by the U.S. Department of Justice (DOJ) and the SEC over the sale of Microsoft software licenses to Hungarian government agencies. Microsoft Hungary executives and other employees were found to have violated the FCPA by falsely representing large “discounts” to close deals with resellers. The SEC also found that Microsoft’s subsidiary in Turkey “provided an excessive discount to an unauthorised third party in a licensing transaction for which Microsoft’s records do not reflect any services provided.” [3]

Walmart has been embroiled for more than 10 years in allegations of making corrupt payments to governments and officials worldwide, according to an agreement the massive corporation reached with the DOJ and SEC. Walmart agreed to pay $282 million to settle charges that it violated the FCPA to open new locations in various countries and jurisdictions around the world. In court, Walmart’s Brazilian subsidiary pleaded guilty to breaking U.S. federal law. On the whole, allegations include cases in Mexico, China, India and other locations. According to federal investigators, Walmart looked the other way as its subsidiaries on three continents paid millions of dollars, between July 2000 and April 2011, to middlemen in order to help the company obtain permits and other government approvals.

Lesser-known companies also faced scrutiny and, in some cases, prosecution. Juniper Networks, a California-based cybersecurity firm, was ordered by the SEC to pay more than $11.7 million for FCPA violations. According to the SEC investigation, some of the sales employees in Juniper’s Russian subsidiary “secretly agreed with third-party distributors to fund leisure trips for customers, including government officials through the use of off-book accounts.” It is notable that Juniper neither admitted nor denied the SEC’s claims in coming to terms for the settlement – but the company agreed to “cease and desist from committing or causing any violations.”

Some significant DOJ and SEC actions targeted individuals. For example, Hawaii resident Frank James Lyon, 53, was charged and pleaded guilty to conspiracy to violate the anti-bribery provisions of the FCPA, as well as conspiracy to commit federal program fraud, after trying to bribe government officials in the Federated States of Micronesia. Lyon, the owner of a Hawaii-based engineering and consulting company, was sentenced to 30 months in prison, followed by three years of supervised release. “According to admissions made as part of his plea agreement, between 2006 and 2016, Lyon and his co-conspirators paid bribes to foreign officials in the Federated States of Micronesia (FSM) and Hawaii state officials in exchange for those officials’ assisting Lyon’s company in obtaining and retaining contracts valued at more than $10 million. The bribes included, among other things, cash to FSM officials and Hawaii officials, and vehicles, gifts and entertainment for FSM officials.”

The cases above make clear that U.S. corporations and business leaders are vulnerable to bribery and corruption schemes that are often considered endemic in certain other regions of the world. The DOJ, SEC and other regulatory and investigatory bodies are scrutinizing transactions and behaviors, and conduct that runs afoul of provisions in the FCPA is likely to be met with prosecution and fines.

ISO 37001:2016 to Combat Bribery & Corruption

Corruption is a global problem. In the U.S., business and government leaders are urging organizations to take action now to reduce their risk exposure. To implement best practices and better protect themselves, organizations have turned to the ISO 37001:2016 Anti-Bribery Management Systems standard. Issued by the International Organization for Standardization (ISO) in 2016, ISO 37001 helps organizations of all sizes and industries increase and measure their efforts against bribery and corruption. Organizations can use the principles provided by ISO 37001 to implement the highest integrity standards at every level. At its core, ISO 37001 calls for an organization to establish an anti-bribery policy and appoint a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates. The organization must also implement robust internal controls, reporting procedures and investigation processes to make ISO 37001 truly effective.

ABAC® (Anti-Bribery and Anti-Corruption) Center of Excellence Limited was founded by international security firm CRI® Group to help organisations of all types and industries implement the highest standards of training and Certification. With a team of experts around the world, ABAC® Center of Excellence is composed of certified ethics and compliance professionals, financial and corporate investigators, forensic analysts, certified fraud examiners, qualified auditors, and accountants. Through their training and experience in implementing ISO 37001 standards, ABAC® Center of Excellence’s agents help clients more effectively prevent bribery and corruption. As an accredited provider of ISO 37001 ABMS, ABAC® Center of Excellence provides Certification and training for organizations of various types and industries.

There are many elements of a comprehensive anti-bribery and anti-corruption system. ISO 37001 lays these out in detailed guidance. The following are just a few of the forms of bribery that are addressed by ISO 37001:

  • Bribery in the public, private and not-for-profit sectors
  • Bribery by the organization
  • Bribery by the organization’s personnel acting on the organization’s behalf or for its benefit
  • Bribery by the organization’s business associates acting on the organization’s behalf or for its benefit
  • Bribery of the organization
  • Bribery of the organization’s personnel in relation to the organization’s activities
  • Bribery of the organization’s business associates in relation to the organization’s activities
  • Direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party)

Benefits of ISO 37001:2016 Certification

ISO 37001:2016 certification is designed to help protect the organization, its assets, and shareholders from bribery and corruption. Because Certification must be completed by a qualified, independent third party, it adds a distinct level of credibility to the organization’s management system. It ensures that the organization is implementing a viable anti-bribery management program using widely accepted controls and systems.

Companies and government organisations can rely on best practices set out by ISO 37001’s standards to reduce the risk of bribery and corruption. The following are some of the ways ISO 37001 helps organisations accomplish this goal:

  • Provides needed tools to prevent bribery and mitigate related risks
  • Helps an organisation create new and better business partnerships with entities that recognise ISO 37001 certified status, including supply chain manufacturing, joint ventures, pending acquisitions and co-marketing alliances
  • Potentially reduces corporate insurance premiums
  • Provides customers, stakeholders, employees and partners with confidence in the entity’s business operations and ethics
  • Provides a competitive edge over non-certified organisations in the organisation’s industry or niche
  • Provides acceptable evidence to prosecutors or courts that the organisation has taken reasonable steps to prevent bribery and corruption

ISO 37001 certification should not be considered “legal cover” for all liability issues related to bribery – but it can be a mitigating factor: “Conformity with (ISO 37001) cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to eliminate the risk of bribery,” according to ISO. ISO 37001 certification can be considered an important piece of evidence, however, demonstrating to regulators, prosecutors, and the courts that the organization has taken meaningful action to prevent bribery and corruption.

Costs and Timeframes of ISO 37001:2016 Certification

The time and cost of Certification depend on the size of the organization, as well as the state of its existing anti-bribery management system. If that system is very well developed, the process will be shorter and the organization can showcase it to its stakeholders and third parties. For organizations that have not already developed good policies, training and due diligence, the standard provides requirements and guidance on how to achieve them.

Some major corporations are seeking Certification. Microsoft, whose prior compliance issues were highlighted earlier in this paper, is reportedly one of them: Microsoft’s Deputy General Counsel, David Howard, wrote that “Microsoft will seek Certification from an independent and accredited third party to demonstrate that our anti-bribery program satisfies the requirements of the standard. We hope other companies will do the same.”

Conclusion

Regulators and enforcement bodies in the U.S. have prioritized rooting out fraud and other financial crimes. Bribery and corruption are at, or near, the top of this list. Investigations and prosecutions have increased in recent years and will continue to do so. Against this backdrop, it is critical that U.S.-based companies, corporations and government organizations take action now to reduce their risk profile and be better protected from liability. ISO 37001 is a perfect first step – or, for some, a next step – toward increasing that level of protection.

ISO 37001 ABMS provides the training and Certification program that organizations need for accountability and effectiveness. The training process can be tailored based on the size, type, industry or risk level. Bribery and corruption are not exclusive to the third world or developing economies. They are pervasive in Western countries, including the U.S., and they require comprehensive measures to make an impact and lessen their effects. ISO 37001 provides solutions that any organization can implement – not tomorrow, but today. The positives of decreased risk, decreased liability and better financial protection outweigh any negatives of the minimal investment in cost and effort.


CONTACT INFORMATION

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime) | CRI Group™ Chief Executive Officer

7th Floor, South Quay Building, 77 Marsh Wall, London, E14 9SH United Kingdom

t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com


References

  1. “Corruption Perceptions Index 2019,” Transparency International, 2020, <https://www.transparency.org/cpi2019> (accessed 10 Feb. 2020)
  2. “CPI 2019: Americas,” Transparency International, 23 Jan. 2020, <https://www.transparency.org/news/feature/cpi_2019_Americas> (accessed 10 Feb. 2020)
  3. Jaclyn Jaeger, “Microsoft to pay $25M in FCPA case,” Compliance Week, 23 July 2019, <https://www.complianceweek.com/anti-corruption/microsoft-to-pay-25m-in-fcpa-case/27446.article> (accessed 10 Feb. 2020)
  4. Michael Corkery, “A ‘Sorceress’ in Brazil, a ‘Wink’ in India: Walmart Pleads Guilty After a Decade of Bribes,” The New York Times, 20 June 2019, <https://www.nytimes.com/2019/06/20/business/walmart-bribery-settlement.html> (accessed 10 Feb. 2020)
  5. “SEC fines Juniper Networks more than $11.7 million to settle internal control violations,” Reuters, 28 Aug. 2019, <https://www.reuters.com/article/us-usa-sec-fcpa/sec-fines-juniper-networks-more-than-11-7-million-to-settle-internal-control-violations-idUSKCN1VJ2OD> (accessed 11 Feb. 2020)
  6. “U.S. Executive Sentenced to Prison for Role in Conspiracy to Violate Foreign Corrupt Practices Act,” U.S. Department of Justice, 14 May 2019, <https://www.justice.gov/opa/pr/us-executive-sentenced-prison-role-conspiracy-violate-foreign-corrupt-practices-act> (accessed 10 Feb. 2020)
  7. “ISO 37001:2016 Anti-Bribery Management Systems — Requirements with Guidance for Use,” ISO, <https://www.iso.org/standard/65034.html> (accessed 5 Aug. 2019)
  8. David Howard, “An update on Microsoft’s approach to compliance,” Microsoft, 7 Mar. 2017, <https://blogs.microsoft.com/on-the-issues/2017/03/07/update-microsofts-approach-compliance/> (accessed 17 Feb. 2020)


BS 7858:2019 playbook: everything you need to know and more!

Times are changing, and the resources required to conduct background searches and investigations have strained businesses worldwide. With a dramatic rise in business liability associated with hiring the wrong individuals and the increase in penalties imposed on companies that extend from C-suites to Boards of Directors, businesses are taking a closer look at the systems, procedures and resources utilised to screen potential job candidates. It is important to know that the BS 7858:2012 standard has been replaced with the new BS 7858:2019 standard. The British Standards Institution has released a new edition that brings the standard up to date and features many changes. BS 7858:2019 employee screening offers you the complete solution now.

In balancing the effectiveness and accuracy of a background screening investigation with the limited time normally allowed to conduct such a search, the onus falls chiefly on the screening firm and its ability to acquire timely information. The Global Community has become one collective hiring pool. Thanks to technology, a top candidate for a high-level position in one corner of the world might hail from a remote province on the opposite side of the globe. This poses a significant problem for organisations looking to acquire the best talent:

  • How can you be confident your candidate truly has the skills, credentials, knowledge and experience they claim to possess?
  • How can you be certain of that candidate’s integrity, background, and personal history?

BS 7858:2019 Playbook

The premise behind the standard is to safeguard employers from bad or fraudulent hires. The price of a bad hire has far-reaching consequences for any business, including productivity loss, decreased employee morale, risks to employee safety, increased exposure to costly negligent hiring claims, and potentially devastating litigation. Cases of organisations that forego conducting due diligence on a new hire – especially a hire with high-risk exposure – often end badly for those organisations. Due to COVID-19, times are changing, and the resources required to conduct background searches and investigations have strained businesses worldwide.

At CRI®, we know how important background screening is to your company’s success. To give you an idea of what is new, we have produced this playbook detailing the differences between the BS 7858:2012 standard and the new BS 7858:2019 standard.

Let’s Talk!

BS 7858:2019 accredited companies (such as CRI®) highlight to their clients that their security personnel are staff that can be trusted and relied upon to complete a high-quality job. The screening process highlights the level of conduct they have presented in the past. This reassures the safety of the people, goods, and property they have been hired to protect. If you have any further questions or are interested in implementing compliance solutions, please contact us.

Contact CRI® Group to learn more about its 3PRM-Certified™ third-party risk management strategy program and discover an effective and proactive approach to mitigating the risks associated with corruption, bribery, financial crimes and other dangerous risks posed by third-party partnerships.

About CRI® Group

Based in London, CRI® works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international provider of Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and is a partner with Oracle.

In 2016, CRI® launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI® Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.

Meet our CEO

Zafar I. Anjum is Group Chief Executive Officer of CRI®, a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre-DIFC, the Qatar Financial Center-QFC, and the Abu Dhabi Global Market-ADGM, CRI® safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI® maintains offices in UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, the USA, and the United Kingdom.

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime)

CRI® Group Chief Executive Officer

t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com

COVID-19: Fraudsters are preying on fear and confusion

In a time of crisis, we often see the best in people. Even before COVID-19 was officially classified by the World Health Organization (WHO) as a global pandemic, citizens and government leaders were praising the selfless sacrifice of doctors, nurses, first responders and others putting themselves in harm’s way to help treat and limit the spread of the disease. Unfortunately, a crisis can also bring out the worst in some people. Fraudsters who prey on people’s fear and confusion tend to waste no time when a global disaster strikes. COVID-19 is relatively new and still spreading, yet fraud schemes are multiplying like the virus itself as criminals look for vulnerabilities among a fearful population.

Interpol issued a warning on March 13 that fraudsters are “exploiting the fear and uncertainty” around COVID-19 through several different schemes utilizing different approaches. These include telephone fraud, through which “victims receive calls from criminals pretending to be medical officials, claiming a relative has fallen sick with the virus and then requesting payment for their treatment;” and phishing, in which “victims receive emails from criminals pretending to be from health authorities, or legitimate companies, using similar looking websites or email addresses” (Euronews, 2020).

While the public might be surprised to see an uptick in shameless fraud schemes during such a time, investigators are not. Disaster fraud is a common scourge of law enforcement and regulatory bodies everywhere. For example, in 2012, Hurricane Sandy devastated the Caribbean and eventually wreaked havoc upon the U.S. eastern seaboard. More than a hundred individuals in New Jersey alone were prosecuted for filing fraudulent applications for relief funding. Investigators in the southern U.S. launched similar actions after Hurricane Harvey in 2017.

Fraud that preys on the fearful or vulnerable is even more insidious. That’s what investigators are seeing right now as COVID-19 continues to spread. The Food and Drug Administration (FDA) and the Federal Trade Commission (FTC) recently issued warning letters to seven companies for selling fraudulent COVID-19 products. “These products are unapproved drugs that pose significant risks to patient health and violate federal law. The warning letters are the first to be issued by the FDA for unapproved products intended to prevent or treat ‘Novel Coronavirus Disease 2019’ (COVID-19)” (FDA, 2020). The FDA and FTC are taking this action as part of their response to protecting Americans during the global COVID-19 outbreak.

The FDA and FTC issued warning letters to Vital Silver, Quinessence Aromatherapy Ltd., Xephyr, LLC (doing business as N-Ergetics), GuruNanda, LLC, Vivify Holistic Clinic, Herbal Amy LLC, and The Jim Bakker Show. In some cases, colloidal silver was being fraudulently peddled as a successful treatment for preventing and/or curing COVID-19.

An article in New York Magazine provides an insightful look at various herbal and homeopathic “cures” that become a hot commodity at times of widespread illness. As the article points out, useless treatments aren’t simply harmless. They can have a seriously detrimental effect when they replace actual science: “Even without the looming threat of a pandemic, pseudoscientific cures can pose a real threat to the public. No scientific evidence supports the claim that homeopathy has curative properties, for example, and relying on unproven treatments without the assistance of conventional medicine can put a person’s health at risk. Some popular treatments, like colloidal silver, can actually be dangerous if consumed in enough quantities. Nevertheless, alternative medicine is a big market in the U.S. Americans spent $30 billion on alternative medicine in 2012; by the time COVID-19 appeared, people were already primed to trust dubious cures” (New York Magazine, 2020).

So how can the general public avoid frauds and phishing schemes during a crisis? Here are some things to keep in mind:

  • Be suspicious of emails that are peddling cures or medical devices. Don’t click links or open attachments.
  • When searching for information online, be aware of fake websites impersonating legitimate organisations. Check the web address carefully and don’t provide any personal information.
  • Follow the same rule for unsolicited phone calls – under no circumstances should you reveal any personal or financial information.
  • If you believe you have fallen for a scheme, contact your bank or credit card provider immediately.

Remember, fraudsters take advantage of a sense of panic among their victims that they have to take action immediately. Anyone (other than a legitimate government or medical official) who tries to pressure you to make a decision, especially a financial one, may try to scam you. Keep a cool head, do your research, and don’t panic. Businesses are not immune to such frauds, either. If you think your business has fallen prey to a scam, contact CRI® Group immediately. Our investigators are standing by to help prevent and detect such schemes.

Let us know if you would like to learn more

If you have any further questions or are interested in implementing compliance solutions, please contact us.

About us…

Based in London, CRI® Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international provider of Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2019 Certifications, is an HRO certified provider and is a partner with Oracle.

In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI® Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organizations. Contact ABAC® for more on ISO Certification and training.


MEET THE CEO

Zafar I. Anjum is Group Chief Executive Officer of CRI® Group (www.crigroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organizations. Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre (DIFC), the Qatar Financial Center (QFC), and the Abu Dhabi Global Market (ADGM), CRI® Group safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI® Group maintains offices in the UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, the USA, and the United Kingdom.

Contact CRI® Group to learn more about its 3PRM-Certified™ third-party risk management strategy program and discover an effective and proactive approach to mitigating the risks associated with corruption, bribery, financial crimes and other dangerous risks posed by third-party partnerships.

CONTACT INFORMATION

Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime) | CRI® Group Chief Executive Officer

37th Floor, 1 Canada Square, Canary Wharf, London, E14 5AA United Kingdom

t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com

Middle East Background Screening: Compliance With Privacy Laws

It’s a fact that some of the most talented and promising job candidates possess the most disturbing pasts. Such deception can lead to a perilous future for an employer. This is the primary reason businesses are strongly advised to conduct background screening investigations before hiring seemingly well-qualified managerial candidates.

In every region and jurisdiction in the world, there are different regulations that govern what background screeners can and can’t do in regards to providing pre- and post-employment screening services. The laws in the United States, for example, are not the same as those that affect investigations in the Middle East. Concerns over individual privacy and data protection are hot discussion items globally. Companies that engage background screening firms for the Middle East need to make sure those investigators are following all rules and regulations in regards to privacy – or else they might face liability along with the screening provider.

Examples of Privacy Laws in the Middle East

While reputable screening firms in the U.S. comply closely with the Fair Credit Reporting Act to conduct domestic background investigations, foreign investigations are much more complex.

Middle East countries have no prohibitive legislation that governs the employment screening process. At the same time, there is no cooperative legislation and regulation to support background screening services for employee due diligence. However, background screening industry professionals must adhere to strict data protection requirements (such as the GDPR and local Data Protection regimes, specifically the DIFC Data Protection, ADGM Data Protection and QFC Data Protection regulations) in order to process personal information on the basis of consent.

In the UAE, local police departments issue “Good Conduct Certificates” for employees for immigration purposes, while the Dubai International Financial Centre (DIFC) Data Protection Law allows the processing of sensitive personal information, such as criminal history, with the signed consent of the data subject for employee due diligence purposes.

In the United Arab Emirates, data protection laws therefore permit investigators to process sensitive personal information such as criminal history data, subject to consent. As a DIFC-licensed entity, Corporate Research and Investigations Limited (“CRI Group”), like other reputable background screening firms, must maintain strict adherence to the DIFC Data Protection Law in order to retain its DIFC licence. As in the United States, personal data in this region may only be obtained, and subsequently transferred outside the DIFC, with the written consent of the individual being investigated.

Reputable screening firms in the Middle East that fall under the GDPR (for example because they handle the data of EU-based clients or EU data subjects) also appoint an internal Data Protection Officer (DPO), whose primary responsibility is to monitor, and conduct independent audits of, the firm’s information processing operations that handle customer and employee data. The DPO ensures that personal data is handled in accordance with all relevant data protection provisions, covering both online and offline data procurement, while the firm complies with local and regional regulations on individual privacy.

The Urgent Need for Background Checks

While all guidelines and regulations must be followed, the need for comprehensive background screening in the Middle East cannot be disputed. The region has a labor force of over 150 million people serving in all capacities and industries (World Bank, 2019). Those statistics are quickly put into context when one considers that deception in the employment process, such as résumé fraud, is believed to be rampant and widespread: one report estimates that 80 percent of all job applicants intentionally mislead potential employers on their résumé or application (Security, 2017).

Case Study

To help understand the problem, consider this case study: An international company was hiring to fill a position in the Middle East. When it engaged a firm that specialises in pre- and post-employment background screening, the firm’s investigators uncovered disturbing details about an applicant. One of the individual’s previous employers reported that the applicant had been hired without any prior experience, trained for a couple of months, and then terminated for cash embezzlement and for participating in harassment and workplace violence. A second employment verification revealed a further termination, after he had caused a financial loss to that company.

In the above example, the screening firm uncovered the deception through comprehensive background screening that went beyond basic database checks and reviews of public records. In the Middle East, background investigations, for both pre- and post-employment screening, often require a “boots on the ground” approach: conducting much of an investigation literally on foot, travelling to remote regions to interview sources and check documents in person. The entire investigation was nevertheless conducted within all applicable privacy laws and regulations.

Some job candidates will seek an advantage through fraudulent means. The hidden truth might even include criminal behavior. It is important for any organisation to verify information provided by individuals they seek to hire. In the Middle East, this process will often look different than it would in the U.S. By following all local laws and regulations, however, a reputable background check firm will be helping to protect your company – while also safeguarding your future.

Let’s Talk!

If you have any further questions or interest in implementing compliance solutions, please contact us.

About the Author

Zafar Anjum | Group Chief Executive, CRI Group

Anjum is founder and CEO of CRI Group and ABAC Center of Excellence. Having dedicated three decades to the areas of fraud prevention, protective integrity, security, compliance, anti-bribery and anti-corruption, Zafar Anjum is a highly respected professional in his field.

How to demonstrate “Adequate Procedures” in Malaysia?


“Adequate procedures” in Malaysia refers to the defence available to a commercial organisation under Section 17A of the MACC Act, and to the guidelines on adequate procedures issued by the Malaysian Anti-Corruption Commission (MACC) that explain what such procedures should contain. The term was made popular by the UK Bribery Act 2010. It gives a company the possibility of avoiding liability for failing to prevent bribery if the organisation can fully demonstrate clear, sound and established policies and procedures that deter individuals (inside and outside the organisation) from engaging in questionable or corrupt conduct.

Malaysian National Anti-Corruption Plan 2019-2023

Under Section 17A(3) of the Malaysian Anti-Corruption Commission Act, if a commercial organisation is found liable under the corporate liability provisions, a person who is a director, controller, officer or partner of the organisation, or who is concerned in the management of its affairs at the time of the offence, is deemed to have committed that offence unless he can prove that the offence was committed without his consent or connivance, and that he exercised the due diligence to prevent it that he ought to have exercised, having regard to the nature of his function in that capacity and the circumstances.

Hence, a company needs to put in place “adequate procedures” as a defence in case corruption by an associated person is proven. The MACC has issued guidelines on what constitutes “adequate procedures.” The National Anti-Corruption Plan, launched by Tun Dr Mahathir bin Mohamad, Prime Minister of Malaysia, on 29 January 2019, includes initiative 2.1.3, which seeks:

“To introduce Anti-Bribery Management System (ABMS) MS ISO 37001 certification in all Government agencies” within two years (January 2019 to December 2020).

The Plan further states, in initiative 6.2.4:

“To propose Anti-Bribery Management System (ABMS) MS ISO 37001 certification as a requirement for State-Owned Enterprises (SOEs), Companies Limited By Guarantee (CLBG) and the private sector to bid for Government contracts”.

To comply with these guidelines and to prove “adequate procedures”, public and private sector organisations should undertake the ISO 37001 certification process, which provides assurance that the organisation has established, implemented, maintained, reviewed and improved its Anti-Bribery Management System.

State of Corruption in Malaysia

In Malaysia, apathy and ignorance towards bribery and corruption in your business will personally cost you. Malaysia’s seemingly never-ending battle against bribery and corruption took a decidedly different turn on 1 June 2020, when measures came into effect that place on corporations and other organisations, along with their directors, controllers and senior management, the burden of proving that they had adequate procedures in place when an employee or third-party partner is found to have engaged in corrupt activity. That burden of proof means that corporations have to demonstrate effectively that policies and procedures are firmly in place that deter, detect and defend against incidents of bribery at all levels of the organisation.

While a large part of the political and economic universe still believes that engaging in some form of corruption is the only way to survive and advance, many countries are now taking drastic measures to root out corruption, and Malaysia is rushing to the forefront of that trend. Currently ranked 51st out of 180 countries on Transparency International’s Corruption Perceptions Index (2019), with a score of 53 (where 0 is perceived to be highly corrupt and 100 very clean), the Malaysian government emerged from the highly publicised 1MDB financial scandal on high alert and with a firm resolve to adopt tough anti-corruption legislation as one of its main priorities.

The result was the empowerment of the Malaysian Anti-Corruption Commission (MACC) under the MACC Act 2009, which addresses corruption at both the political and the private sector level. Parliament’s subsequent amendment, Section 17A, was added in 2018; it brought the legislation close to the UK Bribery Act but added a “parallel” element of personal criminal liability in corporate bribery cases. That is where business organisations need to take notice and take immediate action.

Demonstrating “Adequate Procedures” through ISO 37001 Certification

ISO 37001 Anti-Bribery Management System is an internationally accepted standard that specifies the measures an organisation should implement to prevent bribery and to detect and report any bribery incident that occurs. The standard requires organisations to implement these measures on a reasonable and proportionate basis according to the type and size of the organisation and the nature and extent of the bribery risks it faces. It applies to small, medium and large organisations in the public and private sector and can be implemented in any country. Though it will not provide absolute assurance that bribery will completely cease, the standard can help establish that the organisation has in place reasonable, proportionate and adequate anti-bribery procedures.

ABAC® Center of Excellence Limited is fully accredited as a Conformity Assessment Body (Certification Body) to assist your organisation in attaining ISO 37001 certification through a thorough bribery risk assessment and an audit covering the entire scope of the standard. The audit methodology is evidence-based: any issue raised is confirmed through adequate evidence discovered by the ABAC® Certification team during the audit. The auditing techniques take a risk-based approach to examining your organisation’s Anti-Bribery Management System (ABMS), and the ABAC® Certification team increases the depth of examination if it determines that a specific process presents a higher risk. Findings are graded by impact and severity (for example negligence, minor, major or critical) during the audit.

A separate audit method is the process-based approach, in which ABAC® Certification examines the organisation’s processes while considering the interaction between those processes. Finally, there is the sampling-based approach, in which ABAC® Certification applies an appropriate sampling plan, drawing samples from different ABMS processes to support the audit findings and conclusions.

The audit is extremely thorough in its approach, and it results in accredited certification for the scope of the ISO 37001 Anti-Bribery Management System. Because of the standard’s international acceptance and the thoroughness of the audit process, such certification can provide a valuable safeguard in demonstrating an “adequate procedures” compliance defence in cases where a company faces liability for failing to prevent bribery. From an FCPA perspective, certification may provide tangible evidence that a compliance program was in place at the time of the alleged bribery. From a UK Bribery Act perspective, the certification could provide the company with prima facie evidence, presented by an accredited certification body, attesting to the establishment and effectiveness of the organisation’s compliance program. Notably, alongside Section 17A of the MACC Act, Malaysia’s National Anti-Corruption Plan 2019-2023 proposes ISO 37001 certification as a requirement for State-Owned Enterprises, Companies Limited By Guarantee and private sector companies bidding for Government contracts.

There is a strong likelihood that ISO 37001 Anti-Bribery Management System will continue to set the pace for a globally recognised “adequate procedures” standard for corporations embroiled in corruption litigation proceedings. But for now, the most powerful “insurance” tool that public and private sector organisations can use in their defence strategy is ISO 37001 ABMS certification.


About CRI Group

Based in London, CRI Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international provider of Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 certifications, is an HRO certified provider and is a partner with Oracle.

In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.

MACCA’s Corporate Liability Provisions are in place

Malaysia is taking a further step against corruption with the new corporate liability provisions of the Malaysian Anti-Corruption Commission (Amendment) Act 2018, which come into force in June 2020. The measure has been compared to the UK Bribery Act 2010 and the U.S. Foreign Corrupt Practices Act (FCPA) of 1977 (The Star, 2019). Section 17A of the MACC Act will enable the prosecution of individuals accused of corruption, not only organisations. Under the provisions, an organisation’s “directors, controllers, officers, partners, or managers are deemed to have committed the same offence, which carries a maximum penalty of a fine of not less than 10 times the value of the gratification or RM1 million, whichever is higher, and 20 years’ jail unless the firm is able to prove that it had in place procedures designed to prevent corrupt practices. The provision is modelled after the United Kingdom’s Section 7 of the Bribery Act 2010, which is widely regarded as ‘the toughest anti-corruption legislation in the world’” (New Straits Times, 2019). Perhaps it is no coincidence that Malaysia improved by six points and jumped 10 places to 51st in Transparency International’s 2019 Corruption Perceptions Index (CPI). The CPI “measures public sector corruption including bribery, diversion of public funds, use of public office for private gain, and nepotism in the civil service” (Free Malaysia Today, 2020).

The change in law and perception meets popular demand in Malaysia, where the 1MDB case became the defining bribery scandal in the region. Malaysia’s state-owned investment fund, 1MDB, was supposed to attract foreign investment. Instead, it “spurred criminal and regulatory investigations around the world that have cast an unflattering spotlight on financial deal-making, election spending and political patronage under former Prime Minister Najib Razak. The figures are mind-boggling: a Malaysian parliamentary committee identified at least $4.2 billion in irregular transactions related to 1MDB. In May, Najib was ousted from power in a general election as the scandal fueled a voter backlash that ended his party’s 61 years of rule. As the investigations continue, Najib faces trial on corruption charges and U.S. prosecutors have implicated at least three senior Goldman Sachs Group Inc. bankers in a multiyear criminal enterprise” (Bloomberg, 2018).

The 1MDB scandal also demonstrated, however, that investigation and enforcement were stepping up in the face of public outrage. The MACC Act 2018 gave regulators more teeth in the fight against corruption in the country. At the ABAC Summit in Kuala Lumpur, organised by CRI Group, Mohd Nur Lokman bin Samingan, Assistant Commissioner at the Malaysian Anti-Corruption Commission, said that some of the MACC Act’s provisions are meant “to encourage business and commercial activities being carried out in a corruption-free environment; to encourage all commercial organisations to take adequate measures in order to prevent corruption in their respective organisations; and to promote better corporate governance and legal compliance by requiring corporations to take proactive roles in preventing corruption.”

Demonstrating “adequate procedures” with ISO 37001 certification

Now more than ever it is critical that organisations undergo a program of compliance and demonstrate “adequate procedures” through certification to the ISO 37001:2016 Anti-Bribery Management Systems standard. ISO 37001 is an established, tried and tested framework that provides a comprehensive program for preventing bribery and corruption. It can be tailored to organisations of all sizes and industries, and certification requires demonstrating that processes have been implemented effectively, with follow-up evaluations. The new corporate liability provisions of the MACC Act are an important step in safeguarding Malaysia’s economy and investments.

It is crucial to trust your anti-bribery and compliance strategies to accredited ISO 37001 certification providers. CRI Group’s ABAC® has recently announced that the United Kingdom Accreditation Service (UKAS) has accredited its ABAC Certification services for certifying against the ISO 37001:2016 Anti-Bribery Management Systems standard. ABAC® provides ISO 37001:2016 anti-bribery management systems certification for all types of organisations across the globe that implement the prescribed measures to prevent, detect and address bribery. Accordingly, UKAS has accredited ABAC Center of Excellence Limited in the UK, Malaysia and the UAE for ISO 37001:2016 Anti-Bribery Management Systems (ABMS) certification in accordance with ISO/IEC 17021-1:2015, the conformity assessment requirements for bodies providing audit and certification of management systems.

Trust ABAC®, your accredited certification provider in Malaysia, to comply with the requirements of Section 17A of the Malaysian Anti-Corruption Commission Act (MACCA 2018) with confidence. To learn more about how the ABAC Center of Excellence can help tailor an ISO 37001 certification program to your organisation, contact ABAC Center of Excellence Limited today.

Building a Resilient and Defensible Third-Party Risk Management Compliance Program

Third-Party Risk Management Compliance Program:

Does your business have a Third-Party Risk Management (TPRM) Compliance Program? Are you establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business?

It is highly probable that, at some point, organizations that affiliate with outside providers will have to deal with an operational interruption resulting from third-party related issues and inappropriate conduct. The risks involved in partnering with outsiders have not changed over the centuries; it is the potential liability that has been ratcheted up several notches. International borders have come down and technology has changed the way businesses communicate.

Easy access to data and information enables the media to report on business news before a business can properly respond. And the markets are quick to form opinions based on a 24/7 on-demand news cycle. The result of this increased liability is problematic. Business litigation has skyrocketed. Corporate reputations are constantly being assaulted. Business strategies are forever shifting. Board members are increasingly subjected to intense scrutiny from outside critics, and a highly educated market responds immediately with their pocketbooks.


Discover How to Demonstrate a Resilient and Defensible Third-party Risk Management Compliance (TPRM) Program with 3PRM™ Services

CRI® Group has a network of local subject specialist operatives across the Middle East, Europe, South America and Asia who offer enhanced integrity due diligence as a pre-emptive measure against:

  • Experiencing financial loss when a third-party provider fails.
  • Losing customers because of poor-quality service from a third party.
  • Suffering breaches of data systems because of poor information security practices by a third party.
  • Experiencing supply chain issues due to poor disaster recovery procedures at the third party.
  • Being exposed to litigation because an outside provider significantly violated contractual terms, potentially resulting in regulatory exposure.

For organizations working with third-party providers, CRI® Group designed a solution: 3PRM-Certified™. This proactive approach combines Integrity Due Diligence, Enhanced Due Diligence and Anti-Bribery and Anti-Corruption Compliance Solutions (incorporating accredited ISO 37001 Anti-Bribery Management System certification and training) to mitigate the risks involved in third-party affiliations and protect the organization from liability, business interruption and brand damage.


3PRM-Certified™ A Third-party Compliance Verification and Certification Program

As the risk of data breaches and supply chain disruption continues to rise with COVID-19, so does the need for effective third-party risk management (TPRM) programs. Whether you are a TPRM professional looking for a certification to advance your skillset, or the leader of an organization considering how to better equip your team with the best knowledge and skills, the 3PRM-Certified™ program is an all-in-one solution.

Our 3PRM™ service is flexible, and we tailor our scope to address an organization’s specific concerns and risk areas. Our extensive solutions include due diligence, employee pre- and post-background screening, business intelligence and compliance, facilitating any decision-making across your business no matter what area or department. Get ahead of any potential problems down the road with suppliers, contractors, and other third-party partners. Contact CRI® Group today and learn more about our third-party due diligence and risk management solutions.

CRI® Group’s exclusive 3PRM-Certified™ solution provides the very best in third-party risk management. Our 3PRM-Certified™ program provides a proactive approach to mitigating risks from third-party affiliations, protecting the organization from liability, brand damage and harm to the business. The 3PRM-Certified™ program includes a focus on the following:

  • Providing third-party risk assessments
  • Meeting contracting requirements
  • Conducting due diligence
  • Identifying potential fraud risks
  • Providing management oversight

Drawing on a network of trained professionals positioned across five continents, CRI Group’s 3PRM services use one of the largest multi-national fraud investigation teams the industry has to offer. The 3PRM-Certified™ program is especially critical when your business is performing pre-merger and acquisition research or pre-IPO due diligence, engages new clients, employs, contracts or retains foreign business partners, or requires a consistent and audit-worthy AML and anti-corruption compliance program.

This TPRM program will help organizations establish the legal compliance, financial viability and integrity of outside partners, suppliers and customers seeking to affiliate with your business. Third-party relationships are critical in business today and include partnerships with suppliers, distributors, consultants, agents and other contractors. While such affiliations are essential to the success of your organization, the consequences of inadequate due diligence cannot be overstated.


Inadequate Procedures: a regulatory example

December 2013: the UK Financial Conduct Authority (FCA) fined a firm over US$2.8 million for failing to have in place appropriate checks and controls to guard against the risk of bribery or corruption when making payments to overseas third parties, breaching the FCA’s principle on management and control. Between 19 February 2009 and 9 May 2012, the organisation received almost $33 million in gross commission from business provided by overseas introducers and paid them over $18 million in return.

Inadequate systems around these payments created an unacceptable risk that overseas introducers could use the payments for corrupt purposes, including paying bribes to people connected with the insured clients and/or to public officials.

Regulatory action is not a US or UK phenomenon alone but is increasingly becoming a global issue. Regulatory thinking around third-party risks in some other jurisdictions is highlighted below:

  • Singapore: The Monetary Authority of Singapore (MAS) has stated that it “is particularly interested in material outsourcing which, if disrupted, has the potential to significantly impact an institution’s business operations, reputation or profitability and which may have systemic implications.”
  • Australia: The Australian Prudential Regulatory Authority (APRA) aims to ensure that all outsourcing arrangements involving material business activities entered into by a regulated institution are subject to appropriate due diligence, approval, and ongoing monitoring.
  • Hong Kong: The Hong Kong Monetary Authority (HKMA) states that institutions “should not enter into, or continue, any outsourcing arrangements [that] may result in their internal control systems or business conduct being compromised or weakened after the activity has been outsourced.” – Source: Deloitte Report

Let’s Talk! If you have any further questions or interest in implementing compliance solutions, please contact us.


10 Ways to Maintain GDPR Compliance

In 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) came into force. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As this data was exposed both by hackers and, in some cases, simply through poor security measures, the governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of GDPR held some uncertainty for organisations subject to its requirements, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: violators of the GDPR may be fined up to €20 million or up to 4 percent of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (European Commission, 2020; GDPR.eu, 2020). At CRI Group, our integrity due diligence experts are trained in helping organisations achieve and maintain compliance with GDPR. Our leading risk management and compliance agents provide the following top 10 GDPR best practices for any business or entity that collects, stores or uses personal information:


1. Employ a Data Protection Officer (DPO)

It is a GDPR requirement that public authorities, entities that carry out regular and systematic monitoring of individuals on a large scale, and entities that carry out large-scale processing of special categories of data have an assigned DPO. It is also recommended for all other entities as a way to strengthen data security. While the GDPR does not specifically list the training or qualifications a DPO must have, the regulation does require the DPO to have “expert knowledge of data protection law and practices” (Digital Guardian, 2019). Screen DPO candidates thoroughly and make sure the person appointed is trained and qualified for the role.

2. Train your employees

Ensure that all personnel are aware of the GDPR and of your organisation’s commitment to compliance. Make sure that all leaders, and especially key personnel charged with collecting, handling or storing data, understand their responsibilities under GDPR. Make data protection training a regular part of your employee curriculum.

3. Confirm the legality of your data collection

GDPR requires that you have a legal basis to collect personal data. For most businesses, the following are the most likely to be applicable:

  • The information is necessary to perform a contract between the organisation and the individual;
  • You have a legal obligation to process the data (such as a court order);
  • The organisation has a legitimate interest in collecting and processing the data – in other words, there needs to be a relationship and a business reason to collect the data (it cannot be random);
  • The individual has provided direct consent to the processing of the data.

4. Maintain thorough records

For larger organisations (more than 250 employees), the GDPR requires that records of data collection and processing be maintained. This is also a best practice for smaller organisations, as it can help establish that the organisation is dutifully complying with the data protection principles in the GDPR. Take inventory and make a record of the data you have collected and are storing to date. Create a detailed matrix to understand what types of data you are holding, where and how it was collected, how and where it is held, and whether it is still needed. Based on this information, you can also develop a data-retention policy to govern how long personal data is kept and stored. Keeping data on file longer than needed is a liability and serves no business purpose.
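The inventory matrix and retention policy described above can be kept as a machine-checkable record rather than a spreadsheet that nobody re-reads. The following is an added example, not CRI Group’s code or a tool the page describes: it holds one inventory entry per dataset (what is held, where and how it was collected, where it is held, the lawful basis, and a retention period), and reviews the inventory for entries that have no recognised lawful basis, have outlived their retention period, or are no longer needed. The field names, retention periods, review date and sample datasets are constructed assumptions; the four lawful-basis labels map to the four bases listed in point 3.

```python
"""Record of processing with retention review (added example, not CRI Group's code).

Field names, retention periods and the sample inventory are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# The four lawful bases listed in point 3, as short labels (assumed naming).
LAWFUL_BASES = {"contract", "legal_obligation", "legitimate_interest", "consent"}


@dataclass(frozen=True)
class InventoryEntry:
    dataset: str           # name of the dataset held
    data_types: tuple      # categories of personal data it contains
    source: str            # where/how the data was collected
    location: str          # where it is held
    lawful_basis: str      # one of LAWFUL_BASES
    collected_on: date     # date of collection (start of the retention clock)
    retention_days: int    # retention period set by policy
    still_needed: bool     # does it still serve a business purpose?


def retention_deadline(entry: InventoryEntry) -> date:
    """Date after which the entry's data should have been deleted or anonymised."""
    return entry.collected_on + timedelta(days=entry.retention_days)


def review_inventory(entries, today: date):
    """Return (dataset, issue) pairs for every entry that needs attention.

    Issues are reported in a fixed order per entry so the output is stable and
    can be diffed between reviews.
    """
    issues = []
    for e in entries:
        if e.lawful_basis not in LAWFUL_BASES:
            issues.append((e.dataset, "no recognised lawful basis"))
        if today > retention_deadline(e):
            issues.append((e.dataset, "retention period exceeded"))
        if not e.still_needed:
            issues.append((e.dataset, "no longer needed"))
    return issues


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    InventoryEntry("customer_orders", ("name", "postal address"), "web checkout form",
                   "EU order database", "contract", date(2020, 6, 1), 365, True),
    InventoryEntry("marketing_list", ("email",), "newsletter sign-up",
                   "CRM export", "consent", date(2019, 1, 15), 730, False),
    InventoryEntry("legacy_export", ("name", "phone"), "unknown spreadsheet",
                   "shared drive", "convenience", date(2020, 12, 1), 90, True),
]
REVIEW_DATE = date(2021, 3, 1)  # constructed review date


if __name__ == "__main__":
    for dataset, issue in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE):
        print(f"{dataset}: {issue}")
```

On the constructed sample, the review flags the expired and unneeded marketing list and the legacy export that was never assigned a lawful basis, while the current order data passes; an entry whose deadline falls on the review date is not yet reported, which is the behaviour a retention schedule normally wants.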

5. Establish consent policies for data

For some of your records, consent is your lawful basis for holding it. Under GDPR, it is no longer acceptable to assume consent in your collected data, or treat silence as consent. Create clear and unambiguous consent forms for your data collection that demonstrate adherence to GDPR principles. And remember, under GDPR, you must make it a simple process for an individual to withdraw their consent at any time.

6. Perform due diligence on third-parties

Under GDPR, your organisation is responsible if third-party partners collect, store or manage data for your organisation. You must ensure their compliance with GDPR as if it is your own, since they are responsible for your data. This is the time to update your contracts with them to include compliance measures, as needed. It is also important that you review their control systems and their data handling processes. They must be comprehensive and meet all of the GDPR requirements to keep data secure. CRI Group’s third-party risk management experts can help you conduct effective reviews of your partners and their processes.

7. Be responsive

Under the GDPR, your organisation must respond to requests from individuals whose data you have collected and/or are storing. These requests are spelled out as individuals’ rights regarding their personal data, and they include the following:

  • Right to be informed about what data is collected and why;
  • Right of access to data that has been collected;
  • Right to rectification/correction of inaccurate data;
  • Right to erasure of data (“right to be forgotten”);
  • Right to restrict processing of personal data;
  • Right to data portability;
  • Right to object to use of data; and
  • Right not to be subject to automated decision making, including profiling.

Have a process in place to respond to requests promptly and provide data when requested, in order to stay in compliance.

8. Have written policies in place

Develop your internal policies regarding the GDPR and how you protect personal data, and communicate them across your organisation. Take special care to spell out policies on data retention, cross-border processing of data, and how you collect and handle data for persons under the age of 16, as the GDPR has special requirements regarding children’s data.

9. Conduct risk assessments

The GDPR requires Data Protection Impact Assessments in certain cases. These assessments measure your organisation’s ability to protect personal data and the risks associated with that protection. If your data processing is considered high-risk, uses new technology, or involves large-scale processing of data in certain categories, the assessments are required – but for any organisation, they are recommended. Data protection experts at an outside firm like CRI Group can help you prepare robust risk assessments and follow-up plans to address their results.

10. Be prepared for a breach

A worst-case scenario in data security is a breach that exposes personal information. Under the steps above, your organisation should be well positioned to prevent or limit any breach of your data security. However, you should always have a contingency plan in place to respond immediately to a breach should it occur. Understand that the GDPR requires that the applicable EU data protection supervisory authority be notified within 72 hours of a breach. Gone are the days when a company could announce it weeks or even months after the fact. Be ready to notify the affected individuals that their data has been compromised, so that they can take the appropriate steps to respond.

Organisations don’t like to think about the impact of a data breach – but major cases have pushed governments to act in the public’s interest. Perhaps nowhere is this more true than in the EU, where the GDPR is now the governing policy for organisations that deal with individuals’ personal data. By being proactive with the steps above, your organisation can be better prepared and maintain compliance with the GDPR. Most importantly, you will have the confidence and trust of your consumers through effective best practices in handling and protecting their data. CRI Group’s experts are here to help. Contact us today so that we can walk you through the steps of GDPR compliance.
Let’s Talk!

If you have any further questions or interest in implementing compliance solutions, please contact us.

CRI Group has safeguarded businesses from risks by providing investigations (e.g. insurance fraud), employee background screening, investigative due diligence, business intelligence, third-party risk management, forensic accounting, compliance and other professional investigative research services. In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. Contact ABAC® for more on ISO certification and training.

Create a zero-tolerance approach to fraud with ISO 37001 ABMS

Zero tolerance for fraud: how can ISO 37001 ABMS help?

Smart business leaders know that “Tone at the Top” is a critical factor in an organisation’s culture. The behaviour and attitudes exhibited by those at the top of the chain set an example for the rest of the staff to follow. This couldn’t be more true when it comes to ethical standards. If a company is lax and tolerant toward unethical behaviour, it sends a confusing message to employees and actually encourages damaging habits.

When a company creates a zero-tolerance environment for fraud and corruption, the opposite is true: employees understand that ethical behaviour is the norm. Anything outside of those bounds will be punished – perhaps with the loss of their job or even prosecution.

Creating a zero-tolerance approach to fraud doesn’t happen overnight. When your organisation enrols in ISO 37001 ABMS training and certification, the program involves your entire team.

The training helps establish an ethical culture by educating your employees on the following:

  • What constitutes fraud, corruption, and bribery, and why these are so damaging to business
  • How to identify red flags of fraud, corruption and bribery
  • The process for reporting fraudulent and unethical acts
  • The organisation’s zero-tolerance attitude toward unethical behaviour and willingness to terminate employees for breaches and prosecute unethical acts
  • The serious ramifications for committing fraud or bribery, the legal consequences, and the negative impact on one’s career

Employees shouldn’t be expected to follow a code of conduct that they aren’t aware exists. That’s why ISO 37001 ABMS creates a communication plan through which organisation leaders regularly communicate their ethical behaviour expectations to staff.

The anti-fraud and anti-corruption controls established by ISO 37001 ABMS also apply to personnel at all levels of the organisation. When employees see that higher-level executives are subject to the same ethical standards as the individual at the lowest level of the flow chart, they understand that the organisation is serious about its commitment to having an ethical workplace free of fraud, corruption and bribery. That’s Tone at the Top.

ISO 37001 Anti-Bribery Management Systems

Set the tone in your workplace today. Sign your company up for our ABAC®’s ISO 37001:2016 Training and Certification and create a zero-tolerance atmosphere toward fraud, corruption, and bribery to build credibility and help your organisation be ethical and successful.

ISO 37001:2016 Anti-Bribery Management System certification is offered under CRI Group’s ABAC® Centre of Excellence, an independent certification body established to provide certification and training in ISO 37001 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000 Risk Management. The ABAC® ISO program is specifically tailored to your organisation’s needs and requirements. For assistance in developing and implementing a fraud prevention strategy, contact ABAC® or get a free quote now.

Free Gap Analysis of Highest Ethical Business Assessment (HEBA)

We welcome you to have a free Gap Analysis of Highest Ethical Business Survey – and prove that your business is ethical. Complete our free Highest Ethical Business Assessment (HEBA) and evaluate your current Corporate Compliance Program.

Find out if your organisation’s compliance program aligns with worldwide Compliance, Business Ethics, Anti-Bribery and Anti-Corruption Frameworks. Let ABAC® experts prepare a complimentary gap analysis of your compliance program to evaluate if it meets “adequate procedures” requirements under the UK Bribery Act, DOJ’s Evaluation of Corporate Compliance Programs Guidance and Malaysian Anti-Corruption Commission.

The HEBA survey is designed to evaluate your compliance with adequate procedures to prevent bribery and corruption across the organisation. This survey is monitored and evaluated by qualified ABAC® professionals with Business Ethics, Legal and Compliance background. The questions are open-ended to encourage a qualitative analysis of your Compliance Program and facilitate the gap analysis process.

About CRI Group

Based in London, CRI Group works with companies across the Americas, Europe, Africa, the Middle East and Asia-Pacific as a one-stop international provider of Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 certifications, is an HRO certified provider and a partner with Oracle.

In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.

Due Diligence: 4 Red Flags of Collusion

One of the many schemes that can cause serious legal and financial consequences is collusion in business. While some business leaders might wonder what separates collusion from other types of fraud and how to identify it, there is one key factor: secrecy.

Collusion involves at least two parties (sometimes more) who collaborate to deceive others, usually for financial or market gain. Due to its secretive nature, collusion can be difficult to detect and weed out. This poses a serious problem because the consequences of noncompliance for an organisation are often severe.

According to the Wall Street Journal, the U.S. Department of Justice (DOJ) is “preparing to tackle competition issues in several important markets, including alleged price-fixing in the generic-drug industry, rules for music licensing and purported employer collusion that limits options for sought-after workers” (Wall Street Journal, 2020). Indeed, these are the types of schemes most often associated with collusion. Price fixing, for example, is a global problem found in many different industries. However, it’s important to note that collusion is just as common at the local level – for example, where contractors regularly bid to provide goods or services. Sometimes competitors will engage in collusion by making secret arrangements to rotate bids or share bid details to artificially inflate prices.

In one recent case, the branch manager for a U.S.-based insulation contractor pleaded guilty in a scheme to rig bids and commit other forms of fraud on insulation contracts. The DOJ had launched an investigation into the branch manager’s actions from 2011 to 2018, finding that he “conspired with other insulation installation contractors to rig bids and engage in fraud on insulation installation contracts in Connecticut, New York, and Massachusetts. Insulation installation contractors install insulation around pipes and ducts on renovation and new construction projects at universities, hospitals, and other public and private entities. In addition to his guilty plea, DeVoe has agreed to pay restitution” (DOJ, 2020). “Free and open markets are the foundation of a vibrant economy. For years, the defendant illegally coordinated bids on construction projects to enhance his profits, eliminate competition, and ultimately steal from public and private customers,” said Brian C. Turner, Special Agent in Charge of the FBI’s New Haven Field Office.

The DOJ noted in its press release that this crime hurt the hospitals, universities and businesses that solicit and pay for the contractor’s services under the expectation that the bidding process is fair and above board, not rigged to benefit a contractor at their expense. The money lost in such schemes (through paying inflated contracts) often represents taxpayer dollars. The fact that the collusion in this case lasted for at least seven years indicates that tens of thousands of dollars (or more) were likely lost through fraud.

So, what can organisations do to be better protected from collusion schemes – whether from inside their own company or perpetrated against them by outside partners/contractors? While collusion is secretive by its very nature and can be difficult to detect, red flags can indicate that something might be amiss. CRI® Group’s integrity due diligence experts are specially trained to uncover collusion in all its forms, and they describe the following as some of the signs to watch for when dealing with competitive bid contracts:

A high percentage of awards go to the same company

If a single bidder is winning most of the contracts for a particular set of goods or services, there might be something wrong, even though several other contractors are involved in the bidding. This is especially true if there are any issues or complaints around the bidder, such as poor-quality products or services, late delivery on their contracts, etc.

Lowest bidders are not winning awards

If contracts are consistently going to bidders other than the lowest bidder, this might warrant further investigation, as most contracts are considered “low bid” and would reasonably go to the lowest bidder. Also, if there is a higher-than-average range or spread between bidders, that could signal that something is off.

There is a high number of late bidders

Late bids can be a sign of collusion if bidders, or an agent at the organisation soliciting bids, are sharing bid information – such as the highest bid (so far) in an award process. This is especially true when the winning bidder is consistently the last one to submit a bid. If late bids are being accepted regularly, you need to know why.

Bidders share (or have similar) names, addresses, or other information

This is an obvious red flag. In some cases, bids from two different contractors have been submitted from the same fax machine! This indicates that parties might be colluding in their bid submissions, and you need to look further.
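The four red flags above are all questions that can be asked of a bid register. The following is an added example, not CRI Group’s code or any tool the page describes: it screens a constructed set of bid records for award concentration, awards that did not go to the lowest bidder, late bids (and whether the last bidder to submit keeps winning), and bidders that share an address. The bidder names, amounts, submission days, addresses and the 60 percent concentration threshold are constructed assumptions; a real review would set the thresholds from the organisation’s own bid history.

```python
"""Bid-register screening for the collusion red flags (added example, not CRI Group's code).

All bidders, amounts, dates and addresses below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Bid:
    contract: str
    bidder: str
    amount: int
    address: str        # contact address as written on the bid
    submitted_day: int  # day the bid arrived (constructed ordinal day number)
    deadline_day: int   # submission deadline for the contract
    awarded: bool       # True for the bid that won the contract


def _by_contract(bids):
    groups = defaultdict(list)
    for b in bids:
        groups[b.contract].append(b)
    return groups


def award_concentration(bids):
    """Red flag 1: share of awards won by each bidder."""
    awards = Counter(b.bidder for b in bids if b.awarded)
    total = sum(awards.values())
    return {bidder: n / total for bidder, n in awards.items()} if total else {}


def awards_not_to_lowest(bids):
    """Red flag 2: contracts whose winning bid was higher than the lowest bid."""
    flagged = []
    for contract, cbids in _by_contract(bids).items():
        winner = next((b for b in cbids if b.awarded), None)
        if winner is not None and winner.amount > min(b.amount for b in cbids):
            flagged.append(contract)
    return sorted(flagged)


def late_bid_pattern(bids):
    """Red flag 3: late bids, late bids that won, and how often the last bidder won."""
    groups = _by_contract(bids)
    late = [b for b in bids if b.submitted_day > b.deadline_day]
    last_wins = sum(1 for cbids in groups.values()
                    if max(cbids, key=lambda b: b.submitted_day).awarded)
    return {"late_bids": len(late),
            "late_bids_awarded": sum(1 for b in late if b.awarded),
            "contracts_won_by_last_bidder": last_wins,
            "contracts": len(groups)}


def shared_contact_details(bids):
    """Red flag 4: groups of bidders whose addresses match after normalisation."""
    def normalise(addr):
        return re.sub(r"[^a-z0-9]", "", addr.lower())
    groups = defaultdict(set)
    for b in bids:
        groups[normalise(b.address)].add(b.bidder)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def screen(bids, concentration_threshold=0.6):
    """Run all four checks and return human-readable findings (empty list = nothing flagged)."""
    flags = []
    for bidder, share in award_concentration(bids).items():
        if share >= concentration_threshold:
            flags.append(f"{bidder} won {share:.0%} of awards")
    not_lowest = awards_not_to_lowest(bids)
    if not_lowest:
        flags.append("award not to lowest bidder on " + ", ".join(not_lowest))
    late = late_bid_pattern(bids)
    if late["late_bids_awarded"]:
        flags.append(f"{late['late_bids_awarded']} late bid(s) won; last bidder to submit won "
                     f"{late['contracts_won_by_last_bidder']} of {late['contracts']} contracts")
    for group in shared_contact_details(bids):
        flags.append("shared address between " + " and ".join(group))
    return flags


# Constructed bid register: four bidders, five contracts, deadline is day 5 unless noted.
A, B, C, D = "Alpha Insulation", "Beta Mechanical", "Gamma Ducts", "Delta Contracting"
SAMPLE_BIDS = [
    Bid("C1", A, 100, "12 Harbour Rd", 1, 5, True), Bid("C1", B, 110, "4 Mill Lane", 2, 5, False),
    Bid("C1", C, 120, "12 harbour rd.", 3, 5, False),
    Bid("C2", A, 95, "12 Harbour Rd", 6, 5, True), Bid("C2", B, 90, "4 Mill Lane", 2, 5, False),
    Bid("C2", C, 105, "12 harbour rd.", 3, 5, False),
    Bid("C3", A, 200, "12 Harbour Rd", 7, 5, True), Bid("C3", B, 190, "4 Mill Lane", 4, 5, False),
    Bid("C4", B, 50, "4 Mill Lane", 1, 5, True), Bid("C4", A, 55, "12 Harbour Rd", 2, 5, False),
    Bid("C4", D, 60, "9 Quarry St", 3, 5, False),
    Bid("C5", A, 80, "12 Harbour Rd", 9, 8, True), Bid("C5", C, 78, "12 harbour rd.", 4, 8, False),
]

if __name__ == "__main__":
    for finding in screen(SAMPLE_BIDS):
        print("RED FLAG:", finding)
```

On the constructed register the screen reports all four signs at once: one bidder with 80 percent of awards, three contracts awarded above the lowest bid, three late bids that all won (and the last bidder to submit winning three of five contracts), and two “competitors” whose addresses differ only in capitalisation and punctuation. Any one of these alone is only a prompt for a closer look at the affected contracts; several together are what the due diligence review should escalate.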

The DOJ and other countries’ enforcement bodies have demonstrated their willingness to detect, investigate and punish collusion. For the sake of your organisation, it is best to be proactive when it comes to your bidding and contract processes. CRI® Group’s integrity due diligence services can help you identify the above red flags. Our experts also conduct risk assessments to help find weaknesses in your business processes and controls that might make your organisation vulnerable to collusion. This holds whether you are the buyer of the goods or services or a supplier or contractor submitting bids. The secret crime of collusion causes financial harm through inflated costs, representing a legal and financial liability to your organisation and/or its clients. By being attuned to spotting red flags, you’ll be more likely to notice the smoke before it turns into a fire.

Download our Brochure

Take a proactive stance with the highest integrity due diligence as a part of your essential business strategy. Contact us today to learn more about our full range of services to help your organisation stay protected. Get a FREE QUOTE

About Us

CRI® Group has safeguarded businesses from risks by providing investigations (e.g. insurance fraud), employee background screening, investigative due diligence, business intelligence, third-party risk management, forensic accounting, compliance and other professional investigative research services. In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. Contact ABAC® for more on ISO certification and training.