Building a Resilient and Defensible Third-Party Risk Management Compliance Program
Third-Party Risk Management Compliance Program:
Does your business have a Third-Party Risk Management (TPRM) Compliance Program? Are you establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business?
It is highly probable that organizations which affiliate with outside providers will, at some point, have to deal with an operational interruption resulting from third-party issues or misconduct. The risks involved in partnering with outsiders have not changed over the centuries; what has been ratcheted up several notches is the potential liability. International borders have come down, and technology has transformed the way businesses communicate.
Easy access to data and information enables the media to report on business news before a business can properly respond. And the markets are quick to form opinions based on a 24/7 on-demand news cycle. The result of this increased liability is problematic. Business litigation has skyrocketed. Corporate reputations are constantly being assaulted. Business strategies are forever shifting. Board members are increasingly subjected to intense scrutiny from outside critics, and a highly educated market responds immediately with their pocketbooks.
Discover How to Demonstrate a Resilient and Defensible Third-Party Risk Management (TPRM) Compliance Program with 3PRM™ Services
CRI® Group has a network of local subject-specialist operatives across the Middle East, Europe, South America and Asia, offering enhanced integrity due diligence as a pre-emptive measure against:
- Financial loss when a third-party provider fails.
- Loss of customers because of poor-quality service from a third party.
- Data breaches caused by a third party's poor information security practices.
- Supply chain disruption caused by a third party's poor disaster recovery procedures.
- Litigation and regulatory exposure because an outside provider significantly violated contractual terms.
For organizations working with third-party providers, CRI® Group designed a solution: 3PRM-Certified™. This proactive approach combines Integrity Due Diligence, Enhanced Due Diligence and Anti-Bribery and Anti-Corruption Compliance Solutions (incorporating accredited ISO 37001 Anti-Bribery Management System certification and training) to mitigate the risks of third-party affiliations and protect the organization from liability, business interruption and brand damage.
3PRM-Certified™ A Third-party Compliance Verification and Certification Program
As the risk for data breaches and supply chain disruption continues to rise with COVID-19, so does the need for effective third-party risk management (TPRM) programs. Whether you’re a TPRM professional looking for a certification to advance your skillset, or the leader of your organization considering how to better equip your team with the best knowledge and skills, the 3PRM-Certified™ program is an all-in solution.
Our 3PRM™ service is flexible, and we tailor our scope to address an organization's specific concerns and risk areas. Our solutions include due diligence, pre- and post-employment background screening, business intelligence and compliance, supporting decision-making in every area and department of your business. Get ahead of potential problems with suppliers, contractors and other third-party partners. Contact CRI® today to learn more about our third-party due diligence and risk management solutions.
CRI® Group’s exclusive 3PRM-Certified™ solution provides the very best in third-party risk management. Our 3PRM-Certified™ program provides a proactive approach to mitigating risks from third-party affiliations, protecting the organization from liability, brand damage and harm to the business. The 3PRM-Certified™ program includes a focus on the following:
- Providing third-party risk assessments
- Meeting contracting requirements
- Conducting due diligence
- Identifying potential fraud risks
- Providing management oversight
Utilizing a network of trained professionals positioned across five continents, CRI® Group's 3PRM services draw on one of the largest multinational fraud investigation teams in the industry. The 3PRM-Certified™ program is especially critical when your business is performing pre-merger and acquisition research or pre-IPO due diligence, engaging new clients, employing, contracting or retaining foreign business partners, or requires a consistent and audit-worthy AML and anti-corruption compliance program.
This TPRM strategy program will help organizations establish the legal compliance, financial viability and integrity of outside partners, suppliers and customers seeking to affiliate with the business. Third-party relationships are critical in business today and include partnerships with suppliers, distributors, consultants, agents and other contractors. While such affiliations are essential to the success of your organization, the consequences of inadequate due diligence cannot be overestimated.
Inadequate Procedure
December 2013: a UK-regulated firm was fined over US$2.8 million by the Financial Conduct Authority (FCA) for failing to have in place appropriate checks and controls to guard against the risk of bribery or corruption when making payments to overseas third parties, breaching the FCA's principle on management and control. Between 19 February 2009 and 9 May 2012, the organisation received almost $33 million in gross commission from business provided by overseas introducers and paid them over $18 million in return.
Inadequate systems around these payments created an unacceptable risk that overseas introducers could use the payments made for corrupt purposes, including paying bribes to people connected with the insured clients and/or public officials.
Regulatory action is not a US or UK phenomenon alone but is increasingly becoming a global issue. Regulatory thinking around third-party risks in some other jurisdictions is highlighted below:
- Singapore: The Monetary Authority of Singapore (MAS) has stated that it “is particularly interested in material outsourcing which, if disrupted, has the potential to significantly impact an institution’s business operations, reputation or profitability and which may have systemic implications.”
- Australia: The Australian Prudential Regulatory Authority (APRA) aims to ensure that all outsourcing arrangements involving material business activities entered into by a regulated institution are subject to appropriate due diligence, approval, and ongoing monitoring.
- Hong Kong: The Hong Kong Monetary Authority (HKMA) states that institutions “should not enter into, or continue, any outsourcing arrangements [that] may result in their internal control systems or business conduct being compromised or weakened after the activity has been outsourced.” – Source: Deloitte Report
Let’s Talk! If you have any further questions or interest in implementing compliance solutions, please contact us.
About CRI®
Based in London, CRI® Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening,
We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.
In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification.
ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. CRI® Group's global team of certified fraud examiners also works as a discreet, white-labelled supplier to some of the world's largest organizations. Contact ABAC® for more on ISO certification and training.
10 Ways to Maintain GDPR Compliance
In 2018, the European Union's (EU) General Data Protection Regulation (GDPR) came into force. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As this data was exposed both by attackers and, in some cases, simply through poor security measures, governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of the GDPR held some uncertainty for organisations subject to its requirements, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4 percent of the annual worldwide turnover of the preceding financial year, whichever is greater (European Commission, 2020; GDPR.eu, 2020). At CRI Group, our integrity due diligence experts are trained in helping organisations achieve and maintain compliance with the GDPR. Our risk management and compliance agents offer the following top 10 GDPR best practices for any business or entity that collects, stores or uses personal information:
1. Employ a Data Protection Officer (DPO)
It is a GDPR requirement that public authorities, and entities whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data, appoint a DPO. Appointing one is also recommended for all other entities to help ensure data security. While the GDPR does not list the specific training or qualifications of a DPO, it does require the DPO to have "expert knowledge of data protection law and practices" (Digital Guardian, 2019). Apply thorough background screening to candidates and make sure the person you appoint is trained and qualified for the role.
2. Train your employees
Ensure that all personnel are aware of the GDPR and your organisation's commitment to compliance. Make sure that all leaders, and especially key personnel charged with collecting, handling or storing data, understand their responsibilities under the GDPR. Make data protection training a regular part of your employee curriculum.
3. Confirm the legality of your data collection
GDPR requires that you have a legal basis to collect personal data. For most businesses, the following are the most likely to be applicable:
- The information is necessary to perform a contract between the organisation and the individual;
- You have a legal obligation to process the data (such as a court order);
- The organisation has a legitimate interest in collecting and processing the data – in other words, there must be a relationship and a business reason to collect the data (it cannot be random), and that interest must not be overridden by the individual's own rights and interests;
- The individual has provided direct consent to the processing of the data.
4. Maintain thorough records
For larger organisations (250 or more employees), the GDPR requires that records of data collection and processing be maintained; smaller organisations are exempt only where their processing is occasional, unlikely to result in a risk to individuals and does not involve special categories of data. Keeping such records is a best practice for any organisation, because it helps establish that the organisation is dutifully complying with the data protection principles in the GDPR. Take inventory and make a record of the data you have collected and are storing to date. Create a detailed matrix of what types of data you hold, where and how each was collected, how and where it is held, and whether it is still needed. From this information you can develop a data-retention policy governing how long personal data is kept. Keeping data on file longer than needed is a liability and serves no business purpose.
5. Establish consent policies for data
For some of your records, consent is your lawful basis for holding it. Under GDPR, it is no longer acceptable to assume consent in your collected data, or treat silence as consent. Create clear and unambiguous consent forms for your data collection that demonstrate adherence to GDPR principles. And remember, under GDPR, you must make it a simple process for an individual to withdraw their consent at any time.
6. Perform due diligence on third-parties
Under the GDPR, your organisation remains responsible when third-party partners collect, store or manage personal data on its behalf. You must satisfy yourself of their compliance as if it were your own, and the GDPR (Article 28) requires a written contract with each such processor setting out the subject matter, duration, purpose and security obligations of the processing. This is the time to update your contracts with them to include those compliance measures as needed. It is also important to review their control systems and data handling processes; they must be comprehensive and meet all GDPR requirements for keeping data secure. CRI Group's third-party risk management experts can help you conduct effective reviews of your partners and their processes.
7. Be responsive
Under the GDPR, your organisation must respond to requests from individuals whose data you have collected and/or are storing. These requests correspond to individuals' rights regarding their personal data, which include the following:
- Right to be informed about what data is collected and why;
- Right of access to data that has been collected;
- Right to rectification/correction of inaccurate data;
- Right to erasure of data (“right to be forgotten”);
- Right to restrict processing of personal data;
- Right to data portability;
- Right to object to use of data; and
- Right not to be subject to automated decision making, including profiling.
Have a process in place to respond to these requests promptly (the GDPR sets a general limit of one month, extendable by a further two months for complex or numerous requests) and to provide the data when requested, in order to stay in compliance.
8. Have written policies in place
Develop internal policies on the GDPR and how you protect personal data, and communicate them across your organisation. Take special care to spell out policies on data retention, cross-border processing of data, and how you collect and handle data for persons under the age of 16 (a threshold that member states may lower to 13), as the GDPR has special requirements for children's data.
9. Conduct risk assessments
The GDPR requires Data Protection Impact Assessments (DPIAs) in certain cases. These assessments identify the risks a processing activity poses to individuals and the measures your organisation takes to address them. If your data processing is considered high-risk, uses new technology, or involves large-scale processing of data in certain categories, the assessment is required; for any organisation, it is recommended. Data protection experts at an outside firm like CRI Group can help you prepare robust risk assessments and follow-up plans to address their results.
10. Be prepared for a breach
A worst-case scenario in data security is a breach that exposes personal information. With the steps above in place, your organisation should be well positioned to prevent or limit a breach of its data security. You should nonetheless always have a contingency plan ready to respond immediately should a breach occur. Understand that the GDPR requires the applicable EU data protection supervisory authority to be notified within 72 hours of your becoming aware of a breach (unless it is unlikely to result in a risk to individuals). Gone are the days when a company could announce a breach weeks or even months after the fact. Where the breach is likely to result in a high risk to the affected individuals, be ready to notify them without undue delay that their data has been compromised, so that they can take appropriate steps to respond.
Organisations don’t like to think about the impact of a data breach – but major cases have pushed governments to act in the public’s interest. Perhaps nowhere is this more true than in the EU, where the GDPR is now the governing policy for organisations that deal with individuals’ personal data. By being proactive with the steps above, your organisation can be better prepared and maintain compliance with the GDPR. Most importantly, you will have the confidence and trust of your consumers through effective best practices in handling and protecting their data. CRI Group’s experts are here to help. Contact us today so that we can walk you through the steps of GDPR compliance.
CRI Group has safeguarded businesses from a wide range of risks, providing investigations (e.g. insurance fraud), employee background screening, investigative due diligence, business intelligence, third-party risk management, forensic accounting, compliance and other professional investigative research services. In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence, an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. Contact ABAC® for more on ISO certification and training.
Due Diligence: 4 Red Flags of Collusion
One of the many schemes that can cause serious legal and financial consequences is collusion in business. While some business leaders might wonder what separates collusion from other types of fraud and how to identify it, there is a key factor: secrecy.
Collusion involves at least two parties (sometimes more) who collaborate to deceive others, usually for financial or market gain. Due to its secretive nature, collusion can be difficult to detect and weed out. This poses a serious problem because the consequences of noncompliance for an organisation are often severe.
According to the Wall Street Journal, the U.S. Department of Justice (DOJ) is "preparing to tackle competition issues in several important markets, including alleged price-fixing in the generic-drug industry, rules for music licensing and purported employer collusion that limits options for sought-after workers" (Wall Street Journal, 2020). These are the types of schemes most often associated with collusion; price fixing, for example, is a global problem found in many different industries. It is important to note, however, that collusion is just as common at the local level, for example where contractors regularly bid to provide goods or services. Competitors sometimes collude by making secret arrangements to rotate bids or share bid details in order to artificially inflate prices.
In one recent case, the branch manager for a U.S.-based insulation contractor pleaded guilty in a scheme to rig bids and commit other forms of fraud on insulation contracts. The DOJ had launched an investigation into the branch manager’s actions from 2011 to 2018, finding that he “conspired with other insulation installation contractors to rig bids and engage in fraud on insulation installation contracts in Connecticut, New York, and Massachusetts. Insulation installation contractors install insulation around pipes and ducts on renovation and new construction projects at universities, hospitals, and other public and private entities. In addition to his guilty plea, DeVoe has agreed to pay restitution” (DOJ, 2020). “Free and open markets are the foundation of a vibrant economy. For years, the defendant illegally coordinated bids on construction projects to enhance his profits, eliminate competition, and ultimately steal from public and private customers,” said Brian C. Turner, Special Agent in Charge of FBI’s New Haven Field Office.
The DOJ noted in its press release that this crime hurt the hospitals, universities and businesses that solicit and pay for the contractor’s services under the expectation that the bidding process is fair and above board, not rigged to benefit a contractor at their expense. The money lost in such schemes (through paying inflated contracts) often represents taxpayer dollars. The fact that collusion, in this case, lasted for at least seven years indicates that tens of thousands of dollars (or more) were likely lost through fraud.
So, what can organisations do to be better protected from collusion schemes – whether from inside their own company or perpetrated against them by outside partners/contractors? While collusion is secretive by its very nature and can be difficult to detect, red flags can indicate that something might be amiss. CRI® Group’s integrity due diligence experts are specially trained to uncover collusion in all its forms, and they describe the following as some of the signs to watch for when dealing with competitive bid contracts:
A high percentage of awards go to the same company
If a single bidder is winning most of the contracts for a particular set of goods or services even though several other contractors take part in the bidding, something may be wrong. This is especially true if there are issues or complaints around that bidder, such as poor-quality products or services or late delivery on its contracts.
Lowest bidders are not winning awards
If contracts consistently go to bidders other than the lowest bidder, this may warrant further investigation, as most such contracts are "low bid" and would reasonably go to the lowest bidder. A higher-than-average range or spread between bids can also signal that something is off.
There is a high number of late bidders
Late bids can be a sign of collusion if bidders, or an agent at the organisation soliciting bids, are sharing bid information, such as the lowest bid received so far in an award process. This is especially true when the winning bidder is consistently the last one to submit. If late bids are being accepted regularly, you need to know why.
Bidders share (or have similar) names, addresses, or other information
This is an obvious red flag. In some cases, bids from two different contractors have been submitted from the same fax machine! This indicates that parties might be colluding in their bid submissions, and you need to look further.
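The four red flags above can be screened for mechanically across a bid history before an investigator looks at individual tenders. The following Python script is an added illustration, not CRI Group's code or tooling: it runs each check over a constructed set of bid records (the tenders, bidder names, addresses, fax numbers and prices are all invented for the example) and reports the tenders and bidders that trip each flag.

```python
"""Screen a competitive-bid history for the four collusion red flags.

Added illustration (not CRI Group's code). The bid records, bidder
names, addresses and fax numbers below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Bid:
    tender: str          # tender / contract identifier
    bidder: str          # bidding company
    address: str         # address given on the bid
    fax: str             # fax number the bid was sent from
    amount: float        # bid price
    submitted: datetime  # when the bid was received
    deadline: datetime   # tender closing time
    won: bool            # whether this bid was awarded the contract


# Constructed bidder directory: two competitors share one fax number.
BIDDERS = {
    "Alpha Insulation": ("7 Main Rd", "555-0199"),
    "Beta Ducts": ("12 Elm St", "555-0100"),
    "Gamma Pipes": ("40 Oak Ave", "555-0100"),
}


def _bid(tender, bidder, amount, submitted, deadline, won=False):
    address, fax = BIDDERS[bidder]
    return Bid(tender, bidder, address, fax, amount,
               datetime.fromisoformat(submitted), datetime.fromisoformat(deadline), won)


# Constructed bid history: four tenders, three bidders each.
SAMPLE_BIDS = [
    _bid("T1", "Beta Ducts", 102000, "2021-02-26T10:00", "2021-03-01T17:00"),
    _bid("T1", "Gamma Pipes", 101500, "2021-02-27T09:00", "2021-03-01T17:00"),
    _bid("T1", "Alpha Insulation", 99800, "2021-03-01T16:55", "2021-03-01T17:00", won=True),
    _bid("T2", "Gamma Pipes", 87000, "2021-03-28T11:00", "2021-04-01T17:00"),
    _bid("T2", "Beta Ducts", 90500, "2021-03-29T14:00", "2021-04-01T17:00"),
    _bid("T2", "Alpha Insulation", 88900, "2021-04-01T16:50", "2021-04-01T17:00", won=True),
    _bid("T3", "Beta Ducts", 150000, "2021-04-30T09:30", "2021-05-03T17:00"),
    _bid("T3", "Gamma Pipes", 149000, "2021-05-01T10:00", "2021-05-03T17:00"),
    _bid("T3", "Alpha Insulation", 147500, "2021-05-03T17:40", "2021-05-03T17:00", won=True),
    _bid("T4", "Alpha Insulation", 64000, "2021-05-28T12:00", "2021-06-01T17:00"),
    _bid("T4", "Beta Ducts", 61000, "2021-05-30T15:00", "2021-06-01T17:00", won=True),
    _bid("T4", "Gamma Pipes", 63500, "2021-05-31T16:00", "2021-06-01T17:00"),
]


def _by_tender(bids):
    grouped = defaultdict(list)
    for b in bids:
        grouped[b.tender].append(b)
    return grouped


def award_concentration(bids, threshold=0.6):
    """Flag 1: bidders winning more than `threshold` of all awarded tenders."""
    wins = Counter(b.bidder for b in bids if b.won)
    total = sum(wins.values())
    if total == 0:
        return []
    return [(bidder, n / total) for bidder, n in wins.items() if n / total > threshold]


def non_lowest_awards(bids):
    """Flag 2: tenders awarded to someone other than the lowest bidder.
    Returns (tender, winner, lowest bidder) for each such tender."""
    flagged = []
    for tender, tb in _by_tender(bids).items():
        lowest = min(tb, key=lambda b: b.amount)
        winner = next((b for b in tb if b.won), None)
        if winner is not None and winner.bidder != lowest.bidder:
            flagged.append((tender, winner.bidder, lowest.bidder))
    return flagged


def late_submission_flags(bids):
    """Flag 3: bids received after the deadline, and tenders whose winner was
    the last to submit (consistent with knowing the lowest bid so far)."""
    after_deadline = [(b.tender, b.bidder) for b in bids if b.submitted > b.deadline]
    winner_last = []
    for tender, tb in _by_tender(bids).items():
        last = max(tb, key=lambda b: b.submitted)
        if last.won:
            winner_last.append((tender, last.bidder))
    return {"after_deadline": after_deadline, "winner_last": winner_last}


def shared_details(bids):
    """Flag 4: distinct bidders sharing an address or fax number.
    Returns (field, value, sorted bidder names) for each shared value."""
    seen = defaultdict(set)
    for b in bids:
        seen[("address", b.address)].add(b.bidder)
        seen[("fax", b.fax)].add(b.bidder)
    return [(field, value, sorted(names))
            for (field, value), names in seen.items() if len(names) > 1]


def screen(bids):
    """Run all four checks and return the findings in one report."""
    return {
        "award_concentration": award_concentration(bids),
        "non_lowest_awards": non_lowest_awards(bids),
        "late_submissions": late_submission_flags(bids),
        "shared_details": shared_details(bids),
    }


if __name__ == "__main__":
    for check, finding in screen(SAMPLE_BIDS).items():
        print(f"{check}: {finding}")
```

On the constructed data, Alpha Insulation wins three of four tenders, wins T2 despite Gamma Pipes bidding lower, is the last to submit on every tender it wins and submits after the deadline on T3, while Beta Ducts and Gamma Pipes share a fax number. None of these findings proves collusion on its own; the point of the screen is to tell an investigator which tenders and bidders deserve a closer look.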
Enforcement bodies in other countries, like the U.S. DOJ, have demonstrated their willingness to detect, investigate and punish collusion. For the sake of your organisation, it is best to be proactive about your bidding and contract processes. CRI® Group's integrity due diligence services can help you identify the above red flags. Our experts also conduct risk assessments to find weaknesses in your business processes and controls that might leave your organisation vulnerable to collusion. This holds whether you are the buyer of goods or services or a supplier or contractor submitting bids. The secret crime of collusion causes financial harm through inflated costs and represents a legal and financial liability to your organisation and/or clients. By being attuned to these red flags, you will be more likely to notice the smoke before it turns into a fire.
Take a proactive stance with the highest level of integrity due diligence as part of your essential business strategy. Contact us today to learn more about our full range of services to help your organisation stay protected.
Stay On Top of Your Employee Data Privacy Compliance Anywhere in the World!
Data Privacy Compliance: Anywhere in the world
Data protection laws protect employees from the misuse of their personal data, from home addresses through to sensitive categories of data. As an employer, you are trusted to safeguard your employees' data against a breach and to meet the applicable data privacy laws and regulations.
Employers need to develop policies that take a compliant but balanced approach to employee data privacy and security. Organizations must put in place the infrastructure, management and workforce to keep data compliant throughout its lifecycle, because those accused of violating data privacy rights risk significant damage to the company's reputation and to employees' trust.
This article covers the current personal data laws in 61 key jurisdictions across the Americas, Asia Pacific, the Middle East, Europe and Africa:
UGANDA: The Data Protection and Privacy Act, 2019 was passed to complement the constitutional privacy protections under Article 27 of the Constitution of the Republic of Uganda. The Act regulates all collection, processing, use and disclosure of personal data. It applies to any person, entity or public body, within or outside Uganda, that collects, processes, holds or uses personal data. The Act requires an employer to obtain informed consent before collecting or processing personal data. It permits the processing or storage of personal data outside Uganda, provided adequate safeguards are in place.
SOUTH AFRICA: The right to privacy is protected under the 1996 Constitution of the Republic of South Africa, the common law and the Protection of Personal Information Act, 2013 (POPIA). POPIA came into effect on 1 July 2020, subject to a one-year grace period ending 30 June 2021. Case law recognizes that the right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so. Personal information may be processed on the basis of one of the justifications set out in POPIA, which include consent and processing that is necessary for pursuing the legitimate interests of the responsible party (the employer) or of a third party to whom the information is disclosed.
NIGERIA: The National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation, 2019, which safeguards the rights of natural persons to data privacy.
MOZAMBIQUE: The Constitution of the Republic of Mozambique, as well as the recently enacted Electronic Transactions Law (Law No. 3/2017, of 9 January), prohibits access to databases or computerised archives, files and records for the purpose of obtaining personal data of third parties, as well as the transfer of personal data from one computerised file to another belonging to a different service or institution, except in cases provided for by law or by judicial decision. The Labour Law provides that employers may not require an employee to supply information regarding their private life, except where particular requirements inherent to the nature of the professional activity so demand. In addition, employees' personal data obtained by an employer is subject to a duty of confidentiality: information whose release would violate the employee's privacy rights may not be given to a third party without the employee's consent unless required by law.
KENYA: The Data Protection Act, 2019 gives effect to Article 31(c) and (d) of the Constitution on the right to privacy. The Act establishes the Office of the Data Protection Commissioner, regulates the processing of personal data and provides for the rights of data subjects and the obligations of data controllers and processors, among other matters. The Act is modelled along the lines of the EU General Data Protection Regulation (GDPR). The Constitution guarantees the right to privacy, and the Computer Misuse and Cybercrimes Act, 2018 creates various computer-related offences, including unauthorised access to and interception of data, that protect it.
KUWAIT: There are no clear laws in Kuwait comparable with those in the US or Europe concerning the handling and transmission of employees’ personal information, nor do any provisions address the cross-border flow of data. However, it is advisable to seek prior written consent to the processing of personal data from the employee to the extent necessary to address the various privacy protections set out in Kuwait law, including the protections set out in the Kuwait Penal Code and the Kuwait Constitution.
ANGOLA: The Data Privacy Law (Law No. 22/11, of 17 June 2011) governs data privacy in Angola and sets out, in general terms, how "personal information" may be collected, used, disclosed, stored and accessed. There is no specific regulation on employee data privacy.
JAPAN: The receipt, maintenance of and access to personal information relating to an individual is regulated by the Act on the Protection of Personal Information (APPI). Broadly, upon collecting such information the collector must notify the person of the purpose for which it will be used, and thereafter must take necessary and proper measures to prevent leakage, loss or damage of the information and take other reasonable steps to secure it. In addition, the party holding such information is required to adopt internal rules designed to ensure its confidential and secure maintenance for as long as it is held. Disclosure of personal information to third parties (parent and affiliated companies count as third parties) is strictly limited.
INDIA: Employee records and employee access to data are governed by the Information Technology Act, 2000, which covers data protection and violation of personal privacy. This statute safeguards against certain breaches concerning data from computer systems, prevents unauthorised use of computers and creates liability for damage suffered through unauthorised access, downloading, extraction and copying of data from a computer system or network. It stipulates the penalty for breaches of confidentiality and privacy. The storage, management and handling of sensitive personal data or information belonging to persons located in India is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Sensitive Information Rules) made under the Act. The government of India has also released the Personal Data Protection Bill, 2019, which is intended to replace the Sensitive Information Rules. Sensitive personal data or information is defined under the Sensitive Information Rules to include passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information. Any body corporate receiving any of these types of information, whether by using the services of an individual or by employing one, must comply with the Sensitive Information Rules when processing and storing it.
MALAYSIA: Under the Personal Data Protection Act 2010 (PDPA), employers must obtain employees' consent (implied or express); explicit consent is required if "sensitive personal data" is being collected. Businesses must notify their employees of the nature and purpose of the information being collected, to whom it is disclosed, and of the employees' right to access such data. Employee consent is also required before employee personal data is shared with third parties (e.g. external payroll service providers). As a result of the PDPA, an employee consent/notice document is required. This document must be bilingual, in English and Bahasa Malaysia, and is usually a separate document referenced in the employment contract.
SINGAPORE: Under the Personal Data Protection Act 2012 (PDPA), employers are required to notify employees of the purposes for which their personal data is used in connection with the management and termination of employment and/or obtain their consent when collecting, using or disclosing their personal data. However, an employer is permitted to collect, use and disclose employees’ personal data for the purposes of managing or terminating an employment relationship without seeking the employee’s consent, so long as the employee has been notified of those purposes and/or has consented before such collection, use and disclosure. Further, employers may collect, use and disclose personal data without obtaining the employees’ consent or notifying them where it is necessary for evaluative purposes, including determining the suitability or eligibility of the individual for employment, continuance in employment or promotion. Note that employers must seek consent before using personal data for purposes unrelated to, or collecting personal data that is not relevant to, the management or termination of the employment relationship or evaluative purposes, unless another exception under the PDPA applies.
THAILAND: The Personal Data Protection Act BE 2562 (2019) (PDPA) was enacted on 28 May 2019 and was scheduled to take full effect from 27 May 2020. The PDPA is the first-ever law relating to personal data protection in Thailand. Essentially, consent is required for the collection, use and/or disclosure of personal data. Under the PDPA, the term ‘personal data’ is defined as any data pertaining to a person that enables that person to be identified, whether directly or indirectly, but specifically excluding data of a deceased person.
MYANMAR: There are no specific data protection regulations or laws. However, according to the Law Protecting the Privacy and Security of Citizens (enacted on 8 March 2017), a person is not allowed to do the following without the permission of the relevant authorities:
- Request or acquire any private call data, electronic communications data or information from operators, or supply such information;
- Open, search, seize, destroy or damage any envelope, parcel or correspondence concerning the personal affairs of other individuals; and
- Criticize or interfere in the personal affairs and family affairs of any citizen or engage in conduct that may be detrimental to the good name, standing or dignity of an individual.
Other than the above, there are currently no other laws or regulations on data privacy.
VIETNAM: The Civil Code requires any person to seek an individual’s consent before collecting, storing, using or publishing their personal data. The parties to a contract are not permitted to disclose any information about the private life or personal affairs that they became aware of in the course of entering into and performance of the contract. The 2018 Law on Cyber Security covers any domestic or foreign enterprise that provides services on telecommunications networks, the internet or value-added services in Vietnam’s cyberspace. The law governs the collection, exploitation, analysis, and processing of personal data, data about service users’ relationships, and data generated by them in Vietnam. Under this law, any such data must be stored in Vietnam under the terms stipulated by the government. Any such foreign enterprise must have a branch or representative office in Vietnam.
INDONESIA: Law No. 11 of 2008 on Electronic Information and Transactions, as amended, restricts the electronic use of private data without the data subject’s consent. Under Law No. 39/1999 on Human Rights, each individual has the right to privacy and cannot be subjected to an investigation in relation to personal data without their agreement, except on the order of a court or other legitimate authority under prevailing legislation. A new draft Data Privacy Law has been prepared, but it is unclear when it will be introduced.
SOUTH KOREA: Under the Personal Information Protection Act (PIPA), an employee is entitled to request that the employer allow access to, correct, or delete their personal information. The PIPA requires an employer to obtain the consent of the individual employee when his or her personal information is collected or provided to third parties.
UNITED ARAB EMIRATES: Except for the Dubai International Financial Centre Free Zone, there are no clear laws in the UAE concerning handling and transmitting employees’ personal information, nor are there any provisions addressing the cross-border flow of data. However, it is advisable to seek prior written consent to process personal data from the employee to the extent necessary to address the privacy protections set out in UAE law, including the protections set out in the UAE Penal Code, Cyber Crimes laws and the UAE Constitution.
SAUDI ARABIA: The transfer of employee data outside of the KSA is not regulated under Saudi law. However, general Sharia principles provide for personal data protection rules. These imply that employers should include provisions in employment contracts requiring the employee’s consent before the employer uses or discloses the employee’s data to third parties, to the extent that such disclosures may be required.
TUNISIA: Under Tunisian law, all people have the right to the protection of personal data relating to their private life, which applies to both automated and non-automated processing of data. Personal data is defined as information that directly or indirectly permits the identification of a natural person, except for data linked to public life or defined as such under the law. In general, any organization planning to use personal data must declare the processing to the National Authority for the Protection of Personal Data. However, there are exceptions for employers using employee data. In addition, express written consent from the data subject is required in most cases.
TURKEY: Employees must be notified of personal data processing. Their prior written consent should be obtained (unless exceptions stipulated under the relevant legislation apply) for such processing and for the transfer of their personal data. Personal data should be processed: 1) in accordance with the law; 2) in good faith; 3) for definite, clear and legitimate purposes; and 4) in a relevant and measured manner. In addition, data controllers (i.e., individuals or legal entities that determine the purposes and means of processing personal data, for example employers) are required to be registered with the Data Controllers Registry.
QATAR: According to Law No. 13 of 2016 on Protection of Personal Data Privacy (Data Protection Law), businesses must protect the privacy of personal data or risk fines of up to QAR 5 million. Some of the key features of the law are:
- Personal data is defined as data relating to an individual whose identity is determined, or able to be reasonably determined, either through the data or through linking this data with other data.
- The Data Protection Law applies to personal data when it is processed electronically, when it is accessed, collected or extracted otherwise in preparation for its electronic processing, or when it is processed in a traditional and electronic way together.
- The processing of personal data is regulated in a way that bears similarities with existing data protection regulations elsewhere in the world.
- Particular protection is provided to certain types of personal data, such as data relating to children, to physical and mental health and to crimes, referred to as sensitive personal data.
OMAN: There are no clear laws in Oman comparable to those in the US or Europe concerning the handling and transmission of employees’ personal information. However, the Electronic Transactions Law, RD 69/2008 (ETL), provides for the protection of personal data and regulates the transfer of personal data outside of Oman. The Cyber Crime Law, Royal Decree No. 12/2011 (Cyber Crime Law), makes it an offence to violate the privacy of individuals through technology and prohibits the collection of private data. It is advisable to seek prior written consent from employees to process their personal data to the extent necessary to address the various privacy protections set out in the applicable civil and criminal laws.
BAHRAIN: Personal data privacy is protected under Law No. 30 of 2018 with respect to Personal Data Protection (PDPL). Employees must be notified before employers process their personal data. Prior written consent should be obtained (unless exceptions stipulated under the relevant legislation apply) for such processing and for the transfer of their personal data. Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient protection for personal data. Those countries have yet to be listed by the Personal Data Protection Authority or published in the Official Gazette.
PERU: During employment, organizations can collect employee personal data. However, the processing of the data must be done in accordance with the guiding principles provided by the Peruvian Data Protection Law. According to that law, personal data may only be processed and/or transferred with prior consent, and consent must be free, informed, express and unequivocal. However, a company does not need the employee’s express consent to obtain personal data if this information is needed for the employment; it must still comply with the duty to inform the employee about the processing of their personal data.
BRAZIL: The General Data Protection Law (Lei Geral de Proteção de Dados or LGPD), in force since 18 September 2020, is Brazil’s first comprehensive data protection regulation. It applies to any processing operation carried out by a natural person or a legal entity, of public or private law, irrespective of the means used for the processing, the country in which its headquarters are located or the country where the data is located, provided that:
- The processing operation is carried out in Brazil;
- The purpose of the processing activity is the offering or provision of goods or services to, or the processing of data of, individuals located in Brazil; or
- The personal data was collected in Brazil.
The LGPD does not contain specific employment provisions, but its provisions cover employment data. The monitoring of corporate e-mail and internet use is allowed, but employees should be notified that they cannot expect privacy when using these work tools.
MEXICO: To process personal data, data controllers must provide a privacy notice to employees prior to collecting and processing the personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject (i.e., the employee).
MOROCCO: In accordance with law No 09-08 on data protection, employees must be notified of data processing and their consent is required. Employees should be given the right to have access to and modify/amend their own personal data. Organizations must declare data processing to the National Control Commission for the Protection of Personal Data (Commission Nationale de protection des Données Personnelles).
US: Certain states restrict the use of employees’ social security numbers for any identifying purposes. Medical information must be maintained separately from personnel files and kept confidential. Otherwise, employers are generally entitled to monitor or search corporate e-mail and internet traffic accessed through the employer’s computer systems, on the premise that employees do not have an expectation of privacy in the use of their employer’s computer systems or corporate e-mail (especially where a policy says so). Jurisdictions vary as to an employer’s ability to search or monitor personal e-mail accounts and websites accessed from an employer’s computer or premises.
VENEZUELA: Although there is no specific regulation regarding data privacy, employers have a general duty to uphold employees’ right to privacy and must observe the data protection principles determined by the Supreme Court (DP Principles). The DP Principles apply to systems, registers or compilations of data that allow the creation of a complete or partial profile of an individual forming part of such system, register or compilation (in this case, an employee, for example). There is no clear outline of what a “complete or partial profile” involves. This means that, in general, employee consent is required to process personal data. Venezuelan case law does not draw a distinction between forms of personal data. Therefore, there are no separate standards for the protection of sensitive data. According to the DP Principles, employers must (i) inform the employee what data has been collected, (ii) inform the employee of the purpose(s) of the collection of their personal data, (iii) inform the employee who will be the final users of the data (i.e., whether any third parties will have access to the data) and (iv) allow the employee to correct any erroneous data or delete any data that may be incomplete, inadequate or excessive in relation to the purpose(s) for which they were gathered (and this must be communicated to any third party who has been given access to the personal data). Venezuelan law also provides for the protection of private communications, and employers have a strict obligation to keep employee health information and records confidential.
COLOMBIA: To process personal data, data controllers must provide a privacy notice to the affected employees before collecting and processing personal data. In the case of data transfers, the privacy notice must contain the name of the transferee or the person to whom the information is transferred. All transfers of personal data to domestic or foreign third parties must be pre-approved by the data subject/employee. Employees have the right to know, update and correct their personal data. This right may be exercised in relation to partial, inaccurate, incomplete, split or deceptive data, and/or data that is prohibited from or not authorized for processing, such as race or ethnic origin, political orientation, religious or philosophical orientation and membership of unions or social organisations, among other items considered sensitive information. Employees may revoke the authorisation granted for the processing of their personal data and may request the removal of their personal information from the employer’s or subcontractor’s databases by filing a formal claim, save for information directly related to their employment (e.g., HR core data, recruitment, performance, global compensation, learning and training-related data and master data). This possibility is only applicable in the case of wrongful use of the employee’s information.
CHILE: The employer is obliged to maintain the privacy of the information and personal data related to its employees. The right to personal data protection has the status of a constitutional right, and therefore any breach can lead to litigation for impairment of fundamental rights.
ARGENTINA: The Argentine Data Privacy Law No. 25,326 (Ley de Protección de los Datos Personales or LPDP) protects personal data stored in files, registers, data banks or other technical means of data processing, whether public or private, in order to guarantee individuals’ right to honour and privacy with respect to their data, and to restrict access to such information, in accordance with the provisions of the third paragraph of Article 43 of the Argentine National Constitution.
AUSTRALIA: Australia has stringent data privacy obligations. As a general rule, personally identifiable data may only be processed if it is required for the performance of the employment contract and constitutes an employee record. Certain acts and practices are exempt from Australia’s data privacy laws, but strict criteria must be met for an exemption to apply. Employee records are generally exempt, but this exemption does not apply to documents that come into existence prior to the employment relationship (e.g., pre-employment or hiring documentation) or to records of any contractors engaged by the business. At the time it collects personal information, the employer is required to provide the individual with a statement setting out the company’s obligations under Australia’s data privacy laws and the individual’s rights. Further restrictions apply to sensitive personal data. Employee records, with the exception of tax file numbers, are not covered by the Australian notifiable data breach regime, which requires notification to the Office of the Australian Information Commissioner (OAIC) and to affected individuals of any data breach that could result in serious harm. However, the OAIC advises that it is good practice for employers to notify employees affected by a data breach so that they may take protective action. The monitoring of individuals and their data is covered by surveillance legislation in each state or territory. Essentially, surveillance of employees is prohibited in sensitive areas, such as washrooms and change rooms, unless the surveillance device is installed pursuant to a warrant or authorization. Surveillance is permitted in public areas if it conforms with the relevant legislation. Specific laws in some states govern the monitoring of an employee’s use of a work computer (i.e., e-mail and internet browsing).
ISRAEL: Employees generally must be notified of the terms of the employer’s personal data processing policy and must consent to it. Registration in the Databases Register may be required. Special rules apply to data transfers outside Israel. There are significant restrictions on monitoring e-mail and internet use, and monitoring of personal e-mail is restricted.
CANADA: Legislative requirements vary by jurisdiction. Where privacy laws apply, personal information may only be collected with consent and may only be used for the purposes for which it was collected. In most jurisdictions, e-mail and internet use may be monitored where notice has been given through clear employer policies.
PHILIPPINES: When an employer collects and processes personal information of its employees, especially sensitive personal information, the employer must comply with applicable guidelines on the adoption of organizational, physical and technical security measures and the registration thereof with the National Privacy Commission. The data subject must have given their consent prior to the collection or as soon as practicable and reasonable. An employer’s collection of personal information from its own employees does not require the employee’s prior written consent, provided the personal information collected and the processes applied to such information are only to the extent necessary for compliance with legal requirements prescribed for an employer-employee relationship.
RUSSIA: In certain cases, employers are required to obtain the prior written consent of their employees in order to process their personal data (e.g., transferring personal data to third parties, including cross-border transfers).
TAIWAN, REPUBLIC OF CHINA: The Personal Data Protection Act governs the collection, processing and use of employee personal information. The Act has notice and consent requirements that may apply to the collection, processing and use of employee information, in particular to cross-border transmission of the information or any use outside the norms of a domestic employment relationship. Under amendments to the Employment Service Act that came into force in late 2012, the amount of personal information that an employer may request from an employee or prospective employee has been severely restricted. Prohibited or restricted requests for personal information include physiological information (e.g., medical tests and fingerprints), psychological information (e.g., psychiatric tests and polygraph tests) and personal lifestyle information (e.g., financial records, criminal records, family information/plans and background checks).
CHINA: The Regulations on Employment Services and Employment Management require that an employee’s personal data is kept confidential and not made public without the employee’s consent. The PRC Cyber Security Law imposes new security and data protection obligations on “network operators,” puts restrictions on transfers of data outside China by “key information infrastructure operators”, and introduces new restrictions on critical network and cybersecurity products. The Civil Code strengthens the protection of individuals’ privacy and personal information. It improves the legal definition of personal information and clarifies the connotation, principles, and conditions of handling personal information and strengthens the information security obligations of processors.
HONG KONG, SAR: The Personal Data (Privacy) Ordinance (PDPO) is principally concerned with six data protection principles (DPPs). Broadly, these require:
- That personal data is only collected for a lawful purpose, that only personal data that is necessary and not excessive for that purpose is collected and that individuals are informed of certain things before data is collected or used (DPP 1)
- That all reasonably practicable steps are taken to ensure that personal data is accurate and that it is only retained for as long as is necessary to fulfil its purpose (DPP 2)
- That personal data is not, without the prescribed consent of the job applicant or employee, used for a purpose other than the purpose for which it was collected (DPP 3)
- That all reasonably practicable steps are taken to ensure that the personal data is secure and protected against unauthorised or accidental access, processing, erasure or other use (DPP 4)
- That all reasonably practicable steps are taken to ensure that an individual may access information about the data user’s policies and practices in relation to personal data, the kind of personal data about them that is being held and the purposes for which it will be used (DPP 5) and
- With some exceptions, an individual is entitled to request access to all personal data held by a data user and correct that data if it is inaccurate (DPP 6).
There are provisions in the PDPO that restrict the transfer of personal data outside of Hong Kong, but these are not currently in force.
Europe GDPR
The European Union’s (EU) General Data Protection Regulation (GDPR) has applied since 25 May 2018. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. With this data being exposed both by hackers and, in some cases, simply through poor security measures, the governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of the GDPR held some uncertainty and unknowns for organisations subject to its rules, there is now a much clearer picture of how its standards apply. The penalties for being caught out of compliance can be severe: violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4 per cent of the annual worldwide turnover of the preceding financial year, whichever is greater.
SLOVAK REPUBLIC: Covered by the national data protection laws and the GDPR. Processing of personal data is generally unlawful except as permitted by the relevant legislation or based on the consent of the individual. Special rules apply to data transfers outside the EEA. In general, an employer may collect personal information on an employee related to their qualifications and professional experience and other information relevant to the work carried out by the employee. Since May 2018, Slovakia has been subject to the GDPR, which introduced significant new obligations and onerous sanctions for employers. In specific cases, Act No. 18/2018 Coll. on Personal Data Protection, as amended, applies.
CZECH REPUBLIC: Generally, employees must be notified of personal data processing (e.g., camera recordings) and, in certain limited cases, must give their consent (e.g., for the use of the employee’s personal data for marketing purposes). There are significant restrictions on monitoring employees, including e-mail and internet use. The Czech Republic is subject to the General Data Protection Regulation (GDPR); the local law implementing the GDPR was issued in 2019.
BELGIUM: Employees generally must be notified of personal data processing and, in certain cases, must give consent. Registrations with the Privacy Commission are required in certain cases. Special rules apply to data transfers outside the EEA. There are significant restrictions on monitoring e-mail and internet use and on the use of cameras in the workplace. Since May 2018, Belgium has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.
FINLAND: Employees must usually be notified of personal data processing and must give consent where necessary. Only necessary data may be processed. Special rules apply to data transfers outside the EEA. There are significant restrictions on monitoring e-mail and internet use. Since May 2018, Finland has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.
ITALY: Employees generally must be notified of personal data processing and, in certain cases, must give consent. Special rules apply to data transfers outside the European Economic Area (EEA). Remote monitoring of employees by means of devices is not permitted except under an agreement with the works council or with the authorisation of the Labour Office; this restriction does not apply to the tools the employee uses to carry out their work or to devices that record access and attendance. Since May 2018, Italy has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.
NORWAY: Notification to the employee is required. An obligation to notify the Data Inspectorate may apply. There are significant restrictions on monitoring and control of employees. Special provisions apply to the transfer of data outside the EEA.
SPAIN: Spain is subject to the General Data Protection Regulation of the European Union (GDPR). The Spanish legislation that implements the GDPR is the Organic Law 3/2018 on data protection and guarantee of digital rights (Ley Orgánica 3/2018 de protección de datos y garantía de los derechos digitales). Employees must generally be notified of personal data processing (and, in certain cases, must give consent). Registration of databases with the Spanish Data Protection Commissioner (AEPD) is no longer required. Special rules apply to data transfers, even between companies belonging to the same group. Prior stringent restrictions on international data transfers, monitoring e-mail and internet use in the workplace, and video surveillance at work have been eased and aligned with the GDPR, although significant compliance requirements remain.
SWEDEN: The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), applicable since 25 May 2018, applies to the processing of employees’ personal data. The employer must ensure that the fundamental requirements for the processing of employees’ personal data are fulfilled (e.g., personal data must be correct, adequate and relevant in relation to the purposes of the processing and may not be retained for longer than is necessary in light of those purposes); there must be a legal basis for the processing, such as performance of the employment agreement or consent; and the employee must receive adequate information regarding the processing. Special rules apply to data transfers outside the EEA. Sweden has also issued national laws and regulations in addition to the GDPR, including the Swedish Data Protection Act (2018:218) and the Data Protection Ordinance (2018:19) (together, the DPA). The DPA regulates general aspects of data protection where the GDPR allows (e.g., the processing of social security numbers and of data pertaining to criminal offences). The DPA entered into force on 25 May 2018.
SWITZERLAND: In general, employees should be notified of any processing of their personal data and, in certain cases, must give consent. Registrations with the Federal Data Protection Commissioner are required in certain circumstances. Special rules apply to data transfers outside of Switzerland. There are significant restrictions on monitoring e-mail and internet use.
FRANCE: The General Data Protection Regulation (GDPR) has applied since 25 May 2018 to any processing of personal data within the EU. The GDPR establishes rights for data subjects, such as the right of access, the right to erasure and the right to data portability, and sets conditions for valid consent. Controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data, must appoint a Data Protection Officer (DPO). Data transfers outside of the EU are subject to additional requirements. There are significant restrictions on monitoring internet and e-mail use, even on company IT devices.
GERMANY: Covered by the EU-wide General Data Protection Regulation (Datenschutzgrundverordnung, or GDPR), applicable since May 2018, and the complementing Federal Data Protection Act. Processing of personal data is generally unlawful except as permitted by the Act or the GDPR, a works council agreement or free and individual consent. The appointment of a data protection officer is required if more than nine individuals deal with electronically stored personal data. Special rules apply to data transfers outside the EEA. Significant restrictions on monitoring e-mail and internet use exist.
HUNGARY: Employers must balance their need to obtain, use, store and disclose information for effective management and business purposes with their employees’ right to privacy. The law distinguishes between “personal data” and “sensitive personal data.” Special rules apply for the transfer of personal data within and outside of the EEA. The National Authority for Data Protection and Freedom of Information is responsible for ensuring compliance and enforcing data protection. Since May 2018, Hungary has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers.
IRELAND: Since May 2018, Ireland has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. The GDPR requires employers to identify a legal basis for their processing of personal data, and it is unlikely that a catch-all consent will enable the processing of employee data by an employer. Employers must ensure that they have GDPR-compliant documentation and that they are able to deal with the new rules on subject access requests. There continue to be significant restrictions on monitoring employees, including e-mail and internet use.
ROMANIA: Employees must be informed of personal data processing (and, in certain limited cases, must give consent). Since May 2018, Romania has been subject to the General Data Protection Regulation (GDPR), which introduced significant new obligations and onerous sanctions for employers. Under the GDPR, specific rules apply to any personal data transferred outside the European Economic Area to ensure that appropriate safeguards are provided for the transferred personal data and that enforceable data subject rights and effective legal remedies for data subjects are available. Monitoring of employees, including e-mail and internet use, may be performed only under very specific circumstances, provided that the legal provisions which impose restrictions on interference with the protection of private life, data privacy and electronic communications are complied with.
Portugal: Since May 2018, Portugal has been subject to the General Data Protection Regulation (GDPR). The local privacy law implementing the GDPR (Law no. 58/2019) entered into force on 9 August 2019. This law introduced limitations on the use of consent within a working relationship and on video surveillance.
Ukraine: In most cases, the processing of personal data requires the consent of the respective data subject. However, employers are allowed to process an employee’s basic personal data without consent to the extent required to perform the employer’s statutory obligations (e.g., pay salary, perform statutory reporting, etc.). Processing of sensitive data (e.g., health status data, data related to religious beliefs, political views, etc.) is prohibited unless the individual provides explicit consent or there is a statutory ground for processing these categories of data. The processing of sensitive data requires notification to the Ukrainian Parliament Commissioner for Human Rights. Cross-border personal data transfers require documents such as an intercompany agreement on the transfer of data, etc., in addition to the data subject’s consent.
UK: As of the end of the transition period following the UK’s exit from the EU, the UK is subject to the UK GDPR and the Data Protection Act 2018, which impose significant obligations and onerous sanctions for employers. Under this regime, it is extremely difficult for employers to rely on consent to process employee data, and other legitimate grounds generally must be identified.
DENMARK: Employers must comply with the GDPR as of 25 May 2018 and the Danish Data Protection Act. Employees have the right to detailed information about the processing of their data. All information provided must be concise, transparent, easily accessible and in plain language. Employers must provide information on the legal basis for processing and, if the data is sensitive, which of the conditions for processing special categories of personal data on which the employer relies. The notice must also advise the employees of their rights under the GDPR.
Austria: Employees must generally be notified of personal data processing – and, in certain cases, must give consent. Strict rules apply to data transfer outside the EEA. Monitoring employees usually requires an agreement with the works council, if any, or an individual agreement with each employee. Since May 2018, Austria has been subject to the GDPR, which has introduced significant new obligations and onerous sanctions for employers.
NETHERLANDS: Employees generally must be notified of personal data processing and, in certain cases, must give consent. Registrations with the Information Commissioner are required. Special rules apply to data transfer outside the EEA. There are significant restrictions on monitoring e-mail and internet use. Since May 2018, the country has been subject to the GDPR, which introduces significant new obligations and onerous sanctions for employers. In general, the GDPR aims to empower individuals (including temporary employees, job applicants, contractors, trainees and other workers) to control the use of their personal data, and to harmonise data protection legislation across the EU.
New Zealand: The Privacy Act 2020 controls New Zealand data privacy and determines how employers collect, use, disclose, store and give access to “personal information.”
LUXEMBOURG: The GDPR has been in force since 25 May 2018 and has been complemented by a law dated 1 August 2018. Since then, the processing of personal data is no longer subject to prior notification to, or authorisation from, the National Data Protection Commission (Commission Nationale pour la Protection des Données or CNPD). However, the processing of personal data for the purpose of supervising employees in the context of employment relationships may only be carried out by the employer under certain conditions. The employee’s consent does not legitimise the processing of data. Employees and the Staff Delegation/the Labor and Mines Inspectorate (Inspection du Travail et des Mines or ITM) must be notified of any personal data processing. Data subjects have the right to lodge a complaint with the CNPD.
Cybersecurity: how to maintain GDPR compliance?
Even with extremely high fines and stringent requirements, GDPR violations and data breaches have been skyrocketing across the world. In 2020, an overall increase in fraudulent activity was detected, according to ACFE’s “Fraud in the Wake of COVID-19: Benchmarking Report”: 77% of survey participants had seen an increase in the overall level of fraud as of August, compared to 68% who had observed an increase in May. Earlier, we wrote about how the COVID-19 crisis triggered fraudulent activity and what businesses can do to support anti-fraud efforts in their organisations and to strengthen their immunity to fraud. Cyber-attacks are also on the rise – the gov.uk survey continues to show that cybersecurity breaches are a serious threat to all types of businesses and charities. 39% of businesses and 26% of charities reported having cybersecurity breaches or attacks in the last 12 months. As in previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%). Find out how to protect your business from cyber breaches and how to maintain GDPR compliance here!
6 challenges for compliance officers in 2020
The job of a compliance officer can be a difficult one. Organisations from large corporations down to small government agencies rely on their compliance officers to keep them within ethical and legal boundaries. They also rely on them to maintain monitoring and reporting requirements, and stay abreast of any changes in the compliance landscape. For professionals in this field, the bad news is that challenges will continue to increase in the near future (as we’ll explain in this article). The good news is that there are trained experts available to work hand-in-hand with organisations’ compliance officers to minimise risk and help them remain in compliance.
The stakes are high, as organisations in both the public and private sectors face new laws and regulations in jurisdictions around the world, along with increasingly strict enforcement and punishments. Investigations of violations can, and often do, lead to heavy fines. In some cases, criminal charges may result – and these can be levied against the organisation, or individuals, or both. Here are some of the biggest challenges facing compliance officers today:
1. Anti-money laundering (AML) regulations
The Panama Papers and other major scandals, including the illicit funding of certain terrorist actions, brought money laundering issues firmly into the spotlight. Many governments have been stirred to action to create stronger measures meant to prevent the illegal funding of criminal or terrorist enterprises. In the European Union, this resulted in the 5th Money Laundering Directive (5MLD), which takes effect in January 2020. 5MLD impacts organisations most directly in how they handle their know-your-customer (KYC) processes.
In the run-up to the 5MLD, there was increased attention on high-risk countries. Clients or transactions engaged in high-risk countries are now subject to enhanced due diligence when performing onboarding checks. Compliance teams need to ensure KYC is not a simple “tick box” exercise during the onboarding phase, and ongoing monitoring processes need to be implemented to manage changes throughout the customer lifecycle.
5MLD requires enhanced due diligence when dealing with high-risk countries. In addition to obtaining evidence of the source of funds and source of wealth, information on beneficial ownership and background to the intended transaction must also be recorded. The EU may also designate a ‘blacklist’ of high-risk countries for money laundering.
2. Conflicts of interest
Risks related to conflicts of interest are significant at every level of the company. Starting with the board of directors, an effective board must be transparent about potential conflict issues and address them on an ongoing basis. Board decisions that suffer from actual conflicts can compromise the board’s adherence to its duties and create real legal risks. Even the appearance of a conflict can raise real issues, and transparency becomes even more important in these contexts.
This same level of risk can undermine the integrity of senior management. When senior executives fail to address real and significant conflicts, the integrity and overall leadership trust factor can deteriorate. A compliance executive must be willing to take on these issues, even when it is difficult to confront senior executives.
Within the private equity (PE) industry, conflicts and their adequate disclosure remain problematic. In recent years regulators have made examinations of PE firms and their complex structures top priorities. Most major organisations – and their compliance officers – see outside business activities as a risk.
3. Innovation driving new demands
New innovations are providing increased efficiency in compliance processes, which is a major plus for organisations. Always a double-edged sword, however, technology also creates more issues in data security, not to mention the training and expertise required to master it.
For many ‘non-tech’ professionals such as compliance officers, rapidly changing technology can be a concern, as the importance and integration of technology into the compliance suite continue to evolve. Compliance officers may not need to become technology experts, but they do need to ensure that tech-related risks are addressed within their firm’s framework. Compliance must be aware of rules and regulations from every jurisdiction with authority over the firm’s activities. This is another area where partnering with an outside firm that provides training and technology resources can be a major advantage.
4. Regulatory and political change
Recent years have seen a flurry of new regulations from various governmental bodies and jurisdictions, from the General Data Protection Regulation (GDPR) act to 5MLD. The GDPR, for example, has extraterritorial reach. It also serves as a model for future possible regulations in the critical area of data privacy and cybersecurity.
In Europe, Brexit creates real uncertainty for the UK’s regulators, and the industries that they regulate. But Brexit also impacts EU member states and any organisations doing business within or through the UK. The impact is far-reaching, and regulators face major challenges in responding to profound changes in policy, the legislative framework and the wider economic context.
Politics in the United States and other nations have also seen similar dramatic shifts in governmental control and resultant effects in policy, which can impact regulatory laws and how they are implemented and enforced worldwide. One thing is certain – investigations and legal actions based on violations of the Foreign Corrupt Practices Act (FCPA) continue to increase, and organisations must remain diligent in conducting risk assessments and implementing control measures to remain in compliance.
5. Personal liability
One area of concern sure to grab the attention of any compliance officer is the issue of personal liability. Recent news stories have reported criminal convictions, some leading to prison sentences, of executives, “middle men” and other individuals involved in various scandals. Compliance officers should take heed, as their responsibilities to their company can also extend to their own professional conduct being placed under a microscope. Many compliance professionals are aware of this, as a recent Thomson Reuters survey found that 60% of them expect personal liability to increase.
New initiatives underline this reality, such as the Senior Managers and Certification Regime (SMCR) in Europe. It places a focus on firms’ senior managers and individual responsibility, and extends to all Financial Conduct Authority (FCA) solo-regulated financial services firms. The FCA itself has been increasing enforcement notices against individuals. We can expect an increase in these types of measures, and they will apply to industries beyond those in the financial sector.
6. Ethics and integrity
Today’s business landscape brings an increased emphasis on the culture of an organisation, with an eye toward ethical practices and principles. With growing scrutiny from both regulators and stakeholders, the pressure is on for compliance professionals and their superiors to take broader responsibility for policies, procedures and controls to create a truly ethical business.
The Cambridge Analytica scandal is a notable example of how data misuse has serious brand and societal implications, on top of legal and compliance penalties. The public outrage was so intense that governments were forced to act, calling on Facebook and other involved parties to testify and explain themselves. The market’s reaction was also punishing, with more than $100 billion knocked off Facebook’s share price in days, while Cambridge Analytica went out of business.
In conclusion, AML regulations, conflicts of interest, innovation driving new demands, regulatory and political change, personal liability, and ethics and integrity issues are among the biggest challenges facing today’s compliance professional. This is the time to address solutions. There is expert help and a wealth of resources available, with no better time to leverage them than the present.
Let us know if you would like to learn more! Contact us today and get your FREE QUOTE now!
Who is CRI Group?
Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening,
In 2016, CRI Group launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.
Top 10 Bribery and Corruption Cases of 2019
There is a never-ending stream of news stories documenting bribery and corruption cases around the world. Some of those cases rose to the top of the headlines in 2019. All of the stories help illustrate the need for organisations to have proper controls in place to prevent further bribery and corruption cases popping up. A certification such as ISO 37001 – Anti-Bribery Management Systems standard can provide a comprehensive approach to mitigating bribery and corruption risk. Organisations of all sizes and industries should take steps now to ensure that they don’t end up on a future list of top bribery and corruption cases and scandals.
Here, we count down the stories we’ve chosen as the 10 most eye-popping bribery and corruption cases reported in 2019.
#10 – Juniper Networks
California-based cybersecurity firm Juniper Networks was ordered by the U.S. Securities and Exchange Commission (SEC) to pay more than $11.7 million for violations of the Foreign Corrupt Practices Act (FCPA). The SEC alleges that some of the sales employees in Juniper’s Russian subsidiary “secretly agreed with third-party distributors to fund leisure trips for customers, including government officials through the use of off-book accounts.” In the settlement, Juniper did not explicitly admit or deny the SEC’s claims – but it did agree to “cease and desist from committing or causing any violations”. (Reuters, 2019; SEC, 2019)
#9 – Alstom
Paris-based Alstom came under the attention of the UK Serious Fraud Office (SFO), resulting in a £16.4 million judgment in fines and costs for a corruption scheme. Alstom Network UK Ltd was ordered to make the payment after an SFO investigation revealed a fraudulent contract with an intermediary that was “simply a conduit for bribes”. To hide the corruption, Alstom went so far as to provide fake paperwork and fraudulent compliance checks. Three former Alstom employees were jailed in the case.
The multinational conglomerate, which serves the rail industry in locations worldwide (and formerly included interests in the power industry), has seen trouble at several units in various regions. In 2014, Alstom SA pleaded guilty in the U.S. to violating the Foreign Corrupt Practices Act (FCPA). The company bribed officials in Saudi Arabia, Egypt, Indonesia and the Bahamas, resulting in $772 million in criminal penalties. In 2016, Alstom Power Ltd pleaded guilty in the UK for corruption involving a Lithuanian power project. (WSJ 2019, FCPA Blog, 2019)
#8 – Microsoft
In Hungary, a wholly-owned subsidiary of Microsoft (aptly named Microsoft Hungry) was busted for a bid-rigging and bribery scheme, costing the corporation $25.3 million in combined criminal and civil penalties. The action was brought by the U.S. Department of Justice (DOJ) and the SEC for violations spanning from 2013 until “at least” 2015.
The scandal centered around the sale of Microsoft software licenses to Hungarian government agencies. Microsoft Hungary employees, including executives, were found to have falsely represented steep “discounts” in order to conclude deals with resellers, in violation of the FCPA. The SEC further found that Microsoft’s subsidiary in Turkey “provided an excessive discount to an unauthorized third party in a licensing transaction for which Microsoft’s records do not reflect any services provided”. (Compliance Week, 2019)
#7 – KPMG
Big Four accounting firm KPMG found itself in all sorts of embarrassing (and costly) trouble over allegations that some of its former employees used stolen information to alter previous audit work – and cheated on training exams. The firm admitted to the allegations and agreed to pay the SEC $50 million to settle the charges. The case is significant as it marks the largest fine imposed on an auditor by the SEC to date.
“The breadth and seriousness of the misconduct at issue here is, frankly, astonishing”, said Steven Peikin, one of the SEC’s enforcement directors. “This settlement reflects the need to severely punish this sort of wrongdoing while putting in place measures designed to prevent its recurrence”. (Reuters, 2019)
#6 – Samsung Heavy Industries
A subsidiary of Samsung Group, South Korea-based Samsung Heavy Industries Company Ltd. (“SHI”) found itself under investigation for involvement in the Petrobras scandal. Specifically, the company was charged in a scheme to pay millions of dollars in bribes to Petrobras officials in return for Petrobras chartering one of SHI’s oil drillships. Petrobras is the Brazilian state-owned energy company caught up in a major, ongoing investigation over widespread corruption.
According to the DOJ, SHI conspired to pay commissions, including some of that money for bribes, to Brazilian intermediaries beginning in 2007 and continuing until 2013. The amount topped $20 million. SHI admitted to the charges and entered into a three-year deferred prosecution agreement with the DOJ. As per the agreement, SHI will pay 50 percent of the total penalties to the U.S. and the remaining 50 percent to the Brazilian authorities. (Lexology, 2019)
#5 – Fresenius Medical
Fresenius Medical Care AG & Co. KGaA (based in Bad Homburg, Germany) agreed to pay $231 million in penalties for bribing doctors and public health officials in at least 17 countries. Fresenius is the world’s largest provider of dialysis equipment and services. It will make the payments to the DOJ and SEC to settle violations of the FCPA in various countries and continents, including Africa, the Middle East and Europe.
According to the SEC, in some locations, Fresenius failed to train employees or conduct due diligence on agents, and “in many instances, senior management actively engaged in corruption schemes and directed employees to destroy records of the misconduct”. Fresenius paid about $30 million in bribes “using sham consulting contracts, falsifying documents, and funneling bribes through a system of third party intermediaries”. (FCPA Blog, 2019)
#4 – Walmart
Retail giant Walmart is alleged to have engaged in corrupt payments to governments and officials around the world for more than 10 years, according to an agreement reached with the DOJ and SEC. Walmart will pay $282 million to settle the charges that it violated the FCPA in an effort to open new locations in various countries and jurisdictions around the world. Notably, Walmart’s Brazilian subsidiary pleaded guilty to breaking U.S. federal law – but allegations included cases in Mexico, China, India and other locations.
Federal regulators said Walmart looked the other way as subsidiaries on three continents paid millions of dollars to middlemen who helped the company obtain permits and other government approvals from July 2000 to April 2011. (The New York Times, 2019)
#3 – TechnipFMC
London-based TechnipFMC was charged with making illicit payments to advance the company’s interests in Iraq and Brazil. The company paid a $296 million settlement to the DOJ for the two bribery schemes. In its enforcement action, the DOJ said the charges against TechnipFMC “arose out of two independent bribery schemes: a scheme by Technip to pay bribes to Brazilian officials and a scheme by FMC to pay bribes to officials in Iraq”.
The SEC alleged that from 2003 until at least 2013, Technip conspired with Singapore-based Keppel Offshore to pay $69 million in bribes, disguised as “commission payments” passed in part to Petrobras – as well as more than $6 million in payments to the Workers’ Party in Brazil and to Workers’ Party officials. In Iraq beginning in 2008 and continuing until at least 2013, FMC bribed at least seven government officials “through a Monaco-based intermediary company”, the DOJ said. (DOJ, 2019)
#2 – Ericsson
Number two on our list is Swedish telecom giant Ericsson. The company paid a blockbuster sum of more than $1 billion (U.S.) to the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) for “violating the anti-bribery, books and records, and internal controls provisions of the FCPA.”
According to the DOJ, the corruption scandal spanned 17 years and at least five countries. It involved high-level executives and was geared toward increasing Ericsson’s profits. Ericsson allegedly used slush funds to bribe officials in various countries including China, Vietnam, Indonesia and Kuwait.
In China, for example, Ericsson subsidiaries paid millions in bribes that were ultimately delivered to officials, including about $31.5 million for services that were never performed. (DOJ, 2019)
#1 – Unaoil
And finally, number one on our list: The massive Unaoil scandal continued to make headlines. Four businessmen pleaded guilty in London courts in 2019, admitting that they were involved in paying millions in bribes. According to investigators, the illicit payments were made to officials in nine different countries over a span of 17 years. As part of the scheme, participants were alleged to have engaged in widespread money laundering and attempts to destroy evidence.
It is alleged that two of the key players in the scandal made millions of dollars in bribe payments to government officials in Algeria, Angola, Azerbaijan, the Democratic Republic of Congo, Iran, Iraq, Kazakhstan, Libya and Syria. Fallout continues from the massive Unaoil case, which some have said is the largest bribery scandal in history. The family business from Monaco is alleged to have systematically corrupted the global oil industry, paying out millions of dollars in bribes on behalf of big-name companies including Samsung, Rolls-Royce and Halliburton. (The Guardian, 2019; The Age)
Let us know if you would like to learn more about other bribery and corruption cases or our solutions!
If you have any questions or interest in implementing compliance solutions, please contact us.
CRI Group has safeguarded businesses from a wide range of risks, providing investigations (e.g. insurance fraud), employee background screening, investigative due diligence, business intelligence, third-party risk management, forensic accounting, compliance and other professional investigative research services. In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. Contact ABAC® for more on ISO Certification and training.
ABAC® training held for 2019 International Anti-Corruption Day
“Manage your business risks with confidence” was the tone for CRI® Group’s ABAC® Center of Excellence anti-bribery anti-corruption training event held on International Anti-Corruption Day (Monday, 9 December) in Dubai. Hosted at Dubai Quality Group’s offices at Emarat Atrium Building, the “Introductory Seminar on ISO 37001:2016 Anti-Bribery Management System” provided critical insight on how to protect businesses from bribery and corruption risks. Bribery and corruption do more than just damage businesses and detrimentally affect employees – they also affect the world’s economy. For example, it’s estimated that more than US $4 billion was embezzled in one of the world’s biggest corruption schemes, 1MDB, globally. The ABAC seminar provided effective, real-world solutions laid forth by the ISO 37001 Anti-Bribery Management System to give businesses effective controls to mitigate risk.
Takeaways for attendees included a greater understanding of the globalisation of bribery and corruption, and an in-depth look at Middle East case studies. The seminar also provided an understanding of the background of bribery, and knowledge of ISO 37001 impact, requirements, training, and certification. Another focus was on how to remain in compliance with ISO 37001. Attendees included top-level management personnel and specialists with expertise in various areas, such as compliance and ethics, legal practice and counseling, internal audit, internal controls, finance, risk management, and supply chains. Many in the group were involved in coordinating, developing, implementing and auditing anti-bribery compliance activities internally. Some attendees were involved in assessing their organisation’s internal and external supply chain. The seminar was also streamed live on Dubai Quality Group’s Instagram page.
ISO 37001 training
A company’s own employees are its best protection against corruption. Statistics show that most corruption is detected internally. Give your employees the tools they need to prevent bribery and mitigate related risks. Achieving ISO 37001 Awareness, Internal Auditor, Lead Auditor and/or Lead Implementer training is a proactive way of demonstrating your organisation’s commitment to ethical sustainability. Your employees will be able to recognise any form of corruption, and report it. Our trainers are the best in the business. They’re passionate about sharing their knowledge with you and/or your employees.
ABAC® trusted experts have years of hands-on and business experience – they bring the subject matter to life with relevant and contemporary examples.
Lead Auditor training in Pakistan
Join us for LA training in Pakistan. During this training, you will:
- Understand the operation of an Anti-bribery Management System based on ISO 37001 and its principal processes
- Understand the correlation between ISO 37001 and other standards and regulatory frameworks
- Understand the auditor’s role in planning, leading and following-up on a management system audit in accordance with ISO 19011
- Interpret the requirements of ISO 37001 in the context of an ABMS audit
- Strengthen the personal skills necessary for an auditor to act with due professional care during an audit
Interested?
Our sister brand Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence is an independent certification body established for ISO 37001 Anti-Bribery Management System, providing Introductory, Internal Auditor, Lead Auditor training and ISO ABMS Certification. ABAC’s certification services are accredited by the EIAC for administering the ISO 37001 Anti-Bribery Management Systems standard.
CRI® Leads 2019 International Anti-Corruption Day
International Anti-Corruption Day is Monday, 9 December 2019. The campaign was started as a joint venture between the United Nations Development Programme (UNDP) and the United Nations Office on Drugs and Crime (UNODC), and now organisations around the world are united against corruption for this day every year.
United Against Corruption focuses on corruption as one of the biggest obstacles to achieving sustainable development goals. The abuse of entrusted power for private gain can cost people their freedom, health, life and future. Moreover, corruption affects every country, region, and community.
CRI® Group is a strong supporter of International Anti-Corruption Day and an advocate of preventing corruption at all levels. CRI® addresses the corruption problem with thought leadership pieces focused on bribery and corruption in various regions, including South Asia, the Middle East, and the United Kingdom. CRI® Group’s experts have also published multiple informative articles worldwide to help educate business and industry leaders, government officials, corporate professionals and the public on topics ranging from corruption to due diligence and employee background investigations. These include CRI® Group’s primary research paper, “How Can Life Sciences Companies Prevent Bribery and Corruption? Is ISO 37001:2016 the Answer?” Zafar Anjum, Group Chief Executive Officer for CRI® Group, was featured in Financier Worldwide’s “Annual Review: Corporate fraud & corruption,” discussing the latest corruption risks and best practices for combating fraud in the Middle East and beyond.
This year, CRI® Group celebrated its 29th anniversary as a global leader in compliance and risk management. The firm cultivates this leadership role in many ways, including hosting anti-fraud, anti-bribery and anti-corruption conferences and summits, and participating in other hosted events, around the world. These include CRI® Group’s own Anti-Bribery Anti-Corruption Summits in Islamabad, Karachi and Kuala Lumpur, and participation in the Malaysian Anti-Corruption Commission (MACC) Seminar Benchmark on Governance, Integrity & Anti-Corruption. At this year’s MACC Seminar, Mr. Anjum presented “Anti-Bribery Management System (ABMS 37001) Case Study and Implementation – UK Experience.” He provided an overview of ISO 37001 Anti-Bribery Management System Accreditation & Certification as an effective and “adequate procedure” for organisations in the region and beyond.
Join us for the ABMS training on 9th December
CRI® Group’s ABAC® Center of Excellence will be hosting an important seminar on Monday during International Anti-Corruption Day. The “Introductory Seminar on ISO 37001:2016 Anti-Bribery Management System” will provide insight on how to protect your business from bribery and corruption risks. Attendees will gain a greater understanding of the globalisation of bribery and corruption; learn case studies in bribery and corruption in the Middle East; understand the background of bribery; gain knowledge of ISO 37001 impact, requirements, training, and certification; and learn how to remain in compliance with ISO 37001. Register today.
Lead Auditor training in Pakistan
This year, ABAC® also presents “ISO 37001 Lead Auditor Training”. This intensive course helps attendees understand the operation of an Anti-bribery Management System based on ISO 37001 and its principal processes. It also focuses on the correlation between ISO 37001 and other standards and regulatory frameworks, and the auditor’s role in planning, leading and following-up on a management system audit in accordance with ISO 19011. Attendees learn to interpret the requirements of ISO 37001 in the context of an ABMS audit. The course also strengthens the personal skills necessary for an auditor to act with due professional care during an audit.
ABAC® has guided many clients through ISO 37001 training and certification. Some of the organisations that have successfully completed ISO 37001 certification include global transport company Apex Shipping, global investment firm Mubadala, and technology services company ISS Middle East FZC, to name a few.
Interested in evaluating your corporate compliance program?
Let ABAC® experts conduct the Highest Ethical Business Assessment (HEBA) survey to evaluate your organisation’s current corporate compliance programs. It’s the best way to find out if your organisation’s compliance program is in line with worldwide compliance, business ethics, anti-bribery and anti-corruption frameworks.
International Anti-Corruption Day is a great opportunity to participate in a HEBA survey. ABAC® experts will prepare a complimentary gap analysis of your organisation’s compliance program to evaluate whether it meets the “adequate procedures” requirements under the UK Bribery Act, the DOJ’s Evaluation of Corporate Compliance Programs guidance and the Malaysian Anti-Corruption Commission.
Corruption is found in both rich and poor countries, and among organisations of all sizes and industries. It contributes to instability and poverty and is a dominant factor driving fragile countries towards state failure. On International Anti-Corruption Day, CRI Group stands ready to provide solutions to organisations that aim to reduce their risk and prevent more fraud and corruption. Additionally, ABAC® provides training and certification programs to help ensure continued best practices and prevention measures. These are the types of steps that make a real difference.
Awareness is the first step toward combating corruption – but it isn’t the only step. CRI® Group knows that taking concrete action to prevent bribery and corruption is essential in making a real difference. Contact us today and let us help you to fight bribery and corruption.
Middle East corruption: how can ISO 37001 help?
Political and governmental unrest can affect a region’s economy and the integrity of business transactions. The current state of the Middle East exemplifies this phenomenon. While governments in the region are making efforts to curb corruption, political instability and regime changes often undermine these measures. Bad actors understand how to take advantage of such vulnerabilities, leading to increased bribery and corruption across international borders. Recent cases and statistics show that the problem persists in most countries in the region. Against this backdrop, most government officials and private sector business leaders view reducing bribery and corruption as a high priority. One of the problems, however, is that some dishonest politicians use supposed anti-corruption efforts as a tool against political enemies. This makes clear that the best approach is for government agencies and businesses themselves to lead from the front. Adopting an internationally recognised set of anti-bribery and anti-corruption standards increases business integrity. Organisations that are committed to this effort are adopting the ISO 37001 Anti-Bribery Management Systems standard as a comprehensive approach to mitigating bribery and corruption risk. ISO 37001 and its elements can be tailored to any type of organisation, of any size. The key elements include adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates. ISO 37001 also calls for implementing financial and commercial controls, and instituting reporting and investigation procedures.
Corruption a Major Challenge in the Middle East
The Middle East lags behind several other regions when it comes to bribery and corruption. Even as bribery and corruption are decreasing slightly worldwide, the Transparency International Corruption Perceptions Index shows the troubled state of the Middle East and North Africa: “The Corruption Perceptions Index 2018 presents a grim reality in the Middle East and Northern Africa where, despite some incremental progress by a select few, most countries are failing in the fight against corruption”. Syria, Yemen and Libya are at the bottom (worst) end of the list. There are some bright spots, though. The United Arab Emirates (UAE) and Qatar, both countries that have taken strong stances on fraud and corruption, score the highest for the Middle East. Morocco and Egypt showed some improvement. Overall, however, the political instability in the region has created a tumultuous business environment. According to the article: “In many Arab governments, powerful individuals have actively influenced government policies and diverted public funds and state assets for their own self-interest and enrichment at the expense of citizens. This reduces anti-corruption efforts to merely ink on paper, where laws pass, but are rarely enforced or implemented.”
This is underscored by limits and obstacles that corruption throws up in the way of those looking to enact real change. “Across much of the developing world, the corruption of courts and other government institutions threatens the free flow of goods and capital that promotes economic growth. Left unaddressed, such threats can lead to heightened tensions among nations and even outright trade wars. Diplomats operate under constraints that limit how much they can call out international bad actors who violate the rule of law. That’s why the role of outside watchdogs is so important in promoting the Rule of Law and holding nations to the standards of fairness and impartiality they claim to meet,” writes National Review.
Iran: Power Structures Hamper Progress
One country that exemplifies the Middle East’s difficulties with corruption is Iran. The problem is described by one analyst as “deeply rooted,” and is even recognised by the country’s conservative rulers. In a political structure such as Iran’s, a campaign to combat “systemic corruption” is often seen through the lens of political reprisals against rivals. “In autocratic systems, every now and then, a campaign emerges under the banner of fighting corruption. The main reason is to buy legitimacy for the system. During the last years of the rule of the former Shah of Iran, in an attempt to tame the revolution, such a campaign led to the arrest of several prominent political figures, including Amir-Abbas Hoveyda, who served for 13 years as prime minister”.
“While the same impetus could be behind the current move by Raisi, there is strong speculation in Iran that the move also, and more importantly, aims to shape a consensus within the country to accept Raisi’s giant leap towards assuming the leadership of the country after Khamenei’s death”.
While there has been some concern that the corruption crackdown is a cover for prosecuting reformers, some disagree, positing that it depends more on which party is leading the effort. “Corruption in Iran is linked to political power. Therefore, whichever of Iran’s two main political factions—fundamentalist or moderate-reformist—takes over the executive branch, corruption among the members of that faction increases. At the end of former President Mahmoud Ahmadinejad’s term in office, for instance, his first vice president, Mohammad-Reza Rahimi, and his Vice President for Executive Affairs, Hamid Baghaei, were imprisoned for economic corruption and embezzlement. Such corruption reached an all-time high during his tenure in office”. In any case, it’s clear that most observers aren’t convinced that the country’s anti-corruption campaign is to be taken at face value – yet.
Bribery Cases Exposed in UAE
Two bribery cases demonstrate some common characteristics among such schemes. While both of these instances were uncovered (and prosecuted) in the UAE, they are likely typical for the Middle East region and beyond.
In 2018, an Emirates Post revenue officer was sentenced to prison after being convicted of attempted bribery. The officer solicited a Dh100,000 bribe from a corporate customer. The Jordanian revenue officer, 28, was in a unique position to attempt the crime, as his duties included collecting and auditing profits on behalf of the Emirates Post office in Dubai. He perpetrated the scheme by levying fines on a shipping company based in India for supposed postal fee violations. The alleged fine, according to the revenue officer, totalled Dh2.4 million, and he attempted to negotiate a deal with the client to have the fine reduced to Dh400,000 in exchange for the Dh100,000 bribe. Instead of paying, the client wisely contacted the police. In a sting operation coordinated by the police, the client was fitted with a listening device, met the officer and paid the bribe. As a result, the revenue officer was arrested and subsequently convicted.
In another case, two Asian residents of the UAE were sentenced to three years and one year in jail, respectively, for giving and accepting a bribe. They were also fined Dh5,000. One of the perpetrators was a government officer. The first defendant, a trader, offered a bribe of Dh900 to the government officer, who worked as a customs clearance staff member at Saqr Port in Ras Al Khaimah. The goal was to ship two containers full of scrap iron out of the UAE without paying taxes or undergoing an inspection. When they were caught, the trader who gave the bribe claimed that it was just a loan, and that he had already paid “over Dh50,000 in taxes and charges”. The other defendant (the customs officer) agreed, but the court did not accept their explanation. Both defendants will be deported to their home countries after serving their prison sentences. These types of cases are typical of positions of access, and can happen in any jurisdiction. They exemplify the problem that government agencies and companies alike are trying to reduce and prevent.
‘Relationship Building’ v. Bribery
To some degree, the same problems that plague the Middle East are endemic around the world. Among them is the dilemma of what constitutes bribery. In nearly all cultures, relationship building is considered an essential part of doing business. Often, business associates include numerous friends or even family members. When that is the case, there is a sliding scale between what is merely a favour or a gift and what constitutes bribery or corruption. The Foreign Corrupt Practices Act (FCPA) can provide some guidance here. A case involving Bank of New York Mellon is instructive. “On 18 August 2015, Bank of New York Mellon (“BNYM”) consented to a Securities and Exchange Commission (“SEC”) Order requiring BNYM to pay $14.8 million to settle charges that it violated the FCPA by providing student internships to family members of foreign government officials affiliated with a Middle Eastern Sovereign Wealth Fund (“SWF”). All parties involved, except BNYM, have been anonymised in the Order so that the nationality of the foreign public officials and the SWF is publicly unknown beyond being described as ‘Middle Eastern’.
“The BNYM internships were given to three people: the son and nephew of one key figure of the SWF and the son of another. The internships were given despite the facts that the interns did not meet the rigorous selection criteria usually applied by BNYM and did not go through the standard (or any) recruitment process before being awarded the internships. In addition, these internships were found by the SEC to be more valuable than those offered to the regular applicants, who had endured the competitive admissions process against strict entry requirements. For example, rotation between business units was arranged, which is not an opportunity afforded to regular interns.”
“Emails between BNYM employees clearly demonstrate that the motivation behind the favour to the foreign officials was to influence the latter’s decision-making in the interests of BNYM. There can be no doubt that this was bribery in action – the BNYM employees expected to retain and gain business from the foreign officials in return for offering their relatives valuable internships to which they would not otherwise have had access”.
The case clearly describes what could be considered a “gray area” compared to some of the more extreme realities of bribery and corruption. One study of the Middle East and North Africa in 2016 suggested that people felt the need to bribe officials for basic services. “About 30 percent of those polled said that they had to access basic public services by bribing officials. If that figure holds across the entire MENA region, that would mean that about 50 million people, the majority of whom are poor, feel they must pay bribes in order to have access to basic public services. In five countries, the rich reported being far less likely to have to pay a bribe: 63 percent of poor Sudanese citizens versus 38 percent of wealthy ones, for example, and 23 percent versus 12 percent, respectively, in Algeria”.
ISO 37001:2016 to Combat Bribery & Corruption
Corruption certainly isn’t exclusively a Middle Eastern problem. Organisations around the world are taking action to reduce risk. They’ve found the structure and process they need in ISO 37001. ISO 37001 was issued by the International Organization for Standardization (ISO) in 2016 to help organisations worldwide increase and measure their efforts against bribery and corruption. Through ISO 37001 ABMS, organisations can implement standards at every level. These measures include adopting an anti-bribery policy and appointing a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates. It’s also critical that the organisation implement financial and commercial controls, along with reporting procedures and investigation processes.
CRI Group founded ABAC® (Anti-Bribery and Anti-Corruption) Center of Excellence to help organisations of all types and industries implement ISO 37001 certification and/or training. ABAC® has a team of experts around the world that include certified ethics and compliance professionals, financial and corporate investigators, forensic analysts, certified fraud examiners, qualified auditors, and accountants. They are trained and experienced in the implementation of ISO 37001’s key elements, helping clients more effectively prevent bribery and corruption. ABAC Certification is an accredited provider of ISO 37001 ABMS, and it provides certification and training for organisations of various types and industries.
There are requirements and guidance that the ISO 37001 standard prescribes for a comprehensive anti-bribery management system. The following bribery elements are addressed by ISO 37001 in relation to the organisation’s business processes and activities:
- Bribery in the public, private and not-for-profit sectors
- Bribery by the organisation
- Bribery by the organisation’s personnel acting on the organisation’s behalf or for its benefit
- Bribery by the organisation’s business associates acting on the organisation’s behalf or for its benefit
- Bribery of the organisation
- Bribery of the organisation’s personnel in relation to the organisation’s activities
- Bribery of the organisation’s business associates in relation to the organisation’s activities
- Direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party)
Government organisations and companies can reduce the risk of bribery through ISO 37001’s best practices for anti-bribery and anti-corruption. The following are just a few of the ways ISO 37001 helps accomplish this goal:
- Provide needed tools to prevent bribery and mitigate related risks
- Help an organisation create new and better business partnerships with entities that recognise ISO 37001 certified status, including supply chain manufacturing, joint ventures, pending acquisitions and co-marketing alliances
- Potentially reduce corporate insurance premiums
- Provide customers, stakeholders, employees and partners with confidence in the entity’s business operations and ethics
- Provide a competitive edge over non-certified organisations in the organisation’s industry or niche
- Provide acceptable evidence to prosecutors or courts that the organisation has taken reasonable steps to prevent bribery and corruption
It is important to note that “Conformity with (ISO 37001) cannot provide assurance that no bribery has occurred or will occur in relation to the organisation, as it is not possible to completely eliminate the risk of bribery”, according to ISO. The certification is potentially an important piece of evidence, however, that shows regulators, prosecutors, and the courts that the organisation has taken meaningful action to prevent bribery and corruption.
Conclusion
All is not lost. Some Middle Eastern countries, like the United Arab Emirates, have made a commitment and continue to demonstrate positive strides toward combating corruption. UAE has expanded its laws, broadened the definitions of what is considered bribery and corruption, and increased punishments. But the country is largely an outlier in a region that is struggling under the weight of instability and corruption.
In this type of environment, both government organisations and the businesses they serve (and regulate) need ISO 37001. The sooner organisations implement the comprehensive measures prescribed by ISO 37001, the calmer the seas will be for international trade, business agreements and mergers, acquisitions and other positive elements of economic growth.
An established standard like ISO 37001 ABMS can help organisations address bribery and corruption by implementing best practices in a program of training and certification. While following the curriculum, the training process can easily be tailored to the organisation based on its size, type, industry or risk level. Bribery and corruption are pervasive problems that won’t be solved overnight. It will take a concerted effort by all major players in the region to make positive strides and reduce risk factors. ISO 37001 provides a blueprint for making those changes. Twenty or thirty years ago, organisations were mostly on their own when it came to developing an anti-corruption strategy. Today, there is a tried-and-true path forward. Committing to it is the first step toward making real progress in the Middle East.
Sources
- “Middle East & North Africa: Corruption Continues As Institutions And Political Rights Weaken,” Transparency International, 29 Jan. 2019, <https://www.transparency.org/news/feature/regional-analysis-MENA> (accessed 25 Oct. 2019)
- John Fund, “Cleaning Up Corruption Is a Key to Middle East Stability,” National Review, 23 Oct. 2019, <https://www.nationalreview.com/corner/cleaning-up-corruption-is-a-key-to-middle-east-stability/> (accessed 25 Oct. 2019)
- OECD, “The rationale for fighting corruption,” 2014
- Shahir Shahidsaless, “Iran’s conservatives are saying it: Corruption is ‘systemic’,” Middle East Eye, 7 Oct. 2019, <https://www.middleeasteye.net/opinion/whats-behind-irans-crackdown-corruption> (accessed 25 Oct. 2019)
- Jalil Bayat, “Iran’s Goals In The Fight Against Economic Corruption,” Lobe Log, 18 Oct. 2019, <https://lobelog.com/irans-goals-in-the-fight-against-economic-corruption/> (accessed 25 Oct. 2019)
- Salam Al Amir, “Emirates Post worker jailed for seeking Dh100k bribe from customer,” The National, 31 Oct. 2018, <https://www.thenational.ae/uae/emirates-post-worker-jailed-for-seeking-dh100k-bribe-from-customer-1.786526> (accessed 10 Nov. 2019)
- Ahmed Sheeban, “Government officer jailed for accepting Dh900 bribe in UAE,” Khaleej Times, 13 Apr. 2019, <https://www.khaleejtimes.com/nation/ras-al-khaimah/government-officer-jailed-for-accepting-dh900-bribe-in-uae> (accessed 10 Nov. 2019)
- Andrew Hudson, “Middle East meets West: Where is the line between relationship-building and bribery?,” Al Tamimi & Co., Sept. 2015, <https://www.tamimi.com/law-update-articles/middle-east-meets-west-where-is-the-line-between-relationship-building-and-bribery/> (accessed 25 Oct. 2019)
- Ben Thompson, “Bribery worsening in the Middle East and North Africa, citizens say,” The Christian Science Monitor, 3 May 2016, <https://www.csmonitor.com/World/Global-News/2016/0503/Bribery-worsening-in-the-Middle-East-and-North-Africa-citizens-say> (accessed 25 Oct. 2019)
- “ISO 37001:2016 Anti-bribery management systems — Requirements with guidance for use,” ISO, <https://www.iso.org/standard/65034.html> (accessed 5 Aug. 2019)
- Adam Vause, Zara Merali, “The UAE’s fight against bribery and corruption,” DLA Piper, 16 July 2019, <https://www.dlapiper.com/en/dubai/insights/publications/2019/07/the-uaes-fight-against-bribery-and-corruption/> (accessed 25 Oct. 2019)
25 Benefits of ISO 37001:2016 ABMS Certification
How to fight bribery and corruption?
Bribery and corruption are a dent on the image of any company. They are an unwanted and unsightly reflection that can not only be mitigated but prevented in the organisation. The negative representation might result in a loss of trust among customers, affiliates and business patrons. In addition, the lack of internal anti-bribery controls and procedures has been one of the key reasons for deficient productivity inside global organisations.
To combat these adverse effects, a strong standard is needed in which governance, risk management and compliance (GRC) procedures are at the heart of the system. ISO launched the ISO 37001:2016 ABMS standard, a global benchmark for an Anti-Bribery Management System (ABMS) that helps an organisation detect, protect against and address bribery and corruption. It is an assurance of employing the highest ethical standards and harnessing transparency even in the most complex business activities.
What is ISO 37001:2016 ABMS certification?
ISO 37001:2016 ABMS certification demonstrates an organisation’s commitment to upholding the best practices in the corporate world. Being a framework that measures, identifies and controls the level of transparent commercial performance in line with international guidelines, it is applicable to organisations of all kinds, sizes and natures. By adopting ISO 37001:2016 ABMS certification, companies, subsidiaries and other affiliates are able to shield themselves from the dent that can tarnish their reputation and decrease their proficiency in the industry.
Through the implementation of ISO 37001:2016 certification, your organisation can cultivate a better anti-bribery and ethics culture along with the trust within the establishment. By adopting the ISO 37001:2016 certification, organisations will be able to combine the GRC strategies with the ISO system across all departmental units in a transparent and operative manner. Built with a set of globally accepted requirements, the ISO 37001:2016 certification is compliant with global, regional and local anti-bribery regulations worldwide, which increases the multi-level integrity of the association.
What are the benefits of ISO 37001:2016 ABMS Certification?
ISO 37001:2016 ABMS certification includes audit assessment procedures that support the application and maintenance of a robust anti-bribery program. Being an all-encompassing standard that integrates with other management systems, the ISO 37001:2016 ABMS certification provides several benefits:
- Competitive advantage over other organisations
- Greater awareness of the effects of bribery
- Enhanced aptitude for the prevention of corruption
- Expansion of business opportunities
- Continual improvement of services and products
- Enhancement of the organisation’s reputation
- Facilitation of efficient management operations
- Apt demonstration of legal compliance and assurance
- Reduction in structural and miscellaneous costs
- Escalation of organisational assets
- Better implementation of compliance programs
- Precise execution of significant measures
- Increase in business efficiency and effectiveness
- Superior trust and transparency
- Reduction of malpractice and other hazards
- Protection of resources and other capitals
- Easy integration to existing management systems
- Appropriate utilisation as a due diligence evidence
- Accurate evaluation of organisation’s position
- Recognition and deterrence of immediate threats
- Placement of adequate procedures to combat risks
- Timely observation and development of controls
- Execution of feasible anti-bribery procedures
- Practice of internationally recognised processes
- Establishment of ethical global practices
How can your organisation attain ISO 37001: 2016 ABMS certification?
With the list of returns that ISO 37001:2016 ABMS certification holds, its value is undeniable. The cost and benefits of not adopting a viable Anti-Bribery Management System are far greater than the cost of its implementation. Dedicate your time, energy and capital towards your organisation’s growth and progress. By engaging with a qualified, trained and independent third-party certification body, your company is securing its future against losses and gaining a surplus of rewards. The Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence is looking forward to connecting with you and steering your organisation towards the espousal of ISO 37001:2016 ABMS certification. Provide your company with the credibility to go beyond and reach its envisioned destination. For more information, please feel free to contact our team and visit our website www.ABACgroup.com.
Who is CRI Group?
Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening,
In 2016, CRI Group launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.
Contact us
Head office: +44 7588 454959
Local: +971 800 274552
Email: info@crigroup.com