GDPR: A 21st Century approach to Compliance
Ever since its conception, GDPR has caused a strong stir in the legal and compliance world. The new law builds on the previous data protection legislation but at the same time provides more resilient protections for consumers, and more privacy considerations for organisations involved in the processing of personal data. The new EU General Data Protection Regulation (GDPR) in Europe, adopted in 2016, will be applicable starting on May 25, 2018. GDPR comes with significant changes compared to the Data Protection Directive 95/46/EC involving operational changes in organisations.
To say that GDPR is an extension of the previous law would also not be true. It is an add-on, but also a game changer in the field of legal and compliance. It has been dubbed the most important change in data privacy laws in 20 years, leaving the compliance world in a bit of an abyss due to its ever-evolving nuance and the uncertain nature of its applicability. Each country outside the EU needs to have its own data protection law, as stringent and controlled as the EU’s GDPR.
Personal data
So, what exactly does GDPR apply to? GDPR applies to personal data and sensitive personal data. If you are offering goods or services to EU citizens, inside or outside the EU, GDPR will apply. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier, for example an IP address, can amount to ‘personal data’. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations keeping HR records, employment checks, customer lists, contact details and the like, the change to the definition should make little practical difference. One can assume that if an individual or organisation holds information that falls within the scope of the Data Protection Act (DPA), it will also fall within the scope of the GDPR. The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Sensitive personal data
It is important to note that the GDPR refers to sensitive personal data as “special categories of personal data” as stated in Article 9. These categories are broadly the same as those in the DPA, but there are some minor changes. For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing. All kinds of background screening and due diligence fall under it.
Controller and Processor
Another main step in getting ready for GDPR is first determining whether your organisation processes personal data as a “data controller” or a “data processor”. The GDPR applies to ‘controllers’ and ‘processors’ (Article 19-23). A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you, for example the requirement to maintain records of personal data and processing activities. A processor also bears the onus of legal liability if it is found responsible for a breach.
However, controllers are not relieved of their obligations where a processor is involved, as the GDPR places further obligations on controllers to ensure their contracts with processors comply with the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Consent
To understand GDPR further, it is important to know that consent under the GDPR (Article 32) must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, or in other words a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must be verifiable, and individuals generally have more rights where you, as a person or organisation, rely on consent to process their data.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA. It is important that you determine your lawful basis for processing personal data and document this.
This becomes more of an issue under the GDPR because your lawful basis for processing influences individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, for example to have their data deleted.
Data protection officer
The data protection officer (DPO) is the person responsible for GDPR compliance. As per Article 35, an organisation will be required to hire a DPO depending on its size and on whether it processes large volumes of special category data. This person will operate independently of the organisation. The principles of accountability and transparency have previously been implicit requirements of data protection law; however, the GDPR’s emphasis elevates their significance.
Ultimately, the aim of these measures should be to minimise the risk of breaches and uphold the protection of personal data. The background investigation companies such as CRI Group offering various screening services and conducting fraud examinations, pre- as well as post-employment screening through “EmploySmart”, “3PRM” due diligence investigation services and third-party checks will need to incorporate GDPR in their system for adequate accountability, transparency and governance in the organisation.
Who is CRI Group?
Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening,
In 2016, CRI Group launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.
FCPA Corporate Enforcement Policy is out
On November 29, 2017, Deputy Attorney General Rod Rosenstein revealed the implementation of the FCPA Corporate Enforcement Policy (“Enforcement Policy”), which endeavours to further encourage voluntary disclosure of FCPA violations by companies. The Enforcement Policy attempts to clarify certain aspects of the FCPA Pilot Program launched by the Fraud Section in April 2016 and removes its “pilot” status by incorporating the general framework for credit for voluntary disclosure of FCPA violations into the United States Attorney’s Manual (USAM). For more information, please read the USAM insert below:
9-47.120 – FCPA Corporate Enforcement Policy
I. Credit for Voluntary Self-Disclosure, Full Cooperation, and Timely and Appropriate Remediation in FCPA Matters
Due to the unique issues presented in FCPA matters, including their inherently international character and other factors, the FCPA Corporate Enforcement Policy is aimed at providing additional benefits to companies based on their corporate behaviour once they learn of misconduct. When a company has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth below, there will be a presumption that the company will receive a declination absent aggravating circumstances involving the seriousness of the offence or the nature of the offender. Aggravating circumstances that may warrant a criminal resolution include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.
If a criminal resolution is warranted for a company that has voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated, the Fraud Section:
- Will accord, or recommend to a sentencing court, a 50% reduction off of the low end of the U.S. Sentencing Guidelines (U.S.S.G.) fine range, except in the case of a criminal recidivist; and
- Generally will not require appointment of a monitor if a company has, at the time of resolution, implemented an effective compliance program.
To qualify for the FCPA Corporate Enforcement Policy, the company is required to pay all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue.
II. Limited Credit for Full Cooperation and Timely and Appropriate Remediation in FCPA Matters Without Voluntary Self-Disclosure
If a company did not voluntarily disclose its misconduct to the Department of Justice (the Department) in accordance with the standards set forth above, but later fully cooperated and timely and appropriately remediated in accordance with the standards set forth above, the company will receive, or the Department will recommend to a sentencing court, up to a 25% reduction off of the low end of the U.S.S.G. fine range.
III. Definitions
a. Voluntary Self-Disclosure in FCPA Matters
In evaluating self-disclosure, the Department will make a careful assessment of the circumstances of the disclosure. The Department will require the following items for a company to receive credit for voluntary self-disclosure of wrongdoing:
- The voluntary disclosure qualifies under U.S.S.G. § 8C2.5(g)(1) as occurring “prior to an imminent threat of disclosure or government investigation”;
- The company discloses the conduct to the Department “within a reasonably prompt time after becoming aware of the offence,” with the burden being on the company to demonstrate timeliness; and
- The company discloses all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law.
b. Full Cooperation in FCPA Matters
In addition to the provisions contained in the Principles of Federal Prosecution of Business Organizations, see USAM 9-28.000, the following items will be required for a company to receive credit for full cooperation for purposes of USAM 9-47-120(1) (beyond the credit available under the U.S.S.G.):
- As set forth in USAM § 9-28.720, disclosure on a timely basis of all facts relevant to the wrongdoing at issue, including: all relevant facts gathered during a company’s independent investigation; attribution of facts to specific sources where such attribution does not violate the attorney-client privilege, rather than a general narrative of the facts; timely updates on a company’s internal investigation, including but not limited to rolling disclosures of information; all facts related to involvement in the criminal activity by the company’s officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by all third-party companies (including their officers, employees, or agents);
- Proactive cooperation, rather than reactive; that is, the company must timely disclose facts that are relevant to the investigation, even when not specifically asked to do so, and, where the company is or should be aware of opportunities for the Department to obtain relevant evidence not in the company’s possession and not otherwise known to the Department, it must identify those opportunities to the Department;
- Timely preservation, collection, and disclosure of relevant documents and information relating to their provenance, including (a) disclosure of overseas documents, the locations in which such documents were found, and who found the documents, (b) facilitation of third-party production of documents, and (c) where requested and appropriate, provision of translations of relevant documents in foreign languages;
Note: Where a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents;
- Where requested, de-confliction of witness interviews and other investigative steps that a company intends to take as part of its internal investigation with steps that the Department intends to take as part of its investigation; and
- Where requested, making available for interviews by the Department those company officers and employees who possess relevant information; this includes, where appropriate and possible, officers, employees, and agents located overseas as well as former officers and employees (subject to the individuals’ Fifth Amendment rights), and, where possible, the facilitation of third-party production of witnesses.
c. Timely and Appropriate Remediation in FCPA Matters
The following items will be required for a company to receive full credit for timely and appropriate remediation for purposes of USAM 9-47-120(1) (beyond the credit available under the U.S.S.G.):
- Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;
- Implementation of an effective compliance and ethics program, the criteria for which will be periodically updated and which may vary based on the size and resources of the organisation, but may include:
  - The company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
  - The resources the company has dedicated to compliance;
  - The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  - The authority and independence of the compliance function and the availability of compliance expertise to the board;
  - The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment;
  - The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors;
  - The auditing of the compliance program to assure its effectiveness; and
  - The reporting structure of any compliance personnel employed or contracted by the company.
- Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred;
- Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications; and
- Any additional steps that demonstrate recognition of the seriousness of the company’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.
IV. Comment
Cooperation Credit: Cooperation comes in many forms. Once the threshold requirements set out at USAM § 9-28.700 have been met, the Department will assess the scope, quantity, quality, and timing of cooperation based on the circumstances of each case when assessing how to evaluate a company’s cooperation under the FCPA Corporate Enforcement Policy.
“De-confliction” is one factor that the Department may consider in determining the credit that a company will receive for cooperation. The Department’s requests to defer investigative steps, such as the interview of company employees or third parties, will be made for a limited period of time and will be narrowly tailored to a legitimate investigative purpose (e.g., to prevent the impeding of a specified aspect of the Department’s investigation). Once the justification dissipates, the Department will notify the company that the Department is lifting its request.
Where a company asserts that its financial condition impairs its ability to cooperate more fully, the company will bear the burden to provide factual support for such an assertion. The Department will closely evaluate the validity of any such claim and will take the impediment into consideration in assessing whether the company has fully cooperated.
As set forth in USAM 9-28.720, eligibility for full cooperation credit is not predicated upon waiver of the attorney-client privilege or work product protection, and none of the requirements above require such waiver. Nothing herein alters that policy, which remains in full force and effect. Furthermore, not all companies will satisfy all the components of full cooperation for purposes of USAM 9-47.120(2) and (3)(b), either because they decide to cooperate only later in an investigation or they timely decide to cooperate but fail to meet all of the criteria listed above. In general, such companies will be eligible for some cooperation credit if they meet the criteria of USAM § 9-28.700, but the credit generally will be markedly less than for full cooperation, depending on the extent to which the cooperation was lacking.
Remediation: In order for a company to receive full credit for remediation and avail itself of the benefits of the FCPA Corporate Enforcement Policy, the company must have effectively remediated at the time of the resolution.
The requirement that a company pay all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue may be satisfied by a parallel resolution with a relevant regulator (e.g., the United States Securities and Exchange Commission).
Public Release: A declination pursuant to the FCPA Corporate Enforcement Policy is a case that would have been prosecuted or criminally resolved except for the company’s voluntary disclosure, full cooperation, remediation, and payment of disgorgement, forfeiture, and/or restitution. If a case would have been declined in the absence of such circumstances, it is not a declination pursuant to this Policy. Declinations awarded under the FCPA Corporate Enforcement Policy will be made public.
Source: https://www.justice.gov/
CRI® celebrates Fraud Week 2021
2021 International Fraud Awareness Week (also called “Fraud Week”) kicked off on Sunday and is in full swing. CRI® Group is a proud supporter of this critical initiative every year, and we encourage business leaders to take this time to consider all of their fraud prevention measures, including anti-fraud training for employees.
Does your organization have a training program addressing fraud, bribery and corruption? And, if so, how robust is your training? How often is it administered? And how do you know it’s working?
These are important questions, especially because we know most fraud is discovered internally through employee tips. A recent case study is a perfect illustration of that.
Case study: Conflicts of interest
A major pharmaceutical company’s security department received conflict of interest complaints that reportedly involved a range of employees, from sales personnel to the chief financial officer (CFO). The company engaged CRI® Group to conduct an integrity due diligence and conflict of interest investigation to uncover senior employees’ unethical practices, including bribery and corruption.
CRI® Group’s investigators quickly launched a risk assessment of the company’s third-party relationships, including interviews with identified vendors and suppliers to help ascertain the engagement process and associated risks.
Investigators found one of the vendors used letterhead that lacked a physical address, and the only contact information listed was a single cell phone number. Site visits, background checks and interviews helped determine that the suspicious vendor was not a company at all – but a single person, and he was none other than the brother-in-law of the client company’s CFO. Worse still was that this obvious fraud was being conducted right under the noses of the company’s procurement and finance professionals.
CRI® Group investigators discovered that the individual’s residence was being utilized as a warehouse to help facilitate the fraud. A comprehensive litigation records check with local and regional courts found that the subject had previously been convicted in federal court and had spent three years in prison on charges of selling counterfeit products, physician samples and expired medicines; further regulatory checks found that his pharmacist license had been cancelled.
The fraud had continued for five years. However, the one thing that saved the company from further financial harm was that employees had stepped forward to report unethical behavior. If not for their action, the fraud could have continued indefinitely.
Fraud Week reminds us that awareness is any organization’s first line of defense against fraud and corruption, as properly trained employees will have a better opportunity to recognize the red flags of fraud and better understand their organization’s zero-tolerance policy toward such behavior.
Some key things to remember:
- Anti-fraud training should be mandatory: this includes managers and executives, who should also receive special training regarding their position of responsibility.
- Anti-fraud training should be an element of new employee orientation: after that, it should be provided to all employees annually, if not more frequently.
- Training might be presented live (in-class), on video or online in an interactive format: the live class is preferred, as it allows questions and personal engagement. However, some employees work remotely in today’s business world, and an online format may be more feasible.
Fraud is everybody’s problem, and it cannot be prevented and detected if employees aren’t provided with the information they need to combat it. Providing a robust anti-fraud training program increases your company’s protection from fraud and unethical behavior risks. An ounce of prevention is worth more than a pound of cure.
Anti-Bribery and Anti-corruption Training
Our sister brand, ABAC® Center of Excellence, provides employee training. Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence is an independent certification body that provides education and certification services for individuals and organisations on a wide range of disciplines and ISO standards, including ISO 31000:2018 Risk Management - Guidelines, ISO 37000:2021 Governance of Organisations, ISO 37002:2021 Whistleblowing Management System, ISO 37301:2021 (formerly ISO 19600) Compliance Management System, Anti-Money Laundering (AML) and ISO 37001:2016 Anti-Bribery Management Systems.
Learn more about how CRI® Group and the ABAC Center of Excellence can help you have a well-trained workforce serving as your front line of defence against fraud, bribery and corruption.
Saudi Arabia corruption sweep signals a major shift
The news broke across Saudi Arabia and the world like a bombshell: a wide-ranging corruption sweep across the country had netted 11 princes, four sitting cabinet members and a dozen former government ministers. Those detained included billionaire Saudi Prince Alwaleed Bin Talal.
Within days, the surprise action was being hailed as a possible “sea change” in the Middle East and beyond, signalling that an entire country had grown fed up with fraud and unethical conduct and suggesting the possibility that others might do the same.
A cost of doing business?
In many countries, bribes, collusion, backdoor deals and other forms of corruption are still considered a part of “business-as-usual.” Many organisation leaders who condone or even play along with such conduct worry that the implementation of strong anti-corruption laws and reforms might have a chilling effect on business.
Saudi Arabia sees it the opposite. According to an article in the Middle East Monitor, “Saudi: Anti-corruption drive will help boost development”, the Saudi Cabinet says that cracking down on corruption “will boost sustainable development in the Kingdom.”
Anti-fraud experts agree. When laws are enforced as intended and corrupt behaviour is punished, business and competition are allowed to thrive in an economic system as intended. The only ones who lose are unethical business leaders who seek to bend the rules to gain an unfair advantage.
Paving the way for better business
According to a CNBC article, “Billionaire Saudi Prince Alwaleed Bin Talal arrested in corruption crackdown”, the crackdown was deemed necessary for the future of business in Saudi Arabia:
The anti-corruption sweep is taking place against a backdrop of reform in Saudi Arabia, and the impending launch of an initial public offering for state-owned oil giant Saudi Aramco next year. The IPO is expected to be the largest in history, and Aramco is widely expected to dual-list shares on an international exchange.
Saudi Arabia’s Finance Ministry, for its part, said Sunday that the kingdom’s decision to set up an anti-corruption committee and detain prominent figures enhanced confidence in the rule of law, Al Arabiya television reported.
The decisions preserve Saudi Arabia’s investment climate, the Saudi-owned television channel said.
The news from Saudi Arabia underscores how critical it is for any organisation to get its integrity due diligence and compliance measures in proper order and create a zero-tolerance environment for corruption and fraud. A proactive way to do that is to engage CRI Certification, a special program administered by CRI Group and its ABAC Center of Excellence.
ISO 37001:2016 for your organisation
CRI Certification’s ISO 37001:2016 certifies that your organisation has implemented reasonable and proportionate measures to prevent bribery. These measures involve top-level leadership, training, bribery risk assessment, third-party risk management, integrity due diligence, financial and commercial controls, reporting, audit and investigation.
The 3PRM-Qualified™ training and 3PRM-Certified™ certification process for ISO 37001:2016 helps your company address bribery in all its forms, including:
- In the public, private and not-for-profit sectors
- By the organisation
- By the organisation’s personnel acting on the organisation’s behalf or for its benefit
- By the organisation’s business associates acting on the organisation’s behalf or for its benefit
- Of the organisation
- Of the organisation’s personnel in relation to the organisation’s activities
- Of the organisation’s business associates in relation to the organisation’s activities
- Direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party)
ISO 37001:2016 takes into account a compendium of international best practices, enabling your organisation to apply and implement uniform anti-bribery measures irrespective of the various countries in which it operates.
Contact CRI Group and learn more about how ABAC Certification can help your company today.
Pakistan’s 1st ever Anti-Bribery Summit is a success
Last Thursday, 26 October, the region’s leading anti-fraud professionals gathered in Karachi, Pakistan, for Pakistan’s 1st ever Anti-Bribery Summit, hosted by CRI® Group. CRI® Group took the initiative to organise the first Anti-Bribery Summit in Pakistan with the goal of redefining the anti-bribery culture within organisations in the country.
The Anti-Bribery Summit couldn’t have come at a more critical time, or have been held in a more relevant location – Pakistan is on the front lines of a struggle between those who wilfully engage in bribery and corruption, and those who endeavour to put a stop to it. But the problem of corruption is worldwide, affecting government, military and public sector organisations.
“The international nature of business today means that many companies operating in Pakistan and nearby countries are doing business across foreign borders, and in such cases find themselves subject to laws and regulations that aim to limit corruption and bribery on a global scale,” said Zafar Anjum, Chief Group Executive, CRI® Group. “That is why our Anti-Bribery Summit 2017 included sessions on compliance for the most significant international laws and regulations.”
The Anti-Bribery Summit 2017 included sessions on compliance for the most significant international laws and regulations, including a Q&A session with an expert on the Foreign Corrupt Practices Act.
Attendees also learned about compliance pitfalls, and how to engage in proper third party due diligence to keep their organisations safe from unethical partners that could hurt the organisation’s reputation and bottom line.
“It was good to see international speakers from UN and OECD on the practices being used and available standards for comparing our policies and procedures,” said Riaz Nazarali Chunara, Director, State Bank Of Pakistan.
Experts share their message
The Anti-Bribery Summit brought together some of the greatest minds in the fight against corruption, with a lineup of expert speakers that shared their experiences, knowledge and best practices with an attentive audience.
Keynote speakers included Drago Kos, Chair of the OECD Working Group on Bribery in International Business Transactions and Co-Chair of the Defence Corruption Monitoring Committee in Ukraine and adviser to the Kosovo Anti-Corruption Agency (see an exclusive video interview with Drago Kos about the Summit); Jouhaida Hanano, Criminal Justice Advisor – Sub-Programme II, UNODC Pakistan; Shehzad Yousuf, Chief Internal Auditor at PTCL; Tariq Hussain, Former Director / HOD Securities & Exchange Commission of Pakistan (SECP) – Supervision and Enforcement and Company Law Division; Ali Anwer Adil, Head of Internal Audit, Fraud Management and Revenue Assurance at Zong; and Ghulam Farooq, Director at The National Accountability Bureau.
“(It was) a wonderful conference on anti-bribery held by CRI® Group,” said Muhammad Nauman Ahmed, Head of Compliance at PEL. Ahmed said the “most amazing part” was that “OECD Anti-Bribery chairman Mr. Drago Kos and Director NAB, Sindh attended the conference.”
“SECP representatives were also present,” Ahmed said, calling it a “great event” for learning about the most current practices to counter bribery in Pakistan.
Featuring keynote addresses, Q&A sessions, trainings and a panel discussion, the Anti-Bribery Summit addressed topics critical to any organisation leader or executive in the region including anti-bribery compliance issues, strategies, the FCPA and UK Bribery Act, the corporate culture in Pakistan, conducting proper risk management and due diligence.
“It was a really good event, very well organized and an excellent learning experience,” said Yousuf Ali, Executive Manager, Assurance, EY Ford Rhodes. “My team and I at Ernst & Young thoroughly enjoyed it. Especially the presentation from Mr Shehzad Yousuf.”
“We are looking forward to other such events,” Ali said.
CRI® Group thanks all of the attendees, speakers and everyone involved in making the Anti-Bribery 2017 an unmatched success!
ISO 37001:2016 Anti-Bribery Management System certification is offered under CRI® Group’s ABAC® Centre of Excellence, an independent certification body established for Anti-Bribery Management System training and certification, ISO 37301 Compliance Management Systems and Risk Management System certification. The program will be tailored to your organisation’s needs and requirements. For assistance in developing and implementing a fraud prevention strategy, contact ABAC® today or get a FREE QUOTE now!
Who is CRI® Group?
Based in London, CRI® Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening,
In 2016, CRI® Group launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI® Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.
Employee Screening Process
How do you know the candidate you just offered a role to is ideal? Are you 100% sure you know that everything they’re telling you is the truth? 90%? They showed you a diploma; how do you know it’s not photoshopped? Did you follow the correct laws during your background check process? Background checks and necessary screenings are vital to avoid horror stories and taboo tales within HR, your business or even your brand – simply investing in proper employee screening can save you time, money and heartbreak. A complete employee screening process will result in fewer applications with serious discrepancies – it increases the quality of new hires due to an improved applicant pool and selection process. EmploySmart™ provides full in-depth background screening services for employees and candidates at all levels, from senior executives to shop-floor employees.
How Well Do You Know The People You Invest In?
CRI® Group has developed EmploySmart™, a robust new pre-employment background screening service to avoid negligent hiring liabilities. Ensure a safe work environment for all. EmploySmart™ can be tailored into specific screening packages to meet the requirements of each specific position within your company. We are a leading worldwide provider specialised in local and international employment background screening, including pre-employment and post-employment background checks.
Pre-employment checks/background checks/screening benefits:
- Reduce turnover & training costs
- Gain a competitive edge through the hiring of better people
- Increase productivity – help your employees be more productive, knowing that everyone employed by your company has been screened.
- Set your company apart & win more business
- Reduce employee-related problems
- Protect company reputation/brand & customer relations
- Comply with mandates created by state or federal law for certain industries
- Increase retention
- Reduce negligent hiring claims
- Avoid violence in the workplace (threats of violence & actual violence)
- Reduce theft & espionage
- Avoid lawsuits & the costs associated with the defence.
- Avoid loss of goodwill.
Pre-employment checks/background checks, what are they?
These checks are essentially an investigation into a person’s character – inside and outside their professional lives. Some checks you probably already carry out in-house, such as candidate’s qualifications (documents provided), work history (with a reference check), right to work in the country and even a quick social media presence scan. However, we provide a full in-depth background screening service for candidates and employees at all levels – from senior executives through to shop-floor employees:
- Address Verification (Physical Verification)
- Identity Verification
- Previous Employment Verification
- Education & Credential Verification
- Local Language Media Check
- Credit Verification & Financial History (where publicly available)
- Compliance & Regulatory Check
- Civil Litigation Record Check
- Bankruptcy Record Check
- International Criminal Record Check
- Integrity Due diligence… and more.
When should I conduct pre-employment checks?
Our pre-employment screening services will help you avoid adding potential fraudsters and other bad actors to your staff. These checks can be implemented before or after a job offer (with each having its pros and cons).
How to collect references, and what to ask?
Because it is impossible to know how your candidate will work daily from just one interview, you will need references. References are a great way to find out whether your candidates are suitable for the role or will fit with your company culture. A primary reference check asks for:
- Employment dates
- Employment main responsibilities
- Attendance record
- Any disciplinary actions against them
- Any reasons why they shouldn’t be employed
These references will help you back up their CV – however, many candidates tend to exaggerate or misrepresent themselves. Our EmploySmart™ team goes beyond to get a fuller picture for you:
- Greatest strengths?
- Are they suitable for the role they’ve applied for?
- Would they rehire the candidate?
- Suitable management style?
- Do they have any leadership skills?
- Situations in which they have excelled?
Some companies have policies of not giving references and just providing necessary employment details, while others direct you towards HR, but the EmploySmart™ team is persistent.
What specific legal requirements should I ask about?
You will need to check if they have the right to work in the region you are recruiting for. You are subject to statutory penalties if you employ foreign nationals who don’t have the correct visas. You will need to request criminal records checks depending on the role you are recruiting for. Roles involving children or vulnerable people are highly regulated – and all of these requirements differ from country to country.
CRI Group™ carries the burden of knowing the laws, so we can assist you with staying compliant and helping you to make the best decisions for your company’s needs. We have established an interdisciplinary team of experts in employment law, best practices and data protection. We can manage your employment background screenings across borders for you! Country by country, we have documented the different approaches to employment screening, ensuring we operate in harmony with local culture and within the limitations of local legislation.
With extensive local language capabilities, flexible working patterns and time zone intelligent workflow, we provide a comprehensive and fully compliant global screening service.
At CRI Group™, we specialise in employment screening, working as trusted partners to HR and recruiting managers of corporations and institutions worldwide. Our people work with energy, insight and care to ensure we provide a positive experience to everyone involved – clients, reference providers and candidates.
CRI Group™’s unique identity and vision evolved from our fundamental desire to support our clients and candidates. We have a passion for Screening and a simple belief in setting new standards. These qualities fuel our commitment to excellence and drive our culture.
Our EmploySmart™ background screening services expose vulnerabilities and threats within your organisation and can significantly reduce business and financial crime, fraud and malpractice within your workplace. Our experienced EmploySmart™ Team can safeguard your data security and your business integrity while you can focus on human conversations and interactions. Together, your organisation can deliver outstanding screening experiences.
We provide a host of professional services to HR managers representing significant corporations worldwide. Employees should be screened regularly to reveal any new information relevant to the business. That’s why our background investigations services also include:
- Employee monitoring and risk management
- Data protection compliance
- Employee testing and confidentiality
- Employee risk management
- Post-employment background checks
CRI Group™ is trusted by the world’s largest corporations and consultancies – outsource your employee due diligence to an experienced provider, and you will only ever have to look forward, never back.
BS 7858:2019 Screening: extra security level for your business and employees
Get answers to frequently asked questions about background check and screening costs, guidelines, reference checks and more. This eBook, a compiled list of background screening questions, is the perfect primer for any HR professional, business leader or company looking to avoid employee background screening risks. It provides the tools and knowledge needed to make the right decisions.
Working with CRI Group™, you get:
- Extensive global coverage, with expertise in domestic and international Screening; one of the largest, most experienced and best-trained integrity due diligence teams in the world
- Our team of more than 50 full-time analysts is spread across Europe, the Middle East, Asia, and North and South America and is fully equipped with the local knowledge to serve your needs globally.
- The ability to manage multiple background checks online
- Quick turnaround times
- Our solutions are easily customisable and flexible, and we will tailor our scope to address your concerns and risk areas, saving you time and money.
- High-quality searches, backed by numerous checks and quality controls
- We have a flat structure which means that you will have direct access to senior staff members throughout the due diligence process.
- Our multi-lingual teams have conducted assignments on thousands of subjects in over 80 countries, and we’re committed to maintaining and constantly evolving our global network.
- Our extensive solutions include due diligence, employee pre and post background screening, business intelligence and compliance, and facilitating any decision-making across your business, no matter what area or department.
Who is CRI Group™?
We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2012 Certifications, and is an HRO certified provider and partner with Oracle.
Components of ISO 31000:2018
Managing risk is a critical part of the success of any organization. That’s why ISO (International Organization for Standardization) developed the 31000 Risk Management Standard. Issued in 2009, the standard helps address operational continuity, and also confidence and reassurance in your organization’s economic resilience, professional reputation and environmental and safety outcomes. Best of all, ISO 31000 can be tailored to your organization to help achieve the best results.
1. Principles
The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives. Principles include the requirement for the risk management initiative to be (1) customized; (2) inclusive; (3) structured and comprehensive; (4) integrated; and (5) dynamic.
2. Framework
The purpose of the risk management framework is to assist with integrating risk management into all activities and functions. The effectiveness of risk management will depend on integration into governance and all other activities of the organization, including decision-making.
2.1. Leadership and commitment, including:
- Aligning risk management with the strategy, objectives and culture of the organization;
- Issuing a statement or policy that establishes a RM approach, plan or course of action;
- Making necessary resources available for managing risk; and
- Establishing the amount and type of risk that may or may not be taken (risk appetite).
2.2. Integration, including:
- Determining management accountability and oversight roles and responsibilities; and
- Ensuring risk management is part of, and not separate from, all aspects of the organization.
2.3. Design, including:
- Understanding the organization and its internal and external context;
- Articulating risk management commitment and allocating resources; and
- Establishing communication and consultation arrangements.
2.4. Implementation, including:
- Developing an appropriate implementation plan including deadlines;
- Identifying where, when and how different types of decisions are made, and by whom; and
- Modifying the applicable decision-making processes where necessary.
2.5. Evaluation, including:
- Measuring framework performance against its purpose, implementation and behaviors; and
- Determining whether it remains suitable to support achievement of objectives.
2.6. Improvement, including:
- Continually monitoring and adapting the framework to address external and internal changes;
- Taking actions to improve the value of risk management; and
- Improving the suitability, adequacy and effectiveness of the RM framework.
3. Process
The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.
3.1. Communication and consultation, including:
- Bringing different areas of expertise together for each step of the RM process;
- Ensuring different views are considered when defining risk criteria and evaluating risks;
- Providing sufficient information to facilitate risk oversight and decision-making; and
- Building a sense of inclusiveness and ownership among those affected by risk.
3.2. Scope, context and criteria, including:
- Defining the purpose and scope of risk management activities;
- Identifying the external and internal context for the organization;
- Defining risk criteria by specifying the acceptable amount and type of risk; and
- Defining criteria to evaluate the significance of risk and to support decision-making.
3.3. Risk assessment, including:
- Risk identification to find, recognize and describe risks that might help or prevent achievement of objectives and the variety of tangible or intangible consequences;
- Risk analysis of the nature and characteristics of risk, including the level of risk, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness; and
- Risk evaluation to support decisions by comparing the results of the risk analysis with the established risk criteria to determine the significance of risk.
4. Risk treatment, including:
- Selecting the most appropriate risk treatment option(s); and
- Designing risk treatment plans specifying how the treatment options will be implemented.
5. Monitoring and review, including:
- Improving the quality and effectiveness of process design, implementation and outcomes;
- Monitoring the RM process and its outcomes, with responsibilities clearly defined;
- Planning, gathering and analyzing information, recording results and providing feedback; and
- Incorporating the results in performance management, measurement and reporting activities.
6. Recording and reporting, including:
- Communicating risk management activities and outcomes across the organization;
- Providing information for decision-making;
- Improving risk management activities; and
- Providing risk information and interacting with stakeholders.
Getting Started with ISO 31000 Risk Management?
ISO 31000 is an international standard issued in 2009 by ISO (International Organization for Standardization). All types and sizes of organizations face internal and external factors that directly impact whether they can achieve their objectives. ISO 31000:2018 serves as a guide for the design, implementation and maintenance of risk management. It describes a systematic and logical process in which organizations manage risk by identifying it, analyzing it, and then determining how to mitigate it through risk treatment in a way that is consistent with their risk appetite. An organization can implement risk management across the entire company, and it can do so at any time. Our newly published “ISO 31000 Risk Management: A guide to identify, analyse and mitigate risk” playbook covers everything you need to know about ISO 31000:2018; here’s a quick rundown of the playbook structure:
- What is ISO 31000?
- Why is this Standard a good idea?
- What are the benefits for my business?
- Principles of ISO 31000:2018
- ISO 31000 framework
- Why was it revised?
- What are the main differences?
- Key Clauses of 31000:2018
- Who is the standard for?
- The process
- The link between 31000:2018 and other standards
- Importance of risk management leadership
- 31000:2018 and continuous improvement
- How do we get started?
> Risk management is a full-time, ongoing endeavor for organizations in today’s business world, and it poses constant challenges. The first part of reducing risk is having a strategy, and taking action.
Speak Up – Report Any Illegal, Unethical, or Improper Behavior
Ethics and Compliance Hotline is an anonymous reporting mechanism that facilitates reporting of possible illegal, unethical, or improper conduct when the normal channels of communication have proven ineffective, or are impractical under the circumstances. At CRI Group, we are committed to having an open dialogue on ethical dilemmas regardless.
We would like to introduce a new Ethics & Compliance Hotline. This hotline is available to all employees, as well as clients, contractors, vendors and others in a business relationship with CRI Group and ABAC Group. If you find yourself in an ethical dilemma or suspect inappropriate or illegal conduct, and you feel uncomfortable reporting through normal channels of communication or wish to raise the issue anonymously, use CRI Group’s Compliance Hotline in the ways mentioned below, or submit your complaint online using the form below. The Compliance Hotline is a secure and confidential reporting channel managed by an independent provider. When reporting a concern in good faith, you will be protected by CRI Group’s Non-Retaliation Policy.
Data breach is a security disaster
The latest massive data breach might be the most serious yet. Equifax Inc, a U.S.-based consumer credit reporting agency, announced this month that it had fallen victim to a cybersecurity breach that exposed the personal data of more than 143 million consumers.
The stunning revelation has caused enormous concern across the U.S. and the world. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. To make things worse, it collects more than enough data to make identity thieves salivate: Equifax has personal data from consumers that includes full names, Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers.
The implications go beyond the 143 million people who must now closely monitor their credit indefinitely for any signs of identity theft. It also has possible criminal ramifications, as USA Today reports that some executives at the company are being investigated for allegedly unloading stock before the breach was announced (see “Feds reportedly investigate Equifax executives’ stock sales”).
How can this happen? How can a company responsible for safeguarding the most critical personal information imaginable find itself admitting to such a massive security failure? Unfortunately, it’s not uncommon for organisations to fall victim to those who would steal data. While it may be on a smaller scale than Equifax, it happens around the world regularly.
That is why CRI® Group has a team of trained corporate security & resilience experts who are focused on protecting such valuable information on every level. After all, it’s too late after a breach has occurred. An organisation can face criminal and civil penalties, not to mention the loss of trust and reputation among all of its stakeholders. A data breach tells consumers that you cannot protect their data and thus are not to be trusted with their business.
CRI® Group’s corporate due diligence services experts ask the hard questions, especially for any organisation conducting business on a global level. For example:
How do you manage the risks to digital and physical assets? CRI® Group can put measures in place that provide layers of cybersecurity resilience to thwart hackers and those trying to steal your data.
How quickly can we respond to a serious business crisis? CRI® Group’s corporate due diligence services can help you detect breach attempts before they succeed and have a chance to damage your business.
Can the organisation rely on our third-party business partners to maintain appropriate levels of control? One of your biggest risks is what happens outside of your organisation. Our third party risk management and due diligence services can help detect weaknesses among your partners and alert you to risk areas.
The team at CRI® Group can help you road map these risks and have sufficient action plans to deal with unforeseen threats to your business. Some risk factors cannot be completely avoided. But with the proper response plans in place, we can help bolster your corporate security and resilience and help you protect your stakeholders’ valuable data.
AML and Pakistan compliance failures
Pakistan’s biggest lender, Habib Bank Ltd, faces compliance failures. Habib Bank is in trouble with the New York State Department of Financial Services (DFS). The DFS is the governing body that regulates financial services and products (including those subject to the New York insurance, banking and financial services laws). According to media reports, the DFS is seeking to impose a fine of up to $630 million for “grave” compliance failures. The accusation relates to anti-money laundering rules and sanctions at Habib Bank’s single U.S. branch.
A Reuters article from August 28 reports that such a penalty would be “the largest-ever faced by a Pakistani financial institution.” The DFS said in a filing that HBL’s compliance was “dangerously weak” and that “serious and persistent” failings found at its New York branch appeared to affect the entire Habib banking enterprise, posing “grave risks” to the banking system.
In response, HBL said that it would fight the DFS over the proposed fine.
Nausheen Ahmad, the bank’s company secretary, said in a statement on Monday that DFS did not recognise “the significant progress that HBL has made at its branch in New York” and that the bank would vigorously contest the proposed fine in U.S. courts.
Anti-money laundering (AML) efforts by the DFS and other regulatory bodies worldwide are serious business. Multinational organisations, and especially financial institutions, must employ the toughest AML compliance controls and standards to avoid the risk of even appearing to run afoul of AML laws.
That’s why CRI® Group advises clients to have robust AML controls in place, especially when dealing in business overseas and entering into any new partnerships or mergers.
To have insufficient controls and be charged with engaging in money laundering can have any of the following negative consequences:
- Damaged corporate reputations and brand devaluation
- Eroding employee morale
- Potential consumer boycotts
- Negative investor perceptions
- Possible legal action
- Fines and potential jail terms for directors
CRI® Group’s Investigative Due Diligence services provide the specialised intelligence needed by global financial institutions and multinational corporations to guarantee complete compliance with anti-money laundering (AML) regulations and legislation involving trans-national implications.
Contact CRI® Group today and learn more about how your organisation can remain in full compliance with all applicable AML laws and regulations, giving you, your partners and your clients the confidence of knowing that the organisation, and its reputation, are protected from the negative consequences of money laundering.
Fraud: Ripple effects of Hurricane Harvey
Hurricane Harvey is devastating the Texas coast and the U.S. megacity of Houston, but its ripple effects go further, as investigators will be on high alert for another type of threat: fraud.
Disaster fraud is nothing new. Law enforcement, prosecutors and other legal authorities in eight different countries are still dealing with cases from 2012’s Hurricane Sandy, which devastated the Caribbean and eventually wreaked havoc upon the U.S. eastern seaboard. In New Jersey, new indictments reported just last month indicate how long these investigations can take, and how lengthy the process can be.
And that’s just for those who get caught.
According to NJ.com in New Jersey, five more individuals face charges for filing fraudulent applications for relief funding, bringing the tally there to 100. As the article reports:
The latest group filed claims for homes they said were primary residences when they were not, the state Attorney General’s Office said.
Most state and federal relief programs are only available to those whose primary residences were damaged by the storm.
But there are other risks as well. Relief organizations have been charged with misappropriating funding meant as direct aid for disaster victims. Materials and supplies earmarked for disaster areas are sometimes hoarded, sold or otherwise used contrary to their purpose. And sham “charities” can pop up overnight, soliciting cash donations under the pretence of relief, while that money actually lines someone’s pockets.
Now, as another disaster unfolds, CRI Group offers some guidelines for individuals, corporations and non-profit organisations to follow as they seek to provide aid.
Research the charity
Disasters unfold quickly, but some quick checking online can help establish whether a charity or non-profit aid group is legit. Make sure it is tax exempt and rated by an external evaluation site, like GiveWell or Charity Navigator.
Look out for “new” charities
If a charity or non-profit aid group has no history, very little trail on the Internet, no registration with the government nor any testimonials online, it might be fake or fraudulent. It’s better to give your donation to an established, charitable organisation.
Be suspicious of solicitations
Social media posts, mass or spam emails, all requesting quick cash donations could be red flags of fraud. Look for inaccurate or incomplete information about the disaster, the location, and the charity itself. Double check the credibility of the charity and don’t donate through an email link – instead, visit the organisation’s website directly. After doing so, if you’re comfortable that it is a legitimate group, consider making your donation.
When disaster strikes, people need help. The generosity of others can mean the difference between life and death for those who are suffering. But we must always be cognisant of the fact that fraudsters are opportunists. Any situation that creates urgency and chaos is a scenario they will seek to exploit.
As with all other business matters, conducting due diligence investigation will help cut down on disaster fraud – and provide you with the peace of mind that your contribution is going where it can do the most good.