Record penalties for violations of U.S. regulations governing international conduct and transactions illustrate the risk of costly enforcement actions facing multinational companies. Yet, many multinational companies lack adequate risk assessment and management systems to address these growing risks.
To help, we have designed a twelve-step program that most multinational companies should consider when designing and implementing international regulatory risk management procedures and internal controls. These are sharing our twelve-step program across two publications. This post shares the steps to identify and assess international regulatory risk, while our next post will provide the remaining steps to implement risk-mitigation measures to address identified areas of concern.
Taken together, these two articles provide a twelve-step program to identify, mitigate, and manage international regulatory risk. By carefully working through these twelve steps, most multinational organizations should be able to implement the kinds of compliance that U.S. regulators consider compliance best practices for multinational corporations, including in the newly emphasized area of supply chain due diligence and compliance.
Step 1: Secure Buy-In at the Top
Many multinational companies looking to implement an international regulatory compliance program start by drafting written compliance policies. But long before it comes time to draft the policies, a well-thought-out compliance strategy will look to the underpinnings that make compliance effective, including consistent management support for compliance initiatives.
Although the phrase “tone at the top” encapsulates management support, respect for compliance should flow down from the CEO to personnel at all levels. Senior management must ensure employees know that compliance has full support at the top, and that compliance receives the resources to function properly.
Senior management must set a strong example. Leaders should make clear that compliance rules apply across the entire organization, starting with senior personnel. Strong compliance requires leaders to adopt a consistent practice of investigating credible red flags and a willingness to walk away from business that requires stepping too close to the risk threshold. By demonstrating a commitment to these values in words and action, senior management will establish respect for compliance throughout the company.
Step 2: Perform a Risk Assessment
Assessing risk is especially important for multinational corporations because international operations implicate additional compliance responsibilities without negating any of the responsibilities found under local law. Companies operating multinational also tend to be larger, which means successful compliance requires the development of thoughtful procedures. These procedures must take into account common logistical difficulties, such as coordinating compliance standards and training across disparate divisions and affiliates, training employees with cultural and language differences, and addressing potential skepticism of the application of U.S. laws to conduct in foreign jurisdictions.
A good starting point for multinational companies to assess risk is to survey business units that represent areas of high regulatory risk:
- An anti-corruption survey should ask questions including whether the company agents or stakeholders routinely deal with state-owned companies, whether they frequently interact with government regulators, whether foreign agents or officials receive entertainment on behalf of the company, and whether the company does significant business in countries with known connections to corruption or labor abuses, and whether the company does significant business in the United Kingdom (which may implicate the UK Bribery Act).
- For export controls, the relevant topics to explore include whether the organization deals with controlled items or controlled technologies; whether the company deals with items on the U.S. Munitions List (USML) or modifies commercial items for military use or to meet military specifications; whether the company has recently conducted a classification review; the degree to which foreign nationals may potentially access to controlled technical data; whether the organization sells products that rely on encryption; and whether there are sales to known diversion points (the Middle East, Mexico, Pakistan, and so forth).
- For economic sanctions, relevant topics to cover include whether there are sales by foreign subsidiaries to sanctioned countries or Specially Designated Nationals (SDNs, which are persons under OFAC restrictions and licensing requirements), whether sales are made to known diversion points, and whether the organization, as a whole, maintains adequate screening for SDNs, or persons who have been sanctioned under U.S. law as being off limits for business transactions and financial dealings).
- For import operations, a customs risk assessment should pull an ACE (Automated Commercial Environment) report to determine the pattern of imports to identify high-risk imports such as those potentially subject to antidumping or countervailing duties, imports from China, or imports from Free Trade Agreement countries. Questions to ask include whether the importer has an updated Classification Index, regularly conducts post-entry checks, effectively uses post-summary corrections and protests against liquidation to correct any import errors, and properly oversees customs brokers and freight forwarders.
- Finally, an anti-boycott risk assessment should examine the extent of dealings with Middle Eastern countries and with firms operating in the region.
A comprehensive risk assessment should consider both risks on the sell side (sales to customers, through distributors, and so forth) and on the input side (supply chain). If your organization has not audited its supply chain recently, it should consider mapping its supply chain and identifying supply chain risk points. Once the supply chain is a fully known commodity, your organization can consider various ways to improve diligence and compliance measures, including through updated legal provisions, flow-down conditions, enhanced due diligence on high-risk suppliers, and potentially even audits and compliance checks. These measure should address key sub-suppliers, particularly those that operate in high-risk countries at heightened regulatory risk for forced labor and human trafficking. Any imports from China should automatically be considered high risk due to considerations arising under the Uyghur Forced Labor Prevention Act (the UFLPA), which imposes special requirements for goods that wholly or partially incorporate goods from the Xinjiang Autonomous Region, as well as special tariff programs, such as the Section 301 duties.
Once the risk assessment is complete, the results should be distilled into a company-wide risk profile to guide strategy and the allocation of compliance resources.
Step 3: Survey Current Controls
Step 3 involves surveying current compliance procedures and internal controls to see if its compliance measures and internal controls line up with the risk profile. Questions to ask include:
- Does the plan reflect all circumstances that may put the organization at risk of a violation? Is the plan based on a current and realistic risk assessment? Is the plan consistent with the company’s current business and risk profile? Have recent acquisitions been taken into account in assessing the company’s risk profile?
- Does the program include compliance policies covering all major areas of regulatory risk? (A typical multinational organization should implement core policies in 18–22 areas.) Does the program cover all aspects of the business that operate or sell overseas? Does it cover vendors, suppliers, and sub-suppliers?
- Does the plan contain internal controls and procedures designed to buttress the compliance? Does the company offer regular training that is tailored to these internal controls and procedures, to the relevant personnel?
- Does the plan compare well with codes of ethics and compliance policies used by comparable businesses in the industry and in the countries where the firm operates?
Ascertaining whether the program covers outside actors who may expose the organization to the risk of a regulatory violation also is key. The U.S. government considers all affiliates, joint ventures, agents, distributors, subcontractors, and other third parties to be extensions of the organization. The same principles of responsibility are increasingly implicated in the management of the supply chain, right down to the last sub-supplier. In light of the recent emphasis on supply chain due diligence, the survey should carefully evaluate whether the organization has sufficient legal provisions, due diligence, and compliance measures in place to minimize the risk arising from an international supply chain.
Step 4: Identify Available Resources
Compliance is an exercise in identifying, minimizing, and managing risk. Appropriate risk management requires matching compliance promises and expectations to the available resources, and vice versa.
After the compliance procedures are identified and catalogued, the critical next step is to implement the plan so that it operates effectively. The company should take measure to ensure the organization has not fallen into the classic compliance trap of stating compliance goals without putting in place the resources and meaningful procedures to achieve them. This means that once your organization’s risks and necessary compliance measures and implementing internal controls are identified, the company should develop a realistic plan for funding the compliance program. For example, if the company plan requires due diligence of foreign agents but does not fund the diligence and does not assign responsibility for conducting the diligence internally and put a person in charge of following through on the compliance commitment, the result is a compliance failure.
In the international realm, common areas of lagging compliance include:
- Anti-corruption. Promises of systematic due diligence for vetting agents, distributors, joint ventures, and other third-party entities; adequate oversight of the activities of third-party intermediaries; resources to conduct compliance audits; adequate training of overseas actors; and failure to adequately fund compliance commitments.
- Economic Sanctions. Resources for systematically checking the SDN and other blocked lists; allocating adequate resources to “know your customer” diligence; adequate training of overseas actors; and failure to reflect new rules regarding coverage of the activities within the supply chain or sourcing of goods abroad.
- Export Controls. Inadequate classification of controlled items and technical data; failure to implement secure systems to safeguard controlled technical data and ensure that access is limited to authorized persons; failure to implement “know your customer” guidelines for end-use and end-user controls; failure to account for potential diversion risks; failure to check the OFAC SDN, the Bureau of Security SDN List, and other blocked-person lists.
- Anti-boycott. Resources for reviewing contracts, purchase orders, letters of credit, certificates of origin, bills of lading, and other commercial documents; procedures for reporting boycott-related requests.
- Customs. Resources for conducting regular oversight of customs brokers and freight forwarders, classifying goods accurately, and correctly determining the correct country of origin; resources and procedures for conducting regular post-entry checks and conducting customs audits; resources for providing customs brokers with timely information and for responding to Customs inquiries.
- Supply Chain. Resources for mapping out the supply chain; resources for conducting regular, risk-based due diligence and compliance audits; resources for conducting training where needed for high-risk suppliers and sub-suppliers.
To avoid these and other promise-resource mismatches, you should, with a clear and open mind, compare your organization’s identified risk profile with the inventory of current policies and internal controls to determine whether there are any gaps between the two. Once such gaps are identified, you can, using normal risk-based principles, determine the best way to remedy the resource misallocation, whether by reallocating existing compliance resources, finding new sources of funding, or adjusting the compliance procedures.
Step 5: Assess Local Oversight
One of the key compliance considerations for companies that operate in multiple countries is how the organization oversees compliance outside the United States. The state of compliance, as envisioned at corporate headquarters, and the actual state of compliance, as implemented in the field, often diverge.
While compliance initiatives can originate from a central legal or compliance department, implementation and oversight require additional on-the-ground attention from local compliance liaisons. Managing full compliance centrally can be difficult. Compliance sometimes falls behind other company demands (conducting training, monitoring red flags, conducting investigations, and so forth). Engaging local personnel in the process yields good results as they often have a better understanding of the regional or local environment and culture. By grounding compliance efforts in agents close to operations, local personnel are empowered to identify and monitor red flags where they arise and, in the language utilized onsite
Most organizations have good options for compliance liaisons. Relevant local actors who can be harnessed for compliance oversight include divisional or regional HR personnel, in-house attorneys, and auditors. Essential to the quality of a local compliance liaison is that the compliance liaison be someone who is independent of business pressures, who has the respect of local personnel, and who has the institutional authority and independence to follow up on potential compliance lapses, regardless of who is involved.