Plans to mitigate sources of investigatory risk and respond when an investigation does occur must change according to the risk profile of the business. Between novel technologies, evolving sensibilities and seismic shifts within industry, regulators and investigatory bodies are changing focus regularly. So too are business attitudes toward risk changing.

Generally speaking, when asked how the risk profile of their business has changed over the past five years, 53% of in-house counsel said it had at least somewhat increased. When asked to look ahead at the next five years, 26% felt that the risk profile of their business would significantly increase over the next five years, with 61% feeling that there would be at least a slight increase in their business’ risk profile.

When looking at changing risk profiles, data breaches are a good example: it wasn’t so long ago that the range of companies that rely on the collection and use of data was limited. Now, data has pervaded nearly every aspect of commerce. Retail stores that may historically have collected very little personal data now capture all manner of information at the point of sale for loyalty programmes, not to mention the continued recission of relatively anonymous brick-and-mortar buying in favour of online shopping.

To go back further, increasingly globalised markets and supply chains have largely informed recent interest in modern slavery. Modern slavery regimes set an expectation that companies must not hide behind the strongest link in the compliance chain, instead being held accountable for the weakest link: a company in the United Kingdom may be perfectly above-board in a foreign jurisdiction, but regulators now hold those companies to the standard of UK law for their actions in jurisdictions further up the supply chain, where protections against abuse and exploitation are not as strong.

Reading the room

GC surveyed top in-house counsel from across the world, asking participants to rate their organisation’s current risk levels on a scale of 1 to 5, 1 being the lowest risk, and 5 the highest. The responses were broken up into the following categories:

• Accounting fraud
• Antitrust/price-fixing
• Bribery and corruption
• Compliance/due diligence
• Cybersecurity and data privacy
• Environmental regulatory
• Money laundering
• Sanctions evasion
• Securities/commodities fraud
• Tax evasion
• Trade/foreign investment violations

Cybersecurity and data privacy risks were rated as the highest concern by survey respondents, both in terms of the risk they currently pose to businesses and how that risk was expected to change in the next five years. Cybersecurity and data privacy risks were rated at an average of 4.48/5 currently, which ballooned to 4.75 when respondents were asked to look ahead at the next five years.

Compliance and due diligence are also top of GCs’ minds – both when speaking about their organisation’s current level of risk and when looking ahead to how this might change over the next five years – coming in at an average rating of 4.27 with an expected increase of 0.22 to 4.49 in the next five years.

On average, nearly every category is expected to become more risky over the next five years. Bribery and corruption risks polled the biggest jump, increasing by 0.32 points on the survey’s five-point scale.

Risking it online

With cybersecurity and data privacy almost unanimously rated as the most pressing risks for GCs both currently and in the coming years, many of the in-house counsel surveyed and interviewed for this report had much to say on the subject.

‘Cyber threats form one of the biggest security risks of the 21st century,’ said Ritankar Sahu, general counsel and head of compliance for the Maxpower Group, operating throughout Southeast Asia and the Middle East.

‘Most Fortune 500 companies have been victims to some form of cyberattack leading to economic damage ranging from a few thousand to a few billion dollars. Cyber-attacks have increased dramatically in the last few months amidst the pandemic.’

Until relatively recently, it might have made sense to talk about cybersecurity and data privacy in terms of specific sectors, but the adoption of mobile platforms and cloud services – be they for internal operations, customer interactions, or both – has made cybersecurity everybody’s problem. In fact, the sector in which a given survey respondent is working had virtually no impact on their perception of cybersecurity and data privacy as a risk: GCs working for manufacturing companies were just as worried as those working for healthcare providers.

This is something that Seshani Bala, general counsel at Chartered Accountants of Australia and New Zealand, has seen personally.

‘Another big challenge is that we are trying to give customers and members a personalised experience, and to make data-driven decisions as a business,’ says Bala.

‘So, we are collecting more data to focus on that personalised, segmented experience. That increases the potential privacy risks in the event of a data breach. The penalties are very high under GDPR and Australian law. We are now seeing other countries move to a mandatory notification system that is in line with GDPR standards, and this poses greater pressure on organisations to make sure they have robust policies and procedures to quickly comply with those notification requirements.’

‘With the rapid development of online services, the risks associated with data storage and cybersecurity will develop,’ agrees Roman Kuznetsov, legal manager at WILO RUS.

Bala has worked closely with stakeholders in the wider business to make sure data protection policies are both clearly understood and rigorously enforced.

‘Once we have made sense of that, we can then drive processes and controls to reduce risk in that space. We partner very closely with our IT team. I think that has probably been the biggest change I have seen the last 12 to 24 months. I think Legal and IT need to be best of friends in-house, and you really need an integrated approach to effectively manage risk in that space.’

‘Before moving to a digital solution, I think it is really key to understand how each platform stores, secures and moves data. Mapping out that data flow process and understanding the data risks and data journey, as well as how it integrates with other platforms or plug-ins in other locations is important. It’s a given that digital solutions need to comply with applicable privacy laws but legal technology solutions also need to appropriately protect legal privilege, corporate record holding, and in-house destruction and recovery policies.’

Modern working

While the large difference between current risk and expected risk over the next five years is undoubtedly a reflection of an increasingly data-driven world, the effects of the COVID-19 pandemic will certainly also be playing a role. With home working becoming near-ubiquitous over the past few months, the volume of data being transmitted – either from workstation to workstation, colleague to colleague or business to customer (and vice versa) – is at an all-time high. This, too, means that the scope for bad actors to gain access to confidential data is also higher than ever.

‘The effects of the pandemic, and the current situation the world is in, pose several challenges for us in terms of rearranging our fraud agenda,’ says Gustavo Sáchica, chief legal and compliance officer at Allianz in Colombia.

‘In-house legal counsel need to anticipate the possibilities of fraud under pandemic circumstances. At Allianz, we have measured and stressed our risk tests in order to consider as many possibilities as possible.’

‘Due to Covid-19, increased working from home has resulted in a rise of remotely-accessed work platforms and digital ecosystems,’ says Sahu.

‘This has made us highly dependent on technology which in turn has exposed us to more sophisticated cyber threats. For MAXpower, this has not been much different. Our fleet of gas engines are spread across remote sites in South Asia, and given applicable travel restrictions, we have had to rely extensively on our cloud based technology platform which lets us track ‘live’ operating performance, profitability and emissions from a centralised asset dashboard. The technology also lets us engage in predictive analytics and gives us valuable fleet-level insights.’

‘From a risk management perspective, I think the industry view is that enterprises still have lots to do before they can claim that they are breach-proof. MAXpower’s exposure is no less than other similarly placed power producers in the market.’

‘We constantly strive to make our systems less vulnerable to digital threats. As general counsel, I recognise that we are not breach-proof and regularly engage in conversations with our operations folks trying to gauge whether we are doing enough.’

For some in-house counsel worried about what the future might hold for their cybersecurity efforts, the risk is already eventuating.

‘We have also seen our mail servers being the victim of ransomware attacks and we have had to strengthen our firewalls,’ explains Sahu. ‘In the months to come, I am certain that companies will allocate more budget and resources to address cybersecurity risks, and I do see a rise in procurement of cybersecurity insurance coverage.’

Regulators

The interaction between the regulators’ attitudes to risk and the reality on the ground for in-house counsel is complicated. In some instances, regulators are leading the charge by focusing on an area of concern and proactively shoring up the relevant protections, or cracking down on non-compliant entities. On the other hand, regulators may have fallen behind the in-house community in how they approach these areas of concern. In this way, regulators can make a company’s compliance journey both easier and more difficult.

Khaled Shivji, chief legal officer at the UAE’s Moro Hub, highlights this point. ‘In order to reduce the regulatory cost of compliance, we would be grateful to see more proactive guidance from regulators and prosecutors about the kinds of risks they believe are rated by the national and state governments as risks that, if not tackled, will diminish the country’s overall international rankings concerning white-collar crime.’

‘Increased oversight by regulators is reshaping the way we approach risk,’ agrees Armando Cruz, director at KPMG in Mexico.

And as with everything, this dynamic between regulators and the market is being redefined by COVID-19, according to Maria Alvear, general counsel at Chile’s GASVALPO.

‘In my view, the whole landscape will change after COVID-19 crisis lowers its impact. It will probably remain within us for a while and that encourages us to change our old ways of working and doing business, including regulatory risk management.

‘Regulatory risk management has been very challenging during these months, with several regulations being issued due to COVID, so it’s hard to keep up-to-date and perform accordingly. I guess this uncertainty that we are facing will remain; sticking to regulatory compliance will become more important than it is today to avoid a situation where lack of control and uncertainty give space for corruption to enter the business.’

Virtually all respondents to our survey had an opinion on whether ethics and compliance were treated as two different topics within their organisation. There was no overwhelming consensus, however 61% of survey participants said that they are not treated as distinct concepts within their organisations; 35% said that they were.

‘Many companies think that these should be separated, where one should focus on the law and the other on the company culture as a whole,’ explains Armando Cruz, director at KPMG in Mexico.

Regardless of the relationship between the two, some consensus has emerged from the results suggesting that the question of ethics does and should touch all areas of the business – not least of all in avoiding the ire of regulators and investigatory bodies.

90% of in-house counsel consider corporate ethics highly important in avoiding white-collar investigations. Similarly, 87% considered the legal team as ‘highly important’ to the promotion of an ethical business culture within an organisation – 12% consider it ‘moderately important’ – and just 1% of respondents thought that the legal team was less important than that.

The results show a near-universal appreciation for ethics within a business by in-house counsel. This is unsurprising. However, what is surprising is the extent to which that feeling from general counsel does – or doesn’t – manifest within the wider business.

Despite near-universal agreement among in-house counsel that their teams are important to an organisation’s ethical makeup, just 63% felt that they and their teams are appropriately placed to promote an ethical business culture within their organisation.

‘Even though they are managed by same team, they are materially different,’ says Miguel Oyonarte, VP legal and corporate affairs at VTR Comunicaciones SA.

‘Ethics is much bigger in terms of scope and impact on culture. For its successful management, it requires the lead of the CEO and all their direct reports. It is also much more difficult to change – it requires full cultural change.’

Indeed, those who didn’t feel that their team is appropriately placed overwhelmingly pointed to factors external to the legal team as being the biggest reason. 61% cited institutional structure as making legal’s involvement impractical. The next most cited reason was that culture and conduct were the domain of another department (17%).

Future finance

Cryptocurrencies and the blockchain technology underpinning them have seen exponential adoption over the past ten years. Perceived failures of the status quo and a desire from innovators for improvement has meant that today, cryptocurrencies are now widely accepted in many corners, from retailers to charities to governments. The underlying technology is finding wide application, being used to reinforce supply chains and preserve evidence.

The explosion of digital assets has been enabled by blockchain technology. A blockchain is a series of mathematical structures, inside which individual transactions are recorded. The record of each transaction – each ‘block’ – is dependent on the block that came before it, and becomes a permanent part of the history of the blockchain. This means that the record cannot be tampered with: once it is added to the blockchain, all subsequent transactions are recorded in relation to that block and all of the blocks that came before it. Following each transaction, the updated blockchain is distributed to each participant. Any attempt to change a record in the blockchain will put it at odds with the version held by every other participant in the blockchain, as well as all of the subsequent transactions that have been recorded.

‘Blockchains are basically networks – a series of computers – that rely on a process system of interconnected computers who validate transactions,’ explains John Roth, chief compliance and ethics officer at Bittrex.com. Bittrex is a US-based cryptocurrency exchange with a large clientele of institutional investors. He is also a former US Department of Homeland Security Inspector General and Department of Justice prosecutor.

‘In plain English, there are computer operators who are ensuring that the networks are healthy and that as you engage in transactions, these are actually valid transactions. Most folks aren’t doing it for free, they’re doing it because they’re incentivised by crypto currency. So, blockchain is more than just value transfer.’

‘Crypto is getting less and less risky because there are more and more providers of services which have been in the business for multiple years which educate the people,’ describes Lars Hodel, Head of Legal and Compliance Bitcoin Suisse AG, which was established in 2013 and is the first Swiss-regulated financial intermediary specialising in crypto-financial services.

‘If you want to buy Bitcoin or get crypto asset exposure today, you don’t need to log into some shady-looking site, you can just Google and find your providers to see that it’s real people. Access to crypto assets is getting easier.’

Dangerous money

Some sceptics of the digital asset revolution point to the difficulty of protecting against criminal misuse: after all, regular currency has financial institutions mediating each transaction and leaves a supposedly identifiable paper trail. The anti-money laundering battle is big enough with traditional forms of currency, so how can digital currencies avoid criminal misuse?

The United Nations Office on Drugs and Crime estimates that US$800bn to $2tn is laundered every year – most of this being in cash. According to the Chainalysis 2019 Crypto Crime Report, US$2.8bn in Bitcoin was laundered by criminal entities in crypto exchanges.

‘One of the key benefits from blockchain is user autonomy in that users are able to control how they spend their money without dealing with an intermediary authority like a bank or government,’ says Swadesh Gupta, Director of Legal and Strategy at Wallet Circle, a hyper-local customer engagement platform.

Roth expands: ‘There’s a fallacy out there that somehow these digital currency transactions are secret – actually, nothing could be further from the truth. These are very transparent transactions, you can identify transactions by date, time, amount and blockchain location.’

‘It resolves the trust issues in a transaction, and the transactions on blockchain are totally transparent,’ adds Gilbert Ng, legal counsel at Huobi Group. Huobi Group is a world-leading company in blockchain and digital asset industry with a mission to making breakthroughs in core blockchain technology and the integration of blockchain with other industries. It has over US $1bn trades occurring daily on their cryptocurrency exchange.

Washing dirty cash

Criminals are able to use crypto money laundering to disguise the criminal source of their cash assets employing a combination of different approaches. The most simple method of money laundering banks on the fact that undertakings made with cryptocurrencies are pseudonymous.

‘The reason that criminal activities increasingly involve digital assets is because of the anonymity features of these digital assets,’ says Ng. ‘But, looking at the recent trends, there are actually fewer criminal activities using digital assets for laundering.’

The usual approaches that apply to conventional cash money laundering also apply to crypto-laundering. There are three key phases of (crypto) money laundering: placement, hiding and integration.

Placement is moving the dirty cash from its original source into a legitimate cryptocurrency system.

‘The first crypto placement stage is super important to focus on,’ explains Roth. ‘Any time that there is a bridge between fiat currency and digital currency, you really want to pay attention to it.’

This is done through often loosely regulated crypto exchange platforms and initial coin offerings, right through to the use of cryptocurrency ATMs which have already proliferated throughout bars and grocery stores around the world. The complicity of crypto ATMs in the process highlights one of the reasons these novel digital assets are being used to launder criminal funds. What might initially be thought of as a necessary lowering of the barrier for widespread crypto adoption now represents an easy access point for moving dirty money into the digital financial system.

‘We know that in the placement stage, people transact with crypto ATMs,’ explains Rory Gordon, legal and compliance officer at Coinfloor, the UK’s longest established Bitcoin exchange.

‘We’ve had concerns from the police before because [crypto] ATMs have been particularly popular with drug dealers, seeking to convert large quantities of cash. A popular way to get rid of that cash is through [crypto] ATMs because you can deposit the cash, get the Bitcoin, and from there it’s much easier to make up a backstory as to where you got it all from.’

There are also the more conventional concerns at the placement stage, as Hodel explains:

‘It’s very easy to ask your friends to deposit money for you or ask a stranger if you can use his ID to open an account. These are the things that we see which are the most used cases in money laundering. These are very traditional, non-blockchain, non-crypto attack factors that you’ve had in the traditional banking world for years.’

The ‘layering’ phase

The second stage, hiding or ‘layering,’ conceals the origin of the dirty cash through a sequence of transactions and financial tricks, moving the cash through different accounts, currencies and exchanges to obscure its true origin. Just how effective a would-be launderer can be using digital assets will depend on the asset itself and the infrastructure used to deal with it. Some cryptocurrencies have specific focus on privacy, such as Monero. Others do not.

As Roth describes, all transactions are recorded on the blockchain, which provides a level of transparency which ultimately makes complete privacy difficult. Monero circumvents this. Monero transactions hide the sender by ‘signing’ each transaction with multiple signatures, only one of which is that of the actual sender. The amount being sent and the receiver are similarly private.

‘It depends largely on whether they’re using regulated exchanges. In the EU, US, Canada and Australia, the exchange networks are very heavily regulated and require verification procedures that make customer identification and law enforcement considerably easier. So, if a criminal uses one of those exchanges it’s almost a trivial exercise to be able to expose them. And because digital currency transactions are publicly indelible, all they need to do is cross-exchange once and it can be traced all the way back,’ explains Roth.

Hodel expands further, adding that: ‘Even if you use privacy coins where you can’t trace transactions, you need to explain why you used that coin. Any provider who sees a client using privacy coins on a large scale needs to question their client about why they’re using them. If a provider sees an unusual fund and analyses this on a professional level, then this will be flagged.’

‘When you look at currencies such as Monero, they use ring signature encryption which makes it incredibly difficult for any company to track the source of that asset,’ says Gordon.

‘However, some privacy coins do have keys to reveal the true owner of the assets which must be given over if there’s subpoenas or relevant court orders, but generally privacy coins allow virtual anonymity.’

‘Technically, criminals can stay anonymous under blockchain,’ says Ng.

‘But, practically, no. Most criminals will use crypto exchange platforms or over-the-counter (OTC) agents to convert digital assets into fiat currencies. In such cases, their identities would probably be revealed if proper KYC (know your client) procedures are in place.

‘It’s a fairly easy exercise to see through what’s really happening,’ says Roth.

‘With decentralised exchanges, it depends on what the exchange looks like and how it operates. It may make it more challenging, but no more challenging than tracing traditional money laundering through traditional banks.’

‘But, the risk that exists in cryptocurrency that doesn’t exist in typical currencies, is the idea that you can do a peer to peer transfer of value: I’m a bad person, you’re a bad person and we want to do some sort of financial exchange. We can do so with cryptocurrency without involving a bank or a credit card company because peer-to-peer transfers are with cash. This is a new paradigm for criminals to exchange value without somebody looking over their shoulder.’

The final stage, integration, involves the newly laundered money being returned to the launderer with an apparently legitimate – or at least, unknowable – legacy. If money reaches the integration stage, it becomes much more difficult to trace back to its criminal origins from that point.

Anti-moneylaundering solutions

Considering that blockchain technology administers a public log of each and every transaction – leaving behind a permanent trail – susceptibility to money laundering through cryptocurrencies is somewhat manageable.

‘Even if you are a weak provider or intermediary in the placement phase, who doesn’t take anti-money laundering (AML) seriously, I can still check that in the integration phase at a later stage on the blockchain, which is great because you can’t do that in the traditional banking world,’ says Hodel.

‘It’s wrong to say that cryptocurrencies can facilitate money laundering. Cryptocurrencies can be used for money laundering like any other asset, be that fiat, art or even physical precious metals. In the beginning, technology is usually used by people who want to take advantage of the fact that some technologies are not used very broadly.’

‘It was exactly the same with the internet, people used it to hack things and then today you still have online banking, despite the hacks. With crypto, it’s the same – it was used by people who wanted to try to find a new way across the banking system, to money launder.’

But while cryptocurrency is not the ultimate enabler of laundering that it is sometimes accused of being, stamping out money launderers requires supervision and a commitment to compliance on the part of companies within the ecosystem.

‘What helps is installing an in-house legal and compliance department and then training people – not only on the technicalities, but, also on what AML exactly is. Technical understanding is crucial. You need to know what you’re dealing with. If you take a retail compliance officer, you probably wouldn’t get the compliance challenges that you would expect from a tri finance bank and vice versa,’ adds Hodel.

Gordon echoes this sentiment: ‘Having a compliance and legal department and having the right policies and procedures in place, actually gives you the tools to tackle this. Of course, you need to obtain the necessary documentation on your customers. You need to know who they are but you also need to monitor their activity and have intelligent checkpoints in place.’

Though bad actors will continue endeavours to bypass and manipulate blockchain, money laundering can be prevented with devices that pair consumer data with their respective crypto transaction records. These tools can make it relatively easier for businesses to clamp down on crypto-laundering, stay AML compliant and isolate high-risk clients.

‘With crypto, there’s nothing new under the sun, this is simply a different sort of take on typical value transfer, but the measures for AML are largely the same,’ says Roth.

‘You have to KYC and understand your customer’s business, so you can understand what typical business transactions look like and have alerts generated for transactions or a series of transactions which deviate from the expectation of what that customer is doing. You must have good AML hygiene. It really isn’t all much different than what traditional financial institution programmes look like.’

Clean regulation

Globally, when it comes to cryptocurrency transactions and AML enforcement, the law drastically differs from jurisdiction to jurisdiction: from relatively strict regulations in the likes of UK, the US, and much of Europe to practically non-existent enforcement in many other countries.

‘Money laundering is an international crime and money launderers, just like other criminals, don’t respect international boundaries,’ argues Roth.

‘The ability to coordinate, harmonise and correlate these individuals to laws in a way that levels the playing field, among many different countries, with a uniform set of standards of laws that every country follows is super important. Otherwise, you get a regulatory arbitrage where money launderers will gravitate towards to weakest regulatory scheme.’

‘Like any nascent industry, one needs to be very aware of the risks that surround the crypto industry, especially when dealing with non-regulated entities,’ notes Jonathan Galea, CEO of BCA Solutions and a long-standing crypto-focused lawyer who wrote his 2015 Doctorate of Laws thesis on crypto and AML.

‘In fact, most companies would treat crypto as a high-risk industry. However, one needs to differentiate between the various service providers and stakeholders involved in the industry, versus the actual technology powering crypto as we know it. The latter, namely blockchain technology, has proven to be a far better tool for tracking and tracing movements of money than traditional technologies. This is precisely the reason why one shouldn’t go overboard, or essentially over-regulate, before a sufficient understanding of a new technology and its repercussions is obtained, and then proceed to assess the various stakeholders in a particular industry in order to regulate them properly.’

Arguably, the general lack of consistent global regulation is creating considerable risks in increasing the scope of potential manipulation of cryptocurrencies by criminals – therefore, the effectiveness of such protections against money-laundering is somewhat questionable and perhaps even discourages the broad scale adoption of cryptocurrencies.

‘One of the biggest challenges is that we’re not all speaking a common language across jurisdictions in terms of enforcement,’ adds Liat Shetret, Senior Advisor for Crypto Policy and Regulation at Elliptic, a blockchain analysis provider which specialises in crypto compliance and risk monitoring technology.

‘Without standardisation, the regulatory nuances between nations can be exploited. If there is a loophole, it will be found by bad actors, especially if there’s an assumption they won’t be caught because they assume their activity on the blockchain is anonymous. What many don’t realise is that all cryptocurrency transactions on the blockchain are immutable.’

‘There’s a vast disparity between the EU and the US on the one hand, and what I would call the under regulated countries, on the other hand,’ says Roth.

‘There needs to be more global coordination, and less tolerance for countries that prevent core regulation, so we have the cryptocurrency exchange market which is not completely dominated by these large exchanges who are purportedly registered in the Seychelles, Malta, Hong Kong or Singapore, but are in fact, not regulated at all.’

However, Gordon argues that the possibility of exploitation by criminals is being eroded:

‘It’s definitely an issue, but it’s being mitigated this year by the 5th EU Anti-Money Laundering Directive – so that’s the reason for the Financial Conduct Authority taking crypto under its wing. We’re seeing a lot more global co-operation with crypto compliance now.’

‘Global regulations are developing and on the right track, but it takes time for regulators to acquire sufficient knowledge of this industry,’ adds Gilbert Ng.

One of the biggest challenges facing in-house legal teams is one of compliance with everchanging AML and crypto regulation through differing jurisdictions.

‘This is one of the risks that we face. We need to vet every country – literally – for what is allowed and what isn’t. It differs even if you’re EU member states. That we do not have a unified approach towards this is something that makes it extremely difficult,’ adds Hodel.

Roth agrees. ‘There’s a variety of legislation that we deal with. One issue we have here in the US, you probably don’t have as an issue in the UK or the EU is here, is that we’re also governed by state law. So, because we’re operating in all 50 States, we are required to be compliant with state law as well as federal law. So the biggest challenge that we have is scanning a variety of different laws that apply to us and ensuring that we are in compliance with that.’

However, Hodel argues that ‘if you’re working in the financial industry, you’re used to having different legal and regulatory frameworks apply to your product. It would be nice to have one law that is applicable to any situation worldwide but this is not how law works. Just because crypto is not part of the financial market regulation yet, we still have the very basic civil and penal codes which, for example, provide punishment for fraud. We have a common understanding of what should be okay and what is not okay, and this doesn’t change when we’re dealing with crypto.’

Crypto disruption

Despite the fact that cryptocurrencies can indeed be used to conduct illicit criminal activity, the principle impact of such currencies on illicit crimes, such as money laundering, when juxtaposed to cash transactions, is little to none. According to The Foundation for Defense of Democracies and Elliptic’s 2019 report, US$829m Bitcoin was spent on the dark web. To put these figures into context, that’s only 0.5% of all Bitcoin transactions, with 2 to 5% of global GDP, or up to US$2tn through the traditional financial institutions.

‘Money laundering is not as big of an issue in the crypto space as it is often reported to be or often perceived. It’s a misconception and it’s actually very easy to counter,’ maintains Gordon.

‘We’re still in the early adopter phase of cryptocurrency,’ says Roth.

‘In the grand scheme of things, it’s just a tiny fraction of the global financial world. But, I think cryptocurrencies will reach a tipping point where it’ll be common for you to have a Visa, Mastercard and a cryptocurrency backed debit card in your wallet to engage in transactions. We think that the next two to five years will be a mainstream adoption of cryptocurrencies in a way that will fundamentally change the volumes of crypto involved, as well as the risks.’

Gordon agrees: ‘In the coming years, we’re going to see mass adoption, with big traditional financial players eventually entering the crypto industry once the regulation comes in. Crypto will be used as a store of value for a lot of unbanked individuals. Last year around 1.7 billion people were without banking globally. The great thing about crypto is that you can easily set up a wallet by yourself on the phone or computer. I think it has enormous potential to transform economies and provide opportunities to people the world over.’

I serve as the general counsel & head of compliance of MAXpower Group, Asia’s leading gas to power specialist and a key developer, owner and operator of small-to-medium gas-fired power plants. I also sit on the Board of the MAXpower-Mitsui & Co., a joint venture which operates a separate group of power assets in Myanmar. In addition to providing strategic business governance counsel to the Board, my work involves advising on power projects, turnaround management, FCPA enforcement and special situations M&A. Prior to joining MAXpower, I was the regional corporate counsel for Jacobs Engineering Group’s Asia operations, based in Singapore and Mumbai. I have also worked for Norton Rose Fulbright, at the firm’s London and Abu Dhabi offices with a practice focus on energy projects.

For MAXpower, white-collar crime exposure means unfavourable exposure to laws on bribery, sanctions, export control, anti-money laundering, internal controls, audit standards violations, etc. The potential breach of certain anti-bribery legislation like the US Foreign Corrupt Practices Act 1977 (FCPA) or the UK Bribery Act 2010 (UKBA) may pose a greater risk than others. The FCPA is the single biggest legislation affecting anti-bribery compliance programmes globally. The complexity of the application of the FCPA (or the UKBA) is that it is not dependent upon the existence of any contractual arrangements that a company may have in place. We have to engage in an extensive dialogue across all ranks of employees to socialise our exposure.

The biggest FCPA concern in emerging markets is pressure to pay. We try to tackle both the supply and demand side (more so under kleptocracies) of the bribery problem through a concentrated effort of top-level leadership, tone in the middle, a robust code of conduct, a tactical internal conduct code training process, ground-level determination, and ingenuity. We also try to convey the message to employees that penalties for non-compliance are severe, including imprisonment, unlimited fines (typically fixed at tens or hundreds of millions of US dollars), debarment from public procurement contracts, company director disqualification, asset confiscation, disgorgement of profits, adverse reputational consequences and substantial legal costs. To have greater impact, our training materials focus on figures (i.e. potential economic disruption) and flesh and blood references from past individual prosecutions.

The four broad components of a successful compliance programme consist of an analytical enterprise-wide risk management framework taking operating environments into consideration, broad institutional assent from participants, control structures within which the leadership can act to stem breaches, and monitoring by independent specialised actors. As general counsel, I play the independent monitoring role. We train our senior leadership to comprehend (with the understanding that the message will flow down) that in the case of foreign laws and regulations like the FCPA, a subject company has no means to contract out of potential liability.

Extra-territorial laws (like the FCPA) lack public assent in most emerging markets, which adds to compliance challenges. Pre-conceived notions of what actually constitutes ‘misconduct’ can also impact compliance efforts. Through our bespoke training and targeted employee engagement processes, and try to challenge such countervailing social norms. We also try our best to secure workforce assent to the compliance programme and aim for an institutionalised acceptance of the bribery and graft problem. As general counsel, I know that what may work for the developed world will not always work for emerging markets, and hence we deploy a risk-based approach. We, as a company, also realise that an eco-system of zero corruption is an illusion.

It is often the case with general counsel (no different in my case) that their formal authority falls far short of their responsibility, and their success is dependent on others outside their own chain of command. Therefore, general counsel (who also have responsibility for compliance) need to be a jack of all trades and be savvy enough to drive through crucial compliance controls. The right relationships inside a company (including by having the CFO and the Head of Procurement on speed dial) are very important.

As part of our corporate messaging, we also highlight that business conduct training is simply not moral rhetoric, but that breaches of applicable law can cause major economic disruption leading to loss of jobs, amongst other real-world consequences. The company leadership has also committed to encouraging reporting mechanisms of potential violations by offering a sense of assurance to employees that no retaliation will occur, subtle or overt, to ensure that employees feel safe to report concerns. We also realise that inconsistent moral messaging can be confusing for employees if legally enshrined moral principles (or organisational value systems) conflict with their own socio-cultural beliefs, as shaped by local standards and ways of doing business. We are conscious that a sound code of conduct crafted with the right ethical considerations will boost the company’s long-term competitiveness.

It is also important to realise that strategic legal or compliance personnel are not hired to be ‘liked’. Companies should remember that such personnel need to be respected as a voice of authority by employees of all ranks. In most listed companies, the chief compliance officer acts as an assurance for the public that the company is a good corporate citizen. Good compliance credentials will help in building public trust for the company.

Year on year, the world grows more tech-savvy. Most large in-house departments already use AI or automation tools in some form, and it does result in cost savings. From a white-collar crime angle, it is important to mention that the Criminal Division of the US Justice Department (DOJ) updated its memo on evaluation of compliance programmes in June 2020; this is a good reference document from a prosecuting agency setting out expectations on what a robust compliance programme should look like. The new subsection on access to data stresses the DOJ’s recognition that data access and monitoring is critical to the proper functioning of a compliance programme. Data analytics can help determine whether compliance failures are systemic or more aberrational. Such data can also help a company monitor investigations and discipline to ensure consistency, which the memo suggests is part of a compliance programme’s effectiveness. The focus on data analytics is thus a good indication that AI, machine learning and automation tools will play a more significant role in legal and compliance functions in the years to come.

At a time of increasing regulatory scrutiny in virtually all corners of business, and with the stakes having never been higher, now is the time for companies to get their house in order in terms of their compliance and investigatory response regimes. Our survey of top in-house counsel from across the globe revealed great disparities between organisations, not just in terms of how they plan for a potential investigation or prosecution, but also in terms of how high a priority such an endeavour is, and who within the business is best placed to take ownership of it.

But while most businesses – and certainly nearly every lawyer – would recognise the risk of inadequate preparation in this area, whether this recognition had translated into action is another story. Just 57% of respondents in our White Collar Investigations Survey reported that their organisation had implemented a response plan for regulatory investigations or white collar prosecutions. 39% reported that their organisation has no such plan.

49% of respondents felt that their company had robust and effective investigative protocols in the event of an external investigation; 29% said that they did not believe that they had such protocols and 22% were unsure.

While it might first seem reasonable to assume larger companies are more well-resourced and thus more likely to be in a position to create an investigatory response plan, this does not appear to be the case. In looking at whether respondents’ organisations had implemented a response plan, those from larger companies (with over 100 employees) were less likely to report their organisations as having implemented a response plan, at a rate of just 57%, compared to almost 80% of those from smaller (less than 100 employees) companies.

‘There can often be too many distinct business units that would be involved in an organisation-wide plan. What you end up finding is in those cases, it’s much harder to get a far-reaching plan together as in-house counsel,’ says one legal director in the Australian telecommunications sector.

‘It is very important in our view to avoid a culture where the operating commercial organisation believe that no written guidelines from the top of the organisation means “green light”,’ says Kjell Clement Ludvigsen, general counsel at Norway’s Nortura.

‘It should be very clear to all that they are responsible themselves for what they do, but they should ask for assistance from legal or compliance if they are in doubt.’

Preparedness

Another problem with trying to get a clear view of where businesses are in their white collar investigations risk is that areas of concern will differ from company to company, and sector to sector. Our survey asked respondents to rate their level of preparedness in a variety of key areas on a scale of 1 to 5, with one meaning ‘not prepared at all’ and five ‘very prepared’. On average, respondents reported that their business was most prepared in terms of their financial compliance policies, scoring an average of 3.9. Companies were least prepared in terms of their modern slavery policies, which came in at an average of 3.0.

Those who said that their organisation had implemented a response plan for regulatory investigations or white collar prosecutions reported being more prepared almost across the board than those who did not. In particular, respondents whose organisations had such a plan rated their preparedness, on average, up to a full point higher than those who did not. In particular, both bribery/corruption policy and modern slavery policy preparedness increased by almost a point (0.97 and 0.92, respectively) from companies without a plan compared to those with one.

‘Aramco has zero tolerance in relation to any anti-bribery and corruption activities,’ says Ahmad Ismail, general legal counsel at Saudi Aramco Shell Refinery Company.

‘Therefore, I align my plan backwards from there. At each board meeting, I will align this with my president – I will check if there are changes, or any fine tuning for the plan. We need to be agile yet able to optimise.

‘Particularly now, as we have seen Saudi Aramco has been listed on the stock exchange, that represents a higher level of responsibility, citizenship and corporate compliance for the organisation, including at the subsidiary level.’

Whose problem?

One reason why organisations appear to be behind the curve on investigatory planning is that it isn’t an area that uniquely lends itself to the legal team. Efforts in this area are likely to require active input from all corners of the business, as well as an ambient level of support from the leadership team.

Indeed, when asked who within their organisation was responsible for designing and maintaining the response plan, answers were split. While the legal team was the most commonly cited department, it ultimately accounted for just 35% of the responses – and just as many reported not having a response plan at all. 13% – the second most common response – said it was currently a multi-departmental effort, and 10% said it was the domain of a dedicated crisis management team.

‘Day by day, the executive team is more conscious of the importance and necessity of the identification, mitigation and follow-up of risks,’ explains Diana Daza, legal director at SGS in Colombia.

‘As a legal team, we are highly involved in daily risk management operations in order to prevent these sort of risks.’

Despite a current lack of ubiquity around which departments are given investigation planning responsibilities, there is a sentiment that this is changing. From interviews with participants in this survey, it seemed a common view that over time, the pre-investigatory planning job is landing more and more with the in-house team.

‘Based on conversations that I have had with peers, it has become quite common that legal teams, in particular the leadership team, are involved in assessing the risk of investigations and prosecutions,’ shares Oliver Jarberg, deputy chief legal and compliance officer and director of integrity & anti-doping at FIFA.

‘I personally believe that it is one of the key aspects – in particular at management level – for the legal and compliance function to be involved with. In particular, in-house legal teams should already be involved at an early stage by the business so as to flag critical operations, transactions, and provide advice and support on measures to be implemented to mitigate legal and compliance risks – including the risk of investigation and prosecution.’

Annual reviews

Another reason that uptake and confidence in organisations’ planning for white collar investigations is subdued might be because there needs to be an ongoing commitment to reviewing and modifying the plan in order for it to stay effective: external risks are changing constantly, while the risk profile of a business will likely change as it expands or contracts into or away from new business units.

When it comes to reviewing their planning and preparation processes in the context of investigation and white collar prosecution risks, 38% said that they review their process annually, while another 38% reported only conducting such a review on an as-needed basis – another 19% said that they never review their plans in this area.

‘We undertake an annual review and it is critical to understand both the changes in the legal landscape as well as regulators’ approach,’ explains Kwong Wen Wan, group chief corporate officer and group general counsel for Mapletree in Singapore.

Ahmad Ismail is both a proactive participant in his organisation’s investigation preparation, and an avid proponent of conducting regular reviews of any plans or policies.

‘The way I align my plan – especially in relation to anti-bribery and corruption and also in relation to legal and compliance – is that I first understand the company legal risk appetite and then align that to the business cycle of the organisation,’ he says.

‘Clearly, all organisations have their own business planning cycles, and within that business plan cycle you decide on the capital expenditure of the organisation, in other words, what type of investments they are making for the year.’

‘That is normally also mapped against the company’s risk map. So based on that, I will determine what the plan would be for the year in relation to legal compliance. I would analyse that risk map, and get clarification from the auditor and the Chief Financial Officer and the controller. I’d then identify what would be the risk appetite for the organisation, and then I’d map the plan for legal compliance for the year.’

For Jaberg, ‘at FIFA, we have a working group composed of representatives of different professional functions within the organisation, including internal audits, finance, legal and compliance, and different business units.

‘They meet on a regular basis to map FIFA’s main risks and devise strategies and plans so as to mitigate the risks identified within this working group.’

‘I think it is important to establish a formalised risk management process to identify the different risks – including that of investigations and prosecutions – as well as ensuring the processes and measures designed to mitigate such risks are defined, evaluated and implemented. As risks evolve over time, I think it is important that they are reassessed and the processes to address such risks are then amended as required, based on the learnings related to each risk identified. So, in fact, this is a very dynamic task which also requires the legal and compliance function to thoroughly understand the business, the processes and operations of the company.’

‘It’s important to be agile and on top of things, and adapt to the changing circumstances as required to protect the interests at stake.’

Renewed interest from regulators

Give the importance of preparedness for regulatory investigations and white collar prosecutions, why do companies of all sizes and sectors report such vastly different levels of planning in this area?

While the subject may have been on in-house counsel’s radar for many years, many counsel interviewed for this report mentioned a ‘sea change’ in the wake of the global financial crisis, which saw a redoubling of efforts on the part of regulators to rein in inappropriate and illegal conduct, particularly in the financial sector. While a decade is a long time in some respects, in terms of cultural shifts within massive organisations it isn’t very at all, and businesses are still coming to terms with heightened sensitivity on the part of regulators and similar investigatory bodies.

‘It takes time – lots of time – to see real cultural change take hold in a company, or industry,’ says one long-time banking general counsel based in the United Kingdom.

‘There is an increased level of consciousness around white-collar crime which I would say began post-GFC and has continued since then. But unless an organisation has already been stung, it can be difficult to enact change quickly – something I suspect every in-house lawyer will be familiar with. It is on the in-house lawyer to keep their foot on the gas and make sure the company keeps momentum towards compliance.’

Generally speaking, there is a trend with political and public pressure continuing to drive significant changes in white-collar law enforcement throughout the world. In my opinion, it is important for in-house counsel to be on top of things in this area and particularly when it comes to advising our internal clients with the view to mitigate risk. In particular, recent developments in relation to the COVID-19 pandemic have put a lot of pressure on colleagues at the forefront. We deem that it is our duty as in-house counsel to provide practicable legal advice to the business, and at the same time adequately addressing the legal and compliance risks.

Our first aim has always been to help our internal clients and members make decisions that are in line with the applicable regulatory framework. This includes policies relating to ethical conduct such as – in our case – the FIFA Code of Ethics and the FIFA Code of Conduct. We aim to provide them with the knowledge and tools needed to identify legal risks in advance and make decisions that adequately address these risks.

In sports, when it comes to integrity and compliance, I always tell our clients – which include players, referee officials and other stakeholders – that it is usually too late when we need to open investigations into alleged violations of rules safeguarding the integrity of sports. When we have to investigate misconduct, the damage is already done. So, with efficient, proactive and preventative measures, such as training, online awareness campaigns and so on, we can ensure that all those concerned know what the rules are, and are able to avoid – as much as possible – things going wrong. However, when things go wrong, it is also key that we ensure that issues are addressed in a timely and thorough manner and that we bring to justice those who don’t play by the rules and who are responsible for bringing our sport into disrepute.

Football, similar to many other aspects of business life, is not exempt from the risks of bribery and corruption. We have seen that different individuals and companies who have been involved in football have been found guilty, amongst other things, of bribery and corruption. In that respect, it is very important to have the right tools in place, including the right regulations and processes to address risks. Equally, it is important to learn from mistakes that have been made in the past and to avoid making the same mistakes again.

FIFA has undergone a very thorough and comprehensive governance reform process over the past years with the aim of addressing certain deficiencies that were discovered. As an example, we have strengthened and formalised our compliance function. We have further strengthened the system of checks and balances, including the implementation of terms of office, and segregation of powers of the different bodies of the organisation. Also, we have strengthened the function of our audit and compliance committee, which consists mainly of independent members. We have established a confidential reporting system or whistle-blower hotline in order to encourage a culture of speaking up and flagging wrongdoing, as it is discovered. We have established eligibility checks including integrity and background checks for all of FIFA’s committee members. We have further strengthened the processes in the context of the funds we invest to develop the game of football. We have enhanced our processes when we check on the service providers and third party vendors with whom we do business. We have also massively revamped our bidding processes for FIFA competitions, including the FIFA World Cup and the FIFA Women’s World Cup. We have also amended our policies to make them more user-friendly and relevant in everyday business transactions. These are only a few examples, but all this was, amongst other reasons, also done to strengthen our position in terms of anti-corruption and anti-bribery.

When focusing on the game of football, we see that match-fixing and doping are highly complex problems that require very stringent processes. Of course, the actions committed by the perpetrators concerned are also corrupt conduct, and here specifically in the context of sports, such corrupt and illegal actions go against the very essence of the game; the integrity of the sporting competition is destroyed, as is with the case with the use of doping. But what is more, if the unpredictability of the sporting result is jeopardised, the sport is basically deprived of its very essence, which is not to know in advance of a competition who the winner will be. If this element is lost, no one will watch football matches in the stadiums or in front of the TV, and the commercial partners that are helping generate revenue, which is reinvested in the sport, will no longer be interested. It is a vicious circle and we have a paramount responsibility to do whatever we can to best protect the integrity of our game.

This is also why we work with many different stakeholders to address the challenges of doping and match manipulation and why we are also dedicating a lot of resources and also expertise and effort to address these challenges.

When it comes to compliance and due diligence, we as an organisation have enacted many different initiatives, processes and tools. For example, our code of conduct serves as a one-stop shop; it provides direct access to the code in all different languages, and it provides for different and direct links to relevant directives, training materials and templates, including contract templates. We also have in person training, for example, we organised a compliance summit specifically tailored to the needs and challenges of our 211 members associations, the football confederations and other stakeholders. In fact, we are currently planning our next compliance summit which will be held online in Autumn.

Overall, when looking into the future, I personally am convinced that legal tech and artificial intelligence will be highly relevant and beneficial for in-house counsel. We have already evolved quite significantly, compared to where we stood five years ago. But, I believe that we are still in the early stages and that the technological revolution for in-house counsel is just beginning. What I am convinced of is that we as lawyers and in-house counsel need to be open to innovation and technology, amongst many other things to enhance our risk management.

The use of external counsel, once an investigation or prosecution has been made official, received across-the-board support from participants in this survey. 77% of respondents considered it at least moderately important for external counsel to be involved at that point, with almost half of those considering it highly important. 14% reported feeling that external counsel would not be involved.

‘Especially in smaller departments I have been a part of, having a good lawyer outside your business who knows your business is critical,’ explains one senior legal director in the European aviation industry.

‘Departments are strapped for resources as it is; the overhead of responding to a regulator – or worse, a formal prosecution – is beyond the capabilities of most departments.’

Those counsel who were a part of smaller departments were more likely to expect external counsel to be involved. Respondents in teams of 50 or larger were less likely than any other group to involve external counsel, with 31% reporting no involvement of external counsel at that stage.

When it comes to involving external counsel in anticipation of an investigation (as opposed to when one has formally been announced), approaches differ. Just 8% or respondents reported always involving external counsel at this stage; 33% reported occasionally involved external counsel and 38% reported involving counsel ‘often’. Almost 20% rarely involve external counsel at any point before the formal launching of an investigation or prosecution.

‘We are in almost constant contact with at least one outside lawyer to consult with on any real or potential investigations,’ says one veteran in-house counsel in the North American energy sector.

‘We can’t afford not to. If the first time you are meeting with a lawyer is when the regulator is at your door, a lot of (avoidable) damage has been done.’

While the in-house community has been vocal in pushing for diversity in their partner law firms, a company instructing external counsel on an investigatory or other white collar matter is typically more likely to involve a single practitioner for representation than other types of legal work. Therefore, survey participants were asked how important of a factor diversity and inclusion is when selecting counsel in these situations. The overwhelming majority felt it important, with 40% considering it a ‘highly important’ factor and another 40% considering it ‘moderately important’. Just 5% felt it unimportant.

In choosing external counsel, respondents reported choosing from a variety of sources. On average, in-house counsel were most likely to have found their chosen counsel by direct outreach to single firms – 20% of counsel reported choosing their representation this way. The next most popular source was the use of a company-curated preferred provider panel at 15%.

On the 30th of November 2017, The Australian Government announced a Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission). Appointed to preside over the public inquiry was High Court Justice, Kenneth Hayne. He was tasked with identifying the underlying causes of financial sector misconduct, and to uncover evidence of systemic issues within corporate practices.

The Commission was precipitated by a series of high profile exposés implicating Australia’s biggest banks in scandals covering fraud, predatory sales practices, FOREX trading impropriety, interest rate rigging and more. The Commission conducted seven rounds of public hearings over 68 days, called more than 130 witnesses, and reviewed over 10,000 public submissions. The findings made front page headlines across the country. Concluding the public inquiry, Commissioner Hayne put forward 76 recommendations directed at government institutions, regulators and industry leaders.

The Commission’s findings heralded sweeping changes within current operational frameworks in the financial advice, life insurance and superannuation sectors. Leading general counsel working across these industries in Australia candidly share their experiences in rebuilding consumer trust, as they work towards transforming regulatory practices across the country.

Cashing in

To understand the damning findings of the Royal Commission it is crucial to reflect back upon the historical development of banks in Australia. Jeff Morris was a financial adviser for Australia’s Commonwealth Bank and more importantly, was a key whistleblower spurring the public enquiry.

‘What I noticed was the mentality of banks; they lost their way, and they lost sight of their history,’ explains Morris.

‘The history of Australian banks is a good and honourable one, and an important contributor to national economic growth. It was in the 90s when things began to change. American sales cultures came in and banks got infected with the remuneration US banks had always paid.’

This shift away from customer-focused services towards bonus schemes led to deceptive conduct. Claims that arose included: charges for services that were not provided; continuing conflicts of interest affecting financial advisors; and an insufficient focus on risk management. In more severe cases, some financial institutions had inadvertently facilitated money laundering, turned a blind eye to terrorism financing, and promoted a culture of greed.

Refusing to stay silent, Morris filed several complaints to ASIC (The Australian Securities Investment Commission) Australia’s financial regulator, outlining acts of misconduct he had witnessed. For years ASIC did little to investigate the claims and in 2013 Morris decided go public. Several media outlets began to report upon allegations of fraud, forgery and management coverups. This ultimately resulted in a parliamentary inquiry and Royal Commission.

Since the Royal Commission was televised, Australians saw the direct impact financial misconduct had on individual’s livelihoods, prosperity, and dignity. The erosion of consumer confidence and trust in the sector was – and to some extent still is – extensive.

‘The thing that was so distinguishing about the Banking Royal Commission, was how it captured the public’s attention because of how it connected through case studies into such deep feelings and experiences within Australian consumers,’ says Grant Jones, General Counsel & Executive Lead, Regulatory Affairs at MLC Life Insurance.

‘It showed how customers felt so vulnerable to large institutions, and it gave voice to this feeling and experience.’

This sentiment was shared by David Cullen, general counsel of AMP, one of Australia’s leading wealth management companies.

‘I think it certainly is a pretty challenged environment after the Royal Commission. There is lots of activity and focus on remediating and rectifying legacy issues, making compliance improvements, and leaning into a much greater regulatory change environment than we have seen in recent years.’

The findings of the Royal Commission and the suggested reform package put forward by Commissionaire Hayne represents the largest and most comprehensive corporate and financial law reform process since the 1900s. The reform package addressed issues of weak regulation, corrupt reward structures and an overall disregard for client interests. From the 76 recommendations made, 54 were directed to Government, 12 to regulators and 10 to industry leaders.

‘Together, these reforms have and will continue to ensure that Australia’s financial systems deliver fairer outcomes for consumers and remains resilient to enormous stresses caused by events like the global financial crisis and now the coronavirus,’ said a spokesman from the Australian Treasury.

Leaning into legal

Since the Royal Commission, the role of in-house counsel has been cast into the spotlight. Professor Michael Adams, head of law at Australia’s University of New England explains the delicate position of corporate counsel.

‘The Royal Commission has really highlighted the role of lawyers within financial services, and in particular the role of various in-house counsel within these entities. I think there has been a lot of soul searching and discussions about whether more could have been done, or if they should have been more vocal in management discussions.’

‘First and foremost, if you are a practicing lawyer, solicitor or barrister – you are an officer of the court and you have duties which are predominately to the court, above and beyond that to your client, even as in-house counsel. So, in theory the delineation is very clear,’ says Professor Adams.

‘In practice in-house counsel roles are subjected to a range of pressures. The more senior of a lawyer you are, the more likely you are part of the management decision-making process. If you are a general counsel at a financial entity, you are part of the c-suite.

‘You are there to facilitate your organisation to develop new products and get around legal barriers and regulatory hurdles. That is part of your job. However, you do have an obligation to speak out against ethical violations to explain when something is misleading or unreasonable.’

Getting ethical

Navigating commercial obligations, whilst acting as a trusted advisor may sometimes present ethical grey areas for corporate counsel.

‘The Royal Commission constituted a profound point of inflection in the industry where firms were forced to publicly look into a dark mirror and make a decision to fundamentally change,’ says Jones.

‘What the Commission particularly highlighted through its case studies, is how easily unfair decisions which have real adverse impacts on people can become normalised within a large commercial operations.’

‘This was a very confronting realisation for industry because the vast majority of people across financial services get up each morning and go to work, wanting to do help and do some good and to make a contribution to their customers and community. They are horrified at any prospect of hurting customers.’

‘So when industry people saw the impact of particular conduct through the lens of impacted customers – it was a very confronting moment – people felt deep shame and were challenged at a level of personal values. It was a real moment.’

Similarly, Elizabeth Weston, former head of investment legal and governance at Cbus Super Fund reflects on the on the Royal Commission and its importance on ethical conduct.

‘For me, it was about primacy of community expectations vs the black letter of the law. As a lawyer, obviously people can sail close to the wind, but just because you can do something does not mean you should do something. So, this was a stark reminder of the importance of community expectations and the obligations to always act in the best interests of members.’

Since the Royal Commission, there has been a renewed focus on ethical conduct within the financial sector.

‘I really think those in the sector occupy a unique position of trust, because they are looking after the financial wellbeing of Australians, which is a responsibility and a pretty heavy one. But it is also a privilege,’ explains Cullen.

Culture corrupted

One of the major criticisms coming out of the Royal Commission was the toxic culture prevalent within financial service industries. In fact, Commissionaire Hayne in his final report outlined harmful cultural practices directly linked with risky, immoral and even illegal activities from financial providers. He wrote:

‘Rewarding misconduct is wrong. Yet incentive bonus and commission schemes through the financial services industry have measured sales and profit, but not compliance with the law and proper standards.’

Therefore, cultural practices play a pivotal role in driving or discouraging misconduct.

‘Quite often, an in-house counsel’s job is going to be telling people unpleasant truths, things they do not want to hear. In a culture where everything is being covered up, in a toxic culture, in-house counsel will frequently be pressured to suppress news and not present senior executives with bad news that they know they do not want to hear,’ says Morris.

Weston agrees: ‘As in-house counsel – especially in financial services – there is always a risk that you will fall captive to business and rubber stamp initiatives. One of the key challenges is the fact that you are sometimes delivering deeply unpopular messages.’

‘As you become more senior, you become resigned to the reality of your function as not merely a trusted counsel but also as an officer of the court. I think at times nobody really wants to hear the squeaky wheel, but it is better they do so, before all the wheels fall off the wagon.’

‘I think for me it is about how to deliver that message in a way that stakeholders are able to identify an alignment of interests. How do we counter that risk and deter it in such a way that they will see where you are coming from and act accordingly?’

Looking to the future post-Royal Commission, the role of in-house counsel is fundamental in influencing healthy cultural practices within the workplace.

‘The role of in-house counsel is more important than ever; certainly in this sector they are busier than ever,’ says Cullen.

‘I am a bit wary of the view that in-house lawyers are the conscience of an organisation because really I think everyone should shoulder that conscience. But we do have a key role in setting and being part of the moral compass of an organisation.

‘I think the other key thing in the Royal Commission was about misconduct. It was asked to look into conduct that may fall below community expectations – even where not strictly contrary to law. Now, that is quite a challenging environment for lawyers to operate in because generally lawyers are most comfortable when dealing with black letter legal obligations. The concept of what is and is not contrary to community expectations will be something lawyers have to consider as part of their advice. It raises the issue of ‘where is the line drawn?’ but increasingly this is another challenge that in-house lawyers will have to grapple with.’

Fairness is another concept that does not necessarily follow the black letter of the law, yet according to Grant Jones, general counsel at MLC Life insurance, it has become a key topic for consideration post-Royal Commission.

‘There are two clear learnings that I took from the Royal Commission that influence how I perform my new role today.

‘Number one is fairness. I believe fairness will be the defining regulatory principle of our time. The second learning is that fairness needs the most protection in every 100 small decisions that are made across a company every day, relative to the fewer and bigger decisions a board will make that have the benefit of lots of perspective and debate.

‘Why is the first important? It is important because it prompts the question, how do you embed fairness in your business processes? Fairness is an idea, it does not have a fixed perimeter and is entirely subjective. With that being the case, how can it be a principle of law that you can design processes and products off the back of? This is the challenge for industry participants and regulators, but it’s a critical issue to solve.’

Governance glow up

As a result of the increased regulatory environment following the royal commission, companies across the financial sector are reassessing their internal corporate governance processes. In particular, one of the most obvious shifts for in-house counsel post-Royal Commission has been the push towards strengthening internal corporate governance framework.

‘In Australia, we have come out of a Royal Commission into Financial Services which has really emphasised the need for robust corporate governance and seen an increased focus by our regulators to take action against white-collar crime. That trend is unlikely to change,’ explains Seshani Bala, group general counsel & corporate assurance at Chartered Accountants ANZ.

‘One of the things I noticed following the Royal Commission was the broadened remit of the General Counsel. I previously led the legal function and my remit was extended to risk and governance. There is definitely a trend towards integrating those functions so you can really drive process synchronisation. Risk can be identified and managed and governance around that risk solidified.’

This shift has also been observed by Cullen: ‘Supporting boards and their increased governance needs has undoubtedly heightened post the Royal Commission. I also think the approach to interacting with regulators is of fundamental importance.’

In-house legal teams across the finance industry are tasked with improving corporate governance frameworks in order to avoid public scrutiny or corporate watchdog fines. Raising the accountability and governance standards across the financial sector is crucial.

‘I was hoping that the Royal Commission would lead to a renaissance for legal function within financial services. Perhaps it did within the retail banking sector, but I am not sure if it did so much in the industry funds sector,’ says Weston.

Focusing on the future

Overall, the Royal Commission and its findings sent shock waves through the financial sector of Australia. Revelations of systemic misconduct and corporate coverups brought to light shameful practices and toxic work cultures.

‘Sometimes it takes a disaster or a near disaster for people to recognise – really truly appreciate – cognitive diversity. As a legal professional you bring a different perspective to bear because of your discipline and because of your training as an officer of the court,’ outlines Weston.

‘I think as lawyers I have always felt that we know about worst case scenarios, we seem to be the people who envision it, we seem to be the people who consider what it would look like on the front page of the paper, rather than waiting until it is on the front page of the paper.’

Although the financial sector in Australia has gone through significant regulatory transformation, acknowledging past mistakes and implementing new frameworks aimed at improving industry practices are the first steps towards rebuilding consumer trust.

My role in Moscow is heading up the legal and compliance team. I am responsible for this whole area, which includes things such as: risk management, internal investigations, preparation and execution of compliance and legal plans, litigation, contractual work and really everything you can think of.

I am not aware of any multinational organisations nowadays which does not have a compliance policy and framework. Almost all of them have a compliance specialist or in-house legal person in place. In order to move forward, the biggest challenge nowadays is to foster a proper compliance mindset. This is so that people will not perceive compliance as merely a ‘tick the box’ exercise. That is the challenge that I believe remains in place in many parts of the world. Even many senior colleagues in large companies still view compliance as a ‘tick the box’ exercise. They view it as only being the responsibility of legal and compliance departments.

Obviously, corporate ethics is not only about compliance with applicable laws and regulations, it is also about sustaining the long-term business success of an organisation. It is up to us lawyers to understand technicalities. But when it comes to business clients, they have to understand the principles behind why specific rules were introduced. Also, the more our internal clients believe and understand corporate ethics, the fewer number of white-collar crimes will be committed, and in-house counsel will be able to dedicate their time to other important matters. Promoting ethical culture means not only constant training efforts in this direction, but also fostering the right mindset. It is important for us to ensure our clients will understand not only the letter of the law, but also its spirit, and the rationale behind a certain legislative provision, therefore enabling them to make the right choice in a dilemma.

When looking at my own team, further improvements can be made to promote ethical business culture. For instance: making legal and compliance functions independent from the business (solid reporting lines should flow into that function and not into business. Legal and compliance should have their own independent budget); making sure that legal and compliance directors are part of the management teams for respective business units; and when deciding where to hire a legal and compliance professional it is necessary to take into account not only business considerations (size of the business, its growth and profitability) but also a risk profile of a given jurisdiction.

When it comes to bribery and corruption and due diligence, the pharmaceutical industry is highly regulated. It inherently requires us to deal a lot with governmental officials (while registering products, running clinical trials, selling medicines to the government etc). Moreover, due to the state-owned nature of many healthcare systems, administrators in clinics and doctors can be classified as governmental officials from both the FCPA (Foreign Corrupt Practices Act) and UKBA (UK Bribery Act) angles. Thus, bribery risks are at the top of the agenda of international pharma companies. Due diligence risks primarily relate to the difficulties in identification of real ultimate beneficiaries in high risk jurisdictions (Latin America, CIS, Southeast Asia) due to the sophisticated techniques used by those who try and conceal real ownership.

For instance, we had a case where the real ownership of one of our distributers was concealed. According to the official registers the shareholder of the company was person X, but it transpired that the real beneficiary behind was a completely different person. In fact, that person was a governmental official. This created a lot of legal risks. We hired a private investigator to run an in-depth compliance check mandated by our compliance policy and procedure. When we received the report from the investigator, we took a risk-tailored approach and discussed each and every red flag related to the situation. As a team we tried to find a meaningful solution. We then took it to the senior levels of our company so that management would be aware and endorse our actions, and offer their advice based on their knowledge and experience. We of course took independent legal advice as well. In the end we decided to run more enhanced due diligence checks over our critical high-risk partners.

Also, when it comes to crisis management, we have a very solid risk management framework in place which enables us to address crises in a speedy and coherent way. For example, we ran a whole risk assessment when things started to go off recently due to the coronavirus outbreak. We immediately decided to make all our sales calls virtual, even in regions where the government had not yet mandated it. Legally, it was permissible to do face to face meetings in some countries at the start of the pandemic. However, we considered the safety of our customers and our own personnel, and we decided to take everything virtual. We also created some new platforms, and as a result tweaked our compliance rules and procedures to the virtual working environment.

I think when we look to the future, white-collar crime is going to become more sophisticated. If we look back five or ten years ago, if a person wanted to defraud a company, he or she would simply use his or her credit card improperly. Now, corporate fraud is more sophisticated. People are becoming more underhanded when it comes to white-collar crime; it is getting harder to detect and prevent. In addition, the regulatory framework for the pharma industry is not getting easier.

Cyber-crime is also a growing risk area going forward. The main thing here is to make people aware of the core techniques that criminals can use. It is important to be on high alert and to no longer perceive the virtual world as not real; it is very much real. Also, people should not look at cyber-crime as purely the responsibility of IT. It is the responsibility of every employee and people should be trained to detect phishing emails and be aware of their VPN when sending corporate sensitive data.

When overcoming these future and current challenges, it helps when compliance and legal teams come together in a co-ordinated effort. They may be two separate functions, but a collaborative approach is best when preventing white-collar crime.

My past in-house roles were in fast moving consumer goods (FMCG) companies where I had international remit and exposure to the benefits of legal operations and using digital solutions in European and US markets. Having a cross-border perspective has really shaped my legal career and how I view in-house lawyering, particularly with respect to ensuring in-house legal teams join the data world so they can make data-driven decisions in this digital economy.

In terms of how I got to my current role, I have always loved problem solving and driving outcomes. When I was in high school I really focused on science and maths subjects, but decided I wanted a complete change when I entered law school at university. I ended up doing a combined Law and Arts degree at The University of Auckland and then did the usual ‘kiwi’ thing of working in large corporate law firms before heading off overseas for the traditional ‘OE’ (overseas experience).

I really enjoyed the fast-paced M&A and private equity deal work in private practice, but I never got the opportunity to view business transactions across their life cycle, because I always had to move onto the next deal so quickly. I did a brief in-house secondment and loved it – everyone told me that once you go in-house, you will never go back! My first in-house role was as international general counsel for an FMCG company where I had remit for all legal matters across 43 markets globally. I gained wonderful experience about customer needs and how to provide business-ready advice. In my current role at Chartered Accountants ANZ, a professional membership body with over 125,000 members globally, I lead the legal, governance, risk, compliance and operational excellence teams which provide integrated assurance and enable the organisation to grow, react and adapt to a changing environment across Australia, New Zealand, Asia and the United Kingdom.

The privacy and cyber landscape is constantly evolving across the globe – we are seeing an increase in disruptive technologies, a move to digital delivery, the rise of the ‘no touch’ economy, the commercialisation of consumer data and consumer demand for delivery at pace. But in parallel, we are also faced with an increase in privacy regulation and the risk of cyber threats. In fact, in 2020, we’re experiencing a year like no other, as we all navigate through a global pandemic! Privacy and cyber security are front of mind as our business balances rapid digital transformation with ensuring our post-COVID operating model is relevant in this new world.

For example, the rapid change from an on-premise technology operating model to a ‘cloud model’ has resulted in a proliferating of data across platforms and increased external cyber exposure to corporate systems. This will surely increase to the point where data will no longer reside in a traditional on-premise location, changing how we manage and protect both cyber and data privacy forever.

Digital solutions are also key in managing areas like whistleblowing. Recent legislative changes support the trend towards whistleblowers being seen as a corporate asset and key to maintaining a culture of good corporate governance.

Businesses can have a good whistleblowing policy which contains anti-victimisation provisions and provide for anonymous disclosure but this needs to be operationalised – using a secure digital platform is the best way of mitigating risks in this space.

External counsel certainly do play a role when it comes to the investigations process, but that depends on the type of investigation. Some investigations need to be conducted under legal professional privilege and using an external firm assists with maintaining privilege. It also provides a level of independence, and external law firms are also able to offer practical guidance on how to manage an issue based on their experience with other clients and regulators. There are definitely benefits with using external counsel, but not with every investigation. A lot of things can be done in-house, so it really depends on the risk profile of an organisation and the cost/benefit analysis.

Looking towards the future, I think in-house legal teams need to be much more tech savvy. Innovation intelligence and being a quick adopter of technology is one of our legal team’s KPIs. Technology was previously a job for IT teams, now it is a whole of business function focused on protecting data. I think in-house counsel are well placed to show leadership in this space due to the privacy, governance and risk management responsibilities they have. In-house legal teams need to get a deeper understanding of technology and need to partner very closely with IT teams. There are huge opportunities for in-house legal teams to step up in this space – it’s an exciting time to be an in-house lawyer!

For companies and their general counsel – as with the rest of the world, generally – 2020 presented unique challenges. As we move through 2021, organisations of all sizes and across all industries face unprecedented forms of scrutiny, liability, and potential “bet-the-company” penalties for misconduct by US and other international regulators.

In response to the COVID-19 pandemic, governments worldwide have distributed significant amounts of emergency relief funds to help manage the pandemic and mitigate its impact on individuals and businesses. Over the course of the last year, the United States, for example, has passed the largest spending measures ever enacted, providing more than five trillion dollars in aid through multiple stimulus bills and more is being proposed. Those relief funds include oversight mechanisms based upon TARP that seek to combat potential fraud, waste, and abuse on behalf of fund recipients, paving new avenues for regulatory scrutiny.

In June 2020, the US Department of Justice (DOJ) issued updates to its Evaluation of Corporate Compliance Programs as part of its overall framework that prosecutors should consider in conducting corporate investigations. That framework will apply to COVID-related investigations. It also provides insight for GCs of corporations seeking to develop and implement a best-in-class compliance program. Among its recommendations, the guidance encourages companies to leverage technology and engage with compliance data real-time – a clear signal to businesses of the importance of data management and security in building a robust compliance program.

Additionally, although robust white collar enforcement has continued in a number of areas over the past four years, the 2020 US Presidential election will usher in a new administration that will likely adjust its regulatory and enforcement priorities on several fronts. With new leadership, financial regulators – including the DOJ and US Securities and Exchange Commission – are poised to take more aggressive stances to combat alleged corporate wrongdoing.

It is no surprise, therefore, that global general counsel are expressing heightened concern over these new and emerging challenges. To gain more direct insight into these issues, Latham & Watkins is delighted to partner with GC Magazine and The Legal 500 in their inaugural “Under Investigation: A GC Guide to White Collar and Sanctions Trends in 2021” to ask GCs about their top regulatory challenges. The following responses offer a snapshot into the concerns and risks GCs around the world have identified as top-of-mind in this evolving regulatory climate.

Douglas Greenburg
Benjamin Naftalis
Nathan Seltzer

Global Chairs, White Collar Defense & Investigations, Latham & Watkins LLP

Since November 2020, white-collar defense lawyers have faced one question: will the Biden administration change US priorities when it comes to pursuing a range of economic crimes?

Generally, it takes a relatively long time for a new administration to have an impact on white-collar crime enforcement. White-collar matters often take a long time to process: cases that are not already being investigated can take months to appear on the radar, and the decentralised nature of the US system means that changes at the national level are often less consequential than appointments of US Attorneys at key offices throughout the country. In addition, the previous administration did not roll back on its enforcement pursuits to the extent many had anticipated. For example, aggressive FCPA enforcement continued through the last four years, in contrast to many expectations.  All that said, we expect the next four years will bring rigorous white collar crime enforcement across a spectrum of white-collar cases.

Early indications of the new administration’s approach can already be seen in the appointments made by various regulatory agencies, with Obama-era alumni returning to senior positions. Given the likelihood of similar appointments at the DOJ, the SEC, and other relevant regulatory bodies, the next four years could be marked by a return to the priorities set in the Obama era, which alone would mean an increase in the volume of white-collar work.

While it is still too early to judge exactly how the legislative and regulatory priorities of the new administration will impact business, existing features of the enforcement landscape will continue to have a big impact on international business.

First, we expect to continue to see a sustained emphasis on anti-money laundering enforcement, and the FCPA will remain one of the most important US federal laws for multinational companies. Second, sanctions and trade controls will similarly continue to exert a substantial influence on enforcement in the US and beyond, largely because – in the United States – there is rare bipartisan consensus on the value of sanctions as an instrument of national policy. One area we expect an uptick in enforcement is securities fraud investigations against both corporations and Wall Street institutions, both civil and criminal, as we expect the new Administration will be highly motivated in this area.  Lastly, the aftermath of COVID-19 will likely result in heavy scrutiny of potential fraud related to various COVID relief programs and in their related significant federal investment.

General counsel will need to mitigate these and other emerging risks in the coming months.

Compliance from home

Almost without exception, all major policies and procedures related to compliance presuppose that employees are physically present in an office; that employers know where data and other records are stored; and that compliance teams have the ability to directly monitor staff activity.

For many companies, the global pandemic has introduced new remote working environments where the physical presence of a company’s employees is largely uncertain, data may be stored across a wide range of depositories, and training is limited to formal interactions over webcam. For the past year, corporate compliance has taken on an entirely new identity.

Finding ways to ensure proper oversight of employees in a remote environment is a work in progress, and it remains to be seen how regulators will evaluate the measures taken by employers. Even without worrying about the stance regulators are likely to take, businesses must work out how to build and maintain a strong culture of compliance in a remote working environment. Establishing the right tone and culture is, of course, much more difficult without physical interaction; nevertheless, it is a challenge businesses and GCs must reconcile for the future.

Regulatory cooperation and conflict

For multinational companies, the list of potentially relevant prosecutorial authorities grows with every year. We continue to see increasingly aggressive white-collar enforcement in many countries around the world, accompanied by closer international cooperation among governmental authorities.

At the same time, conflict of laws between jurisdictions is becoming more common, meaning multinationals must navigate a world where they face competing laws in different markets. For example, US authorities have come to recognise that companies are limited in what they can lawfully do to cooperate when an enquiry requires the production of European data. Governmental authorities will be pushed to cooperate ever more closely because US authorities often will only be able to obtain necessary data only from their foreign counterparts.  As a result, multijurisdictional investigations will increasingly be coordinated between the different national bodies involved in investigating and prosecuting a case.

The more white-collar crime is viewed as a matter for collaboration among national regulators, the more likely a jurisdiction will expect its laws to play some part in mitigating the alleged misconduct. As any multinational legal or compliance team knows, misconduct often occurs in countries that do not have a well-established judicial system or, in some cases, effective rule of law. This situation makes the resolution of any potential compliance issues in such countries challenging at best.

Additional complexity can result by “blocking statutes” increasingly prevalent in certain jurisdictions, effectively prohibiting compliance with US sanctions. This creates a challenge for GCs of multinationals, who must navigate an increasingly interconnected world while also adhering to sometimes completely incompatible sets of laws and regulations.

General counsel will need to be sophisticated at navigating the relevant laws to avoid trouble. The world is becoming more complicated and risks to businesses are growing. This means their advisers will have to find unique solutions to a host of difficult challenges. The days of rolling out the same playbook for every problem are over.

Above all, GCs should remember the first law of compliance: when problems arise, one cannot ignore them in the hopes that they will disappear. At minimum, GCs will need to identify and act on potential problems as soon as possible. Waiting to see how something evolves is no longer an option in a world where every country has the ability to bring sanctions, and coordination among international regulators is the norm. Pick up the phone and call someone who can help you avoid compliance problems that will prove far more expensive than taking the necessary actions to prevent them.  And, when an investigation arises, GC’s will need experienced counsel who can ensure the company cooperates when appropriate, but who can also advocate aggressively, when necessary.

Authors:

Douglas Greenburg, Global Chair of the White Collar Defense & Investigations Practice, is a partner in the Washington, DC office of Latham & Watkins LLP

Benjamin Naftalis, Global Vice Chair of the White Collar Defense & Investigations Practice, is a partner in the New York office of Latham & Watkins LLP

Nathan Seltzer, Global Vice Chair of the White Collar Defense & Investigations Practice, is a partner in the London office of Latham & Watkins LLP