Handling Whistleblower Complaints Globally

Posted by Amanda Nieweler

on April 8, 2015

A Global Perspective for North American Companies

A few weeks ago, we partnered with i-Sight to co-host a webinar: Handling Whistleblower Complaints: A Global Perspective for North American Companies.

The presentation slides are available on Slideshare, above. If you missed it, here’s a synopsis from the presentation:

Highlights

  • There are challenges of receiving whistleblower complaints from foreign countries, including language, time zones, cultural differences
  • Most common complaints received by North American companies are from foreign subsidiaries or branches
  • Regulatory issues surrounding the receiving and investigation of complaints that come from outside North America
  • Common pitfalls of investigating foreign whistleblower complaints
  • Best practices for following up with foreign complainant

Global Corruption

  • Bribery affects one-quarter of the world’s population
  • More than 50% of global compliance executives in the 2014 Kroll Anti-Bribery and Corruption Benchmarking Survey anticipate the bribery and corruption risks to their companies will
  • 75% have no oversight of cyber security
  • 58% never train third parties
  • Only 43% monitor compliance after a third-party relationship begins
  • Only 48% of compliance officers automate their anti-corruption program is some way

FCPA Fallacies

  • Our Foreign Sales are too immaterial to create FCPA Risk. The FCPA applies to US residents, citizens and most organizations in the US or subject to US securities laws and reporting requirements – no matter the size or revenue. Even the smallest improper payment or benefit can violate the FCPA, causing an investigation for your firm and potential fines and penalties
  • Our Foreign Customers are not government departments/agencies 3. Our Employees never interact directly with anyone from foreign governments
  • We’re better off not knowing what our foreign personnel and agents do to get business done
  • Everybody else does it and never gets caught

Challenges

  • Rapidly changing landscape in global regulations regarding whistleblower protections, policies, data privacy and transfers
  • Lack of coherent interpretation and enforcement of the various regulations
  • Cultural perspectives on concept of whistleblowing
  • Intake of information – limitations of what and how
  • Language challenges – nuances and meaning
  • Investigatory issues – local investigators key
  • Employee consent and interaction regulations and protections vary greatly

Regulatory Issues and Conflicts

  • Numerous regulatory issues surrounding the receiving and investigation of complaints that come from outside North America
  • Establish rules and protocols prior to receiving a complaint
  • Understand various restrictions on data transfers of the countries you do business in
  • EU, Canada, Australia, New Zealand, Mexico, Russia, India, South Africa, Philippines, Colombia and Costa Rica all have higher levels of data privacy and protection legislation
  • CEE/SEE countries including Romania, Bulgaria, Hungary, Slovakia, Serbia, Czech Republic recently enacted whistleblower protections for both public and private companies
  • Turkey does not have whistleblower protections but does have whistleblower regulations on rewards to be paid on anti-smuggling cases

Data Protection

  • Ensure you are aware of local regulations regarding privacy and data protection
  • What types of information can be shared across borders
  • How was the report made? Hotline vs. In person
  • Access to personal information must be strictly controlled
  • In EU, some anonymous reports must be limited to a controlled variety of issues
  • Ensure compliancy with local DPAs
  • Ensure you have local investigators
  • BYOD issues

Foreign Data Privacy Laws

  • Foreign Data Privacy Law pose some of the greatest challenges because of restrictions on the kids of data that can be collected and transferred out of the jurisdiction
  • Many countries have enacted laws that place a high priority on protecting personal data, including establishing a fundamental legal right on the privacy of personal data, even if such data are contained on employer’s system or computer
  • 46% of respondents in KPMG’s survey reported that their greatest challenge in conducting cross-border investigations is handling data privacy issues

Most common complaints received by North American companies from foreign subsidiaries

  • Bribes and corruption
  • Embezzlement or misappropriation
  • Conflict of interest
  • Fraudulent financial reporting
  • Data breach
  • Industry specific regulatory issues

Common pitfalls of investigating foreign whistleblower complaints

  • Language challenges
  • Body Language – looking someone in the eye could be considered offensive
  • Cultural differences
  • Data protection issues
  • Loyalty sensitivities
  • Employee counsel/Legal counsel rights
  • BYOD issues
  • Privacy issues

4 Key Issues for Cross-Border Investigations

  • Attorney-Client Privilege
    • Can be significantly less in foreign countries or non-existent
    • Best practice to engage local counsel before initiating an international investigation
  • Data Privacy Restrictions
    • Employee consent, proof of necessity, wildly fluctuating between jurisdictions
  • Blocking Statutes
    • EU, Canada, Australia, UK & France restrict production of documents or other evidence intended for use in a foreign proceeding unless pursuant to a treaty or international agreement
  • Employment & Labour Laws
    • Some jurisdictions require consultation with employee representatives (work counsels)

Best practices for following up with foreign complainants

  • Identify investigation team quickly after receiving complaint
  • Address data protection issues at every step during the investigation and data collection process
  • Understand and remediate cultural differences and legal nuances
  • Be aware and cognizant of data retention and destruction protocols of foreign data
  • Impart a strong E&C program to help mitigate risk
  • Assessment and assistance from external and local resources to ensure you are not violating any local laws
  • Re-examine and refine internal controls annually
  • Increase due diligence to establish consistent review process
  • Educate your employees regarding consent

Key Trends

  • Tough environment
  • Small companies and large multinationals can be targeted
  • Increasing regulation globally
  • Increasing enforcement
  • Internal controls are key as regulators are focusing on extent of them, including training and corporate culture
  • Increasing use of hotlines

Anti-Corruption Compliance Program Considerations

  • DOJ/SEC sophistication and expectations are increasing when reviewing ethics and compliance programs
  • DOJ/SEC consider level of commitment regarding the E&C program
  • Executive management and cultural commitment examined
  • Internal controls are key when evaluating fines and penalties
  • E&C programs must be re-examined, re-trained, tested
  • Dedicated oversight regarding changing regulatory status globally

Risk Management

  • Dig deep into backgrounds of employees and reputation of third party vendors
  • Conduct thorough due diligence prior to entering contracts, joint ventures and other foreign transactions
  • Ensure segregation of responsibilities
  • Implementation of financial and internal controls
  • Conduct periodic ethics training of employees and third party providers
  • Develop, distribute and promote a financial and operational code of conduct
  • Perform a risk assessment and ensure to do follow-ups
  • Be vigilant – avoid complacency
  • Outsource routine activities
  • Remain aware of lifestyle changes of employees
  • Ensure a culture of integrity and transparency
  • Be aware of political connections of third party vendors
  • Verify truth about potentially damaging rumors
  • Be aware of exposure to corruption via local relevant regulations
  • Re-examine compliance procedures in all major areas of concern
  • Ensure customized local codes of conducts and policies are distributed
  • Ensure North American management is aware of potential flags when initiating investigation

Summary

  • Fluid regulatory environment requires diligence for North American organizations conducting business globally
  • Ensure E&C program is re-examined annually to meet any changing regulatory requirements
  • Train, retrain employees on consent, protocols and local regulations
  • Encourage and nurture a culture of integrity and expectation of behaviours
  • Establish rules of conduct if an incident does occur
  • Ensure all information is documented in one case management system immediately and that all pertinent information is stored and disposed of according to the regulations of the local authority

Grab your free copy of our eBook 7 Reasons to Implement a Whistleblower Hotline!

eBook: 7 Reasons to Implement a Whistleblower Hotline