4 Compliance Priorities That Are Driving the Need for Enhanced Due Diligence
Compliance professionals are no strangers to the evolving regulatory and political landscapes that frame their work. Remaining vigilant of new and developing priorities and understanding how they fit into a due diligence program is essential to mitigating risk. However, keeping up with the most pressing and relevant trends and effectively addressing them through due diligence can prove to be a challenging endeavor for even seasoned professionals.
As the landscape becomes increasingly complex, enhanced due diligence comes into sharper focus as a key factor in making educated business decisions that also meet regulatory and compliance requirements. In this blog, we’ll discuss four key priorities that every organization should consider and how they promote the growing need for enhanced due diligence.
1. Don’t Count ESG Out in 2023
Driven by both stakeholder and regulatory demands, ESG considerations have become an organizational imperative. Companies are not only placing a greater focus on engaging in sustainable and ethical business practices but also revamping company processes and culture to align with their ESG initiatives.
ESG is steadily becoming a core pillar of business operations for companies in numerous industries. As ESG becomes more ingrained into businesses, organizations worldwide will need to factor this evolving compliance priority into their due diligence processes. For example, on a global scale, calls for mandatory human rights and environmental due diligence legislation (HREDD) have grown steadily louder, resulting in an array of established or draft laws aimed at making HREDD a reality to which organizations will need to adapt. Let’s take a look at how ESG priorities are creating an amplified need for enhanced due diligence.
For numerous organizations, creating a “culture of compliance” has been a major initiative in reshaping company culture. Others are taking it one step further and establishing ESG as a core pillar of both their company’s operations and culture. Those that have prioritized ESG are increasing their focus on social inclusivity in the workplace, as well as avoiding the negative implications associated with toxicity in their environment.
As companies revamp their cultures and reframe them around ESG, the strategic use of background checks and social media due diligence will play a crucial role in ensuring goals are met. During the hiring process for executive or high-profile candidates who will shape the company’s culture, businesses should investigate a potential hire’s background to identify any red flags that may indicate past resistance or negativity toward environmental or social actions.
The same approach can be taken for third-party relationships and M&A deals. Businesses should utilize enhanced due diligence to investigate past actions of other companies to discern whether their actions align with current ESG priorities. Prioritizing deals and business relationships that reinforce a company’s ESG commitments can further solidify company culture.
Underscoring a major factor in compliance risk, US-China supply chain risk management challenges were framed by the passage of the Uyghur Forced Labor Prevention Act (UFLPA) in December 2021. The Act, based on a bipartisan bill, bans imports from China’s Xinjiang Uyghur Autonomous Region (XUAR) unless the importer can prove they were not made using forced labor. The UFLPA sets a substantially higher bar that directly impacts the import of all products derived from goods and services in the region.
While it isn’t the first US act of its kind, the UFLPA is by far the most sweeping regulation aimed at China that has been issued by the US. It grew out of reports that the Chinese government has, since at least 2017, arbitrarily detained as many as 1.8 million Uyghurs, Kazakhs, Kyrgyz, and members of other Muslim minority groups in a system of extrajudicial mass internment camps, formal prisons, and detention centers, and has subjected detainees to forced labor, torture, political indoctrination, and other severe human rights abuses.
The fact that the standards and regulatory scope common in Western jurisdictions are far from the realities in China prompted the response from the US. Fund managers, for example, have been accused of inadvertently investing in companies that may be involved in repressing ethnic Uyghurs. China’s growth offers the hope of big returns. But when it comes to ESG ratings, Chinese companies rank below most emerging markets.
There are signs, however, that an ESG reckoning is looming for Chinese companies and those investing in them. In October, Morningstar downgraded three Chinese tech giants on its watchlist — Tencent, Weibo, and Baidu — to the category of “non-compliant with UN principles.”
The Uyghur issue alone has created a major rift between the US and other Western governments. That and human rights problems generally will make China a hotspot for compliance professionals navigating supply chain challenges in 2023.
Around the world, other jurisdictions are expected to introduce their own human rights-centered legislation or expand upon existing rules and regulations. The EU’s draft Corporate Sustainability Due Diligence Directive is a proposed blueprint for a mandatory HREDD standard among member states. Meanwhile, countries such as France, Germany, and Norway have enacted their own mandatory HREDD legislation.
Developments remain less concrete in the UK, where numerous companies, investors, and business associations have called for the government to establish its own HREDD legislation, which would extend beyond the existing Modern Slavery Act. However, the UK government has not signaled any intention of conforming to the EU’s roadmap for mandatory HREDD regulations. For compliance professionals operating in cross-border arenas, keeping abreast of the shifting checkerboard of due diligence regulations will be essential.
In Germany, the “Act on Corporate Due Diligence in Supply Chains” came into force on January 1, 2023. This new law, which holds companies accountable for due diligence throughout their supply chains, is a good start but should be strengthened, according to some critics who are proponents of stiffer international and EU standards. The Act calls for large companies to assume responsibility for identifying risks of human rights violations and environmental destruction at direct suppliers and, if necessary, also at indirect suppliers. It currently applies to German companies with at least 3,000 employees but may be expanded to include those with a minimum of 1,000 employees.
Norway’s Transparency Act, passed in June 2021, requires companies to conduct human rights due diligence assessments on their own operations as well as their entire supply chain. With a view to identifying and remedying any human rights violations, the law applies to companies that are registered or selling in Norway and meet two out of three criteria: at least 50 full-time employees, an annual turnover of at least NOK 70 million (EUR€6.9 million or US$7.94 million), and a balance sheet sum of at least NOK 35 million (EUR€3.5 million, or US$3.97 million).
In January 2022, new due diligence and reporting obligations were introduced to the Swiss Code of Obligations and are effective for financial year 2023. These new “ESG requirements” are aimed to strengthen reporting and provide more prescriptive guidance on due diligence activities that select Swiss companies should be employing.
It is anticipated that Canada’s bill on human rights due diligence, S-211, may pass as early as March 2023, “according to the office of Sen. Julie Miville-Dechêne, the lawmaker who sponsored the legislation.” However, while the bill is a positive step towards combating human rights abuses, there are concerns it does not do enough to mandate or outline specific due diligence activities in which companies should participate.
Among regulations that are likely to be strengthened in the near future is the Duty of Vigilance law. Compliance professionals with business matters in France need to be well-versed in that country’s Duty of Vigilance law, passed in 2017, which firmly places the onus of due diligence duty on large French companies, requiring them to publish an annual “vigilance plan.” The law applies to French companies with more than 5,000 employees in the company’s direct or indirect France-based subsidiaries, or with more than 10,000 employees when direct and indirect subsidiaries worldwide are included.
In creating a vigilance plan, compliance staff must describe specific measures that are in place to identify risks and ensure that the company’s activities – as well as the activities of subsidiaries, subcontractors, and suppliers – are not impacting human rights or the environment as a result of their actions.
Finally, the long trail of oversight, negligence, and careless attention to working conditions in distant regions has made clear the essential importance of cultivating a company culture that promotes not only awareness of business ethics on a broad scale, but also the embrace of social inclusiveness and sustaining corporate values.
In the United States, the Department of Justice (DOJ) is expected to continue to step up enforcement in 2023. This comes in light of additional revisions to the so-called Monaco Memo, and signals that the DOJ intends to expand its focus on corporate criminal enforcement. Enterprises that run afoul of or ignore the DOJ’s published guidance – particularly if they have done so in the past – can expect far-reaching sanctions and swift enforcement action.
Released in 2021, Deputy Attorney General Lisa Monaco’s memo sets certain expectations on companies to identify, to prosecutors, individuals connected with corporate misconduct. Despite its good intentions, the Monaco Memo has received a mixed reception. Compliance professionals will need to take steps to ensure they are in full compliance with DOJ directives in 2023 and beyond.
Concurrent with developments at the DOJ, the Securities and Exchange Commission (SEC) saw an unprecedented wave of whistleblower reports and tips in 2022. The agency is paving the way to take on a higher volume of cases with expanded examination and enforcement efforts, requesting increased budgets and headcount as part of this new priority.
The SEC’s requested budget for fiscal year 2023 includes an increase of eight percent over 2022, driven largely by the addition of 125 new positions intended to enhance enforcement. This comes after an announcement in the spring that the agency was adding 20 positions to the Division of Enforcement’s Crypto Assets and Cyber Unit.
Cryptocurrency’s time in the spotlight will continue in 2023, as notable increases in fraud, scams, and other illicit activities have highlighted key, recent challenges for regulators. The collapse of cryptocurrency exchange and hedge fund FTX has not only underscored regulatory challenges related to digital assets, but also spurred regulators in multiple jurisdictions into action.
The European Union has been one of the more aggressive jurisdictions when it comes to comprehensive regulation of cryptocurrency markets. The Markets in Crypto-Assets (MiCA) regulation was approved by the European Council in October 2022 and is expected to be a framework for outlining uniform requirements for crypto assets. Regulators in the UK are expected to consider new laws and regulations as officials voice their concerns on “the next FTX-style collapse.” Sir Jon Cunliffe, deputy governor of the Bank of England, has been among those demanding that regulators prioritize consumer protections through cryptocurrency legislation. The Telegraph has reported that Cunliffe said Britain should “continue to bring these activities and entities within regulation.”
The Japanese government also has taken a strong position on the regulation of cryptocurrency and urged other global leaders to do the same. Mamoru Yanase, deputy director-general of the Financial Services Agency’s Strategy Development and Management Bureau, believes there should be stricter rules in place for digital assets, and that crypto should be regulated and supervised in the same manner as traditional financial institutions. Following Japan’s lead, German financial watchdogs, including BaFin, have also called for greater global efforts in terms of cryptocurrency regulation.
In the US, President Biden has been careful to balance priorities when it comes to cryptocurrency, aiming to develop legislation that combats illegal uses of cryptocurrencies, but does not stifle the growth of digital assets. During this time, the SEC has been no stranger to leading the charge in cryptocurrency-related enforcements — two of which came early in 2023.
Outside of the SEC, other US government agencies are stepping up oversight to specifically address illicit activities in the digital asset realm. Recently, Republican lawmakers announced the creation of a new subcommittee that will oversee the crypto and fintech industries, called the Subcommittee on Digital Assets, Financial Technology, and Inclusion.
The complexities that characterize today’s unpredictable business world impose unprecedented demands on due diligence professionals everywhere. Machine learning and artificial intelligence (AI) have emerged as valuable tools for helping to meet these demands.
Making use of computational analyses, however, requires going beyond aggregating and sorting data. The sheer analytical power that makes machine learning and AI such formidable tools has simultaneously elevated the human factor in generating outcomes. In order to realize the full benefits of technology within the due diligence space, compliance teams must learn to strike a balance between the use of AI and human analysis and involvement.
Turning data into specific actions calls for the added dimension of human intelligence. Re-assessing context, responding to intuition, applying nuanced interpretations, addressing the occasional “accidental” insights – these all play a central role in formulating actionable guidance and recommendations that businesses can put to work.
While AI and other automated processes can add value to the execution of due diligence, they cannot replace human intelligence. There is a growing realization that human analysis remains the key driver of quality in enhanced due diligence work. These emerging solutions and features should be seen as tools to streamline or supplement due diligence processes, not overtake them.
4. Data Security & Privacy Are Key in M&A and Investment Due Diligence
World economies may be stalled for now, but the galloping expansion of data and, with it, security and privacy concerns, shows no sign of slowing down in 2023. Ensuring data privacy and protection today constitutes one of the biggest challenges organizations face. As a result, there is more need than ever for business professionals to deploy powerful, extensible security technologies and strategies that meet these challenges, especially in the arenas of M&A and investments. In these areas, standard due diligence is often not enough; enhanced due diligence is necessary to ensure evolving regulatory requirements are met and risks are promptly addressed.
Statistics on the growth of data storage suggest that public and private cloud infrastructure combined will comprise more than 200 zettabytes (ZB) of data by 2025. (One zettabyte is equivalent to roughly one trillion gigabytes.) That amount of data would top 2019’s 4.4ZB and 2020’s 44ZB. The potential for expanding cybercrime is sobering.
With ever-increasing amounts of data available, there are special considerations that need to be made when engaging in new investments or deals. For example, acquiring a company that has not complied with relevant data privacy laws, such as the General Data Protection Regulation (GDPR), can create enormous risks and problems for the buyer. These risks can include public backlash for inadequate data practices, enforcements and fines from regulatory agencies, potential vulnerabilities that can be exploited by bad actors, and data breaches.
Reputational damage, regulatory penalties, and the average cost of a data breach (estimated at more than $3 million in the US, according to research by IBM and Ponemon) are enough to destabilize the most well-disciplined business. Companies in the EU that experience a material breach of customer data due to insufficient data security controls face penalties that can reach as high as four percent of adjusted gross revenue or €20 million, whichever is greater.
The soaring popularity of mobile apps — including WhatsApp, Facebook Messenger, Snapchat, Telegram, Signal, and iMessage — has spawned recent SEC investigations of broker-dealers for violating regulations covering the use of personal messaging devices, resulting in more than USD 1.8 billion in fines to 16 financial institutions.
The agency’s scope has since broadened to include investment funds and advisers. The message here is clear: compliance professionals must be certain their firms are strictly adhering to SEC guidelines on messaging apps.
Meanwhile, in Asia, China has introduced several significant data protection laws with important potential ramifications for companies doing business there. Chief among these are the Data Security Law (DSL), which became effective in September of 2021, and the Personal Information Protection Law (PIPL), which came into force in November of 2021. The PIPL has raised the bar significantly for personal information protection in China.
Not unlike other regions, a key component of compliance with these Chinese laws is the requirement of consent as the principal basis for data collection and handling. The laws constitute a comprehensive regulatory framework, with provisions for extraterritorial reach, the restriction of cross-border data transfers, and significant revenue-based fines for non-compliance.
Ongoing implementation of regulations and guidance concerning the PIPL, the DSL and other data protection laws can be counted on. Companies with operations in China, including banking-related and asset management firms, will want to prioritize keeping up with regulatory developments to conduct enhanced due diligence and maintain compliance with these evolving policies.
Regulations, enforcements, and political situations won’t stay the same, and neither should your due diligence requirements. Keeping pace with rapidly changing landscapes in cryptocurrency, data privacy, and human rights, among other areas, requires global context and actionable insights that contribute to a well-informed due diligence strategy.
IntegrityRisk can provide organizations with risk management services tailored to businesses of all kinds that address the array of existing regulations and help them prepare for regulations that may materialize in the coming year. To learn more about keeping up with the due diligence landscape in 2023, contact the experts at Integrity Risk International.