As we move into this new year, there are numerous risk management hot spots pulsing on the radar screens of risk and compliance professionals. Some are familiar, while others are just emerging. With uncertainty due to the pandemic persisting into a third year, key vulnerabilities that will require vigilant responses in 2022 range from intensifying focus on human rights, third-party risk management and ESG challenges related to crypto and cyber, as well as geopolitical pressures in Europe and Asia.
In the US, new federal activities on the risk and compliance front have been announced by the Department of Justice (DOJ) and the Securities & Exchange Commission (SEC). All of which redraws risk management strategies that can best serve the needs of risk and compliance professionals in 2022.
Americas – Domestic Oversight on Forced Labor Is Expanding
The current administration in Washington is demonstrating an appetite for challenging how businesses manage their supply chains and the degree of corporate reporting accountability that company leadership can be held to.
In late December, President Biden signed into law the Uyghur Forced Labor Prevention Act, a bipartisan bill that bans imports from China’s Xinjiang region unless the importer can prove the goods were not made with forced labor. The legislation applies to “all goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part” in Xinjiang, a sprawling region in China’s far west where, beginning in 2017, the Chinese government has carried out a mass “reeducation” campaign against Uyghurs and members of other ethnic groups.
Numerous independent sources estimate that more than one million people in Xinjiang have been detained in camps, with some released, some transferred to prison and others pressured to work in factories. In its annual human rights report released in March, the Biden administration declared China’s treatment of the Uyghurs a genocide, formalizing its dire assessment of Beijing’s campaign of mass detention and sterilization of minority groups in Xinjiang.
Under the 1930 Tariff Act, it is illegal to import into the US any goods made in whole or in part by forced labor. The new law prohibits all imports from Xinjiang “unless US Customs and Border Protection certifies by clear and convincing evidence that goods were not produced with forced labor.”
In Latin America, a November 2021 Washington Post article about child labor in the Brazilian acai industry underscores the need for companies to develop compliance programs that identify and mitigate possible child labor in their supply chains. The article focuses on acai berries sourced from two regions in Brazil that are allegedly harvested from child labor and then exported from Brazil to various countries, including the US.
Acai harvesting as “one of the most dangerous jobs in Brazil” in which young children may climb trees that are up to 65 feet tall. Child labor in the acai industry is being investigated by both US and Brazilian authorities and is likely to be followed by other examinations into child labor practices in Brazil and elsewhere.
Intelligence Collection Is Accelerating
Concurrently, the administration in Washington is enacting a first-ever Strategy on Countering Corruption to increase intelligence collection and diplomatic measures where violations occur. The new plan, a first in the US, lays out a comprehensive approach for how the US will work domestically and internationally, with governmental and non-governmental partners, to prevent, limit, and respond to corruption and related crimes.
The Strategy on Countering Corruption places special emphasis on the transnational dimensions of the challenges posed by corruption, including by recognizing ways in which corrupt actors have exploited the US financial system and other rule-of-law based systems to launder their gains. The added burden of verification will present corporates with added pressure to Know-Your-Customer practices.
Due Diligence in the Spotlight
The US government is also raising the bar on scrutiny of corporate behavior by the federal government. In December, the DOJ and SEC issued an unusual joint warning addressing the continued importance of third-party risk management, particularly involving due diligence questionnaires and compliance certifications, two risk management tools that have become ubiquitous since passage of the Foreign Corrupt Practices Act (FCPA). Both tools are brief and relatively non-intrusive, easy to administer and evaluate, and cost virtually nothing.
While practical and largely effective, both tools have a crucial underlying flaw: They are self-certified. The third party alone provides the responses. In many cases, most of those responses are truthful and verifiable. But in some cases, responses are unreliable.
The specific warning about due diligence questionnaires and compliance representations issued by DOJ and SEC reads: “Relying on due diligence questionnaires and anti-corruption representations is insufficient, particularly when the risks are readily apparent.”
While it stopped short of describing potential charges against compliance officers and executive management, the message is clear: businesses need to press for an accurate picture of their third-party compliance exposure or risk drawing federal scrutiny at some level.
ESG and Geopolitical Disruptions Key Areas of Focus
In the last decade, there has been an unprecedented shift in investor focus on ESG-related risks and corporate decision-making. Now more than ever, investors are demanding disclosures on ESG-related issues, and the SEC in the US and regulatory agencies around the globe – especially in the European Union – have responded accordingly. The implications for risk management professionals are clear.
On 21 April 2021, the European Commission published a proposal for a Corporate Sustainability Reporting Directive (CSRD), which will amend the existing Non-Financial Reporting Directive (NFRD). The revised directive will support the European Green Deal, a set of policy measures intended to combat the climate crisis by transforming the EU into a modern, resource-efficient, and competitive economy, with no net emissions of greenhouse gases by 2050.
The CSRD is part of the bigger Sustainable Finance package, which enables the Green Deal by helping to channel private investment behind the transition to a climate-neutral economy. The Sustainable Finance package, in turn, includes the EU taxonomy (with the Climate Delegated Act), which provides clarification around the economic activities that contribute most to meeting the EU’s environmental objectives. The package includes six amending Delegated Acts, which will ensure that financial firms include sustainability in their procedures and investment advice to clients.
Meanwhile, in early March 2021, the Securities and Exchange Commission’s (SEC) Division of Examinations announced its Examination Priorities for 2021, which included an enhanced focus on climate-related risks. Within 24 hours, the SEC announced the creation of a twenty-two-member Climate and Environmental, Social, and Governance (ESG) Task Force in the Division of Enforcement, charged with identifying ESG-related misconduct. The task force will also coordinate the effective use of SEC resources, including using sophisticated data analysis to mine and assess information across registrants, to identify potential violations.
Subsequently, on April 9, 2021, the Division issued a Risk Alert, identifying certain observations of deficiencies and internal control weaknesses from examinations of investment advisers and funds regarding ESG investing, as well as observations of effective practices from such examinations.
Within the larger initiative, the Biden administration will bring increased scrutiny to company and personal liability at the CEO level as well as third-party supply chain risks in China.
Regardless of whether a standardized disclosure framework is implemented, the SEC expects to see investment advisers and advisers to private funds provide accurate disclosures of ESG investing strategies and adopt and implement policies, procedures, and practices that are consistent with their ESG-related disclosures. As a result, companies can expect that during ESG-related examinations, SEC staff will focus on several key points, including:
- Whether an adviser’s ESG-related practices comply with the adviser’s written policies, procedures, and disclosures regarding ESG investing approaches
- Whether the adviser’s public ESG-related proxy voting claims are consistent with internal ESG disclosures and marketing materials
- Scrutiny of an adviser’s regulatory filings and marketing materials, including things such as performance advertising, reports to sponsors of global ESG frameworks, client presentations and responses to due diligence questionnaires
The SEC steps echo similar moves under the EU’s CSRD initiative. The Directive will address a number of items, including:
- Widening the mandate to apply to more entities, focusing on nearly all companies listed on the EU regulated markets, with extended ramp-up for small and mid-size businesses.
- It will apply to EU companies or EU subsidiaries of a non-EU company; they comprise a “large undertaking.” The designation applies to an entity that meets two of the following three criteria: a net turnover of more than €40 million; balance sheet assets greater than €20 million; more than 250 employees.
- The CSRD will apply to insurance undertakings and credit institutions regardless of their legal form.
Geopolitical tensions, meanwhile, are adding to uncertainty around compliance, particularly in the human rights arena. Conflict between Russia and Ukraine and China’s attempts to expand its sphere of influence beyond its immediate borders continue to cloud the outlook in political and economic terms.
The possibility of military and political disruptions in Eastern Europe, among other places, is expected to have some impact on governance and compliance developments already underway in Europe. If Russia were to invade Ukraine, it would present risk management challenges for companies in neighboring countries in Europe and even for businesses with operations or major investments in China (or even Hong Kong).
Even prior to Russia-Ukraine tensions, the EU in March 2021 had approved an outline proposal with the goal of formulating a systemic approach to responsible and sustainable business and human rights practices in EU supply chains. The EU Directive on Mandatory Human Rights, Environmental and Good Governance Due Diligence is expected to be approved this year, at which point EU member states will be given time to include it in their national legislation. The Directive will likely become operational in 2023 at the earliest. The Directive is expected to apply to large companies, publicly listed or high-risk SMEs, and companies providing financial services and products.
The COVID-19 Factor
A chief characteristic of third-party risk management, which is dynamic, nimble responses to potential red flags, will continue to be complicated by the persistent COVID-19 pandemic in 2022. The Omicron variant has now spread around the world and, in many regions, has brought about revamped restrictions, leaving their mark on compliance and risk management.
Travel restrictions, nationwide lockdowns and worldwide instability have resulted in complex supply chain disruptions that highlight multiple underlying risk factors between business relationships. Some business impacts have subsided due to increased adoption of COVID-19 vaccines. But with the Omicron variant now being connected to an increase in infections, it’s clear we are not out of the woods yet.
Cryptocurrencies and Cybersecurity
The meteoric rise of cryptocurrencies and advent of decentralized finance, or DeFi, has caught governments and the private sector out of position on regulatory, law-enforcement and corporate oversight. The gulf between crypto as an actively traded global currency and appropriate levels of regulatory coverage is, justifiably, a rapidly growing area of concern.
Directly related is the threat to third-party supply chain risk management posed by so-called “big-game ransomware.” Crypto’s asymmetrical advantage is periodically thrust into public view every time a major financial breach or ransomware attack comes along with a demand for ransom to be paid in crypto.
Over a period of just 18 months during late 2020 and into 2021, global companies saw an unprecedented number of cybersecurity compromises that placed US critical-infrastructure businesses on notice:
- SolarWinds. Thousands of companies were exposed via a software supply chain attack which could allow foreign adversaries back-door access into critical infrastructure.
- Colonial Pipeline. A ransomware attack that caused a shutdown of oil and gas operation in the southeastern portion of the US.
- JBS Foods. Plants were forced to shut down due to a ransomware attack which impacted beef production.
- Kaseya. Software supply chain attack that targeted managed service providers, exposing hundreds of businesses to unauthorized access and exfiltration of sensitive information.
- Invenergy. Ransomware exploit directed at a non-grid related system but executed by the same threat organization that targeted Kaseya and Colonial.
The hack of Colonial Pipeline alone, in which ransom was paid in Bitcoin, demonstrated once again the potential for lethal scenarios involving U.S. critical infrastructure, and the pressures being brought to bear on cryptocurrency risk management resources.
The US State Department recently announced its Rewards for Justice program, aimed at snagging actionable information on foreign malicious cyber activity against the U.S. The program is offering bounties up to $10 million for information leading to the identification or location of anyone participating in ransomware attacks against critical US infrastructure at the direction or under the control of a foreign government.
In addition, we expect to see new and expanded regulations covering the crypto space. The financial services sector will be monitoring closely and will need to move quickly in adapting internal compliance policies and procedures to this complex area.
A Range of Challenges and the Tools to Meet Them
The year promises to be another year of tests for compliance professionals. As challenging as risk management and compliance was in 2021, a host of issues, from third-party supply chain exposure to a pandemic that shows no signs of disappearing soon to geopolitical tensions, make 2022 even more daunting.
A significant ramp-up in oversight coming out of the US and EU in particular will influence the risk-management landscape in new ways for compliance professionals. The ultimate effectiveness of risk management and compliance measures across the board this year will be tested in the face of a sweeping array of threats. Only time will tell how well the industry will learn and adapt.
Allow our experts in pan-geographical regulatory compliance trends to help make due diligence compliance much easier. To get started, contact us today.