(?.12 ’20B?6AF ˜

1 Trade Security Journal Issue 6

trade securityJournal

new anti-corruption legislation to impact corporates in ireland

talking trade security with the founder of China Labor Watch

How to address human rights risks in supply chains: new research

a guide to us data protection

understanding india’s offset policy Issue 9. September 2018

KYC: aproCess ripe forautomation


IN THIS ISSUE

3 neWs round-upCalifornia’s data privacyclampdown: what itmeans for businesses

India’s corruption law a‘game-changer’

G20 aims for Octoberdeadline on crypto anti-money launderingstandard

Uber appoints first dataprotection and privacychiefs

Singapore data breachhits 1.5m victims

EU-Japan deal ‘goesbeyond trade’ to includereciprocal dataprotection

Ireland, Greece andRomania face fines forAML failings

UK to adopt fifth EUanti-money launderingdirective in advance ofBREXIT

Facebook and Googleurged not to complywith ‘troubling’ Vietnamcybersecurity law

Cyber-crime a growingthreat to UK law firms,report warns

9 data priVaCYFive questions youshould ask aboutBahrain’s new dataprotection law

10 fraudEU final guidelines onfraud reporting underthe Payment ServicesDirective

11 LegaL priViLegeCommon sense prevailsin the UK’s battle overlegal professionalprivilege

17 Human rigHtsHow to address humanrights risks in supplychains: new research oncurrent practices

21 anti-CorruptionNew anti-corruptionlegislation to impactcorporates operating inIreland

23 teCHnoLogYKYC: a process ripe forautomation

31 anti-CorruptionSecond Circuit CurbsFCPA application tosome foreignparticipants in bribery

34 nationaL seCuritY Understanding India’soffset policy

38 nationaL seCuritYTightening the screws onFDIs: The Leifeld caseand projecteddevelopments in foreigndirect investments inGermany

As we head into deep summer,there is (if this latest iteration ofthe Trade Security Journal is to bebelieved) no letting up in theworld of compliance. These pagesreveal that regulation andenforcement remain vigorouslypromulgated and enforced (if notalways and everywhere with thesame energy, conviction orcapacity) – and that new frontiersof technology create their ownchallenges.

All readers will be aware ofthe growing focus on humanrights issues attached to supplychains. In this and recent issues,we can see that this is a trulyglobal development.

Meanwhile, Gil Rosen’s articleon Israel’s data protection regimeis a reminder that while there arefew in the world who aren’tGDPR-aware, other jurisdictionsalso possess laws that must berespected and articles fromCanada and Russia and the UKprove – if proof was ever needed– that CFIUS isn’t the onlynational security regime in play…

BREXIT, elusive though it maybe, is everywhere at the moment.But as our interviewee CarolineBarraclough explains, it has putwider supply chain issues in thelimelight in a way that theyhaven’t hitherto enjoyed. Giventheir increasingly mind-bogglingcomplexity, that, perhaps is atleast one good thing to haveemerged from the triggering ofArticle 50?

Tom Blass

July 2018

A guide to US data protection

27

TSJ meets Li Qiang, founder ofChina Labor Watch

12

issue 9, septemBer 2018 from tHe editor

� ��

�&��)&�(+$)&#�!

��*��#(��$&&)%(�$#�!��'!�(�$#�($��"%��(��$&%$&�(�'��#�&�!�#�

��! �#��(&��'��)&�(+�*�(��(��$)#��&�$��#��$&��(��

�$*�($��&�''��)"�#�&��('�&�' '��#�')%%!+��#'��#�*�&�'��&��

��)��($��(��%&$(��(�$#

�#��&'(�#��#��#��,'�$-'�(�%$!��+��

��

Cover

illu

str

ation b

y M

eSam

ong


NEWS ROUND-UP

Earlier this summer, California’slawmakers unanimously passed abill on data privacy – the first of itskind in the United States –affording residents of the stateunprecedented control over theway that third parties can use theirpersonal information (see TradeSecurity Journal issue 8).

The Consumer Privacy Act(also known as AB 375) stipulatesthat:

l Californians may opt out of thesale of their data and requestdeletion from informationbases.

l Data cannot be taken fromminors (age 13-16) without theirexplicit consent, or the consentof their parents (under 13).

l Businesses must disclose, uponrequest, how consumer data isbeing used.

The law – dubbed ‘GDPR-lite’by some – has already invitedbacklash from tech giants, despitebeing more than 12 months awayfrom implementation.

The inability to see exactly whois accessing data, and for whatreasons are all causes for concernfor big business, while newdisclosure requirements and thethreat of penalties fornoncompliance introduce a streamof new responsibilities andlimitations.

Despited being outwardlysupportive of consumer rights onthe surface, a number of well-known tech companies areunderstood to have helped fundopposition to the bill.

The law will have less of animpact on smaller businesses. AB375 will only apply to ‘any

business that earns $25 million inrevenue per year, sells 50,000consumer records per year, orderives 50 percent of its annualrevenue from selling personalinformation.’ However, SMEs arestill advised to review theirinformation security and dataprocessing measures.

In a blog post, lawyersCourtney Bowman and KristenMathews at the law firmProskauer, say the law ‘has thepotential to change the privacy lawlandscape in the U.S. – not justCalifornia…The law’s protectionof California-based “consumers”means that many companies, eventhose based outside California andeven outside the U.S., will besubject to its requirements.Businesses will incur significantcompliance costs in order toupdate procedures, policies andWeb sites in accordance with thenew law. Additionally, the Act’sgrant of a private right of actionmeans that companies will have toanticipate a possible flood ofconsumer-driven litigation.’ n

California’s data privacy clampdown: what itmeans for businesses

The law – dubbed ‘GDPR-lite’ by some – ‘has the potential to change the

privacy law landscape in the U.S. – not just California.’

SHUTTERSTO

CK.C

OM

In July this year, India’s parliamentpassed new anti-corruptionlegislation which campaigners sayis possibly a ‘game-changer’ in thefight against graft. The Preventionof Corruption (Amendment) Act2018 has been some time in coming– the amendments having firstbeen introduced in 2013.

The original act is almost threedecades old but has long been inneed of a revamp to reflect globaldevelopments, say lawyers.

Anay Banhatti, a partner at theMumbai office of Economic LawsPractice, told TSJ that India hadcommitted to changing thelegislation in the light of itscommitments under internationalconventions. ‘The most importantchange,’ said Banhatti, ‘is thatunder the new legislation thecompany has committed anoffence where anyone within theorganisation or associated with theorganisation is proven to havegiven a bribe – so that places it on

the same footing as the UK BriberyAct – creating a kind of vicariousliability of the company for theaction of its employees and of thoseassociated with the company(including its subsidiaries andagents). Now the onus is on allcommercial organisations to haveanti-corruption complianceprocedures in place.’

Prior to the legislation’samendment, he said, the law hadbeen focused on punishing bribe-takers, not givers. ‘Someone givinga bribe was not specifically orexplicitly covered in the offence,which was really targeted atgovernment officials, althoughbribe givers could be charged withaiding and abetting…’

India scores poorly inTransparency International’sCorruption Perception index –atnumber 81 among 180 of thecountries rated. Nonetheless, saysBanhatti, attitudes are changing,albeit slowly. ‘Our firm holds

training sessions, and people aresurprised at the strength of the law.Enforcement levels are strongerthan they have been in the past,when corruption was considered acost of doing business.’

Banhatti said that a series ofscandals in the past decade –including a case which saw thegovernment undercharging mobilephone companies for frequencyallocation licences – has beenbehind the change. ‘That mattersaw the courts directing the CBI(Central Bureau of Investigation)

and others to investigate seniorpoliticians and big companies andhas set the tone.’

As the legislation, thoughpassed, is yet to come into force,the response from businesses inthe country has been varied. ‘Wespeak to a lot of companies,’ saidBanhatti, ‘and it’s clear that atsenior levels [management] isuncertain as to how the new lawwill be enforced or if put in place.

‘Some companies, particularlyinternational companies, haveformal anti-corruption plans inplace because they’re alreadyregulated under the FCPA andUKBA. Indian companies –without such documented systems– are more worried, and this willmean a big shift in corporateculture for them.’

According to Banhatti, nationalresources and the purchase ofdefence equipment are likely to beparticularly in the sights ofinvestigators. n

India’s corruption law a ‘game-changer’


NEWS ROUND-UP

G20 member countries are toreview the global anti-moneylaundering standard on crypto -currency by no later than October,according to a G20 statement.

Finance ministers and centralbank governors from theorganisation hosted a meeting inArgentina on 22 July, resulting ina deadline for the Financial ActionTask Force (‘FATF’) to explain howits current AML standards willapply to crypto transactions.

Clarifications were originallyasked for by March, as a result ofG20’s aim to enforce globalregulations on the subject.

The statement recognises thegrowing benefits of crypto-assets.However, it warns that they cancause problems regarding terroristfinancing, tax evasion, and money

laundering. The risks posed arenot significant, the FinancialSecurity Board (‘FSB’) assures, buttransactions require ‘vigilant’

surveillance. G20 continues to actagainst money laundering, withthe expectation that FATF willprovide insight promptly.

The challenge regulatoryauthorities face withcryptocurrencies is that – sincethey are so new – many existingsecurity laws do not accommodatethem. FATF is already working tocreate binding rules forcryptocurrency exchanges thatcomply with global AMLregulations. Topics such as knowyour customer (‘KYC’) norms areto be raised, along withestablishing licences for sellers.

Regulation will help providecertainty in the cryptocurrencymarket, director of competition atthe Financial Conduct AuthorityMary Starks hopes: ‘We need toask ourselves as regulators whatwe should do so that we are notinhibiting the benefits noroverlooking the risks.’ n

G20 aims for October deadline on cryptoanti-money laundering standard

Because cryptocurrencies are so new, many existing security laws do not

accommodate them.

Between a series of scandals and anupcoming IPO, Uber is continuingto overhaul its approach to privacywith the appointment of two newofficials. Ruby Zefo, former chiefsecurity counsel at Intel, has beenannounced as the first ever chiefprivacy officer at the company.Simon Hania, joining fromTomTom, will take charge of dataprotection.

The changes come as a result ofa turbulent few years for the taxiservice. Following a breach thatexposed the data of 57 million

users in 2016, the US Federal TradeCommission (‘FTC’) called for animproved privacy policy at theHigh-profile allegations of sexualharassment at the companybrought further discomfort, whilethe threat of losing its licence tooperate in London led to thecompany committing to new andimproved governance measures.

Uber is currently managed byDara Khosrowshahi, who says hewishes to ensure that the companyis ‘putting integrity at the core ofevery decision we make’.

Though privacy executiveshave previously worked inindividual departments such asengineering and legal, this is the

first time an expert has been hiredto provide full responsibility.

Zefo, who is also a member ofthe International Association ofPrivacy Professionals (‘IAPP’), willbe based in San Francisco. She willfill ‘a critical global roleresponsible for the developmentand implementation of privacystandards, procedures, andprocesses,’ says Uber’s chief legalofficer. Hania will be based inAmsterdam, the Netherlands,overseeing compliance with theGDPR. n

Uber appoints first data protection and privacy chiefs

A quarter of Singapore’spopulation – including the islandstate’s prime minister – has beenaffected in the island state’s singlelargest data breach to date.

A statement issued by theMinistry of Communications andInformation and the Ministry ofHealth described a ‘deliberate,targeted, and well-planned’ cyber-attack on SingHealth, one ofSingapore’s major healthcareorganisations. ‘It was not the workof casual hackers or criminalgangs. The attackers specifically

and repeatedly targeted PrimeMinister Lee Hsien Loong'spersonal particulars andinformation on his outpatientdispensed medicines.’

The ‘attackers’ were said tohave illegally copied the names,addresses, and outpatientdispensed medicines of 1.5 millionSingaporean residents. Officialsbelieve that an advanced persistentthreat (‘APT’) group – described asan organisation that commitscareful, premeditated cyber attacks– carried out the hack.

Singapore’s data regulationshave been fortified in recent years,the most notable change being theCybersecurity Act 2018. This newlaw calls for the appointment of aCybersecurity Commissioner tooversee the protection of criticalinformation infrastructure (‘CII’) –any information which couldcause harm to the state if wrongly

accessed. Critical services,including energy, aviation, andmedia, as well as healthcare, arerequired by the government tostrengthen their network securityin response to possible attacks.

The Personal Data ProtectionCommission, Singapore’s privacywatchdog, will investigate theattack. n

Singapore data breach hits 1.5m victims

for further information on singapore’s Cybersecurity regime, see:

‘Draft Cybersecurity Bill introduced in Singapore – five key takeaways for your organisation,’Trade Security Journal, issue 3, September 2017


NEWS ROUND-UP

A third of the global economy andabout 600 million people willbenefit from what has been called‘the largest bilateral trade dealever.’ So says the EuropeanCouncil, after council presidentDonald Tusk signed a bilateraleconomic partnership agreementwith Japan’s prime minister ShinzōAbe, which, the European Unionsays, ‘goes beyond trade dealsonly’.

Key elements of the dealinclude:

l Tariffs on more than 90% of theEU’s exports to Japan will beeliminated. Over time around85% of EU agri-food productswill be allowed to enter Japanentirely duty-free.

l Reciprocal data adequacy,meaning that information suchas credit card details andbrowsing habits can beaccessible between Japan andthe EU. Currently, only 12nations are permitted to storeEuropean persons’ informationon their servers. A jointstatement, issued to easeconcern about data safety,maintains that the EU andJapan would adhere to the‘relevant internal procedures’

necessary to ensure ‘the world’slargest area of safe datatransfers’.

In a briefing, lawyers atDebevoise & Plimpton noted: ‘TheEU Commission and Japan’scentral data protection authority –the Personal InformationProtection Commission (“PPC”) –have been discussing a mutualadequacy finding since January2017. Since recent reforms toJapan’s Act on the Protection ofPersonal Information (“APPI”), thedata protection regimes of both theEU – the EU General Data

Protection Regulation (“GDPR”) –and Japan have prohibited, withcertain exceptions, cross-bordertransfers of personal data unlessthe data recipient is located in acountry designated as providingan adequate level of protection.The Commission and the PPC arenow to begin the internalprocedures necessary to formallydesignate the data protectionregimes of the other as adequate –the EU by formal adoption of an“adequacy decision” with regardto Japan, and the PPC bydesignating the EU’s dataprotection system as “equivalent”.’

They predict that the ability tofreely transfer data between the EUand Japan ‘should make businesstransactions within the combinedarea more cost- and time-efficient,bolstering the impact of thereduced and eliminated tariffsagreed to under the trade deal.However, they warned: ‘Until theadequacy decisions are fullyadopted, businesses exporting datafrom Japan to the EU or vice versashould remain vigilant to ensurethat cross-border transfers areconducted with advance consent orin compliance with GDPR- orAPPI-approved mechanisms.’ n

EU-Japan deal ‘goes beyond trade’ toinclude reciprocal data protection

‘The mutual adequacy finding marks the first reciprocal recognition of data privacy equivalency between the EU

and a third country.’

The European Commission hasreferred Ireland, Greece andRomania to the European Court ofJustice ‘for failing to implementthe 4th Anti-Money LaunderingDirective into their national law’.

The Commission has‘proposed that the Court charges alump sum and daily penalties untilthe three countries take thenecessary action.’ It is understoodthat this means that Ireland, whichthe Commission said‘implemented only a very limitedpart of the rules’ faces a €1.7million fine, plus additional dailypenalties.

Věra Jourová, Commissionerfor Justice, Consumers and GenderEquality said: ‘Money launderingand terrorist financing affect theEU as a whole. We cannot afford to

let any EU country be the weakestlink. Money laundered in onecountry can and often will supportcrime in another country. This iswhy we require that all MemberStates take the necessary steps tofight money laundering, andthereby also dry up criminal andterrorist funds. We will continue tofollow implementation of these EUrules by Member States veryclosely and as a matter of priority."

EU Member States had till 26June 2017 to transpose the 4thAnti-Money Laundering Directiveinto national legislation. Thedirective aims to strengthen therisk-assessment obligations ofbanks, lawyers, and accountantsand improve transparency in thebeneficial ownership ofcompanies.

According to The IrishExaminer, a spokesman forIreland’s ‘Justice Minister, CharlieFlanagan, said most of theprovisions of the directive wouldbe transposed by the CriminalJustice Money Laundering andTerrorist Financing Amendment)Bill, which has already passed allstages in the Dáil [lower house ofthe Irish parliament] and is due tocome before the Seanad [upperhouse] after the summer recess,with all required measures due tobe in place before the end of theyear.’

The fourth anti-moneylaundering directive, put into

place in 2017, has since beenreplaced. ‘The fifth addressesissues of tax evasion and fraud,exposing the names of trustbeneficiaries and extendingcustomer verification require -ments, and must be followed by allEU member states by 2020,’ notesthe Commission. ‘These new rulesaim at ensuring a high level ofsafeguards for financial flows fromhigh-risk third countries,enhancing the access of FinancialIntelligence Units to information,creating centralised bank accountregisters, and tackling terroristfinancing risks linked to virtualcurrencies and pre-paid cards.’ n

Ireland, Greece and Romania face fines for AML failings

the Commission’s announcement can be seen at:

http://europa.eu/rapid/press-release_IP-18-4491_en.htm


NEWS ROUND-UP

The UK is likely to enforce an EUlaw that is expected to exposethousands of tax evaders. The fifthanti-money laundering directivecame into effect in the EU early inJuly and EU Member States haveto until 10 January 2020 totranspose it into nationallegislation – a deadline roughlynine months after that currentlyset for the UK to leave the EU.

According to the UK’sDepartment for Business, Energyand Industrial Strategy (‘BEIS’),the fifth directive should beimplemented into nationallegislation shortly. A response tothe Panama Papers investigation,the fifth directive seeks to combatterrorism, corruption, and anti-money laundering. Notableelements include:

l Public registers of companyowners in every EU MemberState;

l Access to the names of bankaccount holders for nationalfinancial intelligence units;

l Access to the names of thebeneficiaries of trusts;

l A right for the government to‘call in’ large transactions thatcause a national security threat.

The law does not apply to the

Channel Islands or to offshorefinancial centres such as Bermudaand the Cayman Islands.However, a Labour Partyamendment to the sanctions andanti-money laundering bill alreadyrequires such territories to declarepublic registers of companyownership.

Brexit does not officially takeplace until next March 2019, andthe UK is required to adhere to allEuropean Union laws until then.Nonetheless, the choice to adoptthe fifth directive outside of the EUwould signal motion towards aninternational clampdown onfinancial secrecy.

‘These proposals will ensurewe have the appropriatesafeguards to protect our nationalsecurity,’ said Greg Clark BEISbusiness secretary, whilst ensuringthe economy stays ‘open to highlevels of foreign investment in thefuture.’ n

UK to adopt fifth EU anti-money launderingdirective in advance of BREXIT

BEIS: ‘These proposals will ensure we have the appropriate safeguards to

protect our national security.’

Miller & Chevalier Chartered . 900 16th Street NW . Washington, DC 20006 . millerchevalier.com

“The firm is absolutely superior. It always provides a rapid response and represents great value for money. In addition, it has a pragmatic outlook that translates to a very business-friendly approach.”

- Chambers and Partners

Business and Human RightsCustoms and Import TradeDefense Trade and National SecurityExport Controls and Economic SanctionsFCPA and International Anti-CorruptionInternal InvestigationsInternational Trade RemediesTrade PolicyWhite Collar Defense


NEWS ROUND-UP

A group of US lawmakers hasurged Facebook and Google not tocomply with Vietnam’s newcybersecurity law amid concernsabout storing users’ personal datawithin the countryand threateninghuman rights.

‘This broad and vaguelyworded law would allow thecommunist authorities to accessprivate data, spy on users, andfurther restrict the limited onlinespeech freedoms enjoyed byVietnamese citizens.’ So wrote 17bipartisan members of the USCongress in a letter to Google CEOSundar Pichai and Facebook chiefMark Zuckerberg. A similar letterfrom senators is expected.

According to the Vietnameseauthorities, the 16th draft of theLaw on Cybersecurity is intendedto combat defamation, protectminors, and uphold cybersecuritystandards within the country.However, there are concernsamong observers regarding certainobligations.

The law would require global

sites to locally store important userdata, as well as opening offices inVietnam. Article 15 outlines illegalcyber activities including ‘anti-state information’ – meaning thatusers could be banned fromexpressing dissent online. Underthe law, offending content must beremoved within 24 hours ofreceiving a request from theMinistry of Public Security.

‘This bill will provide yet one

more weapon for the governmentagainst dissenting voices,’ saidBrad Adams, Asia director ofHuman Rights Watch. ‘It is nocoincidence that it was drafted bythe country’s Ministry of PublicSecurity, notorious for humanrights violations.’

Within Vietnam, there has beensome push back against the lawamid worries that it will impactforeign trade and investment –

vital sources of the country’sincome. However, the head of thecommittee which drafted the lawmaintained that its requests for thesocial media sites were reasonable:‘Placing data centres in Vietnamincreases costs for businesses butis a necessary requirement to meetthe cybersecurity need of thecountry.’

Writing in issue 8 of TradeSecurity Journal, lawyers fromBaker McKenzie noted: ‘The DraftLaw changes the scope of datasubjects from “Vietnamese users”,which includes users withVietnamese nationality only, to“users in Vietnam”, whichincludes all users of anynationality who use serviceswithin Vietnam.

‘In sum, a plain reading of thelaw suggests that the scope of thisrequirement has been broadened,which in effect would mean that itis easier for overseastelecommunications and Internetservice providers to fall within thepurview of this provision.’ n

Facebook and Google urged not to complywith ‘troubling’ Vietnam cybersecurity law

US lawmakers are concerned about the implications of the new legislation.

The United Kingdom’s NationalCyber Security Centre (‘NCSC’)has published its first reporthighlighting the growing cyberthreat to the legal sector. It saysthat due to the nature of theinformation they typically dealwith (sensitive client information,sizeable funds, etc.), law firms arebecoming a prime target for cybercriminals. The frequency of onlineattacks is increasing exponentially,with 60% of firms affected in 2018,compared to 42% in 2014. It’sestimated that £11 million of fundshave been stolen by cybercriminalsfrom firms in the UK in the past 12months.

The report, ‘The cyber threat to

UK legal sector’, was created inconjunction with the Law Societyof England and Wales and othermajor law firms involved inIndustry 100, a scheme developedby the NCSC to enable a widerunderstanding of cyber security.

The report discusses the‘strategic necessity’ of cybercrimeawareness post-GDPR, as well asadvising law firms on the bestways to protect their information.Findings indicate that the primarythreats are phishing, data breaches,and ransomware. ‘The cyber threatapplies to law firms of all sizes andpractice, from sole practitioners,high street and mid-size firms, in-house legal departments up to

international corporate firms,’reads the report.

Despite the warnings, LawSociety president ChristinaBlacklaws sees the report as anopportunity for awareness ratherthan fear. ‘As data controllers, lawfirms handle significant volumes ofconfidential and sensitiveinformation and client monies aspart of their daily work. In thepost-GDPR world and as the sectordelivers and transacts more online,it’s vital that we get a common

view and understanding of cyberthreats and their impact. It’s apositive step to help our membersspot vulnerabilities and putrelevant safeguards andprotections in place,’ she said.

Last year, DLA Piper, one of thelargest law firms in the world, fellvictim to a sustained cyber attackacross multiple offices, leavingphone and IT systems down andits reputation somewhatcompromised as operationsground to a halt. n

Cyber-crime a growing threat to UK law firms, report warns

download 'the cyber threat to uK legal sector' here:

https://www.ncsc.gov.uk/legalthreat

trade security Journal welcomes your newsand comment. Contact the editor [email protected]

preparing for BreXitIn the light of the UK’s intended departurefrom the European Union, it is imperative forEU and UK companies to understand:• New licensing requirements for UK exports

to the EU and vice versa• Implications of Brexit for controlled goods

supply chains and intra-company transfers• Potential for further divergence as EU

export controls evolve

export controls and my company• Where should responsibility for compliance

‘sit’ in your company?• Who should be trained in export controls? • Ensuring export control awareness

company-wide• Record-keeping and preparing for an audit

Case studies presented on the course willexplore situations such as• The classification of goods in different

scenarios• Impact of supplying the same goods to

different markets (assessing need for end-use statements or undertakings)

• Sending equipment for repairs ortemporarily, for marketing purposes

• How US controls apply in the UnitedKingdom/European Union

the training will include break-out, industry-specific sessions for representatives from• Oil/ gas/ energy • Aerospace• Vehicles • Chemical industries• Technology – IT/ encryption

Award-winning Export Controls Consultancystrong & Herd, in association with WorldeCr,the journal of export controls and sanctions,is delighted to present this two-day, in-depthtraining on export controls and creating anInternal Compliance Plan which is practical,fit for purpose, and tailored to yourcompany’s specific needs.

While eminently suitable for those new toexport controls, established professionalswill find it a stimulating refresher – and arare opportunity to share ideas.

The course will cover:

the Basics• An introduction to export controls –

looking at the UK export control system inglobal perspective

• Military Goods and Dual-Use goods – howdo they differ in law? How do I distinguishbetween them?

• Who, in my company, is responsible forcompliance?

• How is the transfer of intangibletechnology controlled and why?

• Record-keeping and technical information

the anatomy of export Controls – anintroduction to• Licensing• End-users, end-user statements and

undertakings • Catch-all• Sanctions

export controls in the united Kingdom• The Export Control Joint Unit (ECJU) – its

role and function• Licensing applications – getting started

with SPIRE• Knowing your OIELS from your OGELs:

distinguishing between types of licenceand their application requirements

Export controls, ICPs and good practice

A 2-day training programme, with Strong & Herd in association with WorldECR

NING...TRAINING..NOVEMBER 15-16..

w Export controls, ICPs and good practice, a 2-day training event, will take place on 15-16 November 2018 at The Strand Palace Hotel, 372 Strand, London WC2R 0JJ

w Attendance costs £945 (+VAT where appropriate) and includes 2 days of training,breakfast, lunch and morning and afternoon refreshments. Special rates are availablefor organisations wishing to send 3 or more delegates.

w For further information or to reserve your place, email [email protected]

outcomes and benefits of attending Attendees of this intensive, two-day training can look forwardto leaving with greater confidence that they understand, andcan apply within their own organisations, key concepts andrequirements of export control compliance, and generate achecklist of best practice requirements relevant to their own

company needs.

All attendees will receive a certificate of attendance.


BULLETINS

the Kingdom of Bahrain has becomethe second country in the GCC toissue a national data protection

law. Organisations operating in Bahrainor processing the personal data ofconsumers from Bahrain should beaware of the new obligations andsanctions in the legislation that willbecome effective in 2019. Here are thefive questions you should be asking tounderstand how the new law will impactyou.

Bahrain’s Personal Data ProtectionLaw No. 30 of 2018 (‘the Law’) has beenpublished in the Official Gazette on 19July 2018. The Law aims to be consistentwith international practices in theprotection of personal data and toenhance the attractiveness of Bahrain toforeign investors by providing a clearframework for processing personal data.It is anticipated to be supplemented byresolutions that are due to be issued by 1February 2019.

Who is affected?The Law will apply to any processing ofpersonal data wholly or partly byautomated means or the manualprocessing of personal data that willform part of an organised filing system.

The Law is stated to apply toindividual residents or workers inBahrain, locally established businessesand any businesses outside Bahrain thatprocess personal data ‘by meansavailable within the Kingdom’ other thanfor purely transitory purposes.

This means that non-Bahrainibusinesses operating data centres orusing third-party data processors inBahrain will be caught by the Law. Anynon-resident person or business that issubject to the Law must appoint anauthorised representative in theKingdom to perform its local legalobligations.

The Law does not apply to processingof personal data within the context of

personal or family affairs or processingthat relates to national securityundertaken by security authorities in theKingdom.

What data is protected? The Law defines personal data asinformation relating to an identified oridentifiable individual. This is largelyconsistent with European and similarinternational definitions of personal dataor personally identifying information(‘PII’) under equivalent legislation,although there is express reference toidentification of an individual via their

Personal ID Card in addition to otherfactors specific to the individual'sphysical, mental, cultural, economic orsocial identity. Data subjects will haverights of access to personal data and toinformation concerning the processing oftheir personal data, as well as the right toobject to processing for direct marketingor automated decision making.

What are the key obligations?Many of the obligations placed on ‘datamanagers’ (controllers) will be familiar toorganisations that operate under dataprotection laws in other parts of theworld, including requirements to processdata fairly and lawfully, to collectpersonal data for legitimate, specific andclear purposes, and to ensure that data isadequate, relevant and not excessive asto the purpose for which it was collected.Data cannot be processed without theconsent of the relevant individual (data

subject) unless it falls within one of thefive grounds for processing in Article 4 ofthe Law.

These grounds include theperformance of contracts or legalobligations, protecting the data subject’svital interests, and safeguarding the datacontroller's legitimate interests. There arederogations for the processing ofpersonal data for journalistic, artistic orliterary purposes and more stringentrules applying to the processing of‘sensitive personal data’ (i.e., personaldata that directly or indirectly revealsracial or ethnic origin, political orphilosophical views, religious beliefs,trade union membership, criminalrecord, health or sexual condition).

One interesting feature of Bahrain’slegislation is the role of the ‘DataProtection Supervisor’. This is anaccredited third party that may beappointed by data controllers at theirdiscretion or, in some cases, at thedirection of the data protection authority.The Data Protection Supervisor mustexercise its role in an ‘independent andneutral manner’ (unlike, for example, thedata protection officer appointed byEuropean entities under the GDPR).

Its responsibilities include monitoringand verifying the data controller’scompliance with the law, supporting thedata controller in exercising its rights andperforming its obligations, maintaining aregister of processing, and coordinatingbetween the data protection authorityand the data controller.

The Law prohibits the transfer ofpersonal data outside Bahrain tojurisdictions that are not approved by thedata protection authority unless the datasubject provides consent or the transferfalls under a specific derogation,including transfers necessary for theperformance of contracts, protection ofthe data subject’s vital interests orpreparing, pursuing or defending a legalclaim. The Law also requires data

The Law aims to be

consistent with international

practices in the protection of

personal data and to

enhance the attractiveness of

Bahrain to foreign investors.

Five questions you should askabout Bahrain’s new dataprotection law By Dino Wilkinson, Clyde & Co.

www.clydeco.com


BULLETINS

controllers to enter written contracts withthird parties that process personal dataon their behalf (data processors).However, there is no mandatory databreach notification provision in the Law.

How will the law be enforced? A range of criminal and administrativefines may be imposed under the Law.Criminal offences – including theprocessing of sensitive personal data ortransfer of personal data outside theKingdom in violation of the Law orfailure to notify as required by the Law –may attract fines of up to BD 20,000 (US$ 53,200) or imprisonment for up toone year.

Administrative fines for other offencesmay be imposed on a scale up to BD20,000 (US$ 53,200) for one-off fines ordaily penalties of up to BD 1,000 (US$ 2,650), which may be increased forrepeat offences. Other sanctions availableto the regulator include publishing

statements concerning established violat -ions and referring potential crimes to thepublic prosecutor. Individuals may claimcompensation for damage suffered due toany processing of their personal data bya data controller in breach of the Law.

What should organisations do now?The Law will become effective from 1August 2019, but any organisations thatare involved in processing personal datain Bahrain should start conducting anassessment of their processing activitiesat the earliest opportunity in order tounderstand the implications of the Lawand implement appropriate compliancemeasures. This process would typicallystart with a due diligence exercise tounderstand the flows of data around theorganisation. Contracts with third partieswill also need to be reviewed along withprivacy policies, consent forms andemployment agreements. Once the lawcomes into effect, data controllers will

have to notify the authority prior toconducting any data processing unlessthey appoint a Data ProtectionSupervisor or the processing is limited tocertain activities set out in Article 14 ofthe Law.

Some types of data processing(including automated processing ofsensitive personal data, biometric datafor identification purposes, geneticinformation and video monitoring) willrequire the express prior approval of theauthority. Ongoing awareness andtraining in data protection is likely tobecome a more commonplace feature forcompanies in Bahrain and we wouldexpect to see organisations adopting datagovernance policies, procedures andpractices in line with internationalstandards. Processes will need to be inplace to ensure that organisations cancomply with their obligations andrespect the new rights afforded to datasubjects. n

on 18 July 2018, the EuropeanBanking Authority published finalguidelines on fraud reporting

under the revised Payment ServicesDirective. PSD2 aims to increase thesecurity of electronic payments anddecrease the risk of fraud. The Directive,which has applied since 13 January 2018,requires payment service providers toprovide, at least on annual basis, data onfraud relating to different means ofpayment to their national regulator. Theregulators must in turn provide suchdata in aggregated form to the EBA and

the European Central Bank. Existing datareporting practices vary across the EU.The EBA has worked with the ECB todevelop these Guidelines to ensure thatdata is reported consistently and that thedata is comparable and reliable.

The final Guidelines are addressed toPSPs, except account information serviceproviders, and to their nationalregulators. The guidelines coverpayment transactions that have beeninitiated and executed, including theacquiring of payment transactions forcard payments, identified by referenceto: (a) fraudulent payment transactionsdata over a defined period of time; and(b) payment transactions over the samedefined period. The guidelines also setout how national regulators shouldaggregate the data.

Following the feedback to the EBA’s

consultation last year on proposedguidelines, a number of changes havebeen made, including aligning therequirements with those in the ECBRegulation on payment statistics(ECB/2013/43). The main changes are:

l It had been proposed that quarterlyreporting of high-level data would berequired with a more detailed set ofdata on a yearly basis. Instead, thefinal guidelines impose one uniformset of reporting requirements on asemi-annual basis;

l Country-by-country data breakdownsare no longer required; and

l Fraudulent transactions where thepayer is the fraudster are no longerwithin the scope of the guidelines.

The guidelines apply from 1 January

EU final guidelines on fraudreporting under the PaymentServices DirectiveBy Thomas Donegan, Shearman & Sterling LLP

www.shearman.com

the final guidelines are available at:

http://www.eba.europa.eu/documents/10180/2281937/Guidelines+on+fraud+reporting+under+Article+96%286%29%20PSD2+%28EBA-GL-2018-05%29.pdf/5653b876-90c9-476f-9f44-507f5f3e0a1e.


BULLETINS

Companies around the world canfinally breathe a sigh of relief todaywith respect to the UK’s position on

privilege in criminal investigations. In amuch-anticipated judgment on the ENRCcase (Serious Fraud Office (SFO) v EurasianNatural Resources Corp. Ltd [2018] EWCACiv 2006), the English Court of Appealhas clarified the boundaries of legalprofessional privilege. The judgmentrealigns the UK’s position on privilege incriminal investigations with that of othercommon law jurisdictions by taking acommon sense approach and morereadily protecting the work of lawyersand other advisors. This decision will beof great interest to companies who dealregularly with regulators andprosecutors in the UK (such as the FCAand SFO) or are involved in multi-jurisdictional investigations.

The key elements of the judgment areas follows:

1. The test for the application oflitigation privilege in English law iswhether or not litigation is inreasonable contemplation. In criminalproceedings (as has long beenacknowledged to be the case in civilproceedings) whether or not litigationis in reasonable contemplation is aquestion of fact. The Court of Appealexplicitly rejected the first instancejudge’s proposition that in criminalproceedings litigation can only be saidto be in reasonable contemplationonce the prosecutor has satisfied the

so-called ‘Code tests’ and is set tobring charges.

On the facts of this case, the Courtof Appeal found that the advice ofENRC’s external counsel that theevidence unearthed by their internalinvestigation meant that there was ’areal and serious risk of lawenforcement and/or regulatoryintervention, including criminalprosecution’ was sufficient basis toconclude that litigation – in the formof a criminal prosecution – was in

reasonable contemplation, notwith -standing that the SFO had not yetcommenced a criminal investigation,let alone a prosecution.

2. Litigation privilege applies to:a. Notes of interviews.b. Documents containing the factual

evidence presented by a company’sexternal lawyers to the company’sboard.

c. Reports created by an external firmof forensic accountants.

The Court of Appeal considered thatthe above-listed material was created at atime when litigation was reasonably incontemplation and that the documentshad been brought into existence for thedominant purpose of resisting oravoiding criminal proceedings.

The Court of Appeal rejected the firstinstance judge’s conclusion that litigationprivilege could not apply to this materialon the basis that if ENRC had chosen toco-operate with the SFO, much of thismaterial would have been handed over.

As a result of this decision, Englishlaw in relation to privilege is now farmore closely aligned to that in the US.The Court of Appeal explicitlyacknowledged in its judgment that it wasadvantageous to multinationalcompanies for there to be some‘commonality’ in privilege law acrosscommon law countries.

In addition, the Court of Appealcommented on one of the thornierquestions of English law on privilege:who is the client? In a case known asThree Rivers (5), the House of Lords hadheld that, in companies, the client waswhoever was instructed to give or receivelegal advice. The Court of Appeal notedthat while it did not have grounds todepart from a decision of the House ofLords, it was of the view that the rule inThree Rivers (5) was more appropriate tothe 19th Century. In this regard, theCourt of Appeal acknowledged that inlarge, complex, multinational companiesthe information needed to seek legaladvice is not often in the hands of theboard or those who are specificallyauthorised to seek legal advice (e.g., thegeneral counsel). Accordingly, if amultinational company cannot ask itslawyers to obtain the information neededto give advice (including from employeeswith the relevant first-hand knowledge)knowing that it is protected by legalprivilege, then multinational companieswill be in a less advantageous positionthan smaller, less complex ones. n

Common sense prevails in theUK’s battle over legalprofessional privilegeBy Amanda Seddon, Matthew Burn, Amanda Raadand Sarah Lambert-Porter, Ropes & Gray

www.ropesgray.com

2019, except for the reporting of datalinked to the exemptions from therequirement to use strong customer

authentication provided for in theRegulatory Technical Standards onstrong customer authentication

(Commission Delegated Regulation (EU)2018/389), which will apply from 14September 2019. n

the enrC decision can be located at:

https://www.bailii.org/ew/cases/EWCA/Civ/2018/2006.html

As a result of this decision,

English law in relation to

privilege is now far more

closely aligned to that

in the US.


Look, listen and learnAn increased awareness of potential liabilities for human rights violations in international supplychains, means companies are well advised to have a good understanding of suppliers’ practices andworker treatment. Trade Security Journal meets Li Qiang, founder of China Labor Watch, to find outwhat questions companies with manufacturing operations in China should be asking.

TALKING TRADE SECURITY

ROBERT ESSEL



earlier this summer, Trade SecurityJournal editorial board memberGlen Kelley visited the offices of

fellow New Yorker Li Qiang to discussworking conditions and the role ofmultinationals in China.

These are, of course, interesting timesfor US-Chinese relations: indeed, theyverge on the acrimonious, with the USgovernment alleging that China is inbreach of WTO rules – and looking toplunder US technological advances forthe country’s own gain. Meanwhile,many US companies say they can keepup with consumer demand only bytaking advantage of China’s cheaplabour supply. And in so doing, saycampaigners like Mr Li, they may wellfind themselves complicit with a modeof production that disregards workerrights in favour of profit.

Mr Li is the founder of the advocacygroup China Labor Watch (‘CLW’). Hemoved to the United States in 2000. Priorto that time, Li Qiang played a leadingrole in organiSing networks of labouractivists, researching factory labourconditions, and conducting workereducation and legal assistanceprogrammes in China. Since then, CLWhas conducted over 400 assessments oflabour conditions in Chinese factoriesmaking products for multinationalcompanies across industries rangingfrom furniture to shoes, stationary totoys, and garment to electronics. Theassessments typically use a combinationof undercover investigation and off-siteworker interviews. In some cases, CLW’sefforts have resulted in workers beingpaid substantial amounts of owed backpay or other significant improvements inworkers’ rights and working conditions.

Glen Kelley is partner at theinternational trade law firm JacobsonBurton Kelley PLLC, based in New York.His practice focuses on economic andtrade sanctions, export controls, anti-corruption, anti-money laundering andnational security law. Prior to joining thefirm, Glen was the chair of the regionalleaders of the global sanctions and tradegroup of a leading international lawfirm. Glen has served as an AttorneyAdviser at the US Department of State.

All Mr Li’s comments were voiced byElaine Lu, a Program Officer at ChinaLabor Watch who interpreted theinterview. There are points in theconversation where Ms. Lu has addedher own comments based on herunderstanding of and familiarity withMr Li’s thinking.

glen Kelley (‘gnK’): I’ve read your bio onthe CLW website. Could you tell me alittle more about how you decided tofocus full time on shining a spotlight onlabour conditions and labour rights inChina?LI QIANG (‘LQ’): Earlier in life I was aworker at a state-owned enterprise(‘SOE’) in China. I had a licence topractise as an attorney. I felt that theSOEs were treating workers unfairly – forexample, only the leadership receivedhousing benefits.

In 1997 I was almost detained inSichuan by Chinese officials, for activitiesincluding giving legal advice to laid offworkers. I fled to Guangdong and foundconditions for workers were even worsein privately-owned companies that hadreceived foreign investment than in theSOE factories.

Since then we have sent people intofactories producing goods for manymajor MNCs (multinational companies)including Nike, Walmart and Toys R Us,to work and research the conditionsthere. People from many of the Fortune500 companies have visited our officesover the years, to discuss labour issues intheir factories in China.

gK: What do you consider to be the mainlabour and related civil rights concerns inChina today?LQ: One of our first and main concerns isthat the factories are violating Chineselabour laws, for example the workinghours. Another primary concern is thatworkers still do not have real freedom ofassociation. Workers have to put in a lotof overtime now just for a sustainablestandard of living.

gnK: So it seems that it’s a problem withChinese laws not being followed, but alsoit seems the laws are not set up well to

protect workers from very badconditions. Do you think that’s fair to say– that there’s also a need to change tolaws as well as applying and enforcingthem? Li Qiang: The most important thing is forworkers to have freedom of association.

A lot of officials in the Communist partyhave strong interests in the way factoriesin China are functioning. Multi-nationalcompanies and Chinese factories havevery strong economic interests in how thefactories are functioning.

Given these strong countervailinginterests, because workers don’t have thefreedom of association, the ability toorganise to protect their rights, it meansit’s hard to implement the labour lawsthat do exist in China. Factories take amore targeted (reactive) approach whenit comes to rights.

For example, if workers complain,that’s when factories go ahead andactually try to abide by the laws. [But] thepenalties [for breaching labour laws]aren’t sufficiently heavy to be effective –so it is still more profitable to exploit theirworkers. These are still major problemseven though the law is still being betterimplemented than it was in 2000.

gnK: Okay. So, how is CLW trying toshine a light on these concerns and bringabout change? LQ: We continue to do a lot of factoryresearch and investigations and we targetthe MNCs’ products that are

‘One of our first and main

concerns is that the factories

are violating Chinese labour

laws, for example the

working hours.’

about China Labor Watch

CLW views Chinese workers’ rights as

inalienable human rights and is

dedicated to workers’ fair share of

economic development under

globalization.

CLW increases transparency of

supply chains and factory labor

conditions, advocates for workers’

rights, and supports the Chinese labor

movement.

Founded in 2000, China Labor

Watch (CLW) is an independent not-

for-profit 501(c)(3) organization. Over

the past 17 years, CLW has

collaborated with unions, labor

organizations, and the media to

conduct in-depth assessments of

factories in China that produce toys,

bikes, shoes, furniture, clothing, and

electronics for some of the largest

multinational brand companies. CLW’s

New York office creates reports from

these investigations, educates the

international community on supply

chain labor issues, and pressures

corporations to improve conditions for

workers.

source: http://chinalaborwatch.org



manufactured in China to try highlightthe rights of workers.

Some of these MNCs, such as Appleand Samsung, have made changes intheir factories after we have released ourreports. On the other hand, when weinvestigated [certain] Chinese companies,we actually received a lot of retaliationfrom the Chinese government throughthe local public security bureau [policeoffice].

But we have seen that some of thesecompanies do make changes and we tryto identify and target companies thatmay be willing to do so. Increasedfreedom of association in their factoriesprovides support and resources for thelocal NGOs to really push for freedom.

gnK: Is there just one CLW office in China? LQ: We used to have two, but last yearour Shenzhen office closed because of theIvanka Trump investigations. Thegovernment took all of our computersand everything.

gnK: Recently, it seems like there havebeen some CLW investigations that get alot of attention. Ivanka Trump productswas one. Another is Amazon.com which Ithink is working with Foxconn. Theyattracted a lot of coverage for youractivities. Does that help, or is it more ofa distraction? LQ: Generally, it is helpful; for examplein the Amazon case, Foxconn made some

changes to the conditions for theirdispatch workers [a type of temporaryworker status not entitled to the rights offull-time employees under Chinese law].The majority of [them] started to beconverted to regular workers, which wasimportant because [previously] therewere too many dispatch workers atFoxconn.

After we released a report on one ofApple’s suppliers, they paid back theirworkers 3.7 million RMB in overduewages.

gnK: In the last few years, a lot ofmultinational companies have beenfocused on the rising cost ofmanufacturing in China, including risinglabour costs. I think there’s anassumption that labour rights must beimproving because wages are rising. Isthe average worker actually seeing a lotof benefit from those increases in thecost of production? Are the conditions inChina really improving?LQ: I don’t believe that there areimprovements for workers. It’s really[inflation]. The prices of consumerproducts have increased and that’swhat’s pushed the increase in wagesmore than anything else. Property priceshave increased, and basically productslike eggs, vegetables, meat, these priceshave also increased in China as well. Wecan say that workers’ wages haveincreased but so have the costs of basic

products, so the wage increases are notreally benefiting workers in the long run.

A lot of the MNCs that have movedtheir factories to other countries fromChina have done so [for reasons besidesthe increase in labour costs]. Andworkers are also the victims of this.

If you break down the revenues frommanufacturing operations in China, firsta large portion goes to the companies’profits. Second, the Chinesegovernment’s revenues [taxes, licensingand other fees] are a large portion. Thenthe bank [financing, interest paymentsetc] costs and property costs are a largeportion. Out of the total profits [revenuesgenerated from manufacturing done inChina], labour costs only take a reallysmall share of the pie. So even if theygave more to workers, manufacturingcosts could nonetheless decrease. TheChinese government gets a share. Thebanks get a share. MNCs get a share, soin the end no-one wants to give way andsay, ‘Let’s give more money to workers.’That’s why attention has been focused onthe labour costs.

gnK: Are there any steps being taken bythe Chinese government to address anyof these concerns regarding labourconditions, labour rights? For example,[are] there reforms of the official labourunions? Is that something that’s stillbeing discussed in the government? LQ: The steps that are taken are very

TSJ editorial board member, Glen Kelley met Li Qiang at the China Labour Watch offices this summer.



limited. For example, the ACFTU [theofficial government-directed umbrellalabour union in China] says that factoriesshould, for example, be establishingunions, but these unions [sponsored bythe ACFTU] are ineffective in general.They don’t really address or benefitworkers.

We have been able to push companiessometimes in their factories to undertakeunion elections, but these are justindividual cases. Sometimes, withpressure, an individual factory will holda union election at that factory, but this isa very targeted approach.

gnK: What you would like multinationalcompanies with manufacturing operationsin China to learn from your work? LQ: I hope MNCs can push their factoriesin China to be aligned with and fullycomply with Chinese labour laws andthat they can make it possible for workersto enjoy freedom of association in theirfactories.

If neither of those are viable options,they should at least establish a workerhotline. That way, workers can perhapscontact MNCs or a third party about anygrievances or complaints they have withthe factory.

Given the current political system inChina, it’s very difficult for workers toestablish a union inside the factory that’srepresentative of their interests. So MNCscan only work within the confines ofwhat they can do, clearly.

gnK: Are you seeing companies meetingresistance from the government whenthey try to move forward and implementsome of these changes?LQ: There have been some cases. A fewyears ago we were trying to convince aGerman company to establish a union attheir factory. But the factory was jointlyowned with a Chinese company whichsaid, ‘No, we don’t want the union.’

When we pushed other companies toestablish unions at larger factories –when the Chinese government realisedthat they were trying to establish a union,they stopped it. But there have been somesuccessful cases, where it is done withoutthe government knowing it.

gnK: Speaking of German companies,some countries have this model whereworkers have representation on theboard of the company, referred to ascodetermination or a sort of a co-management idea. Is that an idea thathas come up, especially with the GermanMNCs, in China?

LQ: It may not work because a lot ofthese Western ideas may not actually beapplicable in China. The factorymanagement gives workers a lot ofpressure. For example, if we tried to usethis idea in China, these workers’representatives may be told or pressurednot to actually represent workers but torepresent management. I think it’s veryfar-fetched, to have workerrepresentatives in China. If MNCspressure these factories, then maybethey’ll have some representation in someother way. There’s a very long road

ahead for workers to be able to be at theballot in China.

gnK: How would your recommendationsfor MNCs differ where the companydirectly owns the factory, as issometimes the case? LQ: If the MNC owns a factory in China,it’s easier for it to have workerrepresentatives. If the factory actuallywants to democratically elect workerrepresentatives and have a union, thenthe ACFTU (All-China Federation ofTrade Unions) doesn’t mind that.

To reiterate, the unions, factories,aren’t representative of workers’interests. It’s all controlled bymanagement. If the managementthemselves, directed by the MNC,actually want the union to representworkers they can make that happen.

gnK: So the leaders of the union wouldactually be elected by the workers, forexample?LQ: They can elect these leadersaccording to ACFTU guidelines. CLWhas actually helped to democraticallyelect workers through working withsome of these factories.

gnK: Who do you see within the MNCs tobe focused on these issues and takingaction? For example, there is thecorporate social responsibility (‘CSR’)function or team within most companies.

Are there other functions within theMNCs that you’re trying to engage with –like legal departments? Or are you goingdirectly to the board and saying, ‘Youhave to address Chinese labour rightsissues because it’s a broader risk to yourcompanies’ profitability and operations?’LQ: We generally write letters to theCEO. One thing is that the kind ofauthority the CSR function has withinmost companies is still quite limited –which is generally less than that enjoyedby the public relations department. Onthe other hand, if the director of CSR isable to be present at board meetings, thenthat may be helpful.

gnK: That’s starting to happen in somecompanies?LQ: Yes, some CSR departments are notactually managed by the public relationsdepartment, but instead under thefinance or the legal department.

In the case of one company we metwith a Chief Financial Officer. And atanother major company we met withsomeone from the legal department. [Sothe people that we meet with] are all fromvarious departments.

Some address issues quite quickly. Itdepends on where they are in theorganisational chart. If they’re down atthe fourth level, it’s really hard. Forexample, one of our contacts in a USmultinational has to go through three orfour people to get to the board, so thatmakes it much slower. It really dependson who they work with.

gnK: But overall it seems like slowlythere’s a positive trend with more andmore direct board involvement.LQ: It’s a positive development. Itdepends on public pressure. If, youknow, there’s a lot of pressure from thepublic, they will make changes muchquicker.

gnK: I really think within companies, allthese functions – legal, compliance, CSR– probably agree that there’s a saying:‘Never waste a good crisis.’ So, when thecompany is under a lot of pressure, that’sthe right time to try to makeimprovements in the way they’re doingtheir business. LQ: A few years ago, after we released areport on Timberland, they severed tieswith their factory in China and no longergave them orders. Two thousand peoplewere fired. The factory was listed on theHong Kong stock exchange and its shareprice decreased.

After two or three years, I went back

‘I hope MNCs can push their

factories in China to be

aligned with and fully comply

with Chinese labour laws and

that they can make it

possible for workers to enjoy

freedom of association in

their factories.’



to Timberland and said, ‘You can’t justtake orders away, you know, have theseworkers losing their jobs. You reallyshould be making changes to thefactories.’

I also spoke with the factory owner.They started up an assembly line forTimberland products at that factory andthey recruited 200-300 people. It was justone assembly line while originally therewere seven assembly linesmanufacturing for Timberland. Elaine Lu: The reaction to public relationspressure really depends on the company.They differ. In 2008 when CLW releaseda report on factories owned by the [HongKong magnate] Li Ka-shing, he sent aconsultant to come and meet with Li andthen they actually wanted to cooperateon a project. (Li Ka-shing owned two toyfactories.)Li: Sometimes companies will just get ridof their responsibilities. For example, ifviolations are discovered at a factory,they’ll just move the orders to anotherfactory. In that case, Li Ka-shing sold thetwo toy factories eventually, which youcan do if you’re very rich, though othercompanies aren’t able to do that.

gnK: It seems like the trend is MNCs are

getting smarter about these kinds ofissues that really present substantial riskto them and trying to address them in aproactive way. Is it fair to say thatoverall companies are giving this issuethe attention that it should get, or more

and more companies are slowly gettingthere? ? LQ: It really depends on the profitscompanies make. If the company’s veryprofitable, they [can afford] to makechanges to working conditions. But iftheir profits aren’t doing too well, they’reprobably reluctant.

It’s not really about the people at thetop. If the person who’s the director ofCSR is really willing to make changes tothe working conditions across theirsupply chain, then, surely, we will see

improvements. It’s not always up to thepeople at the highest level like the CEOto be pushing and making changes.

Sometimes we meet someone whoreally cares. The most successful caseshave been where we’ve dealt withsomeone not at the highest level,someone who’s further down on theorganisational chart.

Certain managers are like, ‘Oh, wedon’t want to deal with this,’ and justpush you to someone higher, theirmanager or the department manager.And they say things like, ‘We really care,if there’s any issue please reach out to us.’[laughs]

Sometimes you meet a CEO, and theysay: ‘Any issues, just send us an email,’but that seems to be just polite words.Prior to 2009 we saw CEOs of [a numberof] companies, but mainly that servedthose companies’ public relationspurposes. So, it wasn’t very helpful.

gnK: Okay. So, my optimism that thingsare improving should be moderated! LQ: As long as you find someone that’swilling to take positive action within thecompany’s internal policies andregulations, then for sure workers’ rightswill be better protected. n

‘If the person who’s the

director of CSR is really

willing to make changes to

the working conditions

across their supply chain,

then, surely, we will see

improvements.’

Above boardSuccessfully mastering the regulatory and ethical challenges of

multi-jurisdictional expertise and global reach.

Our combination of deep legal and practical government and

Europe, Asia and the Middle East, enables us to provide tailored,

commercially focused legal, strategic and public affairs advice

on the full range of international trade-related compliance and

regulatory issues you might face. dechert.com

D


HUMAN RIGHTS

in June 2018, the Swiss NationalCouncil adopted a legislativeproposal which, if passed by the

Council of States, will introducemandatory human rights due diligencefor certain companies. This is the latestexample of a regulatory trend toincreasingly focus on the human rightsimpacts of companies across their supplychains. Other recent examples includethe French Duty of Vigilance Law,adopted in 2017, which requirescompanies to implement vigilance planson human rights for their own operationsand those which they control. TheCalifornia Transparency in SupplyChains Act and the UK Modern SlaveryAct both expect companies to report onthe steps they have taken to eradicateslavery and human trafficking in theirsupply chains. The UK Joint Committeein Human Rights has also proposed thata ‘failure to prevent adverse humanrights impacts’ mechanisms beconsidered.

This increased focus on addressinghuman rights in the supply chain echoesthe principles set out in the influentialUN Guiding Principles on Business andHuman Rights (‘UNGPs’), adopted in2011. The UNGPs first introduced theconcept of human rights due diligence,(‘HRDD’) which, unlike traditionaltransactional due diligence, is anongoing and comprehensive process. Itshould ‘identify, prevent, mitigate andaccount for’ actual or potential adversehuman rights impacts a company may beinvolved in through its own activities orbusiness relationships, including those inthe supply chain.

Since the adoption of the UNGPs,other international frameworks andindustry guidance have been updated toinclude expectations around HRDD insupply chains. These include the OECDGuidelines, various sectoral duediligence guidance materials developedby the OECD, and the InternationalFinance Corporate (‘IFC’) PerformanceStandards. Civil lawsuits are alsoincreasingly being brought against

transnational companies for humanrights harms which are alleged to havetaken place in their supply chains. Recentexamples include actions brought interms of consumer law, misleading anddeceptive conduct, tort and specialiststatutory claims.

Hrdd in the supply chain: researchRecent research by the British Institute ofInternational and Comparative Law(‘BIICL’) and law firm Norton RoseFulbright (‘NRF’) has considered currentpractices around HRDD in the supplychain, within the fast-developing legalframework. The study highlighted a fewkey components for undertaking HRDDin the supply chain.

Identification of human rightsimpacts in the supply chain is animportant first step in understandinghow to address these impacts. BIICL’sresearch showed that the nature ofsupply chains varies widely, and thatone of the key challenges for manycompanies is the definition of theirsupply chain for the purposes of human

rights due diligence. Intervieweesindicated that the level of scrutiny willdepend on factors such as the supplier'sprevious human rights record, country ofoperation and sector. The UNGPsacknowledge that limited resources

might necessitate this kind of‘prioritisation’ of the most severe humanrights risks. Severity is defined withreference to the ‘scale, scope andirremediable character’ of the adversehuman rights impact.

Many companies find it helpful tostart with a mapping exercise to identifysuppliers and trace the supply chain. Inmany supply chains there are nodes or

How to address human rights risks in supplychains: new research on current practices New research by the British Institute of International and Comparative Law and law firm NortonRose Fulbright throws light on current practices and perceptions of human rights due diligence insupply chains. Lise Smit outlines its findings.

Interviewees indicated that

the level of scrutiny will

depend on factors such as

the supplier’s previous

human rights record, country

of operation and sector.


HUMAN RIGHTS

points beyond which detailed tracingbecomes difficult, such as smelters. Oneinterviewee used an innovative approachwhich it calls a ‘controlled supply chain’.It uses only certain smelters which,through partnership with local civilsociety organisations, it felt the company‘could work with’. They indicated thatthe company ‘does not need to know forsure’ that the minerals used in theirproducts are from selected mines. Thecompany is ‘generating the demand atthe fair mine’, and as such it is ‘notimportant’ whether it flows from thesmelter into their products or acompetitor’s products.

Interviewees indicated that first-tiersuppliers may not wish to discloseinformation about their own suppliers.For this reason, the questionnaires sent tofirst-tier suppliers often contain questionsabout their second- and third-tiersuppliers, and codes of conduct andcontractual clauses often containprovisions requiring the first-tier supplierto ‘pass forward’ the human rightsstandards into their own expectations oftheir suppliers.

Tracing the supply chain may beincreasingly assisted by technologicaladvances such as tags, scanning devicesand blockchain software which enableraw materials to be traced back to a farm,factory or fishing vessel.

It is important to undertake regularhuman rights impact assessments(‘HRIAs’), as human rights impacts maychange over time. BIICL’s research hasindicated that companies which assumecertain risks, such as those prevalent inthe sector, are likely to thereby miss theirother human rights risks. Similarlimitations apply when assumptions aremade based on region. One intervieweeindicated that through their HRIA theyrecognised that their supply chainhuman rights risks would not always belocated overseas but may lie in their ownhome state jurisdiction. They nowundertake HRDD for their local andforeign suppliers, indicating that they‘treat it the same’.

Various mechanisms are used for theprevention of potential impacts. Mostcompanies indicate that their leverage isstrongest at the point before entering into

a relationship with a supplier, duringsupplier ‘on-boarding’. Companies usequestionnaires, database searches andother forms of desktop research. Thisscreening will be escalated into morethorough investigations, where the initialscreening raises red flags about humanrights in the supplier, country, or sector.Codes of conduct and contractual clausesare the most frequently used tools forsupply chain human rights duediligence. However, these provisionsshould be accompanied by ongoingmonitoring, human rights policies and

action plans embedded in the suppliers’operations, human rights training, andactive and open engagement with thesupplier on the realities of improvingconditions.

In order to be effective, codes ofconduct also need to be accompanied bypurchasing practices such as prices andlead times. Companies need to ensurethat human rights due diligence isintegrated across all relevant functions ofthe company, including the team whichdrafts the human rights clauses, and theteam which negotiates suppliers’ prices.

Although interviews confirmed theimportance of rights-holder engagementin identifying and adequately addressinghuman rights impacts, stakeholderengagement is extremely limited withrespect to human rights impacts ofsuppliers. In contrast, companies oftenuse external human rights experts in theirsupply chain HRDD, and human rightstraining is very common.

Where existing human rights impactshave been identified, the UNGPs requirecompanies to respond with remediation,and, where relevant, to exercise leverageover the supplier that caused the harm.The company should also considerwhether termination of the businessrelationship is the best option for humanrights.

The use of operational-level humanrights grievance mechanisms for humanrights due diligence by suppliers appearsto be limited. They most commonly takethe form of the company’s own humanrights grievance mechanisms beingavailable to those whose rights are

affected by its supply chain. However,some examples exist of companiesrequiring their suppliers to have humanrights grievance mechanisms in place.

The most commonly used tools totrack and monitor the effectiveness ofhuman rights due diligence actions areaudits, investigations and compliancemeasuring tools. Presumably as a resultof the well-known limitations oftraditional auditing to address humanrights impacts in the supply chain,interviewees referred to the use of a newkind of audit, specifically aimed athuman rights. These specialist humanrights audits are used to monitorcompliance with the company’s humanrights provisions and codes of conduct,and auditors are human rights experts.Many companies are also currently in theprocess of updating their internalcompliance measuring mechanisms toincorporate sophisticated human rightsstandards for suppliers.

Suppliers are frequently subject toauditing requests from multiple buyers,which has led to the phenomenon of‘audit fatigue’. As a result, variousinitiatives have been established in orderto align auditing practices across sectors,so that a company will accept a supplier’sauditing certificate which was producedfor another company. Whereas there aresome examples of third-party vettingtaking place through multi-stakeholderinitiatives, such as the International Codeof Conduct Association (‘ICoCA’), manyinterviewees expressed the need for morecentralised cross-sectoral third-partyvetting mechanisms.

Interviewees indicated the importanceof having local experts on the ground, tomonitor supply chain compliance, toprovide information on the localenvironment, and to build strongrelationships with suppliers.

As part of human rights due diligence,the UNGPs expect companies tocommunicate externally how theyaddress their human rights impacts. Onecurrent trend in companies’ efforts tocombat a lack of supply chaintransparency is to publish the details oftheir suppliers.

findings and themesA few key themes and observations werehighlighted during the above study:

Beyond compliance and audit: a deeply embedded governanceCompanies are increasingly seeking toovercome the limitations of traditionalcodes of conduct and audits and are

It is important to undertake

regular human rights impact

assessments, as human

rights impacts may change

over time.

read the report

making sense of managing human rights

issues in supply chains is here:

https://www.biicl.org/duediligence


HUMAN RIGHTS

exploring more innovative approaches.Those companies which have focused ondeveloping advanced supply chainHRDD indicated that this is a deeplyembedded and comprehensive approach.One interviewee stated: ‘We know oursupply chain better than anyone else.’Another interviewee stated: ‘To drive realimpact does not happen from one day toanother. It requires commitment andmoney, financing to pay for protectionand better working conditions, newschools that prevent child labour, andmines that are better built.’

Overview of affected rightsThe UNGPs highlight that companies canpotentially have an impact on any of theinternationally recognised human rights.The study highlighted a wide range ofhuman rights which are frequently at riskin supply chains. Forced labour and childlabour came up most frequently acrosssectors. Many companies alsoencountered risks to migrant rights, theright to life, the right to physical integrity(such as through violations by securityservices), freedom of religion, land rights,cultural heritage, and the right to health.

Small and medium-sized enterprisesSmall and medium-sized enterprises canfind implementing HRDD challenging,but they can nonetheless have an impactthrough their own processes. Largerbusinesses can help by engaging incapacity building.

Solutions beyond the first tierThere are currently limited practices inplace for exercising leverage beyond thefirst tier of the supply chain. Where this

is done, it usually takes place eitherindirectly through the first-tier supplier –for example, through codes of conductwhich require a first-tier supplier toimpose similar standards on those in thenext tier and so on, or through collectiveengagement with peers or multi-stakeholder initiatives. Manyinterviewees recognised the importanceof going beyond the first tier, andhighlighted this as their next priority.

Collective actionSupply chains are often opaque, complexand stretch over multiple jurisdictionswith widely different legal environments.In order to address their supply chainhuman rights impacts, companies oftenfind that they need to act collectively.This enables business to tackle challengeswhich a single company is unable toaddress.

Collective engagement takes manyforms, including industry or cross-sectoral business initiatives, as well asmulti-stakeholder initiatives withgovernmental bodies, civil societyorganisations, trade unions andinternational organisations. Initiativesrange from softer approaches, such asdialogue, to those which intervenethrough oversight and sanctions, andthose which focus on standard setting orgovernance.

The supplier’s perspectiveSuppliers are often required to complywith multiple audits, training andscreening requirements of theircustomers. Without effectivecollaboration between different companyfunctions, and alignment of purchasing

practices with the company’s humanrights expectations, suppliers may besubject to unnecessary cost and timeburdens.

The role of states and regulationThe study showed a generally strongsupport for clear regulation in this fast-moving area. Companies would welcomelegal certainty as to what is expected ofthem with respect to their supply chainhuman rights due diligence.

Domestic and international law hasbeen slow to catch up with the realities ofglobal business activities and theirhuman rights impacts. Current legaldevelopments are taking place in a rather

piecemeal fashion and often focus onparticular issues such as modern slavery,conflict minerals or illegal logging ratherthan HRDD as described in the UNGPs.The few legislative measures which doincorporate HRDD take a range of forms,such as reporting requirements,mandatory due diligence obligations,import restrictions, and publicprocurement measures.

In this way, the absence of regulationhas been a significant challenge forcompanies, particularly for those withoperations and supply chains spanningmultiple jurisdictions. One intervieweestated that ‘states are not regulating asmuch as they should’, and another stated:‘We would like to see more regulation. Itwould force our tier two, three and foursuppliers to improve their processes –and our competitors. We rely on thewhole industry.’

the drivers for supply chain-related HrddInterviewees confirmed the avoidance oflegal risks and reputational risks as twoof the key reasons for conducting HRDD.Other notable incentives are meetinginvestor expectations and achievingsustainable supply chains. Intervieweesnoted that by ensuring that human rightsimpacts within the supply chain wereaddressed, the company is able toimprove the sustainability of the supplychain. One interviewee stated that ‘[I]fyou stop scoring suppliers on symptoms

There are currently limited

practices in place for

exercising leverage beyond

the first tier of the supply

chain.

Companies would welcome legal certainty as to what is expected of them with respect to their

supply chain human rights due diligence.


HUMAN RIGHTS

and look at root causes, you will deliverbetter outcomes for people and productquality, which helps to deliver a betterbusiness.’

internal challenges andopportunitiesInterviewees reported efforts to simplifyinternal rules and processes, in partthrough the development of new andcentralised tools, and the need for evercloser inter-departmental coordinationbetween key functions such asprocurement, legal and CSR.

The study concluded with a fewrecommendations.

l Human rights due diligence has to bea robust, substantive and ongoingprocess. It should cover all humanrights risks which could arise in thesupply chain, and not just thosecovered by reporting requirements, orhuman rights risks which arefrequently associated with a specificsector.

l Comprehensive HRDD requiresgovernance commitments at the mostsenior level of the company. Thisincludes board and CEO engagement.

l Companies should ensure that theyhave a unified approach whichinvolves all relevant corporatefunctions, including legal, compliance,human resources, procurement andsourcing, as well as the board. Acompany may waste the extensiveresources which it spends onimplementing human rightsstandards into its supply chain codesof conduct, if it does not ensure thatthose efforts are aligned with itsbuying practices.

l In order to achieve this internalcoherence, it is important to translatethe importance of human rights intooperational language. This is oftenfacilitated if supply chain humanrights due diligence is viewed as a keycomponent of the company’scommercial objectives, including asustainable supply chain.

l Transportation and distributionsuppliers should be viewed as part of

the supply chain for the purposes ofhuman rights due diligence. Despitethe potential for human rights issuesbeing well-documented in, forexample, the shipping sector, theserisks still seem to be receiving limitedattention to date.

l Companies should develop and adaptauditing systems designed specificallyto identify human rights impacts andmonitor substantive compliance withhuman rights standards. Auditorsshould have appropriate humanrights-related experience, andcompanies should work with externalexperts as appropriate.

l Companies should proactively engagelocal stakeholders, including rights-holders and local civil societyorganisations, to take part ingathering information, makingdecisions and strengtheningrelationships with suppliers.

l Companies should participate incollective action, including throughindustry and other multi-stakeholderinitiatives, aimed at raising humanrights standards in supply chains.

l Technology could be used anddeveloped for traceability,identification of human rightsimpacts, stakeholder engagements,grievance mechanisms andcertification. Technology used forHRDD should be developed inconsultation with human rightsexperts to ensure that no human rights

are infringed by the use of thetechnology.

l The next frontier is effective humanrights due diligence beyond the firsttier of the supply chain. For thispurpose, companies should explorethe possibilities offered by collectiveaction, partnerships with local civilsociety organisations and humanrights experts, operational-levelgrievance mechanisms for thoseaffected by supply chains, and by

encouraging open and honestdialogue with first-tier suppliers.

l Companies should participate in thevarious ongoing consultations forregulatory reforms. This will add tothe process’s legitimacy and ensurethat enacted laws are realistic andeffective. Such engagement could bedone individually or through industrybodies or other representatives.

Human rights due diligence in thesupply chain is a new and developingarea, with even the leading companiesindicating that they are only starting ontheir ‘human rights journey’. Companieswith less advanced processes,particularly SMEs, should not to bediscouraged by the complexities of thesupply chain, as it is important to ‘startsomewhere’. As one intervieweecommented: ‘Let’s just start asking thequestions. These are the kind of questionsthat we started asking in health andsafety years ago.’ n

Lise Smit is an Associate Senior Research Fellow in Business and

Human Rights at the British Institute of International and

Comparative Law.

The report was co-authored by Lise Smit, Gabrielle Holly and

Robert McCorquodale, with thanks to Norton Rose Fulbright LLP

about the British institute of international andComparative LawThe British Institute of International and Comparative Law (‘BIICL’) is a world-

leading independent legal research organisation which has been conducting applied

research on contemporary legal issues for 60 years. BIICL’s Business Network acts

as a bridge between the global business community and the Bingham Centre for the

Rule of Law and BIICL.

For information on BIICL’s business and human rights work visit:

https://www.biicl.org/bandhr.

For more information on the Business Network see:

https://binghamcentre.biicl.org/business-network.

Comprehensive human rights

due diligence requires

governance commitments at

the most senior level of the

company.


ANTI-CORRUPTION

new anti-corruption legislation hasbeen signed into Irish law. Theintroduction of new corruption-

related offences and tough penalties inthe Criminal Justice (CorruptionOffences) Act 20181 (‘the Act’) isexpected to have a significant impact oncorporates and other organisationsoperating in Ireland.

Though signed into law, the sectionsof the Act still require to be commencedby ministerial order before becomingoperative.

The introduction of new anti-corruption legislation was one of theseveral measures proposed by thegovernment in its White Collar CrimePackage2 announced in November 2017.

The Act repeals and replacesprevious legislation on anti-corruptionand bribery (the Prevention ofCorruption Acts 1889 to 2010),consolidating Irish law on corruptioninto a single piece of legislation.

global scopeIrish citizens, companies and othercorporate bodies registered in Irelandwho commit acts outside of Irelandwhich if committed in Ireland would bean offence under the Act may beprosecuted in Ireland.

Consequences for companiesUnder the Act, a company is liable forthe actions of directors, managers,secretaries, officers, shadow directors,employees, agents or subsidiaries whocommit a corruption offence with theintention of obtaining or retainingbusiness or a business advantage for thecompany. If convicted, a company isliable to a fine of €5,000 on summaryconviction or an unlimited fine onconviction on indictment.

A company can seek to defend aprosecution by showing that it took ‘allreasonable steps and exercised all duediligence’ to avoid the commission of the

offence. One would expect that in theevent of a prosecution, a company’s anti-corruption policies and procedures willcome under scrutiny and may provecritical where a company is seeking to

New anti-corruption legislation to impactcorporates operating in IrelandThe Criminal Justice (Corruption Offences) Act 2018 introduces tough new penalties and offences tothe Irish anti-corruption regime. Greg Glynn, Joanelle O’Cleirigh, Richard Willis and Deirdre O’Mahonylook at the possible impact of the legislation on companies doing business in the country.

A director, manager,

secretary or other company

officer, who consents to the

commission of an offence by

the company, may also be

guilty of that offence.

What can companies doto minimise risk?l Put in place clear and

comprehensive anti-corruption

policies or review existing policies

already in place.

l Ensure all personnel receive

training on these policies and on

how to recognise and deal with

suspected bribery.

l Discuss and review the

effectiveness of the policies and

procedures at board level.

Remember, ultimate

responsibility rests with the

board.

l Appoint a compliance manager

with day-to-day responsibility for

implementing the policies,

monitoring their use and

effectiveness, and updating them

as necessary.

l Keep a written record of any

gifts/advantages given or

received.

l Communicate your organisation’s

zero-tolerance approach on

bribery to third-party service

providers, suppliers and other

organisations with which you do

business.


ANTI-CORRUPTION

rely on this defence. Policies andprocedures on their own may not beenough, however, as was seen earlier thisyear in the UK’s first contestedprosecution of a company for failing toprevent bribery. The company in thatcase – a small company employing 30people – had policies and procedures inplace but the jury found that these wereinadequate to prevent corruption.

Consequences for company officersA director, manager, secretary or othercompany officer, who consents to thecommission of an offence by thecompany, may also be guilty of thatoffence. Equally, they will be guilty of anoffence if it is proved that thecommission of the offence by thecompany was attributable to wilfulneglect on their part. n

offence

Active and passive corruption

Active and passive trading ininfluence

Corruption in office

Giving of gifts to facilitate anoffence

Creating or using a falsedocument

Intimidation

general terms

Corruptly offering, giving, requesting, accepting orobtaining a gift, consideration or advantage as aninducement to, or reward for, doing an act inrelation to one’s office, employment, position orbusiness.

Corruptly offering, giving, requesting, accepting orobtaining a gift, consideration or advantage toinduce another person to exert an improperinfluence over an Irish or foreign official.

Commission of an act, or use of confidentialinformation, by an Irish official in relation tohis/her office, employment, position or business tocorruptly obtain a gift, consideration or advantage

Giving a gift, consideration or advantage to aperson knowing that it will be used to facilitate anoffence under the Act

Corruptly creating or using a document knowingor believing it to contain a false or misleadingstatement with the intention of inducing anotherperson to do an act in relation to his/her office,employment, position or business to the prejudiceof that other person

Threatening harm to a person with the intentionof corruptly influencing that person or anotherperson to do an act in relation to that person’soffice employment, position or business

Key penalties

Summary conviction: €5,000/ 12 months’ prison/forfeiture of property

Conviction on indictment: fine/ 10 years’ prison/forfeiture of property











offences and penalties

Greg Glynn, Joanelle O’Cleirigh, Richard Willis and

Deirdre O’Mahony are partners at law firm Arthur Cox in

Dublin.

[email protected]

[email protected]

[email protected]

[email protected]

http://www.irishstatutebook.ie/eli/2018/act/9/enacted/en/pdf

http://www.arthurcox.com/wp-content/uploads/2017/11/New-White-Collar-Crime-Package-Nov-2017.pdf

Links and notes1

2


TECHNOLOGY

making tools that improve ourlives is an impetus we can traceback into prehistory, to times

when we tamed the destructive force offire and learned to fashion cutting bladesfrom flint. Our civilisations developedthrough agricultural revolutions, first inthe neolithic age, as we modified ournatural environment to raisedomesticated food plants, and later as wecreated large-scale systems of irrigationthat allowed cropping in areas ofseasonally low rainfall.

Our prowess as creators of technologyis evidenced in a series of industrialrevolutions that started in the 18thcentury, as described by Klaus Schwab,Founder and Executive Chairman,World Economic Forum: ‘The FirstIndustrial Revolution used water andsteam power to mechanise production.The Second used electric power to createmass production. The Third usedelectronics and information technologyto automate production. Now a FourthIndustrial Revolution is building on theThird, the digital revolution that hasbeen occurring since the middle of thelast century. It is characterised by afusion of technologies that is blurring thelines between the physical, digital, andbiological spheres’.1

In its 2017 report, ‘A Future ThatWorks: Automation, Employment, andProductivity’,2 McKinsey Global Institutemakes a strong case for our continuing toinnovate with technology to improveperformance of our economies:

‘Automation of activities can enablebusinesses to improve performance, byreducing errors and improving qualityand speed, and in some cases achievingoutcomes that go beyond humancapabilities. Automation also contributesto productivity, as it has donehistorically. At a time of lacklusterproductivity growth, this would give aneeded boost to economic growth andprosperity and help offset the impact ofa declining share of the working-agepopulation in many countries. Based onour scenario modeling, we estimateautomation could raise productivitygrowth globally by 0.8 to 1.4 percentannually’.

process redesign and automationAs David Autor, Professor of Economicsat Massachusetts Institute of Technology,observes: ‘Most work processes drawupon a multifaceted set of inputs: laborand capital; brains and brawn; creativityand rote repetition; technical masteryand intuitive judgment; perspiration andinspiration; adherence to rules andjudicious application of discretion.’3

To take advantage of the FourthIndustrial Revolution requirescompanies to redesign processes suchthat people collaborate with newtechnologies and hand over operationalcontrol where automation can substitutefor their labour. And inversely, within aredesigned process technology, alertshuman experts to re-take control whentheir judgement and problem-solvingskills are needed to complete a task.

Process redesign involves mappingout constituent activities and the flow ofcontrol from activity to activity, and thenanalysing each activity to determine theappropriate level of automation, if any.Activities characterised by ProfessorAutor as involving rote repetition andadherence to rules are immediatecandidates for automation, whileabstract tasks that ‘require problem-solving capabilities, intuition, creativity,and persuasion’ are best left to those inprofessional, technical, and managerialoccupations.

robotic process automationRobotic process automation (‘RPA’) istechnology of the Fourth IndustrialRevolution ‘designed to reduce theburden of repetitive, simple tasks onemployees’.4 The robotic component ofRPA is software programmed toautomate rule-based and highlystructured tasks. RPA can be viewed as acontrol function spanning multiplesystems, that include databases and otherinformation sources. RPA offers a clearinterface, such that a process beingautomated appears as familiar andsimple to operate by anyone alreadyfamiliar with the work. This simplicityextends to RPA being explainable, soprofessionals responsible for the processimmediately understand the current stateof operation, and where and when therobot requires human assistance tocomplete a task.

The impact of RPA is to improveproductivity which is measured bycomparing output per time unit achievedin the new process design with thatachieved in the previous pattern of work.

artificial intelligence (‘ai’)According to Technopedia, ‘Artificialintelligence (AI) is an area of computerscience that emphasises the creation ofintelligent machines that work and reactlike humans’. Critical components of AIinclude machine learning, involving

KYC: a process ripe for automationAgainst a background of increasing criminal threats, robotic process automation and artificialintelligence can enhance know your customer efforts and improve compliance, writes Wayne Johnson.


TECHNOLOGY

computer algorithms that continuallylearn from experience in order toimprove themselves, and naturallanguage processing, which is the abilityfor computers to read and comprehendhuman language. AI has been adoptedsuccessfully in many areas of business,and use cases continue to emerge. In arecent study conducted by BostonConsulting Group and MIT SloanManagement Review 84% of respondentssay AI will enable them to obtain orsustain a competitive advantage.

Know your customer: a processready for rpa and aiHighly valued by the corporate world,digital technologies are also exploited bysophisticated criminals who operateinternationally to move and laundermoney. Guided by international bodiessuch as the Financial Action Task Force,nations are enacting increasinglystringent regulations that guard theireconomies against financial crime.Assessing risk through due diligence inthe form of KYC (know your customer)and keeping records of these checks formthe foundation of these defences.

In a report commissioned by theChancellor of the Exchequer and

published in March 2015,5 Sir MarkWalport, the UK Government ChiefScientific Adviser, recognised thatincreasing regulation posed risk to thenation’s financial sector. Sir Markcomments: ‘There is the possibility thatfinancial regulation and requests forincreasing amounts of data are hinderingthe capacity of traditional financialinstitutions to operate and moreimportantly innovate. Regulation anddata requirements could benefit frombeing redesigned, simplified andautomated’.

The UK’s MLR2017 legislationextends the requirement to undertakerisk-based KYC to firms beyond thefinance sector to those providingprofessional services, including the legaland accounting sectors.

Many firms operating in financial,legal and accounting services rely onKYC processes that combine manual taskwith electronic communications, such asuse of email attachments. Such processesmake proving compliance to regulatorsdifficult and they tend to be slow tocomplete and expensive to operate.

In his report, Sir Mark observes:‘FinTech has the potential to be appliedto regulation and compliance to make

financial regulation and reporting moretransparent, efficient and effective –creating new mechanisms for regulatorytechnology, “RegTech”.’

assessing the KYC process forredesign and automationA high-level schematic of activitiesconstituting a KYC process is shown inFigure 1 and each activity is reviewed inthe table on the following page, ‘Activityreview’.

Many activities of a typical KYCprocess are candidates for automation.This is consistent with findings publishedin the June 2017 edition of McKinseyQuarterly: ‘McKinsey Global Institute(MGI) research suggests that companiescan automate at least 30 percent of theactivities in about 60 percent of alloccupations by using technologiesavailable today’.6

redesigning and automating theKYC process with rpa and aiAutomating business processes createsopportunities to optimise by assessingeach activity’s potential for redesignbased on current and emergingtechnologies. Figure 2 shows aredesigned and automated process.

LOW RISK CUSTOMER

figure 1: overview of KYC process


TECHNOLOGY

Robotic process automation and AI areapplied to activities shaded in grey. Theprocess design remains recognisablyfamiliar, a characteristic of successfulimplementations of RPA. Changesinclude a new activity of Codify KYCpolicy and automation which hasradically changed the productivity ofexisting activities.

In the old process, KYC policies existas business rules captured in paper orelectronic documents which guide thework of KYC operations. In practice, thisapproach creates risk to the firm as thesenior risk professionals responsible forcreating policies can only be certain theirpolicies are consistently applied in KYCoperations through constant oversight,and such policing proves impossible tomaintain, degrading to staff morale, andexpensive.

In the new process, KYC policiesdefined by the firm’s senior riskprofessionals are expressed in a newform, one that is readily understood byKYC professionals and by regulators, butalso codified as a set of instructions to

program a software robot. As well asautomating tasks, this approach ensuresthat a KYC policy can be defined onceand consistently enforced for every newcustomer. Additionally, policies are easyto amend, so the firm can respond withagility as regulations change.

The work of customer due diligencerequires a KYC analyst to downloadinformation from multiple sources,compare facts on companies,shareholders and beneficial ownersgleaned from each source and build anunderstanding that is comprehensive,consistent and accurate. This can bedifficult, as each new information sourcerequires the analysts to reassess and re-document their understanding. In thenew process, RPA automates this workby extracting information in real timefrom multiple sources via APIs, and thenanalyses and merges multiple instancesof the same legal entity (people andcompanies) represented in different datasources. Automation of this activity alonelifts the productivity of KYC analysts asdue diligence work that previously

consumed many hours is completed injust minutes by a software robot.

Professor Autor observes that ‘tasksthat cannot be substituted by automationare generally complemented by it’ and‘productivity improvements in one set oftasks almost necessarily increase theeconomic value of the remaining tasks’.These effects can be seen whereautomation of the activity of customerdue diligence greatly simplifies thefollowing activity when a KYCprofessional uses experience andjudgment to assess risk and assign a riskscore. Automated customer due diligencecreates an interactive chart that presentsa consolidated view of a company, itssubsidiaries, its parents, all directors andultimate beneficial owners; this chartserves as an invaluable aid to alldownstream activities within the processand other work requiring anunderstanding of a customer.

For customers assessed as high-risk,firms must apply enhanced customer duediligence measures and enhancedongoing monitoring. Driven by a codified

activity

Define KYC policy

Request identifying documentsfrom customer

Validate documents and formallyidentify customer

Verify customer identity andbeneficial owners

Assess risk and assign risk rating

EDD (enhanced due diligence)screening

Approve client for onboarding

description

A KYC policy prescribes how a firm conducts KYC.Its definition includes the independent, reliablesources of information that the company will usein due diligence. A KYC policy is defined once andthen applied multiple times as each new customeris considered for on-boarding.

For corporate customers this includes requests forarticles of association / incorporation.

Check the validity of documents and ensure theymatch the entity requesting a businessrelationship.

Regulations such as the UK’s MLR2017 instructfirms to use independent, reliable sources ofinformation to investigate corporate structure,directors, shareholders and beneficial owner(s).

New customers are typically scored as Low or Highrisk.

Customers assessed as high risk must be subjectto ongoing monitoring.

Customers scored as Low risk, or those High riskbut who satisfy EDD screening, are approved foronboarding.

potential for automation

Low – requires expertise and judgment of a seniorcompliance professional.

High – although many firms prefer face-to-facecontact with prospective customers.

High – involves validating electronic and physicalsecurity features of documents to establish proofof identity.

High – sources are available as digital informationand published via APIs (application programminginterfaces).

Medium – based on facts discovered in screening,risk ratings are automatically assigned. Regulatedfirms can be assigned a low rating while politicallyexposed persons (PEPs) are considered his risk.

High – sources of information on PEPs, sanctionslists and incidents of adverse media are digitisedand published via APIs.

Medium – penetrating customer due diligencecreates sufficient knowledge of customers to allowautomation.

activity review


TECHNOLOGY

policy definition, this activity isautomated to improve productivity inKYC and the updated interactive chartproduced facilitates the following task ofapproving a customer for onboarding.

KYC remediationEvolving criminal threats continue todrive new, increasingly stringentregulations. Firms operating in regulatedindustries are obliged to updatepromptly the KYC profiles of all existingcustomers in line with new requirements.Until this remediation is complete, firmsare exposed to regulatory risk as their

records reflect outdated or incompleteinformation – although experience showsthat the time and effort absorbed bylarge-scale manual projects can bringcompliance operations to a grinding halt.For a time, and in a bid to simplify theremediation challenge, rather than spendthe time and money needed forpenetrating KYC across their customerbook, financial institutions chose to de-risk entire industry sectors consideredhigh-risk by wholesale termination ofrelationships. Regulators sought tocurtail this trend, which had aparticularly severe impact on the FinTechsector where it threatened to stifle theinnovation so promising to banks lookingto improve processes and driveefficiency.

The daunting task of remediation is

simplified and its costs dramaticallyreduced when RPA is applied to KYCprocesses as hundreds or thousands ofexisting customers can be checkedagainst the requirements of the newregulation as a single task.

summary – benefitsThe Fourth Industrial Revolution hascreated the conditions for automation ofmuch of the work of KYC. Roboticprocess automation and AI reduce costsand improves productivity of activitiesinvolving rote repetition and adherenceto rules while freeing human experts toapply their experience and judgment toaccelerate customer onboarding whileprotecting firms against the risk of beingused by criminals intent on moneylaundering. n

Wayne Johnson is the CEO and co-founder of encompass, a

creator of know your customer (‘KYC’) automation for major

financial and professional service firms globally.

www.encompasscorporation.com

Links and notes1 www.weforum.org/agenda/2016/01/the-fourth-

industrial-revolution-what-it-means-and-how-to-respond/

2 www.mckinsey.com/global-themes/digital-disruption/harnessing-automation-for-a-future-that-works

3 https://economics.mit.edu/files/11563

4 www.investopedia.com/terms/r/robotic-process-automation-rpa.asp

5 www.gov.uk/government/publications/fintech-blackett-review

6 www.mckinsey.com/business-functions/operations/our-insights/what-does-automation-mean-for-ga-and-the-back-office

figure 2: KYC process automated with encompass rpa


DATA PRIVACY

the mosaic of data protection lawsin the United States is filled withvarious pieces – from federal to

state laws and regulations – which blendtogether to create the whole that invokesprivacy protection in the United States.Although there is no overarching federaldata protection law like the EuropeanUnion’s General Data ProtectionRegulation (‘GDPR’), the requirementssurrounding data privacy andcybersecurity are well developed andindustry specific. The United States hassome of the strictest data breachnotification standards in the world andthese standards have been in place farlonger than most other countries.

underpinnings of us data privacy LawPrivacy protections in the United Stateshave existed since the beginnings of therepublic. The Constitution enshrinesprotections against unlawful intrusioninto our homes and personal papers inthe Fourth Amendment and otherlimitations on government intrusion intoindividual privacy in the First, Ninth,and Fourteenth Amendments.

‘The Right to Privacy,’ a 15 December1890 article in the Harvard Law Reviewauthored by attorney Samuel D. Warrenand future US Supreme Court Justice,Louis Brandeis, became the first implicitdeclaration of a right to privacy in theUnited States. Privacy protections werefirst given to mail and then as new formsof communication developed,protections were extended to thetelephone, the computer, and eventuallyemail.

Over time, data protection in theUnited States became an intricate mosaic,with laws and regulations issued by boththe federal government (at the nationallevel) and state governments (at the statelevel). Federal law generally preemptsstate law on the same subject, thoughthere are instances where the state law isnot subject to federal preemption. Somelaws apply to certain types ofinformation (e.g., financial or healthinformation) and others apply to use ofinformation (e.g., telemarketing orcommercial emails). At the national level,the Federal Trade Commission (‘FTC’),

an independent agency authorised toenforce against ‘unfair and deceptivetrade practices’ has been the leader indeveloping and enforcing privacyprotections. At the state level, stateattorneys general lead the way withenforcing privacy and cybersecuritystandards.

In addition, there are many privateindustry groups that issue self-regulatory guidelines and frameworks,which have often been used as anenforcement framework for state andfederal regulators. The National Instituteof Standards and Technology (‘NIST’)

issued its first ‘Framework for ImprovingCritical Infrastructure Cybersecurity’ in2014. The framework continues to beupdated and tailored to fit specificindustries, and version 1.1 of the NISTCybersecurity Framework was releasedin 2018. The NIST CybersecurityFramework is often used as a benchmarkfor reasonable cybersecurity controls inboth enforcement actions and litigationmatters.

the ftCThe Federal Trade Commission Act(‘FTCA’)1 is a broad consumer protectionlaw that prohibits unfair or deceptivepractices. The FTC has used this act tobring enforcement actions againstcompanies failing to comply with postedprivacy policies, unauthorised disclosureof personal data, and failure to enforcereasonable cybersecurity policies. TheFTC’s ability to enforce reasonablecybersecurity protections as an unfairtrade practice was recently limited by theUS Court of Appeals for the Eleventh

A guide to US data protectionA mosaic of industry-focused federal data protection measures makes the United States’ regimeamong the strictest in the world, writes Michelle Reed.

The United States has some

of the strictest data breach

notification standards in the

world and these standards

have been in place far longer

than most other countries.


DATA PRIVACY

Circuit, which held that the lack ofdefined regulations in a cease and desistorder did not provide companies withsufficient notice for compliance.2 Despitethis limitation, the FTC continues to bethe preeminent regulator of privacy anddata protection in the United States.

industry regulationsData protection regulation in the UnitedStates varies by industry. Industries thathave a higher risk profile due to extensiveuse of personal data or unique risk ofcritical industries are more likely to betargeted by regulations.

HealthcareAs one of the longest standing areas ofregulation, health privacy andcybersecurity is governed primarily bythe Health Insurance Portability andAccountability Act (‘HIPAA’).3 Healthcare providers, data processors,pharmacies, and other businessassociates are all subject to HIPAA, whichdefines specific standards for privacy(‘the HIPAA Privacy Rule’) and security(‘the HIPAA Security Rule’).4 The HIPAABreach Notification Rule5 requiresHIPAA covered entities and theirbusiness associates to providenotification following a breach ofunsecured protected health information.

Such notification must be madewithout unreasonable delay and in nocase later than 60 days following thediscovery of a breach and must include,to the extent possible, a brief descriptionof the breach, a description of the typesof information that were involved in thebreach, the steps affected individualsshould take to protect themselves frompotential harm, a brief description ofwhat the covered entity is doing toinvestigate the breach, mitigate the harm,and prevent further breaches, as well ascontact information for the covered entityor business associate. California’sConfidentiality of Medical InformationAct (‘CMIA’) provides stronger privacyprotections for medical information thanHIPAA.6

Financial servicesBanks, securities firms, insurancecompanies, and other financial servicesorganisations serve a key role in theeconomy and accordingly the privacyand cybersecurity protections mandatedunder both federal and state law areextensive. The Financial ServicesModernization Act, more commonlyknown as the Gramm-Leach-Bliley Act(‘GLB’)7 is the principal framework for

collection, use, and disclosure of financialinformation.

GLB prohibits disclosure of non-public personal information, which ismore broadly defined than personallyidentifiable information and includes (1)any information an individual providesto obtain a financial product or service(e.g., name, address, income, socialsecurity number, or other information onan application); (2) any information aboutan individual from a transactioninvolving a financial product or service(e.g., the fact that an individual is aconsumer or customer, account numbers,payment history, loan or depositbalances, and credit or debit cardpurchases); or (3) any information aboutan individual in connection withproviding a financial product or service(e.g., information from court records orfrom a consumer report).

Companies subject to GLB are alsorequired to provide notice of theirprivacy practices and an opportunity fordata subjects to opt out of having theirinformation shared with third parties.

Various other federal agencies havealso promulgated data protection rulessuch as the Safeguards Rule, DisposalRule, and the Red Flags Rule forprotecting and ensuring safe disposal offinancial data.

In an attempt to force more rigoroussecurity controls, the New York StateDepartment of Financial Services(‘NYDFS’) passed its own cybersecurityregulations to apply to financial servicescompanies that operate in New York,effective March 2017.8 The NYDFS rules

impose some of the most stringentsecurity requirements of any state law orregulation, including a 72-hour databreach notification requirement, andhave caused many financial servicescompanies to take a deeper look atcompliance.

Credit reporting agenciesIn the United States, credit reportingagencies collect extensive informationabout the creditworthiness of consumers.These credit scores and reports can havea significant impact on access to creditand housing. In response to concernsabout proper protections governing sucha powerful tool, Congress passed the FairCredit Reporting Act (‘FCRA’)9, lateramended by the Fair and Accurate CreditTransactions Act. FCRA regulatesconsumer reporting agencies, companieswho use consumer reports (e.g., alender), and companies that provideconsumer-reporting information (e.g., acredit card company).

Following the data breach of 148million consumers’ information atEquifax – one of the largest consumerreporting agencies – there has beensignificant discussion of furtherregulation of consumer reportingagencies, though none has been enactedto date.

Marketing and advertisingThe FTC has been the primary regulatorfor marketing and advertising,encouraging companies to implementfour fair information practices: (1) givingconsumers notice of a website'sinformation practices; (2) offeringconsumers choice as to how theirpersonally identifying information isused; (3) providing consumers withaccess to the information collected aboutthem; and (4) ensuring the security of theinformation collected.

The FTC implies these principles fromits unfair and deceptive trade practicesjurisdiction through the FTCA. Therehave also been significant discussions inCongress about imposing additionalregulations.

Even more stringent requirements areimposed by the Children’s OnlinePrivacy Protection Act (‘COPPA’),10

which is enforced by the FTC. COPPArequires websites to obtain verifiableparental consent before collecting, using,or disclosing personal information fromchildren, including their names, homeaddresses, email addresses, or hobbies.The industry has also introduced self-regulatory principles for behavioural

Industries that have a higher

risk profile due to extensive

use of personal data or

unique risk of critical

industries are more likely to

be targeted by regulations.


DATA PRIVACY

advertising. As a general rule, ‘opt out’consent is generally consideredacceptable in the United States, withsome exceptions for special types of dataand classes of individuals.

States have also begun to regulatelarge data brokers. In May 2018, Vermontpassed legislation to regulate databrokers, effective 1 January 2019. Databrokers will be required to register withthe Vermont attorney general and pay a$100 registration fee; provide annualdisclosures to the Vermont attorneygeneral concerning data privacy practicesand data breaches; and develop,implement, and maintain acomprehensive written informationsecurity programme that containsadministrative, technical, and physicalsafeguards.

EnergySecurity has been the primary focus ofthe energy industry, with extensiveregulation for utilities. Electric gridregulations apply to utility companiesunder the Critical InfrastructureProtection (‘CIP’) Standards, issued bythe North American Electric ReliabilityCorporation (‘NERC’) and approved bythe Federal Energy RegulatoryCommission. Oil and gas companieshave not been subject to the same degreeof scrutiny, even though theimplementing recommendations of the

9/11 Commission Act of 200711 authorisesthe Department of Homeland Security’sTransportation Safety Administration(‘TSA’) to issue pipeline securityregulations if the TSA determines thatdoing so is necessary.

Privacy has also been an increasedfocus as many energy companies developsmart grid technologies. The Smart GridData Privacy Voluntary Code of Conduct(‘VCC’) Initiative began in 2012,undertaken in partnership with theFederal Smart Grid Task Force (a multi-stakeholder effort involving utilities,regulatory bodies, consumer and privacyadvocates, technology providers, andassociations). The initiative developedthe DataGuard Energy Data PrivacyProgram that provides utilities and thirdparties with a framework for handling

and protecting customers’ data and away to communicate that commitment tocustomers.

RetailThe retail industry has been the source ofsignificant privacy and cybersecuritythreats – from the Target breach, whichcost the company over $250 million, tothe previously undisclosed Uber databreach of millions of customers’ data,which caused a public relations crisis.

Regulation of credit card data in theUnited States is governed by the PaymentCard Industry Data Security Standard(‘PCI DSS’). This set of security standardsis designed to ensure that all companiesthat accept, process, store or transmitcredit card information maintain a secureenvironment. The enforcementmechanism is contractual – retailers havecontracts with the major card brands thatimpose significant penalties fornoncompliance.

Retailers also face close scrutiny fromthe FTC, particularly with the advent ofthe Internet of Things, which has furtherimplications for data privacy. Otherfederal regulations, such as the VideoPrivacy Protection Act (‘VPPA’),12

provide further limitations on thewrongful disclosure of video tape rentalor sale records [or similar audio visualmaterials, to cover items such as videogames and the future DVD format] andhave resulted in significant privatelitigation.

Government contractsGovernment contractors face significantprivacy and cybersecurity requirementsunder the Federal Acquisition Regulation(‘FAR’) and Defense Federal AcquisitionRegulation Supplement (‘DFARS’) forclassified information, controlledunclassified information, and covereddefence information. Detailed NIST 800-171 standards are contractually requiredto be implemented into the contractors’security programmes, depending on theregulations to which the contractor is

subject. The Department of Defenserequires that contractors rapidly reportany breaches within 72 hours.

The Department of Defense and othergovernment agencies have alsoannounced that they will continue toscrutinise contractors’ supply chainsecurity plans and programmes fromproposal submission to contract closeout.The 2019 National Defense AuthorizationAct as approved by Congress and DHSinitiatives highlight the government’sincreased focus on supply chain andcybersecurity requirements.

Other state and federal regulationsThere are a host of non-industry-specificregulations governing privacy. TheControlling the Assault of No-SolicitedPornography and Marketing Act (‘CAN-SPAM Act’)13 and the TelephoneConsumer Protection Act14 were passedby Congress to curb unsolicited emailand telephone calls, providing strictlimitations on commercial emails andtelephone calls to consumers. TheElectronic Communications Privacy Act15

and the Consumer Fraud and Abuse Act16

make it illegal to intercept electroniccommunications and tamper withcomputers.

data breach notificationrequirements

All 50 states and three territories

have imposed laws that require

notification of data breaches

involving personally identifiable

information. The standards are

similar, but also inconsistent. In

general, they require notification

in a reasonable time period

(which varies by state) of any

breach of data that could lead to

identity theft. Some generally

define personally identifiable

information and others provide

other, specific combinations of

data that require notice. Many,

but not all, require notification of

the state attorney general and

some require notification of

specific law enforcement

agencies. Although legislation to

enact a federal standard that

would preempt state notification

laws has been proposed in

Congress, it has never passed,

despite the transactional costs to

companies of complying with 50

different standards.

Privacy has also been an

increased focus as many

energy companies develop

smart grid technologies.


DATA PRIVACY

The Securities & ExchangeCommission (‘SEC’) also issued rulesregarding privacy and cybersecurity forpublic companies, broker dealers, andinvestment funds regulated by theindustry. The SEC adopted Commission-level guidance on cybersecuritydisclosures in 2018 and brought its firsthigh-profile enforcement action andsettlement for non-disclosure againstAltaba, formerly known as Yahoo, for $35 million.

At the state level, certain states haveimposed more stringent data protectionstandards. For example, theMassachusetts ‘Standards for TheProtection of Personal Information ofResidents of the Commonwealth’17

includes strict requirements for datasecurity: encryption of personal data;retention and storage of both digital andphysical records; network securitycontrols (e.g., firewalls); risk-management policies and practices;employee training; adequatedocumentation of data breaches;adequate documentation of any policychanges; and ensuring that anyassociated third-party providers whohave access to the data maintain the samestandards.

government law enforcement and anti-terrorism effortsThe law continues to evolve on thegovernment’s access to private records.The Patriot Act is a United States statutethat amended numerous existing laws togrant federal law enforcement andintelligence officers increased powers toobtain and share records for counter-terrorism purposes. Specifically, thePatriot Act allowed the Federal Bureau of

Investigation (‘FBI’), including when it isacting on behalf of the NSA (NationalSecurity Agency), to petition a ForeignIntelligence Surveillance Court (‘FISACourt’) for an order to obtain anybusiness records. The Patriot Act wasextended through 1 June 2015, but partsof the Patriot Act expired on 1 June 2015.The USA Freedom Act on 2 June 2015then restored the expired parts andrenewed them through 2019. While thegovernment’s ability to obtain recordshas been largely circumscribed bysubsequent law, these powers remain apoint of contention both in the UnitedStates and internationally.

The Supreme Court provided greaterhope to privacy advocates in its decisionin Carpenter v. United States,18 thelandmark decision concerning theprivacy of historical cellphone locationrecords. The court held, in a 5-4 decisionauthored by Chief Justice Roberts, thatthe government violates the FourthAmendment to the United StatesConstitution by accessing historicalrecords containing the physical locationsof cellphones without a search warrant.

new developmentsThe closest analog to the GDPR in theUnited States is the recently passedCalifornia Consumer Protection Act. InJuly 2018, one of the largest states in theUnited States – California – passed a statelaw that requires businesses to tellcustomers about the personal data theycollect, give consumers more control overhow companies use and share theirpersonal information, and provideconsumers with a way to request datadeletion. This law will not be effectiveuntil January 2020, and many anticipatethat it will be amended before it goes intoeffect. The CCPA creates the followingrights and enforcement mechanisms:

l Right to know all data collected onthem, including what categories ofdata and why it is being acquired,before it is collected, and any changesto its collection

l Right to refuse the sale of theirinformation

l Right to request deletion of their datal Mandated right to opt in before the

sale of information of children under16

l Right to know the categories of thirdparties with whom their data isshared, as well as those from whomtheir data was acquired

l Enforcement by the attorney generalof the State of California

l Private right of action should breachoccur, to ensure companies keep theirinformation safe

As currently drafted, the statuteapplies to ‘any business that earns $25 million in revenue per year, sells50,000 consumer records per year, orderives 50 percent of its annual revenuefrom selling personal information.’ Thisincludes businesses that collect or sellpersonal information from consumers inCalifornia, regardless of where thecompany itself is located. Based on themost recent census bureau data, it isestimated that more than a half a millioncompanies in the United States will besubject to the CCPA. California has longbeen a leader in data privacy protectionsand the passage of the CCPA is viewedby many as a presage of things to comein other states.

Other states have issued recent dataprotection guidance as well, withColorado enacting Colorado House Bill1128 in May 2018, which strengthensconsumer protections by requiringformal information security policies aswell as increased oversight of thirdparties.

ConclusionAlthough the United States is oftencriticised for the lack of a single federallaw governing privacy and cybersecurity,the mosaic of laws governing differentindustries and uses of data providedetailed and strong protections. Whilenew laws such as the CCPA will likelydrive the United States to similarprotections as the GDPR, it will be a longtime before any overarching dataprotection laws are implemented at thenational level. n

Michelle Reed is a partner in the Dallas office of Akin Gump

Strauss Hauer & Feld LLP, and is a co-leader of the firm’s

cybersecurity, privacy, and data protection practice.

[email protected]

Links and notes1 15 USC. §§ 41-58

2 LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6,2018)

3 42 USC. § 1301

4 45 C.F.R. §§ 160, 164

5 45 C.F.R. §§ 164.400-414

6 Cal. Civ. Code §§ 56-56.37

7 15 USC. §§ 6801-6827

8 23 N.Y.C.R.R. 500

9 15 USC. § 1681

10 15 USC. §§ 6801-6827

11 6 USC. § 1207(f)

12 18 US Code § 2710

13 15 USC. §§ 7701-7713, 18 USC. § 1037

14 47 USC. § 227

15 18 USC. § 2510

16 18 USC. § 1030

17 201 C.M.R. § 17.00

18 No. 16-402, 585 US ____ (2018)


ANTI-CORRUPTION

on 24 August 2018, the SecondCircuit handed down its long-awaited decision in United States

v. Hoskins,1 addressing the question ofwhether a non-resident foreign nationalcan be held liable for violating the FCPAunder a conspiracy theory, where theforeign national is not an officer, director,employee, shareholder or agent of a USissuer or domestic concern and has notcommitted an act in furtherance of anFCPA violation while in the US. In aword, the court held that the answer is‘no’, concluding that the governmentmay not ‘expand the extraterritorialreach of the FCPA by recourse to theconspiracy and complicity statutes.’2 Thecourt added, however, that the sameforeign national could be liable as a co-conspirator if he acted as an agent of aprimary violator.

While the ruling is undoubtedly animportant curb on some potentialsources of liability for foreign entitiesand individuals, the availability of agentliability may limit the practical impact ofthe decision for many non-residentforeign nationals. Unfortunately, thedecision did not address the scope ofagent liability under the FCPA, leavingthat issue open. As a result, furtherdevelopment in this and subsequentcases – especially with respect to themeaning of ‘agency’ under the FCPA –will necessarily be required before thefull impact of the Hoskins ruling becomesclear. However, the decision is likelygood news for foreign companies thatenter into joint ventures with UScompanies and some other classes ofpotential defendants, as it may be harderfor the US government to charge themwith FCPA violations.

factual and procedural historyIn December 2014, the US Department ofJustice (‘DOJ’) reached a settlement withFrench conglomerate Alstom S.A. andseveral of its subsidiaries regardingimproper payments to secure a

$118 million power project in Indonesia.3

The DOJ also brought charges against anumber of individuals, includingLawrence Hoskins, a British nationalwho was an officer of a British subsidiaryof Alstom. All of the other individualssettled;4 Hoskins did not.

The FCPA prohibits corruptlyoffering, giving, promising to give, or

authorising the giving of anything ofvalue to any foreign official in order toassist in obtaining or retaining business.The statute specifically sets out threecategories of entities or persons to which

it applies: (1) Section ‘dd-1’ applies toissuers of securities in the US, as well astheir officers, directors, shareholders,employees and agents; (2) Section ‘dd-2’applies to ‘domestic concerns’ (i.e., US-based companies, citizens or residents),as well as their officers, directors,shareholders, employees and agents; and(3) Section ‘dd-3’ applies to any foreignentity or non-US person (as well as theirofficers, directors, shareholders,employees and agents) who takes stepsin furtherance of a corrupt payment‘while in the territory of the UnitedStates’.5

The third superseding indictmentfiled against Hoskins charged him witheight counts of violating the FCPA andfour counts of violating the anti-moneylaundering laws. Hoskins moved todismiss count one of the indictment,which alleged that he had conspired withAlstom US and others to violate bothSections dd-2 (domestic concerns) anddd-3 (foreign nationals operating within

Second Circuit Curbs FCPA application tosome foreign participants in bribery

In a recent case, the court decided that the US government could not ‘expand the extraterritorialreach of the FCPA by recourse to the conspiracy and complicity statutes’. Kara Brockmeyer, Colby A. Smith, Bruce E. Yannett, Philip Rohlik, Jil Simon and Anne M. Croslow consider the ruling and its possible impact for non-US persons.

The decision is likely good

news for foreign companies

that enter into joint ventures

with US companies and

some other classes of

potential defendants.


ANTI-CORRUPTION

the US) of the FCPA. Hoskins argued thathe could not be held liable for violatingthe FCPA under a conspiracy theorybecause he was a foreign national whodid not meet the definition of a domesticconcern and had not himself acted whilewithin the territory of the US

The US District Court for the Districtof Connecticut granted Hoskins’s motionto dismiss the portion of count one thatalleged conspiracy,6 holding that a non-resident foreign national cannot becharged with conspiracy to violate theFCPA unless the government could showthat the defendant (a) acted as an agentof a domestic concern (under Section dd-2) or (b) committed the acts in questionwhile physically present in the US (asSection dd-3 requires).7 The district court,however, allowed the government toproceed to trial with the opportunity toprove that Hoskins was primarily liableas an agent of the US subsidiary ofAlstom. After its motion forreconsideration was denied in March2016, the DOJ appealed to the SecondCircuit and oral argument was heard on2 March 2017.8

the second Circuit’s decisionThe issue presented to the Second Circuitwas whether the government could useconspiracy to charge a defendant withviolating the FCPA, even if he was not inthe category of persons directly coveredby the statute.9 In an opinion by JudgeRosemary Pooler, joined by Chief JudgeRobert Katzmann and Judge GerardLynch, the court affirmed in part andreversed in part the district court’sdecision.

The Second Circuit upheld the districtcourt’s dismissal of part of count one,holding the FCPA’s ‘carefully-drawnlimitations’ do not permit thegovernment to use conspiracy or aidingand abetting theories to charge a foreignnational who is neither an employee noran agent of a domestic concern and didnot himself act while within the territoryof the US.10 However, the Second Circuitalso held that the conspiracy count couldproceed because count one alleged thatHoskins was an ‘agent’ of the UScompany.

Judge Pooler’s 73-page opinioncarefully analysed the Supreme Court’s1932 decision in Gerbardi v. United States11

and the Second Circuit’s 1987 decision inUnited States v. Amen,12 both of whichaddressed statutes where Congressdistinguished between those who couldbe charged with a violation and thosewho could not.13 Based on those cases, the

Second Circuit concluded that‘conspiracy and complicity liability willnot lie when Congress demonstrates anaffirmative legislative policy to leavesome type of participant in a criminaltransaction unpunished.’14

The court then considered thelegislative history of the FCPA inevaluating whether Congress hadintended to limit liability to a clearlydefined group of potential defendants.The court evaluated the history of theoriginal statute and a series ofamendments in 1998 that added Sectiondd-3 and were designed to conform theFCPA with the requirements of theOrganisation for Economic Cooperationand Development’s (‘OECD’) anti-corruption convention.15 Based on thisanalysis, the court concluded that theFCPA evinces ‘an affirmativeCongressional intent to exclude’ from

liability persons other than thosespecifically referenced in the text of thestatute.

In his concurring opinion, JudgeLynch reinforced this conclusion bynoting that it has become commonlyaccepted since the Fifth Circuit’s ruling inUnited States v. Castle16 that the recipientsof bribe payments could not be chargedwith a violation of the FCPA, because‘Congress was concerned aboutintruding too far into foreignsovereignty.’17 Judge Lynch wrote thatthough it was evident that the bribe

recipient is a necessary participant in theviolation, and could easily be charged asa conspirator, Congress made clear thatthe FCPA should not reach that far. Hetook this as another reason to heed thespecific delineations in the statute.

The court also considered whether theSupreme Court’s recent pronouncementson the extraterritorial application of USlaws supported the same conclusion.

Analysing both Morrison v. Nat’l Bankof Australia, Ltd.18 and RJR Nabisco, Inc. v.European Cmty.,19 the court determinedthat ‘[b]ecause some provisions of theFCPA have extraterritorial application,“the presumption againstextraterritoriality operates to limit th[ose]provision[s] to [their] terms.’”20 As JudgeLynch noted in his concurring opinion,the FCPA did ‘not evince an effort by theUnited States to rule the world, but ratheran effort to enforce American law againstthose who deliberately seek toundermine it.’21 He added: ‘In adoptingthe FCPA, Congress sought to criminalizewrongful conduct by Americans andthose who in various ways work withAmericans, while avoiding unnecessaryimposition on the sovereignty of othercountries whose traditions may differfrom our own.’22

Importantly, the Second Circuit didnot take the opportunity to hold thatconspiracy theory can never be used inFCPA cases. In fact, the Court explicitlyheld that if Hoskins is ultimately shownto have acted as an agent of a domesticconcern, then he can be held liable undera conspiracy theory for the actions of hisco-conspirators (namely, the USsubsidiary and the other individuals whowere employees and agents).23 Nor didthe court discuss what evidence wouldbe required to prove that Hoskins – theUK employee of a UK sister company toAlstom US – actually acted as an agent ofthe US subsidiary, stating in a footnotethat they ‘express no views on the scopeof agency under the FCPA.’24

takeaways

Narrow practical impact for manyforeign nationalsWith Hoskins, the Second Circuit haslimited the FCPA’s extraterritorial reachsomewhat, but has left the door open forconspiracy claims against a non-residentforeign national as long as thegovernment also establishes that theforeign national is an agent of an issuer,domestic concern, or another foreignnational who acted in furtherance of a

The issue presented to the

Second Circuit was whether

the government could use

conspiracy to charge a

defendant with violating the

FCPA, even if he was not in

the category of persons

directly covered by the

statute.


ANTI-CORRUPTION

bribe payment in the territory of the US.The number of individuals who fall in thegroup affirmatively beyond the scope ofthe FCPA after Hoskins may end up beingrelatively small.

Increased focus on the scope of‘agency’Left unresolved by this decision iswhether Hoskins was, in fact, an agent ofAlstom’s US subsidiary. The contoursand scope of agency in the FCPA contextwill likely be the subject of significantlitigation going forward. And while thereare specific legal elements required for ashowing of agency, it is an intenselyfactual inquiry, which could make itmore difficult (but not impossible) topersuade a court to address the issue atthe motion to dismiss stage. It could besome time before clarity is provided bysubsequent rulings.

Potential implication for foreign jointventure partnersOne place where the Hoskins decisionmay have significant impact is on the USgovernment’s ability to reach the conductof foreign companies that enter into jointventures with US issuers or companies.Historically, DOJ charged the foreign JVpartners with conspiracy to violate theFCPA.25 However, the Second Circuit’sdecision in Hoskins would clearlypreclude this, and require thegovernment to prove that the foreignnational acted as an agent of a US issueror domestic concern. Given thecomplexity of international JV structures,it likely will be difficult for thegovernment to prove that a JV partner

acted as an agent of its US joint venturepartner rather than of the JV itself.

Moreover, given the uncertainty infederal law as to the meaning of ‘agency’and the fact-specific nature of thatdetermination, contracting parties wouldbe well advised to include contractualprovisions specifying their intent not toform an agency relationship. Althoughcourts will look at the effective rather

than the formal relationship between theparties, such contractual language isrelevant evidence for a factualdetermination.

What’s next for Hoskins?It remains to be seen whether thegovernment will petition for rehearing enbanc or even appeal the decision directlyto the Supreme Court. While the practicalimpact of this ruling may be limited, thegovernment may pursue review in aneffort to overturn this decision, whichessentially requires a showing of agencyin order to hold certain non-residentforeign nationals liable directly or as co-conspirators for alleged FCPA violations.If the government does not seek furtherappellate review, it will be interesting tosee whether and how it establishes thatHoskins was an agent of the USsubsidiary. n

1 No. 16-1010-cr, 2018 WL 4038192 (2d Cir. 24 August2018).

2. Slip Op. at 70

3. See ‘The Year 2015 in Anti-Bribery Enforcement: AreCompanies in the Eye of an Enforcement Storm,’ FCPAUpdate, Vol. 7, No. 6 at 22 (January 2016). The DOJalleges that in his capacity overseeing the Alstom USunit’s hiring of consultants, Hoskins authorised paymentsto consultants in connection with a bribery scheme tosecure a $118 million construction project for Indonesia’sstate-owned electricity company for an Alstom USsubsidiary. Hoskins is alleged to have authorised thesepayments to Indonesian government officials retained bythe company as consultants for the purpose of payingbribes to the Indonesian government.

4. See United States v. Frederic Pierucci, Document No. 46,Plea Agreement, Case No. 3:12-cr-238(JBA) (filed July 29,2013), https://www.justice.gov/ criminal-fraud/case/united-states-v-frederic-pierucci-court-docket-number-12-cr-238-jba; United States v. William

Pomponi, Document No. 138, Plea Agreement, Case No.3:12-cr-00238(JBA) (filed July 17, 2013),https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2014/07/23/ pomponi-plea-agreement.pdf;United States v. David Rothschild, Document No. 8, PleaAgreement, Case No. 3:12-cr-00223(WWE) (filed Nov. 2,2012),https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2013/04/22/rothschild-guilty-plea.pdf.

5. 15 U.S.C. §§ 78dd-1, 78dd-2, 78d-3.

6. See FCPA Update, January 2016, supra n.3 at 25-26.

7. United States v. Hoskins, No. 3:12-cr-238-JBA, 2016 WL1069645 (D. Conn. March 16, 2016).

8. United States v. Pierucci (Hoskins), Case 16-1010, Noticeof Hearing Date (2d Cir. Jan. 13, 2017).

9. Slip Op. at 4 n.1. The Court assumed, for purposes of itsanalysis of conspiracy liability, that Hoskins was not an

agent of Alstom U.S.

10.Slip Op. at 2.

11. 287 U.S. 112 (1932).

12. 831 F.2d 373 (2d Cir. 1987).

13.In Gerbardi, the ruling was that the woman who hadbeen transported across state lines – whether voluntarilyor not – could not be a co-conspirator to violate theMann Act’s prohibition against transporting womenacross state lines for certain purposes, and in Amen theruling was that a so-called ‘kingpin’ statute that wasdesigned to mete out additional punishment to the headof a criminal enterprise could not become the basis for aconspiracy charge against underlings in the criminalenterprise. See I Slip Op. at 22-28.

14.Slip Op. 28.

15.Id. at 41-65.

16.925 F.2d 831 (5th Cir. 1991).

17.Con. Op. at 9.

18.Slip Op. at 66-69.

19. 136 S. Ct. 2090 (2016).

20.Quoting both RJR Nabisco, 136 S. Ct. at 2102, andMorrison, 561 U.S. at 265.

21.Con. Op. at 15.

22.Id. at 11.

23.Slip Op. at 71.

24.Id. at 4 n.1.

25.See, e.g., United States v. JGC Corp., Document No. 4,Deferred Prosecution Agreement at ¶ 1, Case No. 4:11-cr-00260 (S.D. Tex. Filed April 6, 2011) (acknowledgingcharge of conspiracy with domestic concern to violatethe FCPA), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2011/04/27/04-6-11jgc-corp-dpa.pdf.

Links and notes

Kara Brockmeyer and Colby A. Smith are partners and Jil Simon and

Anne M. Croslow are associates in the Washington, D.C. office of Debevoise &

Plimpton. Bruce E. Yannett is a partner in the firm’s New York office and Philip

Rohlik is a counsel in the Shanghai office.

[email protected],

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

trade security Journal welcomes yourcontributions and comment.

Contact the editor [email protected]


NATIONAL SECURITY

the concept of offset, as understoodin the defence sector, primarilyaims to provide additional benefits

to the buyer of a product from a foreignsupplier. It can take various forms – fromhelping domestic industries withadditional works contracts, totransferring complicated technology tothe domestic industry. Since defenceprocurements involve a substantialamount of public money, it can be arguedthat the discharge of offset obligationshelps ensure that at least some of this isploughed back into the local economy.Historically most developing countrieshave always had some provisions ofoffset in the procurement process. In theIndian context, the issues surroundingoffset are complicated – and there aredifferent implications for players,depending on where they are in the valuechain.

India is the world’s greatest importerof defence goods – so the potential valueof offset is significant. If implementedcorrectly, the defence policy pertaining tooffsets can effectively change theindigenous defence industry and providea much-needed boost to the R&D sector,although this needs to be fitted into thecontext of domestic industry and itscapacity and capability to absorb suchbenefits. The current gap between thetechnology and infrastructure of thedomestic players compared to that of theforeign original equipmentmanufacturers (‘OEMs’) is quite stark.And as things stand, the massivepotential benefits from offset obligationsare mostly unrealised – in part becausedomestic industry, its infrastructure andcapacity, is mired in inefficiencies, theimpact of which is exaggerated by a lackof a vibrant and massive ecosystem ofprivate players around the defence sector.For a long time now, the sector has beendominated by the defence public sectorundertakings (‘DPSUs’).

Challenges in the offset regimeThe offset policy of India has beenshrouded in fog and riddled withregulatory and compliance issues since itsintroduction more than ten years ago.There are many operational challenges

that foreign OEMs face in the dischargeof their offset obligations – so much sothat foreign OEMs have reportedly paidpenalties worth US $2.4m in just twoprogrammes1 which effectively impliesthat the total offsets not discharged areover US $50m in only these twoprogrammes (given the maximumpenalty on offsets can only be 5%). Thisindicates the quantum of loss ofopportunity for the Indian defenceindustry to learn from foreign OEMs andreflects the failure of India’s policies to

achieve the country’s goals of substantiveself-reliance.

From our interactions with industrystakeholders, we find that a trendemerges:

l Foreign OEMs are very keen to supplydefence goods to the Indiangovernment, but the problem of beingstuck with an offset obligation whichthey are unsure how to discharge

prevents them from entering themarket in the quantum as they wouldhope.

l Legal bureaucracy and red tape havecaused these foreign OEMs to bebound by these obligations for a longperiod of time. This serves as a greathindrance to doing business.

l Additionally, the responsibility ofdischarging the offset obligations fallssolely on the foreign OEMs and not onthe Indian offset partner (‘IOP’) thatthey choose2. Failure to comply withany provisions, even by the IOP, is theresponsibility of the foreign OEMs,which may be penalised for the same.

The purpose of this article is to exploreIndia’s offset policy and to evaluate itseffectiveness.

india’s offset policy – historicalevolution and present formThe policy on offsets was first introducedas part of Defence ProcurementProcedure in 20053 (‘DPP 2005’) and overthe years it has been tweaked4 toincorporate various demands andchanges in the economy. For example:

l At the pre-contract stage, an option hasbeen given to vendors to submit

Understanding India’s offset policy India, the world’s largest importer of arms, would like to be self-sufficient in defence production.But to realise that ambition, the country needs greater investment and technology from abroad.Karishma Maniar explains new government offsets policies aiming to attract foreign involvement.

India is the world’s greatest

importer of defence goods –

so the potential value of

offset is significant.


NATIONAL SECURITY

detailed offset proposals at a laterstage. The vendor can finalise its IOPsand offset product details one yearprior to the intended offset dischargeor can even undertake the offsetactivity and submit claims thereafter.This will facilitate vendors finalising amore realistic offset offer.

l The threshold for the applicability ofoffsets has been increased from theearlier Rs 300 Crore to Rs 2,000 Crore[a crore or koti denotes ten million],meaning that only those foreign OEMswhich win contracts worth over Rs2,000 Crore will have to plough back atleast 30% of the contract value intoIndian enterprises as offsets. Dealswith contract values of less than Rs2,000 Crore will be exempt from theoffsets obligation.

l There has been an extension of theoffset policy from Buy (Global)purchases to Buy & Make purchases— also extending it to Indian firms ortheir JVs if their indigenous content isless than the offset value of the contract(typically 30%).

l Value addition norms are being clearlydefined to avoid any manipulation ofthe quantum of offsets beingdischarged.

l Penalty provisions have beenelucidated to ensure the onus of offsetdischarge is clearly put on the foreignOEMs and their tier-1 vendors.

l Foreign investment in projects of up to49% is now permitted automatically –up to 100% with governmentapproval.

In the Defence Procurement Procedureof 2016,5 the government laid down thevarious ways in which foreign OEMs candischarge their offset obligations thus:

1. Direct purchase of or execution ofexport orders for the eligible productsand services by Indian enterprises;

2. Foreign direct investment (‘FDI’) injoint ventures with Indian enterprises;

3. Investment in ‘kind’ in terms oftransfer of technology for eligiblegoods and services;

4. Investment in ‘kind’ in Indianenterprises in terms of provision ofequipment through the non-equityroute for the manufacture and/ormaintenance of eligible products andprovision of eligible services(excluding transfer of technology, civilinfrastructure and second-handequipment).

5. Provision of equipment and/ortransfer of technology to government

institutions and establishmentsengaged in the manufacture and/ormaintenance of eligible products andprovision of eligible services,including the Defence Research andDevelopment Organisation (as distinctfrom Indian enterprises)

6. Technology acquisition by the DefenceResearch and DevelopmentOrganisation in areas of hightechnology

Critical study of india’s offset policy

Technology transferThe main objective of India’s offset policyis to make the defence sector self-sufficient and not dependent on imports.The greatest problem Indian industryfaces to realising this dream is lack ofaccess to modern technology.

In order to manufacture indigenously,these enterprises must have the capabilityto manufacture, operate and test such

technologies so that they can producedefence equipment that is not outdatedand is capable of rivalling that of otherdeveloped countries. However, due to

lack of know-how, hardly any indigenouscompanies are able to effectively applythem to their own manufacturing process,as a result of which foreign OEMs areunable to find the right partners fortechnology transfer by which they candischarge their offset obligations in a cost-effective manner.

Thus, even though a few largeindigenous companies do possess thewherewithal to absorb technologies, dueto competitive bidding and pricebenchmarking, foreign OEMs prefermicro, small and medium enterprises(‘MSMEs’) to ensure the overall cost ofoffset discharge is minimal.

MSME sector – a critical stakeholderTo help discharge their offset obligations,MSMEs serve as a great potential IOP.According to industry experts,6 there hasbeen an increase in competition in thedomestic and export markets which hasresulted in such MSMEs adopting andimplementing the latest technologyavailable to them.

While these MSMEs are unable toabsorb the technology on a large scale dueto a lack of sufficient funds for research,design and development, andinfrastructure, they are characterised bytheir flexibility, diversity and low-costinput which makes them highlycompetitive in the defence market forforeign OEMs. Further, the constantavailability of knowledge and innovation,coupled with globalisation andnetworking, has reduced the gap that

The main objective of India’s

offset policy is to make the

defence sector self-sufficient

and not dependent on

imports.

offsets: a word of caution ‘Offset’ arrangements are generally understood as agreements by which

exporters/vendors of defence articles agree, when entering into procurement

contracts with government buyers, to undertake further investments or

undertakings as a condition of the main contract. The avowed intention of the offset

is generally that the procuring country obtains additional benefits in returned for its

sizeable purchase -- such as the creation of employment opportunities and/or

access to technology.

Direct offsets are understood as projects which have some connection with the

main contract; indirect offsets can be wholly unrelated. They can for example, help

finance the infrastructural or knowledge needs required to realise the opportunities

of the main purchase.

But by the very nature of offsets – which are sometimes opaque and complex –

they have frequently been linked to graft (for example, bribing individuals to win

defence contracts) and lawyers typically advise investors to undertake appropriate

due diligence prior to entering into such arrangements.

A Transparency International UK report from 2012 noted:

‘Offset transactions carry potentially high risks of corruption, not only due to the

high level of secrecy within the defence procurement as a whole, but because they

usually lack the scrutiny and monitoring of the corresponding acquisition contract.

Additionally, most offset transactions have few, if any, transparency and public

accountability requirements.’

That said, a well-articulated and transparent offset policy can create genuine

advantages for the procuring nation.


NATIONAL SECURITY

used to exist between the large companiesand these MSMEs. By partnering withsuch enterprises, a foreign OEM not onlygets an enthusiastic partner but will alsobe able to take advantage of the reducedprice of such contracts, which is highlycritical for discharge of offset obligations.However, risk of survival and qualityassurance can be an issue and thus thereis a tug of war in choosing large industryplayers or MSMEs as IOPs.

FDI limitsThe government has relaxed the FDIlimits for the defence sector by allowingforeign investment up to 49% under theautomatic route and foreign investmentbeyond 49% and up to 100% throughgovernment approval, wherever it islikely to result in access to moderntechnology or for other reasons to berecorded.7

The government also did away withthe clause that only ‘state-of-the-art’technology would be considered forstakes of more than 49%, thereby givingthe government more power to decide oninvestment proposals by foreign entities.8

Foreign OEMs were encouraged toenter the Indian market where they werepreviously discouraged – withgovernment approval, they would finallybe able to hold a majority stake in anyIndian company and not have to dependon an IOP whose decisions were bindingon them.

However, all of this does not appear tohave enticed foreign investors. In July2018, Minister of State for Defence, MrSubhash Bhamre informed the Lok Sabha(India’s parliament) that while 41 FDIproposals/joint ventures had beenapproved for manufacturing defenceequipment both in public and privatesectors, the total FDI received in thedefence industry sector from April 2000 toMarch 2018 was just US$ 5.13m or aboutRs 35 crores.

The government has also toutedincreasing the FDI limit to 74% in nichetechnology areas in the Draft DefenceProduction Policy of 2018,9 which wouldallow foreign OEMs to hold a majority inany Indian companies or joint ventures inthe defence sector. However, the proposalhas faced a huge backlash from Indianindustry.

Rigid contractual termsCurrently, the offset structure is veryrigid. As per our discussions withindustry officials, once a foreign OEMfinds an IOP, they can only change thatpartner with the approval of the Secretary

of Defence Production. Any change to anoffset contract or partner takes roughlyone-and-a-half to two years to beimplemented.

Further, a contract amendment cantake an additional one or two years to beapproved. As a result, any decision maderegarding a firm’s offset partner iseffectively final.

Many firms prepare to discharge theiroffsets only to find that their offset partnerdoes not have the capability to absorb thetechnology they are providing at areasonable cost.

All these factors serve to discourageforeign OEMs from entering India.

draft amendments to the offsetpolicy: ‘out-of-the-box’ thinking bythe government of indiaThe government has provided fornumerous ways in which foreign OEMscan discharge their offset obligations, andhave also gone one step further to providemultipliers for such discharge, meaningthat foreign OEMs will be able to incur amuch lesser amount as offsets than acontract might stipulate.

In May 2018, the government

introduced a draft amendment to its offsetguidelines which provides furtheradditional ways in which foreign OEMscan discharge their obligations and ateven higher multipliers. This amendmentalso provides for ‘defence industrycorridors’, which will enable the setting

up of defence production facilities, as wellas SEBI (Securities and Exchange Board ofIndia)-regulated funds which can be usedfor the discharge of offset obligations at ahigh multiplier.

Equity investments in defencecompaniesThe policy proposes to open up anyinvestment in equity in the defence sector

Many firms prepare to

discharge their offsets only to

find that their offset partner

does not have the capability

to absorb the technology

they are providing at a

reasonable cost.

Comparison with other countries Other countries, including Saudi Arabia, Japan, Brazil and Israel, have already

started reaping the benefits of their respective offset policies and have moved ahead

of India in leaps and bounds.10 The reason for the progress of these countries

requires analysis of their offset policies. Some, such as Saudi Arabia, have

recognised that they must not only be able to use the technology but also carry it

forward before it becomes obsolete. For this reason, their offset programme has

progressively stressed the transfer of medium, commercial exploitable technology,

rather than ‘high’ technology, promoting the growth of commercial and dual-use

products with wider markets.

Israel has spent large sums promoting research and development (roughly 3% of

its GDP) which is at par with the most advanced economies of the world. This,

coupled with a highly skilled workforce, has helped Israel to advance its defence

sector. Its offset arrangements have resulted in additional investment, new jobs and

technology transfer, which the Israeli economy was in a very good position to

absorb.

Japan obtained its technology via technology transfer from western countries and

subsequently overtook them by constantly striving for self-sufficiency and

undertaking licensed production of high-tech military equipment to build up a

sizeable military industrial complex of its own. By observing these countries’ success

with their offset policy, a number of lessons can be learned. Indian companies must

look to not just acquire modern technology but to develop a way of retaining and

advancing such technology themselves.

Further, the amount spent on R&D needs to be increased so that India can be in

touch with other developed countries and not just rely on transferred technology.

Without any R&D of its own, the defence sector will constantly remain outdated no

matter how much technology it receives. Additionally, it must be noted that India

ranks very poorly on the Ease of Doing Business and Corruption Perception Index of

the world11 which makes it an unattractive destination for investment (despite

projections that it would have the second-highest offsets in the world from 2016-

2021, only behind Saudi Arabia).

Steps must be taken to ensure complete transparency in operations involving

offsets as well as a more convenient way in which foreign OEMs can carry out their

business.


NATIONAL SECURITY

by a foreign OEM as an avenue for thedischarge of offset obligations. Whileentering into joint ventures has been oneof the favourite ways for foreign OEMs toinvest in technology transfer and creationof capacity in the country, a recent datapoint quoted by the Minister of State forDefence noted that since 2000, only US$5.13m worth of FDI has been receivedunder 41 proposals for FDI/JVs that areapproved.12 This clearly reflects thepreference foreign OEMs have to formJVs, but the actual investment under theJVs is paltry, implying no technologytransfer or capability creation. Theopportunity to take an equity investmentas a way to discharge offsets should act asan added incentive to increase the actualinflow of FDI, provided other operationalrequirements can be ironed out. If thegovernment proposal of increasing theFDI limits for defence to 74% is indeedapproved, this will be the most attractiveavenue for discharge of offsets in a long-term perspective.

Defence corridorThis amendment is still pending final

approval but it shows the intention (somesay ‘desperation’) of the government toencourage investment by foreign OEMsinto India by effectively reducing theiroffset obligation or giving them a lenientopportunity to discharge their offsetobligations. Also, as per the Draft DefenceProduction Policy of 2018, defenceindustry corridors will be set up incollaboration with states to provide state-of-the-art infrastructure and facilities forsetting up defence production facilities.These defence corridors will enjoy ahigher multiplier as compared to otherareas with regard to the discharge ofoffsets.

Introduction of defence fundsThe government has introduced SEBI-regulated funds for defence, aerospaceand internal security. By investing in suchfunds, a firm’s offset obligation not onlyends there but is also considerablyreduced, thanks to the proposedmultiplier of 3. Further, discharge ofoffsets through such a route means thatthe foreign OEM does not have to carryout a meticulous search for an IOP. SuchSEBI-regulated funds, which are expectedto be run by industry professionals andveterans, are to be used to encourage thedevelopment of technology through R&Dalong with giving impetus to the defencesector of India. It is observed that usuallyoffset obligations have only been writtenoff and have not been fulfilled asexpected.

With the introduction of such a fund,the government can keep proper tabs onthe amount of money the foreign OEMhas invested in India and there iscomplete transparency in operations.

In addition to providing a multiplier of3 on investment, these funds are a muchmore convenient and practical way ofdischarging offsets and serve as the wayforward in the defence industry, at leastin the short term. The Indian governmentis already facing flak from some industrysections for effectively reducing offsetobligations of foreign OEMs throughthese means. Whether or not these ‘out-of-the-box’ ideas will be implemented ornot, is yet to be seen.

ConclusionThe sheer volume of defence imports byIndia provides the country with a hugekitty of offset which has enormouspotential to be used for the developmentof the defence sector in India. However,due to certain historical and structuralissues, the domestic industry is notalways in a position to properly utilisethe opportunities. Indian OEMs areincapable of manufacturing the requisitequality and quantity of defence goodsthat are being demanded. They lack therequisite know-how and are unable toabsorb the technology that is transferredto them in the most cost-effectivemanner. In such an environment, foreignOEMs are relied upon more than ever tonot only meet the country’s defencerequirements but to also assist theindigenous sector so that India can bemore self-sufficient.

At the same time, legal and regulatoryrequirements have caused a chillingeffect for foreign players, especiallynewcomers, looking to operate in India.While expert advice can mitigate muchof the risk, foreign OEMs also requiresupport and assurance from thegovernment policies.

In this respect, the amendmentproposed by the government of India in2018 should go a long way. Theamendment proposes major game-changing ideas and concepts. Theeffective use of multipliers to incentivisethe defence corridors would benefitwhile the concept of a defence fund todischarge offset obligations wouldmitigate some of the risks that come withdealing with a domestic player directly.

While some sections of the industryare opposing these ideas (and in the longterm, rightfully so), in the short-term,India needs immediate access totechnologies, funds and professionals todeploy these funds in the right mannerto help become a self-sustaining militarypower house.

All of these objectives can be met withthis proposed amendment to offsetpolicy, without prejudice to India’srights to revisit its policies in the comingtimes. n

Karishma Maniar is an associate director in the Mumbai office of

Economic Laws Practice (ELP) where she advises on defence and

aerospace matters.

[email protected]

1 http://pib.nic.in/newsite/PrintRelease.aspx?relid=144966

2 Foreign OEMs do have a contractual protection in lawto ensure the Indian offset partner delivers; however,it’s their reputation and overall contract (which ismuch bigger) that is on the line. Offset policy puts nocap on penalties if the offsets are not discharged inthe main contract of the MoD with the foreign OEM sothe stakes are much higher for the foreign OEM thanfor Indian offset partners.

3 Available at:http://cdarndhyd.gov.in/manuals/DPP2005CA.pdf

4 Indian Defence Review of Offset Policy. Available at:http://www.indiandefencereview.com/news/the-offset-policy-a-decade-in-retrospect/

5 Defence Procurement Procedure 2016. Available at:https://mod.gov.in/sites/default/files/dppm.pdf_0.pdf

6 Enhancing Role of SMEs in Indian Defence Industry,available at:http://www.cii.in/webcms/Upload/Enhancing%20role%20of%20SMEs%20in%20Indian%20defence%20industry1.pdf

7 Press Note on FDI in Defence Sector, available at:http://pib.nic.in/newsite/PrintRelease.aspx?relid=160287

8 Economic Times article, available at:https://economictimes.indiatimes.com/news/defence/no-change-in-defence-fdi-limits-but-state-of-art-technology-not-needed-for-investments-over-49/articleshow/52843171.cms

9 Draft Defence Production Policy 2018 -https://ddpmod.gov.in/sites/default/files/Draft%20Defence%20Production%20Policy%202018%20-%20for%20website.pdf

10 Successful Offset Experiences Worldwide, available athttps://idsa.in/jds/3_1_2009_ASurveyofSuccessfulOffsetExperiencesWorldwide_AMitra

11 OECD Global Anti-Corruption and Integrity Forumreport, available at:https://www.oecd.org/cleangovbiz/Integrity-Forum-2017-Beraldi-Broecker-offsets-public-procurement.pdf

12 https://economictimes.indiatimes.com/news/defence/total-fdi-in-the-defence-sector-from-2000-18-is-rs-35-crore/articleshow/65038196.cms and FDI in Defence, available at:https://idsa.in/idsacomments/making_fdi_count_in_defence_lkbehera_220616

Links and notes


NATIONAL SECURITY

in August of this year, the Germangovernment issued an authorisationto prohibit the acquisition of a

Germany target (Leifeld) by a non-European investor (China’s YantaiTaihai). This is not only a first in thehistory of German investment control butalso represents a milestone in an ongoingpolicy shift towards tighter control offoreign investments in Germany.

significance of the decisionJust over a year ago, the Germangovernment passed amendments thatwould expand the scope of application ofthe German Trade and PaymentsOrdinance (Außenwirtschaftsverordnung,‘AWV’), resulting in an increase inexaminations conducted by the GermanFederal Ministry for Economic Affairsand Energy (Bundeswirtschafts -ministerium, ‘BMWi’) of 30% between2016 and 2017 alone. The Leifeld case is anew peak in a development that hasgained momentum after the certificate ofnon-objection was revoked in the Aixtroncase, and the German government’sactive intervention to prevent theintended acquisition of a minority stakein 50Hertz, which due to its not meetingthe current threshold for control couldnot be reviewed. However, thegovernment has never before authorisedthe BMWi to block an acquisition attemptby a non-European buyer.

Background to the caseThe acquirer, Yantai Taihai is a privateundertaking based in China that soughtto take over Leifeld Metal Spinning, amedium-sized company withapproximately 200 employees based innorth-western Germany. Leifeld isamong the leading manufacturers ofmechanical engineering products for theautomotive and aviation industries,whose products may also find use in thenuclear industry. In response to Yantai

Taihai’s request for a certificate of non-objection, the BMWi initiated across-sectoral investigation. An in-depthexamination of the transaction laterensued, the result of fears that sensitive

know-how be transferred to China andtechnology be used for militarypurposes.

Moreover, the BMWi disregardedstatements from Leifeld’s managementaffirming that it had no experience in thenon-civil, i.e., military, nuclear industry.Indeed, Leifeld’s business does notdiscernibly fall into one of the categoriesdefined by section 55 para 1 sent. 2 AWV,which could prima facie pose a risk topublic order or safety.

The government’s decision to blockthe takeover attempt is all the moresignificant as the acquirer hadwithdrawn its application for acertificate of non-objection evenbefore the BMWi formallydecided on the case.

greater scrutiny on thehorizonSaid authorisation decision isbased on the AWV, pursuant towhich any acquisition of Germantargets by non-Europeaninvestors may be prohibited ifthe acquisition jeopardises the‘public order or security’ of theFederal Republic of Germany.Whilst this is the case for allindustries, targets operating in

so-called critical infrastructures aresubject to particular scrutiny.

Against the background of theongoing developments in this field, andthe recent Leifeld decision in particular,it is not surprising that Germany’sFederal Minister of Economic Affairs andEnergy, Mr Peter Altmaier, is said to beconsidering lowering the currentthreshold for review from 25% to a mere15% of the voting rights where sensitivebusiness areas are concerned – whichexplicitly includes defence-relatedbusinesses, critical infrastructures, andcivil security-related technologies. This ismeant to account for low attendance ratesat general meetings, which couldeffectively turn a minority stake into defacto decisive influence. Rumour ingovernment circles has it that even athreshold of as low as 10% of the votingrights is being discussed. Whether thiswill materialise remains to be seen. Whatis already clear at this stage, though, isthat such changes will result in an evengreater number of notifications.

This is besides potentially longerreview periods. As of now, the BMWimay grant a certificate of non-objection insimple cases within a period of just twomonths. Should an in-depth examination

Tightening the screws on FDIs: The Leifeldcase and projected developments inforeign direct investments in GermanyThe decision of the German government to issue an authorisation blocking the purchase of amechanical engineering company by a Chinese bidder is a milestone in a policy shift towards tightercontrol of foreign investments in Germany, writes Dr. Dimitri Slobodenjuk.

In practice, the new

regulations will most likely

lead to a significant increase

in the number of

notifications and have far-

reaching ramifications.


NATIONAL SECURITY

ensue, the period will be extended byanother four months. In future, the reviewperiod shall automatically be prolongedby another three months if the BMWiseeks the government's authorisation toissue a prohibition decision. In such acase, the whole procedure could take upto nine months, and the transactionwould factually be on hold.

Due to its nature as an ordinance, anychanges to the AWV do not requireparliamentary consent and may hence beintroduced relatively quickly. It istherefore not unlikely that the respectivechanges could enter into force as early asautumn of this year.

meaning for foreign investorsIn practice, the new regulations will mostlikely lead to a significant increase in thenumber of notifications and have far-reaching ramifications.

Firstly, in light of a larger workload onthe part of the relevant authorities, reviewperiods will tend to be longer, whichshould be accounted for at an early stageof the acquisition process and better bereflected in corresponding SPAprovisions.

Secondly, a bidder’s offer may be putin an unfavourable light if it is subject tosuch investment control. Non-EUbidders will hence have to make theiroffers sufficiently attractive tocompensate for the administrativeburden accepting their offer wouldnecessarily entail.

Thirdly, experience shows that theauthorities now have a tendency torequire certain remedies in the form ofpublic law contracts as a prerequisite fora clearance decision. Against thisbackground, acquirers ought toanticipate the German government’sdemands and be prepared to offerreasonable remedies.

Finally, the review process and theultimate decision-making is also political

in nature. The decisions are neitherpublished nor open to judicial review.This uncertain variable should thereforebe borne in mind right from the start andbe reflected in the negotiations.

The proposed changes and the recentdecisions in particular are a function ofthe political forces at work. Theamendments discussed above are not yeteffective and given the dynamic natureof the process, it is all the more importantthat those looking to invest keep track ofthe developments and in any case moveinvestment control issues higher up theagenda. Be that as it may, clearerguidance on the part of the legislatorwould indeed help all parties involvedachieve greater certainty and manageexpectations. n

Chambers USA Chambers Global Legal 500 Best Lawyers

trade security? let’s talk.

CROWELL.COM/INTERNATIONAL-TRADE

Dr. Dimitri Slobodenjuk, LL.M., is a counsel in the Düsseldorf

Office of Clifford Chance Deutschland LLP. He is a qualified

attorney in Germany and advises a wide range of national and

international clients on all areas of European and German

antitrust law and foreign investment rules.

[email protected]

Trade Security Journal is published by D.C. Houghton Ltd.

© D.C. Houghton Ltd 2018. All rights reserved. Reproduction in whole or inpart of any text, photograph, or illustration without express written permission of the publisher is strictly prohibited.

ISSN 2514-2453. Refer to this issue as: Trade Security Journal [009]

D.C. Houghton Ltd is registered in England and Wales (registered number7490482) with its registered office at 20-22 Wenlock Road, London, UK

Information in Trade Security Journal is not to be considered legal advice.Opinions expressed within Trade Security Journal are not to be consideredofficial expressions of the publisher. The publisher assumes noresponsibility for errors and omissions appearing within. The publisherreserves the right to accept or reject all editorial and advertising matter.The publisher does not assume any liability for unsolicited manuscripts,photographs, or artwork.

*Single or multi-site: Do you have the correct subscription? A single-sitesubscription provides Trade Security Journal to employees of thesubscribing organisation within one geographic location or office. A multi-site subscription provides Trade Security Journal to employees of thesubscribing organisation within more than one geographic location oroffice. Please note: both subscription options provide multiple copies ofTrade Security Journal for employees of the subscriber organisation (in oneor more office as appropriate) but do not permit copying or distribution ofthe publication to non-employees of the subscribing organisation withoutthe permission of the publisher. For full subscription terms and conditions,visit http://www.tradesecurityjournal/terms-conditions

For further information or to change your subscription type, please contactMark Cusick - [email protected]

tsJ editorial BoardBarbara Linney, Miller & Chevalier, Washington, DC

[email protected]

Richard Tauwhare, Dechert, London

[email protected]

Roger Matthews, Dechert, London

[email protected]

Glen Kelley, Jacobson Burton Kelley PLLC, New York

[email protected]

tsJ Contact detailsGeneral enquiries, advertising enquiries, press releases,

subscriptions: [email protected]

Editor, Tom Blass: [email protected] tel +44 (0)7930405003

Publisher, Mark Cusick: [email protected] tel: +44 (0)7702289830

Contributing reporter: Katharine Freeland

Correspondence address:

D.C. Houghton Ltd, Suite 17271, 20-22 Wenlock Road, London N1 7GU, England

trade securityJournal