Compliance Is No Longer Just Local – It’s Now

Global!Michele Honomichl

October 8, 2015 – 9:00am

Michele HonomichlFounder, Executive Chairman & Chief Strategy OfficerCelergo Global Payroll

Speaker

EU Data Privacy Safe Harbor Office of Foreign Assets Control (OFAC) Foreign Corrupt Practices Act (FCPA) United Kingdom (UK) Bribery Act The Move to Automated Compliance (E-

Filing)

Agenda

Global Operations = High Exposure Payroll compliance is often treated as

just a local country problem; it is not Organizations need to gain control over

risk and compliance processes

The Global Compliance Challenge

#PAYCON

EU Data Privacy

European Union directive adopted in 1995 which regulates the processing of personal data within the European Union.

Personal data should not be processed at all, except when certain conditions are met.

EU Data Privacy: The Directive

Based on 7 Principles: ◦ Notice◦ Purpose◦ Consent◦ Security◦ Disclosure◦ Access◦ Accountability

EU Data Privacy Principles

Why is EU Data Privacy Critical to Global Compliance? It applies to anyone collecting data on EU

Citizens. Employers doing business in Europe need to

ensure they are compliant with the EU Directive.

EU Data Privacy: Global Compliance

How to Ensure EU Data Privacy Compliance? Follow the 7 Outlined Principles. Encryption is often agreed to be the best

data security measure available as it renders the data unintelligible to unauthorized parties in cases of data loss.

EU Data Privacy Compliance

Requires security policies Policies are tested regularly Compliance programs are reviewed every 2

years Explicit consent

EU Data Privacy Updates

What are the current penalties? $1M EUR or up to 2% of revenue

What are the proposed penalties Fines of up to €100 million or 5% annual

turnover

EU Data Privacy Penalties

#PAYCON

Safe Harbor

Safe Harbor is the name of a policy agreement established between the United States Department of Commerce and the European Union (E.U.) in November 2000 to regulate the way that U.S. companies export and handle the personal data (such as names and addresses) of European citizens. 

What is Safe Harbor?

Notice Choice Onward Transfer Access Security Data Integrity Enforcement

 What Are the Basic Requirements of Safe Harbor?

Eliminates the need for prior approval to begin data transfers or provides for automatic approvals

Flexible privacy regime Enforcement will be conducted in the United

States vs Europe

Benefits of Safe Harbor

Go to www.export.gov/safeharbor Read the requirements Create an account Complete the documentation Send a check for $200

How Do I Register For Safe Harbor?

Safe Harbor Website

Self-certify each year Comply with the 7 requirements Ensure data is secure and accurate Maintain a compliance program

How Do I Comply With Safe Harbor?

High Court of Ireland sent Schrems vs. Facebook to the Court of Justice Of the European Union (CJEC)

The CJEC ruled on Tuesday October 6th that Safe Harbor is not valid

Issue is that US Companies cannot comply with EU Data Privacy due to the nature of the NSA’s ability to access data on US soil

So What Happened?

EU Privacy Principles still Exist Each Country Can Now Determine Its Own Data

Privacy Requirements Non-European businesses may be opened up to

significantly more scrutiny from regulators within Europe.

Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country.

If the Safe Harbor rules in place since 2000 are done away with, each country in the European Union could potentially set is own privacy rules and regulations

What Happens Now?

Watch this space Review everywhere your company

potentially has Personal Data on EU citizens – HR Systems, Payroll, Accounting, Paper

Determine compliance regimes

What Do We Do Next?

Explicit Consent Data Hosting in the EU Encryption Model Contracts, Standard Contractual

Clauses and Binding Corporate Rules

Alternatives to Safe Harbor??

#PAYCON

The Office of Foreign Assets Control (OFAC)

Enforced by US Dept. of the Treasury Based on US foreign policy and national

security goals Specially Designated Nationals and Blocked

Persons list ("SDN List") includes:◦ Foreign countries and regimes, Terrorists…etc.

What is OFAC?

Why is OFAC Critical to Global Compliance? Need to ensure Global Personnel and

Foreign companies conducting business with are not on SDN List

Critical if carrying out payment transactions◦ Banks will run Beneficiaries through OFAC◦ Hit = Watch List

OFAC: Global Compliance

How to Ensure OFAC Compliance? Personnel Data is Required:

◦ Legal First and Last Name, DOB, City of Origin Run Personnel/Company against OFAC’s

SDN List In case “Hit” need to take due diligence

steps as outlined in Treasury Dept. site

OFAC Compliance Programs

OFAC Website

OFAC Search

Bridger Results

Take no action Request more information Issue Letter urging improved compliance Finding of Violation letter Impose civil penalty Making a criminal referral

OFAC Penalty Levels

What are the penalties? $1000 to $250,000 More if willfully involved

How do I reduce potential penalties? Prove compliance program Self report

OFAC Penalties

#PAYCON

Foreign Corrupt Practices Act (FCPA)

Foreign Corrupt Practices Act (1977) Prohibits payment of bribes to foreign officials to

assist in obtaining/retaining business Since 1998 extends to publicly traded companies

including foreign firms (directors, employees, stockholders…)

Securities and Exchange Commission (SEC) & Department of Justice (DOJ) responsible for enforcement

What is FCPA?

Why is the FCPA Critical to Global Compliance? Enforcement has shown increase in cross-

border collaboration Applies to any act by US businesses,

foreign corp. in the US, US nationals, citizens, and residents acting in furtherance of a foreign corrupt practice whether or not they are physically present in the US

Meaning of “foreign official” is broad

FCPA: Global Compliance

How to Ensure FCPA Compliance? Keep books/records that accurately reflect the

transactions Devise and maintain an adequate system of

internal accounting controls Ensure global personnel is aware of FCPA

regulations even if bribery is “commonly accepted” locally

Questions on conduct, use the Department of Justice’s Foreign Corrupt practices Act Opinion Procedure

FCPA Compliance

FCPA Website

What are the Penalties? In 2014, the DOJ and SEC resolved FCPA

cases with 10 companies for a whopping total of $1.56 Billion.

Siemens settled FCPA offenses with the DOJ and SEC in 2008 by paying $1.6 billion. The settlement is the biggest FCPA enforcement action.

FCPA Penalties

#PAYCON

United Kingdom (UK) Bribery Act

What is the UK Bribery Act? “The toughest anti-corruption legislation in

the world” 2010 Act criminalizes bribery, being

bribed, the bribery of foreign public officials, and the failure of a commercial organization to prevent bribery on its behalf

Serious Fraud Office (SFO)

UK Bribery Act

Why is the UK Bribery Act critical to Global Compliance? The Act has a near-universal jurisdiction,

allowing for the prosecution of an individual or company with links to the United Kingdom, regardless of where the crime occurred.

Failure of a commercial organization to prevent bribery is an offence

UK Bribery Act: Global Compliance

How to Ensure UK Bribery Act Compliance? Certify the identification of the Directors of

any company doing business with:◦ Certified copy of photo ID◦ Certified copy of proof of home address

Ensure global personnel is aware of UK Bribery regulations even if bribery is “commonly accepted” locally.

UK Bribery Act Compliance

What are the Penalties? A maximum of 10 years' imprisonment,

along with an unlimited fine, and the potential for the confiscation of property, as well as the disqualification of directors

UK Bribery Act Penalties

FCPA applies only to the corruption of foreign officials, the UK Bribery Act catches bribes offered or given to any person.

It is an offence under the UK Bribery Act to request, to agree to receive, or to accept a bribe. Whereas the FCPA only applies to persons giving or offering a bribe and not to those accepting one.

FCPA vs UK Bribery Act

#PAYCON

The Move to Automated Compliance (E-Filing)

Why? Local Governments are looking to

streamline Tax Reporting/Filing◦ Centralize & Standardize

Growing need for real time information Reduce red tape Reduce manual processes

The Move to Automated Compliance

United Kingdom – Real Time Information (RTI)

France -Déclaration Sociale Nominative (DSN)

Brazil – E Social Australia - SuperStream

Where is this happening?

Real Time Information Required by October 2013 Provide data directly to the HRMC after each

payroll run versus at the end of the year No longer will companies need to submit

P14, P35, P38A or P45s to the HRMC forms Companies will still need to submit P60's,

P9D, P11D forms

UK RTI

Déclaration Sociale Nominative DSN will replace and automate the manner in

which all Social Declarations are filed◦ a. Employee Hires: (Fixed term, must provide end date

of contract)b. Medical Leave: (Send within 3 days after leave to record for sickness, maternity, and paternity.)c. Leaving of an Employee: (Send within 3 workdays before the leave date)

◦ d. Monthly Changes: (Provide bonuses/premiums with dates of execution)ie. Other Impacts:i. Employees on parental/sabbatical leave need a pay slip

Required by January 2016

France DNS

Goal of eSocial is to gradually replace obligations like CAGED, RAIS, SEFIP and GFIP (labor and social security withholding forms) ◦ Streamlines data sent to the government regarding payroll,

labor, social security and tax obligations, and other information

◦ Ensures social security and labor rights are guaranteed for workers;

◦ Simplifies compliance with obligations◦ Improves the quality of information sent

Employer obligations are not changing, they are just being submitted in a standard, consolidated, automated format

Completed by September 2016

Brazil – e-social

Automation of Superannuation payments by employers

Employee must provide details of his or her selected pension program

Standard interface for all programs All companies must comply by June 30,

2016

Australia SuperStream

What does this mean for Employers? Investment into required software if in-

house Stringent Deadlines Revisions to payroll/filings almost

impossible Adherence to new protocols

What does it mean?

Global Compliance is often overlooked if operations locally are compliant; it can’t be.

Companies with US and Global Operations need to implement protocols with regards to OFAC, FCPA and any applicable local regulations.

Conclusion

Thank you and please remember to complete your evaluation for this session.