Overview
The concept of compliance extends far beyond the day-to-day corporate legal work of contract review, labor relations management and the like. In Western countries, compliance is gradually becoming a business category independent of legal services. It covers, among other things: employee management, anti-bribery, anti-money laundering and countering the financing of terrorism, business competition (competition law), reporting obligations to market regulators, social image and environmental protection (ESG), data privacy protection (such as the GDPR), cyber security and business sustainability. The following briefly introduces common features of some of the key areas in Europe and the United States.
1. Anti-money laundering and terrorist financing
Introduction
Companies engaged in the Fintech and financial industries should first consider anti-money laundering (AML) and counter-terrorist financing (CTF). In response to this risk, the EU has successively issued the Fourth and Fifth Anti-Money Laundering Directives (MLD4, MLD5) and related legislation, and the FATF has issued guidelines. Non-compliance may result in enforcement action and fines by the competent authorities.
Main Risks
The main scenarios where money laundering risks may occur include but are not limited to:
(1) Doing business with politically exposed persons (PEPs) and other public officials
(2) Doing business with customers in countries and regions with a high risk of money laundering or terrorist financing
(3) Transactions with clients whose beneficial ownership is unclear or whose shareholding structures are unusually complex
(4) Transactions with shadow banks or financial institutions that themselves carry a high money laundering risk
(5) Anonymous transactions, or transactions conducted through agents
(6) Transactions related to government procurement
(7) Large cash transactions
(8) Transactions unusually split into many small amounts (structuring)
(9) Transactions that do not conform to any business logic
Compliance methods
(1) Carrying out a rigorous self-risk assessment and establishing a risk response mechanism and internal control policies
(2) Appointing a person with the relevant professional background as compliance officer
(3) Providing anti-money laundering training to employees in a timely manner
(4) Conducting customer due diligence (CDD) on each customer and business partner
(5) Applying enhanced due diligence (EDD) to high-risk customers and business partners
(6) Retaining all records and data related to anti-money laundering and counter-terrorist financing for the statutory period
(7) Reporting suspicious transactions to the competent authorities in a timely manner and complying with the policies of the local regulators
(8) Applying for the relevant licenses where required by law
2. Anti-bribery
Introduction
Bribery risk refers to the risk of offering, paying or accepting a bribe, either directly through an officer, employee or subsidiary, or indirectly through an intermediary or any third party (individual or company) acting on behalf of the organization. Most countries have now introduced specific legislation to regulate bribery. Failure to comply with local anti-bribery laws, rules or regulations can result in civil and criminal liability, fines for individuals or the company, reputational damage and the cancellation of government-related contracts. Moreover, since most cross-border companies settle in US dollars, even commercial bribery in a third country may fall under the long-arm jurisdiction of the US Department of Justice, with serious consequences for the company.
Main Risks
(1) Bribing others: It is an offence for any person to offer, promise or give, directly or indirectly, a financial or other advantage to another person in order to induce or reward the improper performance of a function or activity.
(2) Being bribed: It is an offence for any person to request, agree to receive or accept a financial or other advantage in order to improperly perform a function or activity.
(3) Bribery of a foreign public official: A person commits this offence if he or she offers an advantage to a foreign official intending to influence that official and to obtain or retain business. Unlike bribery of a private person, it is not necessary to show that the official improperly performed any function.
(4) Failure of a commercial organization to prevent bribery: It is an offence for a commercial organization if a person associated with it bribes another person intending to obtain or retain business or a business advantage for that organization. This corporate offence, modelled on section 7 of the UK Bribery Act 2010, applies both to companies carrying on business locally and to locally incorporated companies, and the only defence is that the organization had adequate procedures in place to prevent bribery.
Compliance Methods
(1) Identifying and assessing bribery risks
(2) Designing anti-bribery policies and procedures
(3) Implementing internal anti-bribery controls (gifts and hospitality registers, approval thresholds, segregation of duties)
(4) Conducting due diligence on third-party business partners and intermediaries
(5) Considering self-reporting when the company discovers a bribery risk (some countries reduce or waive penalties for companies that self-report and cooperate)
(6) Strict supervision and financial audit
(7) Commissioning external investigations where suspected misconduct is found
3. Data Privacy Protection
Introduction
Unlike legal practice in mainland China over the past few decades, European and American jurisdictions have very strict legislation on the protection of users' personal data. For example, both the EU GDPR and the US CCPA require the operator to tell users what categories of data are collected and for what purposes; under the GDPR, processing additionally needs a lawful basis, of which the user's express consent is the most common for commercial data collection, and the user is entitled to refuse or withdraw consent to one or more types of collection. Data may not be used beyond the purposes notified in advance. The user has the right at any time to request access to, correction of, or erasure of their data, to object to the processing or to particular uses of the data, and not to be subject to decisions based solely on automated processing. In addition, data collected by the operator may not be freely disclosed to third parties. A company that is not compliant faces not only fines from regulators but also substantial civil claims.
Compliance Methods
(1) Assessing internal and external risks, especially the risks of the data systems themselves
(2) Developing internal control procedures
(3) Formulating a detailed user privacy policy, presenting it at the entry point of every data-collecting service, and obtaining the user's express agreement
(4) Properly safeguarding all user data and isolating it from other systems (for example in a dedicated, access-controlled data environment)
(5) Conducting due diligence on third parties with which data may be exchanged
(6) Designating a person with the relevant professional knowledge and skills as the person in charge of data compliance (under the GDPR, a Data Protection Officer where one is required)
4. Commercial Competition
Introduction
Strict competition law is an important feature of the EU legal system. Articles 101 and 102 of the TFEU address anti-competitive agreements and abuse of a dominant position respectively, while the EU Merger Regulation (EUMR) imposes requirements on concentrations between undertakings. Various European countries (including some non-EU countries) have incorporated equivalents of the TFEU rules and the EUMR into their national laws. Once a company's market share in a given industry and region exceeds a certain percentage, it comes under competition law compliance pressure.
Main Risks
(1) Anti-competitive agreements: Once a company's market share in a given industry and region exceeds roughly 10%, it can no longer rely on the de minimis exemption and faces the risk that its arrangements with other companies are treated as anti-competitive agreements. Under the EU framework, the concept is interpreted broadly: as soon as two companies exchange commercially sensitive information such as prices, business strategy or costs, even tacitly, or even through automatic collection and analysis by an AI system, and that exchange affects a company's independence in making its own business decisions, it may be treated as an anti-competitive agreement. Such agreements include both horizontal arrangements between two or more companies in the same product market and vertical arrangements between companies at different levels of the supply chain. Once the regulator finds non-compliance, the company faces not only fines of up to 10% of annual worldwide turnover and periodic penalty payments, but also civil claims from consumers or customers.
(2) Abuse of a dominant position: Once a company's market share in a given industry and region exceeds about 40%, it may be presumed dominant and faces the risk of abusing that position. EU law imposes a special responsibility on dominant companies: they may not act so as to weaken competition in the market in which they operate, even where each action would be lawful for a non-dominant company. Under this framework, a dominant company may not reserve for its own exclusive use infrastructure or intellectual property it legitimately owns if access to that property is indispensable for other market participants (the "essential facilities" doctrine). Practices such as tying and bundling, exclusive dealing, predatory pricing to capture the market, discounts conditional on exclusivity, and refusal to deal are also a focus of market regulators. In addition, for Internet services the EU has enacted the Digital Markets Act (DMA), which regulates the conduct of large online platforms designated as "gatekeepers". Once the regulator finds non-compliant behaviour, the company faces not only heavy fines and periodic penalty payments, but also civil claims from consumers or customers, sometimes in the form of class actions brought in several countries over the same conduct, resulting in very large civil damages.
(3) Concentrations between undertakings: If the turnover of the companies involved exceeds the statutory thresholds (under the EUMR, a combined worldwide turnover of more than EUR 5 billion and an EU-wide turnover of more than EUR 250 million for each of at least two of the companies), the transaction must be notified to the competition authority. The concentration may not be implemented until it is approved; this standstill obligation also covers coordinated commercial arrangements that involve no equity and are agreed purely by contract. Violators are not only fined but may be forced to unwind a merger that has already been completed.
Compliance Methods
1) Formulating policies that strictly control employees' disclosure of business information, including by junior employees
2) Regularly evaluating the company's market position and market share
3) Appointing dedicated competition law compliance personnel to monitor the company's business operations
4) Supervising employees' use of company email to communicate with external parties
5) Strictly controlling commercially sensitive information
6) Considering applying for leniency when the company finds itself party to an anti-competitive agreement. Within the EU the first company to report a cartel and cooperate is generally granted immunity from fines, but note that if you do business in several countries you must apply to the competition authorities of each of them at the same time.
7) If penalties are unavoidable, considering cooperating with the regulators to seek a reduction.
5. Reporting Obligations
Introduction
When a company reaches a certain size, it is obliged to submit regular reports on its finances, market strategy, environmental matters and other topics to the market supervisory authorities of the countries concerned. A listed company must in addition submit special reports to the market regulator in accordance with the listed-company governance rules of the relevant country and publish them on its website.
Compliance Methods
(1) Verifying the size thresholds that trigger reporting obligations in each jurisdiction where the company operates
(2) Establishing a sound internal control mechanism
(3) Improving the company's decision-making mechanism and properly preserving the resolutions of the board of directors and the shareholders' meeting, together with the opinions of independent directors or the board of supervisors
(4) Performing reporting obligations regularly as required
6. Employee Management
Introduction
When monitoring employees, employers must ensure that they comply with applicable laws and regulations. Failure to do so may result in claims by affected employees, enforcement action and fines by the relevant data protection authority (in the UK, the Information Commissioner's Office), and reputational and other adverse consequences for the business.
Main Risks
(1) Under Article 8 of the European Convention on Human Rights (ECHR), individuals have the right to respect for their private and family life and their correspondence, which limits employee monitoring.
(2) Under the EU General Data Protection Regulation (GDPR), the processing of employees' personal data must comply with the relevant rules.
(3) Treatment of LGBT employees
(4) Supervision and management of measures against discrimination against female employees
(5) When dismissing employees, the rules on fair, unfair and wrongful dismissal must be observed
(6) Compliance with the relevant employment discrimination laws
(7) Confidentiality obligations in employees' labor contracts
Compliance Methods
(1) Establishing a sound labor relations management mechanism
(2) Establishing internal management policies, including an information system usage policy, a video surveillance policy and a privacy policy
(3) Actively communicating with employees and paying attention to work-life balance
(4) Where possible, maintaining diversity of employee background, gender and race
Statement:
This article was originally written by lawyers of JAVY Law Firm and represents only the authors' own views; it should not be regarded as a formal legal opinion or advice issued by JAVY Law Firm or its lawyers. If you reprint or quote any content of this article, please indicate the source.
© Beijing JAVY Law Firm Beijing ICP Registration No. 18018264-1