Compliance has turned into an increasingly relevant yet complicated issue in the services sector. As business operations become more interconnected, carving a truly global marketplace, governments the world over pay more attention to what’s happening beyond their territories.
Compliance has yet to catch up entirely with Nearshore services providers, but its footsteps can be felt as it draws nearer to the region, marching in parallel with the growth of the Nearshore market in the US.
In the following Q&A, we spoke with three experts in compliance as it is understood in the Americas: Delfina Chain, Founder and CEO of due diligence automation firm Chaindots; Gabriel Caballero, partner at Holland & Knight; and Roderick Schwarz, Senior Executive Consultant at CSMB. All three are involved in compliance learning platform Risk Hub (co-founded and directed by attorney and risk management expert Victoria Rodriguez Carmona) and provide insights into what compliance actually entails, how it is applied in B2B contracts and how it should be navigated when it involves third party providers.
NSAM: When we mention compliance, what are we speaking of, exactly? Is it the same thing as due diligence?
Roderick Schwarz: Due diligence is part of compliance. It is any effort which aims to meet the objectives conceived by a compliance frame. Due diligence is a component [of compliance]; not the same thing, but a part of it.
Gabriel Caballero: Compliance can mean different things to different people. For me, it means complying with the law in the financial and other regulated sectors. It implies, in our world, to obey anti-money laundering laws, but it also includes crypto and other virtual assets. Compliance also includes having the documentation and licenses necessary to operate, which varies from jurisdiction to jurisdiction.
If we speak of global compliance, I guess opinions will differ, just like norms differ from country to country. And one has to take into account global organizations which develop best practices. It is a complicated term to define.
Delfina Chain: When we think of compliance, one can’t conceive it as a thing that works from the outside to the inside of the organization. Companies have their own standards, norms and values. Organizations comply not only with external mandates, but also with their inner values.
Roderick Schwarz: Compliance includes all the efforts made to obey the law, as well as inner policies, norms and procedures imposed by an institution’s own governance, whether they aim to obey the law or the organization’s own standards.
NSAM: Given the complexity that comes with defining compliance, how does it work in global contracts? Is the term included and defined explicitly on paper, or is it addressed through detailed standards and practices?
Delfina Chain: There are globally accepted international standards, depending on the topic. There’s ISO in information security. In relation to money laundering, organizations can comply with the norms established by the Financial Action Task Force (FATF). Depending on the area where your organization finds itself, you will have to comply with internationally accepted standards.
Are the rules carved in stone? No. But some of these standards are accepted globally, as part of a consensus, and we use them to do business.
Roderick Schwarz: Many of these standards come from United Nations (UN) conventions, which define how countries can adapt them to their own laws. Differences can exist, depending on each jurisdiction, but all those who try to comply aim for the same UN conventions.
Some global standards aren’t defined by the UN, but by other [internationally recognized] groups.
NSAM: Generally speaking, not complying with these standards can have legal consequences?
Roderick Schwarz: In some cases, yes; when a country has adopted international conventions and codified them into law. But when there are no laws involved, not complying can have an impact on reputation, which can directly hit a brand. That, in turn, can affect your liquidity and your organization’s capacity to operate in the market.
NSAM: When we speak of compliance, people tend to link it to environmental and labor standards, and usually applied to manufacturers of goods. Is compliance also relevant for service providers?
Delfina Chain: A hundred percent. Cybersecurity is a critical topic for the services sector. If you provide tech services, you have to meet certain standards for information security. There are also standards to prevent money laundering.
I would say that standards transcend industries, but some will have to pay more attention to certain practices. In the case of software services, there are three major ones: cybersecurity, data privacy and third-party risks.
It must be noted that software providers tend to work with third parties. We are speaking of supply chain risks here, and measuring third-party risks is important. Complying is getting harder and harder.
Gabriel Caballero: These three examples that were mentioned, independently of actual law violations, can land you in a situation where your organization is responsible for damages or losses suffered by the client or a third party.
On the topics of software and technology, I would add the following. Global sanctions imposed by different countries, like the US and EU, apply not only to the financial sector. They can also hit the import and export of technology services. We’re seeing that now. Historically, those civil and criminal cases involved mostly financial institutions. Now traditional exporters of goods and services are being dragged in. Big tech companies are exposed for exporting to certain countries. The US, for example, has many restrictions on the export of tech to Iran, or even for the use of technology developed in those countries. Disobeying those restrictions can lead to frozen accounts, fines and other penalties.
NSAM: In contracts which involve third parties, who is responsible when standards or laws are broken?
Roderick Schwarz: That can be a case of solidary liability. Both the contractor and its client could be liable in a civil case. Criminal law is different, because it is very personal, but civil liability can be shared. There’s a reputational impact too, of market value, when one hires the services of a company that violates the rights of others.
Delfina Chain: Due diligence also involves third party risk. If a company is acting incorrectly, they are directly responsible for those actions, for sure. But there might be a company which also hired the first company as a service provider. What’s the role of the client in that case? That company, as part of its due diligence, should have investigated under which conditions the contractor provides its services.
In the supply chain, liability falls not only on the organization that is directly responsible. It also reaches the company that chose that service provider without doing due diligence.
Gabriel Caballero: In certain contexts, liability can be delegated, but not eliminated.
Roderick Schwarz: Take a look at the British American Tobacco [BAT] case. The company hired a third party, a firm from Singapore, which illegally sold cigarettes to North Korea, where they were re-sold in the local market. Those sales procured funds to the North Korean coffers, which could have been fed into the government’s program for the creation and proliferation of weapons of mass destruction.
One could argue that the company from Singapore was directly responsible. Nevertheless, BAT had to pay US$629 million as part of a settlement to avoid criminal charges because they didn’t do due diligence and didn’t make sure that their products weren’t being sold to an entity sanctioned by the US government. It was demonstrated that they were aware of the situation, to some extent, and allowed it. Pay attention to those verbs: allowed, authorized, conspired.
Delfina Chain: There’s this phrase I really like: We are all someone else’s third party. We are all connected.
Roderick Schwarz: That’s what we call administration of contagion risks. The problem is yours, but I’m working with you… It’s like the flu.
NSAM: I guess a similar situation happens with subsidiaries. I’m thinking specifically of a Walmart case in which executives from several of its subsidiaries paid off local officials to allow the company to grow in those markets.
Gabriel Caballero: Those are complex situations; not black and white entirely. Sometimes you do have rogue employees; someone that acted independently and violated the law or the company’s internal policies without management or company executives knowing about it.
In those cases, there’s an issue of company culture: are employees and leadership being trained properly on what is acceptable, what the law says and what is prohibited? That’s an important question.
Another thing we’re noticing is that, in the realms of criminal and civil law, the line is being redrawn over and over when it comes to knowledge of the law. It’s not about what you knew, but about what you should have known.
That’s why due diligence is important; that’s why monitoring and supervision matter. If you don’t do proper monitoring and supervising, you won’t be able to identify problematic situations in your organization, and you might get involved in complicated cases.
Roderick Schwarz: Another topic that must be addressed in compliance is extraterritorial reach. Corruption of public officials in foreign countries is contemplated within US law. Even if it happens outside the US, in a subsidiary, a company might be involved in a criminal case connected to the corrupt actions of a foreign public official.
Same thing goes for money laundering. If an illegal act takes place and the US financial system is used, maybe because a transaction was made in dollars or because it used banking services in the US, that could call for a criminal case; it doesn’t matter that the action took place in another country. It works the same way in Europe, the UK, etc.
NSAM: How vigilant is the US government of illegal activity taking place in other countries?
Gabriel Caballero: There are international agreements which mandate the sharing of information between governments, including information related to corruption probes. The US has many tools to access documents and financial information outside of its territory. Some of its laws allow for the soliciting of documents or personal information belonging to non-US citizens regarding their activities outside of the US.
If these requirements are not met, US authorities can force the closing of accounts located in its territory. For US-based institutions, their options are: a) disobey data privacy laws or b) lose their entire business, being left out of the financial system in the US and in Europe.
There’s not always an ideal option. One chooses the best of the worst.
Delfina Chain: The reality today is that, if a company does something illegal or wrong, it’s not certain that it will be found out. But the world is very interconnected. Those actions will come out; perhaps later, rather than sooner, but they will come to light.
Roderick Schwarz: In today’s world, there’s no place to hide.