Colum Bancroft, Managing Director, AlixPartners, argues that companies should prepare for the increasing compliance risks resulting from the ever-changing regulatory environment and economic downturn.

Hong Kong’s economy is in recession and is entering a period of further challenges. Donald Trump has just signed the Hong Kong Human Rights and Democracy Act (the Act), part of which brings renewed focus on sanctions compliance and potentially even putting Hong Kong’s special trade status at risk. Uncertainty over the status of the trade deal between the Mainland of China (the Mainland) and the US has been compounded by the impact of sustained social unrest over the last six months.

Meanwhile in the Mainland, in addition to the trade issues with the US, the impact of the government’s deleveraging campaign (to curb the excessive borrowing of local governments, financial institutions, businesses and individuals in the Mainland) continues to weigh on growth, with the National Bureau of Statistics reporting 6% GDP in the third quarter of 2019, the slowest growth rate in over 25 years.  The ongoing trade talks mean that companies continue to live with uncertainty on key supply chain risks. The current environment also brings about additional challenges as multinationals operating in the Mainland are reporting increased regulatory pressure.

Many companies in the region will be forced to review business and investment plans and adjust accordingly. All of these factors present heightened compliance risks.

What are the possible implications?

In particular, the Act will require attention in relation to provisions focusing on Hong Kong’s compliance with both US export regulations regarding sensitive dual-use items (those items which have both commercial and military or proliferation applications) and US and United Nations sanctions, particularly regarding Iran and North Korea. Any perceived weaknesses of Hong Kong’s compliance with these regulations could mean the remote but significant risk that the US Government will revoke the special treatment afforded Hong Kong by the US Hong Kong Policy Act of 1992.

A 2017 CNN report identified Hong Kong as a base for trade with North Korea. The Act potentially gives the US Government new powers to enforce the US sanctions regime. While it is difficult to predict how the US will exercise the new powers under the Act, or the short- and longer-term outcome of the ongoing trade negotiations between the US and the Mainland, even the most optimistic forecasters are resigned to the fact that a long-term solution is unlikely to be found any time soon, meaning that companies operating in the region will be facing significant uncertainty for the foreseeable future. 

What are the risks in this environment?

Fraud or compliance issues are more likely to arise when individuals or entities are subject to increased pressure. As economic pressure mounts, one can expect to see a re-emergence of classic financial statement fraud issues, as well as more sophisticated schemes designed to pacify regulators, attract and retain investment, and maintain access to liquidity. Managed earnings, as well as aggressive and fraudulent accounting practices, are likely to be an increasing reality in the region.

Bribery and corruption risks in the region have been the focus of attention for regulators for many years. While investment in compliance programmes and awareness of these issues has undoubtedly raised standards in this area, significant risks remain. A survey by the American Chamber of Commerce in China released last year shows that nearly half of their member companies are experiencing an increase in non-tariff barriers, including increased inspections, slower customs clearance and increased bureaucratic oversight or regulatory scrutiny. Cutting corners or offering bribes to government officials could be seen as one of the solutions to minimise the impact of the added tariff and non-tariff barriers.

How can companies try to proactively manage the increasing risks?

1. Conduct a holistic risk assessment of operations

The environment has changed, which means the risks have changed. Companies should undertake a review to identify emerging or heightened risks, including geopolitical and regulatory risks, and work to put in place appropriate mitigation measures. This exercise needs to be done with appropriate rigour and frequency, and a mindset that recognises the economic and regulatory enforcement environments are changing at a rapid pace. Maintaining compliance in an ever-evolving landscape of tariff and non-tariff barriers, trade sanctions and other issues presents considerable challenges and requires vigilance. The situation requires organisation-wide, that is top-down as well as bottom-up, commitment and critically requires buy-in from the front-line business and not just those functions tasked with controls implementation or oversight on a day-to-day basis. 

2. Ensure robust measures are in place to identify and deter fraud risk

The organisation’s most recent fraud risk assessment should be reviewed and updated to ensure that the full landscape of fraud risks, including new and emerging risks, have been considered, and each risk appropriately weighted in terms of likelihood and severity of occurrence. Data analytics procedures should be applied to assist in identifying potential anomalies or outliers in key areas of heightened fraud risk, and identified control gaps or weaknesses appropriately remediated. Attention should also be given to ensuring that there is sufficient employee awareness of key fraud risk indicators and behavioural red flags to shore up the company’s front-line defenses against illicit or otherwise inappropriate activity, which can have severely adverse financial, regulatory and reputational, not to mention employee morale, implications.

3. Conduct or update due diligence on intermediaries and third parties

The majority of compliance cases arise through intermediaries or third parties working in conjunction with company employees. A risk-based due diligence and monitoring programme is critical to mitigating risk of third party schemes. An appropriate level of screening and due diligence procedures are required to understand the profile, business affiliations and operating history of business partners in order to assign appropriate risk ratings. One area where companies commonly fall short in this area is that efforts are focused on on-boarding third parties without performing ongoing checks or responding to changes in the circumstances of either the company or the third party itself.

4. Review and update your existing compliance programme

In determining a penalty, many regulators will consider a number of factors. In addition to a well-designed and -executed compliance programme, regulators will look at whether companies provide an effective and trusted mechanism by which employees can anonymously or confidentially report allegations of misconduct, as well as the company’s response to such allegations and complaints when they arise. Therefore, companies should have an appropriate policy and relevant procedures in place for handling such allegations and complaints. This includes the scoping of investigations, identification of personnel responsible for the investigation and procedures to ensure investigations are conducted in a confidential, independent and objective manner.

Colum Bancroft, Managing Director

Edward Boyle, Director

Selena Tsang, Senior Vice-President