Global compliance is of crucial importance to firms operating across borders. In this article, we explain what global compliance is, why it matters, and how you can best manage it when joining the global marketplace.
What Does ‘Global Compliance’ Mean?
‘Global compliance’ refers to an organization’s state, or goal, of following the laws, regulations, rules and standards that apply to it everywhere it operates across the globe. The meaning of global compliance is captured in the two distinct elements set out below.
(A) Local Compliance in Every Location of the Enterprise
It is increasingly common for ambitious companies to expand their business across jurisdictions. Within each country or state, this means compliance with the laws and rules that apply there: businesses must comply with the employment, payment, anti-corruption and commercial laws of that country. We consider various examples of this type of global compliance in significant detail below under the heading ‘Which global compliance rules exist in every country?’.
(B) Compliance with International Laws, Regulations and Standards
Some rules that apply to businesses apply not just within one country or state/province/territory, but across international borders. For example, data protection and financial payment rules often apply across borders. We explain these in greater detail below under the heading ‘Which rules apply to companies across international borders?’.
Which Global Compliance Rules Exist in Every Country?
While laws differ substantially in different countries and jurisdictions, there are also commonalities across the world. We consider some of the most crucial compliance areas that may affect your international expansion below.
In most jurisdictions (though not all – see, for example, Hong Kong), employers must withhold payroll taxes on behalf of their employees, and remit them to the tax authorities.
Corporate or company taxes, in light of the OECD model tax convention, apply to any business that has a ‘permanent establishment’ in a given jurisdiction: that is, a fixed place of business where the company ‘carries out’ its business activities.
Note also that many countries are now beginning to apply ‘digital services taxes’ to online businesses that make significant revenue in a country. These apply even when a business has no official or permanent residence in that country.
In most countries, a set of minimum employee entitlements is set out by law. Minimum employee entitlements often include minimum wage, breaks, annual vacation leave and sick leave.
In some countries, this also includes paid parental leave, insurances, pension contributions and protection from unfair dismissal.
Equal Employment Protections
Most countries now have laws in place which prohibit discriminating against staff on various specified grounds. These anti-discrimination laws are often referred to as ‘Equal Opportunity’ laws.
Prohibited grounds of discrimination vary by country but usually include gender, gender identity, ethnicity, sexual orientation, age and disability.
Anti-Money Laundering Regulations
Anti-money laundering and counter-terrorism financing (AML/CTF) laws and regulations now apply in most countries. These are the rules set out in legislation such as the Bank Secrecy Act 1970 in the USA and the Sanctions and Anti-Money Laundering Act 2018 in the UK. These laws and regulations require:
- An AML/CTF program for monitoring large financial transactions;
- A system of reporting to regulators; and
- Training for employees in AML/CTF protections.
Which Rules Apply to Companies Across International Borders?
Financial Payment Standards
When accepting payments and making bank transfers, a range of rules apply internationally. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security rules for organizations that handle major credit cards. It applies to businesses no matter where they are located in the world, as a condition imposed by the card companies for using their services. All major credit card brands, including Visa, Mastercard and American Express, require businesses to comply with the PCI DSS.
The PCI DSS requires businesses to carry out a range of steps in order to keep credit card data secure, including maintaining a secure network, implementing strong access control measures and regular testing of networks.
There is a validation and monitoring framework for compliance with this standard. Non-compliance can result in significant fines and penalties imposed by the card companies.
Sometimes financial transaction standards are enshrined in law in a particular jurisdiction. For example, several U.S. states require compliance with the PCI DSS (such as Nevada and Washington).
Similarly, the international Legal Entity Identifier (LEI) Framework applies in many countries across the world, as it is captured in local laws, regulations and securities exchange rules. The LEI framework is a consistent system for identifying counterparties to financial transactions across borders and is mandated by many legal systems, including the European Union and the US.
International Service and Product Standards
Have you ever wondered who decided what the ‘A4’ paper size is and what ensures that ‘A4’ paper size in one factory is the same as the ‘A4’ paper in another factory? It is the operation of a product standard (German standard DIN 476, to be exact).
Various standards have been developed by international organizations in order to ensure a certain quality and consistency in the manufacture of products and the performance of services.
International standards cover various matters, such as:
- assurance practices within organizations (e.g., risk management, compliance management);
- information security and cybersecurity;
- technical specifications for products.
Many of these standards are set by the International Organization for Standardization (ISO), but other important sources of such standards include the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU).
Adhering to these international standards is not always required by legislation or regulations. However, it is often a requirement of contracts and licenses. For example, in sub-contracting, it is common for a business to be required to commit to these standards as part of their contract (particularly risk management, compliance and information security standards). Failing to comply with standards in this situation may constitute a breach of contract and make the business liable to pay damages.
Data Protection Laws
The most significant source of global compliance obligations in data protection is the European Union’s General Data Protection Regulation (GDPR). This law requires that any business that controls or processes the personal data of EU customers adhere to a range of data security obligations and afford customers a range of data protection rights. Core elements include:
- personal data may only be processed for a specified lawful purpose;
- as little personal data as possible should be collected, processed and kept (‘data minimization’);
- a customer’s right to be informed of what their data is being used for;
- a customer’s right to have their personal data erased (in some circumstances) and to have it corrected where it is inaccurate;
- the carrying out of data protection impact assessments in certain situations.
Note that the GDPR applies both to businesses based in the EU and to any business outside the EU that is ‘doing business’ with EU customers. Therefore, consideration of the GDPR is essential for virtually all companies doing business online, no matter where they are based in the world.
California’s new data protection legislation, the California Consumer Privacy Act (CCPA) also applies outside its own territory. Any company ‘doing business’ with customers in California needs to comply with the requirements of the CCPA, whether or not the business is itself located in California.
The United States’ Foreign Corrupt Practices Act (the FCPA) prohibits corporations and their officers from bribing foreign officials and punishes them accordingly. Notably, this applies to activities occurring outside the United States, as long as the corporation in question has a ‘sufficient degree of connection’ to the United States. Recently, under this law, Goldman Sachs group and its Malaysian subsidiary admitted to conspiring to violate the FCPA and agreed to pay $2.9 billion as part of a resolution with investigators and regulators across various countries. The behavior in question occurred outside the United States.
Sadly, slavery and serious exploitation of workers still exist in the modern world. The United Kingdom was the first country in recent years to implement extensive anti-slavery legislation, and other countries are following suit (e.g., Australia in 2018).
These laws require businesses to investigate, monitor and assure the public that slavery and worker exploitation are not part of their supply chain.
The UK’s Modern Slavery Act 2015 also has application to businesses based or operating outside the UK as long as an entity in their broader group structure (such as a subsidiary) is ‘carrying out business’ in the UK.
The Consequences of Global Compliance Failure
When you have a business with multiple locations across country and state/province/territory borders, you need to consider how you are going to manage your global compliance.
Compliance failures can have significant consequences for an international business. We set out some of the possible consequences below.
Devastating Civil Fines and Penalties
For example, in 2020, Google and Amazon were fined $120 million and $42 million respectively by the French data protection authority. These penalties were applied for failing to obtain customer consent before placing non-essential cookies.
Failure to comply with the criminal law (such as prohibitions on bribery, money laundering and fraud) can result in imprisonment and other criminal penalties for the officers of corporations.
Breach of Contract
Compliance is often a requirement of various B2B contracts. A failure to comply with these compliance requirements may be considered a material breach of contract. This means the breach could result in the termination of the contract, court injunctions, and an obligation to pay damages.
Loss of Licenses or Approvals
In many industries, businesses are required to hold certain licenses, approvals or authorizations granted by regulators (for example, financial services licenses). Compliance failures can result in the revocation of such licenses and approvals.
A reputation for global compliance failures will quickly make you a ‘cowboy’ of your industry. It is crucial for your future business prospects that you avoid at all costs the reputational sting of non-compliance.
How to Best Manage Global Compliance
The potential consequences of global compliance failures mean that you need to have steps in place to manage your compliance program. Some important steps to include are set out below.
Build Compliance into Business Processes
Compliance should not be an afterthought for your business: do not start by developing the optimal business process and only then check that it meets compliance requirements. Instead, consider the compliance requirements as you develop your business approach. For example, ‘privacy by design’ is a requirement of the GDPR. This means that all businesses need to consider how they will compliantly collect and protect customer personal data from the moment they first consider implementing a new process.
Appoint Responsible Staff
Ensure that, within your organization, the ‘compliance lead’ is clearly identified. This individual (who may also hold another role such as ‘chief legal officer’ or ‘head of risk management’) is responsible for keeping up with compliance changes as they arise, as well as putting processes in place to monitor compliance.
In any company, the board of directors has ultimate oversight of the business. Governance processes need to prioritize compliance. In larger companies, good practice requires:
- establishing a compliance sub-committee of the board responsible for compliance oversight;
- running allied assurance functions, such as risk management and internal audit, with all of these areas overseen by the board in a consistent and coherent manner;
- an adequate, dedicated compliance budget.
A Global Compliance Partner
When you have business operations spread throughout the world (or you are planning an expansion in the future), it may be extremely difficult for you to keep on top of all your compliance obligations. By engaging a global compliance partner, such as a Global Professional Employer Organization (Global PEO), you can ensure that compliance is taken care of.
A Global PEO can take on all of the legal and compliance responsibilities of an employer in every country in which you carry out business. This means that they take on all the legal and tax obligations and liabilities, as well as providing ongoing payroll and HR support for your workforce.
The Global Compliance Take-Home Message
Global compliance means ensuring that you comply with all the international laws and rules, as well as the local laws and rules, in every country in which you operate. As cross-border business and trade increases, so does the quantity and complexity of global compliance obligations.
Alongside design, management and governance processes, the best way of managing global compliance is with a recognized compliance partner. New Horizons Global Partners is a Global PEO that takes care of global compliance for any business interested in a global expansion.