1. What is the definition of ‘compliance’? ‘Compliance’ is the situation where an organization meets all its obligations and commitments.
2. What is the definition of ‘global compliance’? ‘Global Compliance’ means an organization is meeting all its obligations and commitments, both locally and internationally.
3. Global compliance includes, but is not limited to, compliance with tax, financial reporting, employment, anti-money laundering, payment, product safety, data protection, anti-slavery and trade standards and laws.
4. Consequences of non-compliance can be serious, and may include criminal or civil penalties, breach of contract, loss of licenses and reputational damage.
5. To manage global compliance, international businesses should consider building compliance into their business operations, introducing strong governance processes, appointing responsible staff, regular training, a robust compliance audit program, and joining forces with an international compliance partner.
Global compliance is of crucial importance to firms operating across borders. In this article, we explain what global compliance is, why it matters, and what you can do to ensure you remain globally compliant when joining the global marketplace.
Compliantly hire anywhere with Horizons EOR services.
What is compliance?
Before we can answer the question ‘what is global compliance?’, we must answer the question ‘what is compliance?’. Dictionary definitions offer up something like ‘adherence to a rule or request’. However, in an organizational context, it usually means something more precise.
The most authoritative definition of compliance in this context is given by the International Standards Organization (ISO) in its standard, ‘Compliance management systems — Guidelines (ISO 19600:2014). There, compliance is defined as the state where an organization is meeting all its obligations and commitments (see 3.17 and 3.16).
Sometimes in a business context, the related terms ‘regulatory compliance’ and ”corporate compliance’ are used. Regulatory compliance means following all the laws, regulations, standards and policies that apply to a particular business. These may be set out in legislation or regulations, or they may be set out in frameworks that a business has agreed to (such as the conditions of a financial services license).
Corporate compliance means the strategies and programs that a business has in place to ensure regulatory compliance. Companies sometimes have a ”Compliance Officer’ who is in charge of corporate compliance. Often this individual is the same person as the Chief Legal Counsel/Chief Legal Officer/General Counsel.
Corporate compliance often sits within a company alongside other related functions such as internal audit and risk management, and is classified under the general umbrella term ‘Governance, Risk Management and Compliance’. [Read here about how to limit compliance risk by ensuring employees hired can pass an international background check]
What does global compliance mean?
‘Global compliance’ is the situation where an organization follows all the laws, regulations, rules and standards that apply to that organization across the globe. The meaning of global compliance is captured in the two distinct elements set out below.
- Local Compliance in Every Location of the Enterprise
- It is increasingly common for ambitious companies to expand their business across jurisdictions. Within a country or state, this means compliance with the laws and rules that apply there: It is required that businesses comply with the employment, payment, anti-corruption and commercial laws that apply in that country. We consider various examples of this type of global compliance in significant detail below under the heading ‘Which compliance rules apply in most countries?’
- Compliance with International Laws, Regulations and Standards
- Some rules that apply to businesses apply not just within one country or state/province/territory, but across international borders. For example, data protection and financial payment rules often apply across borders. We explain these in greater detail below under the heading ‘Which rules are global compliance rules?’
Which compliance rules apply in most countries?
While laws differ substantially in different countries and jurisdictions, there are also commonalities across the world. We consider some of the most crucial compliance areas that may affect your international expansion below.
In most jurisdictions (though not all – see, for example, Hong Kong), employers must withhold employee income taxes on behalf of their employees, and remit them to the tax authorities.
Corporate or company taxes, in light of the OECD model tax convention, apply to any business that has a ‘permanent establishment‘ in a given jurisdiction: That is, a fixed place of business where the company ‘carries out’ its business activities.
Note also, that many countries are now beginning to apply ‘digital services taxes’ to online businesses that make significant revenue in a country. These apply even when a business has no official or permanent residence in that country.
Financial reporting and accounting standards
Every country has standards, usually set by law, which set out how financial statements of a company are to be prepared. Many countries have adopted International Financial Reporting Standards (IFRS) and International Accounting Standards (IAS) which are an internationally standardized set of principles and rules for preparing and presenting financial information.
Note, however, there are variations in how IFRS and IAS are applied in each country that has adopted them. Note, also that several significant countries have not adopted IFRS, such as the United States (which applies Generally Accepted Accounting Principles or ‘GAAP’).
For more information see What are International Accounting Standards?
In most countries, a set of minimum employee entitlements are set out by law. Minimum employee entitlements often include minimum wage, breaks, annual vacation leave and sick leave.
In some countries, this also includes paid parental leave, insurances, pension contributions and protection from unfair dismissal.
Equal employment protections
Most countries now have laws in place which prohibit discriminating against staff on various specified grounds. These anti-discrimination laws are often referred to as ‘Equal Opportunity‘ laws.
Prohibited grounds of discrimination vary by country but usually include gender, gender identity, ethnicity, sexual orientation, age and disability.
Anti-money laundering regulations
Anti-money laundering and counter-terrorism financing (AML/CTF) laws and regulations now apply in most countries. These are the rules that are set out in legislation such as the Bank Secrecy Act 1970 in the USA and the Sanctions and Anti-Money Laundering Act in 2018 in the UK. These laws and regulations require:
- An AML/CTF program for monitoring large financial transactions;
- A system of reporting to regulators; and
- Training for employees in AML/CTF protections.
Which rules are global compliance rules?
Some compliance rules and standards are, by their very nature, global compliance rules: They apply across international borders.
Financial payment standards
When accepting payments, and making bank transfers, there are a range of rules that apply internationally. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security rules for organizations that handle major credit cards. This applies to businesses, no matter where they are located in the world, as a requirement of credit card companies for using their services. All major credit cards including Visa, Mastercard and American Express require businesses to comply with the PCI DSS.
The PCI DSS requires businesses to carry out a range of steps in order to keep credit card data secure, including maintaining a secure network, implementing strong access control measures and regular testing of networks.
There is a validation and monitoring framework for compliance with this standard. Non-compliance can result in significant fines and penalties being applied from the card companies.
Sometimes financial transaction standards are enshrined in law in a particular jurisdiction. For example, several U.S. states require compliance with the PCI DSS (such as Nevada and Washington).
Similarly, the international Legal Entity Identifier (LEI) Framework applies in many countries across the world, as it is captured in local laws, regulations and securities exchange rules. The LEI framework is a consistent system for identifying counterparties to financial transactions across borders and is mandated by many legal systems, including the European Union and the US.
International service and product standards
Have you ever wondered who decided what the ‘A4’ paper size is and what ensures that ‘A4’ paper size in one factory is the same as the ‘A4’ paper in another factory? It is the operation of a product standard (German standard DIN 476, to be exact).
Various standards have been developed by international organizations in order to ensure a certain quality and consistency in the creation of certain products and performance of certain services and products.
International standards cover various matters, such as:
- Assurance practices within organizations (e.g., risk management, compliance management);
- Information security and cybersecurity;
- Technical specifications for products.
Many of these standards are set by the ISO, but other important sources of such standards include the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU).
Adhering to these international standards is not always required by legislation or regulations. However, it is often a requirement of contracts and licenses. For example, in sub-contracting, it is common for a business to be required to commit to these standards as part of their contract (particularly risk management, compliance and information security standards). Failing to comply with standards in this situation may constitute a breach of contract and make the business liable to pay damages.
Data protection laws
The most significant source of global compliance obligations in data protection is the European Union’s General Data Protection Regulation (GDPR). This law requires that any business that controls or processes the personal data of EU customers adhere to a range of data security obligations and afford customers a range of data protection rights. Core elements include:
- Personal data may only be processed for a specified lawful purpose;
- As little personal data as possible should be collected, processed and kept (‘data minimization’);
- A customer right to be informed of what their data is being used for;
- A customer right to erase their personal data (under some circumstances) and to ensure that it is accurate;
- The carrying out of data protection impact assessments in certain situations.
Note, the GDPR applies to both businesses based in the EU, and any business outside the EU that is ‘doing business’ with EU customers. Therefore, consideration of the GDPR is essential for virtually all companies doing business online, no matter where they are based in the world.
California’s new data protection legislation, the California Consumer Privacy Act (CCPA) also applies outside its own territory. Any company ‘doing business’ with customers in California needs to comply with the requirements of the CCPA, whether or not the business is itself located in California.
The United States’ Foreign Corrupt Practices Act (the FCPA) prohibits corporations and their officers from bribing foreign officials and punishes them accordingly. Notably, this applies to activities occurring outside the United States, as long as the corporation in question has a ‘sufficient degree of connection’ to the United States. Recently, under this law, Goldman Sachs group and its Malaysian subsidiary admitted to conspiring to violate the FCPA and agreed to pay $2.9 billion as part of a resolution with investigators and regulators across various countries. The behavior in question occurred outside the United States.
Sadly, slavery and serious exploitation of workers still exist in the modern world. The United Kingdom was the first country in recent years to implement extensive anti-slavery legislation, and other countries are following suit (e.g., Australia in 2018).
These laws require businesses to investigate, monitor and assure the public that slavery and worker exploitation is not part of their supply chain.
The UK’s Modern Slavery Act 2015 also has application to businesses based or operating outside the UK as long as an entity in their broader group structure (such as a subsidiary) is ‘carrying out business’ in the UK.
Global trade compliance rules
Extensive rules cover the import and export of goods and services. These rules can relate to tariffs, licenses and permits, export controls, and the valuation of goods.
Learn more about global trade compliance rules in the helpful explainer video below from Paul Diedrich, the President and Chief Operating Officer for STTAS, a UPS Company.
What happens if you are not compliant?
When you have a business with multiple locations across country and state/province/territory borders, you need to consider how you are going to manage your global compliance.
Compliance failures can have significant consequences for an international business. We set out some of the possible consequences below.
1. Devastating civil fines and penalties
For example, in 2020, Google and Amazon were fined $120 million and $42 million respectively by the French data protection authorities. These penalties were applied for failing to gain customer consent to drop non-essential cookies.
2. Criminal sanctions
Failure to comply with the criminal law (such as prohibitions on bribery, money laundering and fraud) can result in imprisonment and other criminal penalties for the officers of corporations.
3. Breach of contract
Compliance is often a requirement of various B2B contracts. A failure to comply with these compliance requirements may be considered a material breach of contract. This means the breach could result in the termination of the contract, court injunctions, and an obligation to pay damages.
4. Loss of licenses or approvals
In many industries, businesses are required to hold certain licenses or approvals/authorities approved by regulators (for example, financial services licenses). Compliance failures can result in a revocation of such licenses and approvals.
5. Reputational damage
A reputation for global compliance failures will quickly make you a ‘cowboy’ of your industry. It is crucial for your future business prospects that you avoid at all costs the reputational sting of non-compliance.
How to become globally compliant
The potential consequences of global compliance failures mean that you need to have steps in place to manage your compliance program. Some important steps to include are set out below.
1. Build compliance into business processes
Compliance should not be an afterthought for your business: Do not start by developing the optimal business process, and then check that it meets compliance requirements. Instead, consider the compliance requirements as you develop your business approach. For example, ‘privacy by design‘ is a requirement of the GDPR. This means that all businesses need to consider how they will compliantly collect and protect customer personal data when they first consider implementing a new process.
2. Appoint responsible staff
Ensure that, within your organization, the ‘compliance lead’ is clearly identified. This individual (who may also hold another role such as ‘chief legal officer’ or ‘head of risk management’) is responsible for keeping up with compliance changes as they arise, as well as putting processes in place to monitor compliance.
3. Provide ongoing compliance training
Global compliance rules regularly change. Ensure that your staff are on top of their latest obligations with regular training programs, whether online or in-person.
4. Design appropriate governance processes
In any company, the board of directors has ultimate oversight of the business. Governance processes need to prioritize compliance. In larger companies, good practice requires:
- Establishing a compliance sub-committee of the board responsible for compliance oversight;
- Running allied assurance functions, such as risk management and internal audit. All these areas need to be overseen by the Board in a consistent and coherent manner;
- An adequate allocated compliance budget.
5. Implement regular compliance audits
Every organization should have a structure in place for internal audit — that is an independent assurance process, within the organization.
Global compliance needs to be part of the regular compliance audit to ensure, periodically, that the company is meeting its compliance obligations.
6. Appoint a global compliance partner
When you have business operations spread throughout the world (or you are planning an expansion in the future), it may be extremely difficult for you to keep on top of all your compliance obligations. By engaging a global compliance partner, such as a Global Professional Employer Organization (Global PEO), you can ensure that compliance is taken care of.
A Global PEO can take on all of the legal and compliance responsibilities of an employer in every country in which you carry out business. This means that they take on all the legal and tax obligations and liabilities, as well as providing ongoing payroll and HR support for your workforce.
The global compliance take-home message
Global compliance means ensuring that you comply with all the international laws and rules, as well as the local laws and rules, in every country in which you operate. As cross-border business and trade increases, so does the quantity and complexity of global compliance obligations.
Alongside design, management, and governance processes, the best way of managing global compliance is with a recognized compliance partner. Horizons is a Global PEO that takes care of global compliance for any business interested in a global hire or expansion.
Frequently asked questions
Global compliance is important as the failure to follow international rules and regulations puts your business at serious risk of civil and criminal sanctions, as well as reputational damage.
Global trade compliance is the requirement for companies to adhere to the rules and regulations that apply to the import and export of goods across nations.