Global compliance is of crucial importance to firms operating across borders. In this article, we explain what global compliance is, why it matters, and how you can best manage it when joining the global marketplace.
1. What is the definition of ‘compliance’? ‘Compliance’ is the situation where an organization meets all its obligations and commitments.
2. What does ‘global compliance’ mean? ‘Global Compliance’ means an organization is meeting all its obligations and commitments, both locally and internationally.
3. Global compliance includes, but is not limited to, compliance with tax, financial reporting, employment, anti-money laundering, payment, product safety, data protection and anti-slavery standards and laws.
4. Consequences of non-compliance can be serious, and may include criminal or civil penalties, breach of contract, loss of licenses and reputational damage.
5. To manage global compliance, international businesses should consider building compliance into their business operations, introducing strong governance processes, appointing responsible staff and joining forces with an international compliance partner.
What is Compliance?
Before we can answer the question ‘what is global compliance?’, we must answer the question ‘what is compliance?’. Dictionary definitions offer up something like ‘adherence to a rule or request’. However, in an organizational context, it usually means something more precise.
The most authoritative definition of compliance in this context is given by the International Standards Organization (ISO) in its standard ‘Compliance management systems — Guidelines’ (ISO 19600:2014). There, compliance is defined as the state where an organization is meeting all its obligations and commitments (see 3.17 and 3.16).
Sometimes in a business context, the related terms ‘regulatory compliance’ and ‘corporate compliance’ are used. Regulatory compliance means following all the laws, regulations, standards and policies that apply to a particular business. These may be set out in legislation or regulations, or they may be set out in frameworks that a business has agreed to (such as the conditions of a financial services license).
Corporate compliance means the strategies and programs that a business has in place to ensure regulatory compliance. Companies sometimes have a ‘Compliance Officer’ who is in charge of corporate compliance. Often this individual is the same person as the Chief Legal Counsel/Chief Legal Officer/General Counsel.
Corporate compliance often sits within a company alongside other related functions such as internal audit and risk management, and is classified under the general umbrella term ‘Governance, Risk Management and Compliance’.
What Does Global Compliance Mean?
‘Global compliance’ is the situation where an organization follows all the laws, regulations, rules and standards that apply to that organization across the globe. The meaning of global compliance is captured in the two distinct elements set out below.
Which Global Compliance Rules Exist in Every Country?
While laws differ substantially in different countries and jurisdictions, there are also commonalities across the world. We consider some of the most crucial compliance areas that may affect your international expansion below.
In most jurisdictions (though not all – see, for example, Hong Kong), employers must withhold payroll taxes on behalf of their employees, and remit them to the tax authorities.
Corporate or company taxes, in light of the OECD model tax convention, apply to any business that has a ‘permanent establishment’ in a given jurisdiction: that is, a fixed place of business where the company ‘carries out’ its business activities.
Note also that many countries are now beginning to apply ‘digital services taxes’ to online businesses that make significant revenue in a country. These apply even when a business has no official or permanent residence in that country.
Financial Reporting and Accounting Standards
Note, however, that there are variations in how IFRS and IAS are applied in each country that has adopted them. Note also that several significant countries have not adopted IFRS, such as the United States (which applies Generally Accepted Accounting Principles or ‘GAAP’).
What are International Accounting Standards?
In most countries, a set of minimum employee entitlements are set out by law. Minimum employee entitlements often include minimum wage, breaks, annual vacation leave and sick leave.
In some countries, this also includes paid parental leave, insurances, pension contributions and protection from unfair dismissal.
Equal Employment Protections
Most countries now have laws in place which prohibit discriminating against staff on various specified grounds. These anti-discrimination laws are often referred to as ‘Equal Opportunity’ laws.
Prohibited grounds of discrimination vary by country but usually include gender, gender identity, ethnicity, sexual orientation, age and disability.
Anti-Money Laundering Regulations
Anti-money laundering and counter-terrorism financing (AML/CTF) laws and regulations now apply in most countries. These are the rules that are set out in legislation such as the Bank Secrecy Act 1970 in the USA and the Sanctions and Anti-Money Laundering Act 2018 in the UK. These laws and regulations require:
Which Rules Apply to Companies Across International Borders?
Financial Payment Standards
When accepting payments, and making bank transfers, there are a range of rules that apply internationally. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security rules for organizations that handle major credit cards. This applies to businesses, no matter where they are located in the world, as a requirement of credit card companies for using their services. All major credit cards including Visa, Mastercard and American Express require businesses to comply with the PCI DSS.
The PCI DSS requires businesses to carry out a range of steps in order to keep credit card data secure, including maintaining a secure network, implementing strong access control measures and regular testing of networks.
There is a validation and monitoring framework for compliance with this standard. Non-compliance can result in significant fines and penalties being applied from the card companies.
Sometimes financial transaction standards are enshrined in law in a particular jurisdiction. For example, several U.S. states require compliance with the PCI DSS (such as Nevada and Washington).
Similarly, the international Legal Entity Identifier (LEI) Framework applies in many countries across the world, as it is captured in local laws, regulations and securities exchange rules. The LEI framework is a consistent system for identifying counterparties to financial transactions across borders and is mandated by many legal systems, including the European Union and the US.
International Service and Product Standards
Have you ever wondered who decided what the ‘A4’ paper size is and what ensures that ‘A4’ paper size in one factory is the same as the ‘A4’ paper in another factory? It is the operation of a product standard (German standard DIN 476, to be exact).
Various standards have been developed by international organizations in order to ensure a certain quality and consistency in the creation of certain products and the performance of certain services.
International standards cover various matters, such as:
Many of these standards are set by the ISO, but other important sources of such standards include the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU).
Adhering to these international standards is not always required by legislation or regulations. However, it is often a requirement of contracts and licenses. For example, in sub-contracting, it is common for a business to be required to commit to these standards as part of their contract (particularly risk management, compliance and information security standards). Failing to comply with standards in this situation may constitute a breach of contract and make the business liable to pay damages.
Data Protection Laws
The most significant source of global compliance obligations in data protection is the European Union’s General Data Protection Regulation (GDPR). This law requires that any business that controls or processes the personal data of EU customers adhere to a range of data security obligations and afford customers a range of data protection rights. Core elements include:
Note, the GDPR applies to both businesses based in the EU, and any business outside the EU that is ‘doing business’ with EU customers. Therefore, consideration of the GDPR is essential for virtually all companies doing business online, no matter where they are based in the world.
California’s new data protection legislation, the California Consumer Privacy Act (CCPA) also applies outside its own territory. Any company ‘doing business’ with customers in California needs to comply with the requirements of the CCPA, whether or not the business is itself located in California.
The United States’ Foreign Corrupt Practices Act (the FCPA) prohibits corporations and their officers from bribing foreign officials and punishes them accordingly. Notably, this applies to activities occurring outside the United States, as long as the corporation in question has a ‘sufficient degree of connection’ to the United States. Recently, under this law, Goldman Sachs group and its Malaysian subsidiary admitted to conspiring to violate the FCPA and agreed to pay $2.9 billion as part of a resolution with investigators and regulators across various countries. The behavior in question occurred outside the United States.
Sadly, slavery and serious exploitation of workers still exist in the modern world. The United Kingdom was the first country in recent years to implement extensive anti-slavery legislation, and other countries are following suit (e.g., Australia in 2018).
These laws require businesses to investigate, monitor and assure the public that slavery and worker exploitation is not part of their supply chain.
The UK’s Modern Slavery Act 2015 also has application to businesses based or operating outside the UK as long as an entity in their broader group structure (such as a subsidiary) is ‘carrying out business’ in the UK.
The Consequences of Global Compliance Failure
When you have a business with multiple locations across country and state/province/territory borders, you need to consider how you are going to manage your global compliance.
Compliance failures can have significant consequences for an international business. We set out some of the possible consequences below.
Devastating Civil Fines and Penalties
For example, in 2020, Google and Amazon were fined $120 million and $42 million respectively by the French data protection authorities. These penalties were applied for failing to gain customer consent to drop non-essential cookies.
Failure to comply with the criminal law (such as prohibitions on bribery, money laundering and fraud) can result in imprisonment and other criminal penalties for the officers of corporations.
Breach of Contract
Compliance is often a requirement of various B2B contracts. A failure to comply with these compliance requirements may be considered a material breach of contract. This means the breach could result in the termination of the contract, court injunctions, and an obligation to pay damages.
Loss of Licenses or Approvals
In many industries, businesses are required to hold certain licenses, approvals or authorities granted by regulators (for example, financial services licenses). Compliance failures can result in the revocation of such licenses and approvals.
A reputation for global compliance failures will quickly make you a ‘cowboy’ of your industry. It is crucial for your future business prospects that you avoid at all costs the reputational sting of non-compliance.
How to Best Manage Global Compliance
The potential consequences of global compliance failures mean that you need to have steps in place to manage your compliance program. Some important steps to include are set out below.
Build Compliance into Business Processes
Compliance should not be an afterthought for your business: do not start by developing the optimal business process and then check that it meets compliance requirements. Instead, consider the compliance requirements as you develop your business approach. For example, ‘privacy by design’ is a requirement of the GDPR. This means that all businesses need to consider how they will compliantly collect and protect customer personal data when they first consider implementing a new process.
Appoint Responsible Staff
Ensure that, within your organization, the ‘compliance lead’ is clearly identified. This individual (who may also hold another role such as ‘chief legal officer’ or ‘head of risk management’) is responsible for keeping up with compliance changes as they arise, as well as putting processes in place to monitor compliance.
In any company, the board of directors has ultimate oversight of the business. Governance processes need to prioritize compliance. In larger companies, good practice requires: