Risk and Compliance Apr-Jun 22

risk &
RC & compliance
APR-JUN 2022
www.riskandcompliancemagazine.com
Inside this issue:
FEATURE
Deputising banks - FinCEN acts
to tackle environmental crime
EXPERT FORUM
Anti-corruption compliance
in Latin America
HOT TOPIC
Developments in European
anti-money laundering
MINI-ROUNDTABLE
2 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

CONTENTS
RC
&
004 FOREWORD 021 EXPERT FORUM
007
Anti-corruption compliance in Latin America
FEATURE Demarest; Prías Cadavid Abogados; Siqueira Castro
Deputising banks: FinCEN acts to tackle Advogados; Steptoe & Johnson LLP; Womble Bond
environmental crime Dickinson (US) LLP
014 FEATURE 038 PERSPECTIVES

Screening banks: managing climate-related Maximising the impact of the UK’s net-zero
financial risk strategy – making every pound count and
133
counting every pound
EDITORIAL PARTNERS FTI Consulting
043 PERSPECTIVES
Anti-corruption enforcement trends in
Editor: Mark Williams M&A: are the past four years a prologue to
Associate Editor: Fraser Tennant
Associate Editor: Richard Summerfield decreased enforcement?
Publisher: Peter Livingstone
Thompson Hine
Publisher: James Spavin
049
Production: Mark Truman
Design: Karen Watkins
MINI-ROUNDTABLE
Risk & Compliance
Published by Financier Worldwide Ltd Operational resilience and compliance in the
First Floor, Building 3
Wall Island, Birmingham Road financial services sector
Lichfield, WS14 0QP
United Kingdom KPMG
056
+44 (0)121 600 5910
riskandcompliance@financierworldwide.com
www.riskandcompliancemagazine.com MINI-ROUNDTABLE
ISSN: 2056-8975 The loan lifecycle in the new normal
SAS Institute Inc.
© 2022 FINANCIER WORLDWIDE LTD
062
All rights reserved.
No part of this publication may be copied, reproduced, transmitted ONE-ON-ONE INTERVIEW

or held in a retrievable system without the written permission of the
publishers. Whilst every effort is made to ensure the accuracy of all Solving complexity with robust taxonomy
material published in Financier Worldwide, the publishers accept no
responsibility for any errors or omissions, nor for any claims made as Wolters Kluwer
066
a result of such errors or omissions. Views expressed by contributors
are not necessarily those of the publishers. Any statements
expressed by professionals in this publication are understood to be
general opinions and should not be relied upon as legal or financial MINI-ROUNDTABLE
advice. Opinions expressed herein do not necessarily represent the
views of the author’s firms or clients. Why insurance companies should review
Financier Worldwide reserves full rights of international use of
their operating models
all published materials and all material is protected by copyright. FTI Consulting
Financier Worldwide retains the right to reprint any or all editorial
material for promotional or nonprofit use, with credit given.
www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 1

CONTENTS
072 PERSPECTIVES 095 PERSPECTIVES

Risk and compliance in 2022: do not unfasten Managing cyber risk in a digital world –
your seat belt just yet practical applications of zero trust
SAS Microsoft
077 PERSPECTIVES 099 PERSPECTIVES

How to scale risk and control self-assessment Privacy and cyber security: immediate
across institutional silos convergence is a necessity
ISACA Vishal Chawla
081 PERSPECTIVES 105 MINI-ROUNDTABLE

The gravity of compliance Competition and antitrust challenges in the
Patrick Henz life sciences sector
085
Ashurst LLP; Hogan Lovells
ONE-ON-ONE INTERVIEW
Establishing ESG strategy and human values 113 PERSPECTIVES
at board level Ethics and compliance in clinical trials: next
Society of Corporate Compliance and Ethics & Health Care generation
Compliance Association Novartis Research & Development
089 PERSPECTIVES 119 HOT TOPIC

Four steps to safeguarding corporate Developments in European anti-money
reputation laundering
Henley Business School Mayer Brown; Norton Rose Fulbright LLP; Pestalozzi; Quinn
Emanuel Urquhart & Sullivan LLP

Upcoming global
XXX MINI-ROUNDTABLE
SCCE events
Supporting compliance practitioners across the globe
SCCE is proud to offer a variety of global compliance and ethics conferences to help you learn about current hot topics, network
with colleagues, earn CEUs, and get insights and solutions on how to better develop and maintain your compliance programme.
Conducting Compliance Investigations

10th Annual European Compliance & Ethics Institute
27–28 April 2022 • Virtual (CEST)
22–23 March 2022 • Virtual (CET)
16–17 June 2022 • London, England
Hear from today’s compliance and ethics leaders on 6–7 October 2022 • Singapore
the latest solutions to your challenges, strategies to
Get guidance and insights from experienced
mitigate risk, and ways to improve your organisation’s
investigators on the core principles of conducting
compliance programme.
effective compliance investigations.
Basic Compliance & Ethics Academy Regional Compliance & Ethics Conferences
20–23 June 2022 • Amsterdam, Netherlands 15 July 2022 • Singapore
11–14 July 2022 • Singapore
Get updates on the latest news in regulatory
Receive three-and-a-half days of classroom-style requirements, enforcement, and strategies for
training in the essentials of managing a compliance developing and maintaining an effective compliance
and ethics program. and ethics program.
Get more information

corporatecompliance.org/international
FOREWORD
F O RE WO R D
Welcome to the thirty-eight issue of Risk

& Compliance, an e-magazine dedicated to the latest
developments in corporate risk management and regulatory
compliance. Published quarterly by Financier Worldwide, Risk &
Compliance draws on the experience and expertise of leading
experts in the field to deliver insight on the myriad risks facing global
companies, the insurance solutions available to mitigate them, and
the in-house processes and controls companies must adopt to
manage them.
In this issue we present features on FinCEN’s efforts to tackle
environmental crime and on screening banks to manage climate-
related financial risk. We also look at: anti-corruption compliance in
Latin America; maximising the impact of the UK’s net-zero strategy;
anti-corruption enforcement trends in M&A; operational resilience
and compliance in the financial services sector; embedding analytics
in every financial decision; solving complexity with robust taxonomy;
why insurance companies should review their operating models; risk
and compliance in 2022; the gravity of compliance; establishing ESG
strategy and human values at board level; four steps to safeguarding
corporate reputation; managing cyber risk in a digital world;
developments in European anti-money laundering; and more.
Thanks go to our esteemed editorial partners for their valued
contribution: FTI Consulting; KPMG; Pestalozzi; SAS; the Society of
Corporate Compliance and Ethics (SCCE); Wolters Kluwer; and ISACA.
– Editor

FOREWORD

MINI-ROUNDTABLE

FEATURE
FEATURE
DEPUTI SI N G B A N K S :
F INCE N ACTS T O TAC K L E
ENVIR O N M E NTA L C R I M E
BY FRASER TENNANT
E
nvironmental crime is the third largest illicit either for farming, building or real estate speculation;
activity across the globe, estimated to generate (iii) forestry crime, which is an umbrella term to
hundreds of billions in illicit proceeds annually, describe criminal activity in the forestry sector
according to the Financial Action Task Force covering the entire supply chain, from harvest and
(FATF). In its 2021 report ‘Money Laundering from transportation to processing and selling, including
Environmental Crime’, the FATF outlines the scale, illegal logging and land clearance; (iv) illegal mining,
nature and typologies of environmental crimes, the which refers to mining activity that is undertaken
summation of which causes significant and illegal without state permission (in absence of land
degradation of the environment. rights, mining licences and exploration or mineral
According to the report, these crimes, among transportation permits) or mining activity with state
others, include: (i) illegal logging, which involves permission obtained through corruption; and (v)
the harvesting, processing, transporting, buying or waste trafficking, which includes the illegal export or
selling of timber in contravention of domestic and illicit disposal of electronic waste (e-waste), plastics
international laws; (ii) illegal land clearing, which and hazardous substances, among others.
concerns the illegal acquisition and clearing of land

DEPUTISING BANKS: FINCEN ACTS TO TACKLE ENVIRONMENTAL... FEATURE
The FATF report also suggests that government “The Notice recited Interpol’s estimate of a
interventions are not proportionate to the severity 5 percent per year increase in the proceeds of
of this issue – which sees global crimes generating environmental crime, faster than the growth of
up to $281bn per year – and spells out the pivotal worldwide GDP and behind only counterfeiting and
role financial institutions (FIs) and lawmakers have drug trafficking,” observes Thomas K. Potter, III, a
to play in combating money laundering crimes in an partner at Burr & Forman, LLP. “FinCEN also noted
environmental context. the close association of environmental crimes with
“While governments have sought to counter conflict finance.”
environmental crime, they have not yet identified Underpinning FinCEN’s edict is the Biden
the financial flows associated with crimes to the administration’s overall strategy to implement
same extent,” says Paige Berges, counsel at Ropes & its environmental justice agenda – the ‘whole
Gray. “Illicit groups are likely to turn their attention to of government’ approach to climate issues,
whichever products are the most profitable and the which includes a particular emphasis on tackling
least likely to be detected – which may explain some environmental, social and governance (ESG) issues.
of the rise.” “Environmental crimes are not new, but they have
In the US, in a bid to tackle such activity, the not previously been prioritised by FinCEN,” affirms
Financial Crimes Enforcement Network (FinCEN) Jamal EI-Hindi, former deputy director of FinCEN
issued its first-ever advisory Notice on environmental and counsel at Clifford Chance. “The agencies’
crimes in November 2021 (FIN-2021-NTC4) – a present push is consistent with pronouncements
proclamation which tasked FIs with scrutinising from the Biden administration with respect to the
transactions that may be linked to illegal logging, environment and corruption as national security
fishing and mining and the trafficking of wildlife, issues.
waste and hazardous substances. “FinCEN notes that the current amount of
In addition to the typologies set out by the FATF, environmental crime reporting is low when
FinCEN characterises environmental crimes as compared with perceived illicit activity,” he
encompassing illegal activities that harm human continues. “By providing FIs with more information
health, and harm nature and natural resources by about the crimes and existing indicators surfacing
damaging environmental quality, including increasing in current reporting, FinCEN hopes to get more
carbon dioxide levels in the atmosphere, driving information from the financial sector. It is an iterative
biodiversity loss and causing the overexploitation of process.”
natural resources.

Resetting priorities terrorism (CFT) priorities in June 2021. In fact, the list
That FinCEN has now set its sights on prioritising contains only passing references to environmental
the fight against environmental crime is something crime in the ‘transnational criminal organisation
of an eye opener in the view of many, given the activity’ category.
bureau’s traditional focus on crimes such as “FinCEN’s Notice does, however, link to the
terrorism, corruption and drug trafficking. priorities by citing the ‘strong association’ of
Certainly, environmental crime was not among environmental crimes with corruption and
the categories – listed as corruption, cyber crime, transnational criminal organisations, two of FinCEN’s
terrorist financing, fraud, transnational criminal key priorities,” says Mr Potter. “The increased focus
organisation activity, drug trafficking, human on an ‘environmental crime’ subset of those broader
trafficking and proliferation financing – highlighted categories is aligned with decades-long efforts
in FinCEN’s first government-wide list of anti-money by Interpol and other international organisations,
laundering (AML) and countering the financing of

including the United Nations Interregional Crime and “The Notice instructs FIs to be aware and to make
Justice Research Institute (UNICRI), and the FATF.” authorities aware when they file suspicious activity
By aligning itself, and its recently expressed reports that there is suspicion of environmental
priorities, with such organisations,
not to mention following in the recent
steps of the FATF, the FinCEN Notice
seeks to harness financial intelligence
provided by FIs to ‘follow the money’ “The FinCEN Notice seeks to harness
associated with environmental crimes financial intelligence provided by FIs
more closely.
“FinCEN’s AML and CFT regulatory
to ‘follow the money’ associated with
jurisdiction extends only to covered FIs, environmental crimes more closely.”
defined as financial institutions required
by Bank Secrecy Act (BSA) regulations
to maintain an AML programme,”
adds Mr Potter. “However, the bureau
has sought to add investment advisers to that list. crimes, to help provide authorities with information
That list and other publications by various bureaus on where and how the profits of these crimes are
within the State Department may assist covered being moved,” explains Ms Berges. “This, of course,
FIs in identifying conflict zones and other locations, requires FIs to make themselves aware of relevant
transaction markers or persons at heightened risk of typologies of environmental crimes.”
transactions involving environmental crime.” Drilling down, the Notice states that SAR filings are
“crucial to identifying and stopping environmental
Key instructions crimes and related money laundering”, and advises
FinCEN’s Notice, although offering little guidance at that FIs, in conjunction with effective implementation
an operational level, does provide FIs with extensive of their BSA compliance requirements, implement a
suspicious activity report (SAR) instructions when number of measures, as listed below.
filing within any of the enumerated environmental Keyword. FIs should reference only the Notice
crime categories. The Notice also describes each in SAR field 2 using keyword ‘FIN-2021-NTC4’. This
category in considerable detail. keyword should also be referenced in the narrative
portion of the SAR to indicate a connection between

the suspicious activity being reported and the places where the reported individuals or entities are
activities highlighted in the Notice. operating.
Associated activity types. FIs should select SAR
field 38(z) as the associated suspicious activity type Collating and reporting challenges
to indicate a connection between the suspicious With FinCEN’s Notice tasking FIs with establishing
activity being reported and environmental crimes, a direct connection between suspicious activity
and use the most relevant keyword for suspicious typologies and economic crime activities, the
activity, such as ‘wildlife trafficking’, ‘illegal logging’, difficulties in collating and reporting such data
‘illegal fishing’, ‘illegal mining’, or ‘waste trafficking’. are considerable – particularly when detailed
If the suspicious activity involves multiple potential information on such crime is limited and reportable
offences, filers should include all relevant keywords. incidents are often difficult to ascertain, given the
Information sharing. FIs may consider sharing commingling of such activity and its proceeds with
information on suspected environmental crimes legitimate trade.
offences under Section 314(b) for the purposes of “Suspicious activity indicators share themes
identifying and reporting money laundering activity. with ‘traditional’ money laundering: use of front
FIs should also provide all available details – companies and shell companies, unexplained
names, identifiers and contact information, as well wealth that outsizes the legitimate or purported
as internet protocol and email addresses and phone business, and significant purchases of real estate
numbers – regarding: (i) any actual purchasers or or luxury goods,” observes Ms Berges. “But one
sellers of the illicit product, plant, waste or waste unique difficulty with environmental crime is that
disposal services, as well as intermediaries or illegal products can be commingled with legal
agents; (ii) the volume and dollar amount of the products and legitimate business activity related to
transactions involving an entity that is, or may be that product, which is clearly not the case in drug
functioning as, a supplier of illicit products, plants, trafficking or people smuggling.
waste or waste services; and (iii) any beneficial “Another difficulty is that the typologies of
owners of involved entities, such as shell companies. environmental crime are also vast,” she continues. “It
In addition, in the case of illicit waste, FIs should could be the type of the product, where the product
provide all available details and specific descriptions was sourced from, how it was sourced, or the end
of the waste product and any known details about use and destination.”
its origin, transportation and destination. If known,
information should also be provided about the

Appetite for enforcement For Mr EI-Hindi, once illicit activity is confirmed,

In most cases, environmental crimes are relatively enforcement is key. “As governments and the
low-risk activities with high rewards as enforcement financial sector develop and share greater
efforts are limited, demand for the products and awareness of the characteristics particular to
services generated by such crimes is high, and financial flows involving environmental crime,
criminal penalties are not as severe as for other reporting from FIs will get better in terms of quantity
illicit activities – a reality FinCEN’s Notice seeks to and quality,” he contends. “FIs will make it harder for
address. illicit actors to move their money, and governments
However, although optimistic, Mr Potter believes need to take enforcement action against the
the Notice only goes so far. “It almost seems culprits.”
more aspirational than practical,” he contends. Ultimately, FinCEN’s Notice must be seen as a
“Nevertheless, it can only but improve efforts to good start – a concerted effort by the bureau, its
identify and combat environmental crime and regulatory and law enforcement partners, and
related money laundering. Stepping back, it is useful aided by FIs, to call attention to an upward trend in
to recognise that the effort, like much AML activity, environmental crimes and associated illicit financial
is designed to be principles-based regulation, not activity – with the enforcement of robust penalties
prescriptive.” the desired endgame. RC
&

XXX MINI-ROUNDTABLE

FEATURE
FEATURE
SC REE N I N G B A N K S :
MANAG I N G CL I M AT E-
R EL AT E D F I N A N C I A L R I S K
BY RICHARD SUMMERFIELD
I
n the coming decades, the increased speed of predicts that advanced Asian economies will see
climate change will continue to cause catastrophic GDP decline 3.3 percent if temperatures rise less
disruption through higher temperatures and more than 2 degrees Celsius, with a 15.4 percent drop
extreme weather events. Aside from the devastating if the temperature rise is more severe. ASEAN
physical damage and potential loss of life resulting countries are forecast to see drops of 4.2 percent
from such events, there are also financial losses to and 37.4 percent respectively. China is at risk of
consider. According to the World Economic Forum, losing nearly 24 percent of its GDP in a severe
the global economy could lose 10 percent of its total scenario, compared to forecast losses of 10 percent
value by 2050 due to climate change. for the US, Canada and the UK, and 11 percent for
Swiss Re Institute warns that if global Europe.
temperatures rise by 3.2 degrees Celsius, it could As concerning as these forecasts are, it is
wipe up to 18 percent of GDP off the world economy abundantly clear that climate change is not just a
by 2050. Its Climate Economics Index stress tests future threat – its impact is already being felt across
how global warming will affect 48 countries – the world. Rising temperatures are causing more
representing 90 percent of the world economy. It frequent weather events such as hurricanes, fires,

SCREENING BANKS: MANAGING CLIMATE-RELATED FINANCIAL RISK FEATURE
floods, droughts, extreme heat and extreme cold. screened for climate risk as part of their periodic
In the US, the frequency of high-cost climate and stress tests. Mr Hsu said the OCC was working on
weather disasters has jumped significantly over the the guidance in collaboration with other banking
past four decades, according to the National Oceanic regulators to help lenders navigate the physical and
and Atmospheric Administration.
Many sectors – including agriculture,
infrastructure, tourism and financial
services – are already being affected
by the regularity of extreme weather
“Banks will continue to face rising
events. Without action, climate change pressure to protect themselves from the
could upend the financial system. impact of climate change and to align with
Given the immediate and evolving the global sustainability agenda.”
threat posed by climate change,
mitigation efforts are needed. Climate
change mitigation means avoiding
and reducing emissions of heat-
trapping greenhouse gases into the atmosphere to transition risks climate change poses to the financial
prevent the planet from warming to more extreme system. He added that the agency’s own regulatory
temperatures. Adaptation measures require people approach was focused on maintaining the safety and
to alter their behaviours, systems and ways of life to soundness of the financial system.
protect the environment and in turn the economy. “Climate change poses an existential risk to
More must be done to reduce greenhouse gas society and the associated financial risks pose safety
emissions, phase out fossil fuel subsidies and foster and soundness risk to banks,” said Mr Hsu during
green investment. a speech in September 2021. “To safeguard trust,
banks and regulators must begin to take action now.”
US regulatory response Mr Hsu’s comments suggest that the US
In a significant effort to incorporate the risks government is potentially considering the
posed by rising temperatures into financial rules, introduction of more expansive guidance which
Michael Hsu, the acting head of the US’s top would impact a wider number of lenders in the US
banking regulator, the Office of the Comptroller and the companies they do business with. While
of the Currency (OCC), has called for banks to be guidance does not carry the same legal weight as

a formal rule, it is often as effective and can

be implemented much faster. It is also
indicative of a broader direction of travel
toward greater legislative action to
address the issue.
To that end, the Biden
administration has made addressing
climate change a top priority across
the government, with US financial
regulators now taking steps to
translate that broad policy into concrete
initiatives.

In May 2021, the administration issued Executive term approach, considering how climate-related
Order 14030, ‘Climate-Related Financial Risk’, risks might impact all aspects of the risk profile.
which directed Janet Yellen, the secretary of the Specifically, the PRA expects to see that a firm’s
Treasury, in her role as chair of the Financial Stability board understands and assesses the financial risks
Oversight Council (FSOC), to consider how to combat from climate change that affect the company, and
climate change, especially as it affects the financial take steps to address and oversee these risks in
sector. The executive order specifically cited the line with its business strategy and risk appetite. The
potential impact on the stability of the US financial PRA also expects firms to allocate responsibility
system. The FSOC subsequently issued a report for identifying and managing financial risks
which included concrete recommendations to associated with climate change to the relevant
help member agencies assess the financial risks of senior management functions within the company’s
climate change, enhance climate-related data and organisational structure and risk profile.
disclosures, and build expertise to address climate Furthermore, the PRA wants firms to use stress
change. testing and scenario analysis to inform risk
In addition, a White House report issued pursuant identification and to help understand the short
to the executive order aimed to “usher in a new era and long term financial risks that climate change
where climate-related financial risks are thoroughly presents to their business models. Material
understood — where they are measured, disclosed, exposures to climate risks should be included within
managed, and mitigated across the economy”. the Internal Capital Adequacy Assessment Process
(ICAAP) or Own Risk and Solvency Assessment
The UK approach (ORSA).
In 2019, in the UK, the Prudential Regulation To meet the PRA’s expectations, boards have a
Authority (PRA) set out its expectations for how crucial governance role to play. They need the right
banks, insurers and the broader financial system knowledge and tools to oversee climate change risk
should manage climate-related financial risks. As management. A clear line of accountability should
explained in ‘SS3/19: Enhancing banks’ and insurers’ extend throughout the company and specifically
approaches to managing the financial risks from within the board and subcommittees. Designated
climate change and PS11/19’, the PRA expects firms individuals need to be sufficiently qualified or trained
to take action in specific areas. It wants to see the in climate risk. In order to perform their duties,
firms it supervises take a strategic, holistic and long- senior management will need to supply boards with
sufficient high quality, relevant information.

Transition risks financial stability reports and special publications.

Efforts to mitigate climate change, whether Regulators are formalising new rules for climate-risk
through government policies, new technologies or management, and banks should expect to undergo
changes to consumer and investor behaviour, also demanding stress tests in the years ahead.
present ‘transition’ risks. Over time, there may be Financial services firms should approach climate
a dramatic knock-on effect to how certain assets, risk as they would any other financial risk, across
industries or properties are valued, for example. all three lines of defence. They will be expected to
Industries and assets related to fossil fuels will be identify, measure, monitor, manage and report on
under pressure in the push for green, sustainable exposure to climate risk. Part of the process requires
alternatives. The imposition of government policies scenario analysis to inform strategy setting and risk
designed to reduce greenhouse gas emissions, identification. In this way, companies can draw on
such as an increase in the carbon tax, along with the accumulated information when adjusting their
high-profile fund divestments from fossil-fuel operations to endure climate impacts, including the
related stocks, or a widespread consumer switch global shift toward lower carbon emissions. Taking
to alternative sources of utilities or transportation, a wider view, scenario analysis also helps to build
can all lead to sharp repricing of associated financial a picture of whether the financial system is robust
assets. enough to withstand a wide variety of climate-
According to McKinsey, sectors that will bear the related shocks.
brunt of these challenges include oil & gas, real Going forward, senior leaders in the financial
estate, automotive and transport, power generation, services industry will need to set the tone on
and agriculture. In oil & gas, for example, demand climate-risk governance. Banks should nominate a
could fall by 35 percent over the next decade. The leader responsible for climate risk, typically the chief
good news, of course, is that these changes should risk officer (CRO).
also precipitate a sharp decline in carbon emissions. Climate-risk considerations need to be factored
in across the risk management framework,
Rising pressure including capital allocations, loan approvals,
Banks will continue to face rising pressure to portfolio monitoring, and reporting. Data will be
protect themselves from the impact of climate key. If financial services firms are to understand
change and to align with the global sustainability the fundamentals of climate change, as well as
agenda. Central banks are including assessments its impact on their activities, they will need data
of financial risks related to climate change in their

on pricing, credit risk and client-relationship value, and set a platform for future growth. They may,
management. for example, reduce their exposure to traditional
Currently, however, the lack of generally agreed- energy sources and instead support assets that are
upon models makes it challenging for organisations addressing the climate shift, such as renewable
to measure systemic climate-related financial energy, electric vehicles, and carbon capture and
risk. In time, this process will likely become easier storage, among other emerging opportunities.
as modelling techniques are developed and the In the short term, the financial and reputational
necessary databases are built. benefits of embracing the transition to a lower
Though climate risk and regulation may be carbon economy are clear, however the long-term
daunting, there are opportunities for organisations prospects of survival on this planet are perhaps
to differentiate themselves from the competition, more valuable. RC
&
demonstrate that they are protecting stakeholder

MINI-ROUNDTABLE
FTI Consulting is an independent global business

advisory firm dedicated to helping organizations
manage change, mitigate risk and resolve disputes:
financial, legal, operational, political & regulatory,
reputational and transactional.
www.fticonsulting.com
©202022 FTI&Consulting,
RISK COMPLIANCE Inc. Apr-Jun
All rights2022
reserved. www.riskandcompliancemagazine.com
EXPERT FORUM
E X P E RT FORU M
ANTI-CORRUPTION
COMPLIANCE IN LATIN
AMERICA

ANTI-CORRUPTION COMPLIANCE IN LATIN AMERICA EXPERT FORUM
PANEL EXPERTS
Fabyola En Rodrigues Fabyola En Rodrigues is a partner and leads Demarest’s white-collar

Partner crime practice. With more than 20 years of experience and a high level of
specialisation, she has presented seminars on civil liability of managers
Demarest before boards of national and multinational groups and has lectured on civil
T: +55 (11) 3356 1738 and criminal liability in environmental matters, anti-corruption law, money
E: frodrigues@demarest.com.br laundering, insider trading and compliance. She holds a PhD in corporate
criminal law and an MA in criminal law from Pontifícia Universidade Católica
de São Paulo, as well as a specialisation in corporate crime from Fundação
Getulio Vargas.
Paula Cadavid Paula Cadavid graduated from the Universidad Javeriana in 1993. She
Founding Partner specialised in criminal law at the Universidad Externado de Colombia
(1995) and gained an LLM in criminal law at the Universidad de Barcelona
Prías Cadavid Abogados – Universidad Pompeu Fabra, Spain. For the past 17 years, she has been
T: +57 7430620 dedicated to litigation and advice on criminal matters, especially in economic,
E: pcadavid@priascadavid.com business, financial and public services crimes. She is currently partner at Prias
Cadavid Abogados. She previously served as an adviser at the Republic’s
Congress and the Consulate General of Colombia in Barcelona.
João Daniel Rassi João Daniel Rassi is a criminal lawyer with more than 25 years of
Partner experience in criminal litigation and consultation, working with themes such
as environmental, tax, financial and capital markets, intellectual property,
Siqueira Castro Advogados antitrust and consumer law crimes, besides protection against corporate fraud
T: +55 11 96356 0231 and compliance programmes. He has PhDs in criminal law and in procedural
E: rassi@siqueiracastro.com.br criminal law, both from the University of São Paulo (USP).
Lucinda A. Low Lucinda Low’s practice includes representing audit committees, boards of
Partner directors, and companies in internal, government and international financial
institution audits, investigations and enforcement matters involving fraud,
Steptoe & Johnson LLP bribery, corruption and other compliance issues. She is recognised by
T: +1 (202) 429 8051 Chambers market commentators for her “incredible technical proficiency,
E: llow@steptoe.com spectacular advocacy skills, and cultural know-how”. She has particular
authority in matters involving the US Foreign Corrupt Practices Act (FCPA) and
other anti-bribery and anti-corruption laws, and other international business
compliance issues.
Luke Cass Luke Cass defends corporations and individuals against federal criminal
Partner allegations, including the Foreign Corrupt Practices Act (FCPA). He served as
a federal prosecutor for a decade with the Public Integrity Section of the US
Womble Bond Dickinson (US) LLP Department of Justice’s Criminal Division and as an assistant United States
T: +1 (202) 857 4426 attorney in the Financial Fraud and Corruption Unit of the US Attorney’s Office
E: luke.cass@wbd-us.com for the District of Puerto Rico.

R&C: What do you consider to be the lower-income countries. Every country in LATAM,
main corruption trends in Latin America except for high-income jurisdictions, is ranked
over the past 12 months or so? How 63rd or worse in the Rule of Law Index’s Worldwide
would you describe current corruption Absence of Corruption category. Weaknesses
levels? within democratic institutions facilitate corruption,
and corruption dents the strength of democratic
Rodrigues: Public procurement was an important institutions in a seemingly never-ending cycle. The
corruption trend last year, particularly
against the backdrop of the coronavirus
(COVID-19) pandemic. Indeed, authorities
faced significant issues pertaining to “LATAM’s approach to anti-corruption
irregular bids and purchases, most often enforcement is mixed, ranging from
through the waiving of competitive bid non-existent to relatively robust in
requirements for medical supplies. In
places like Chile.”
Brazil, similar discussions took place, not
only at a judicial level, which gave rise
to proceedings in different spheres –
such as criminal prosecutions for active Luke Cass,
and passive corruption, bid rigging and Womble Bond Dickinson (US) LLP
other crimes – but also at the legislative

level, with the launch of a Parliamentary Inquiry COVID-19 pandemic does not seem to have curtailed
Commission, one of the ways in which legislative the various types of corrupt practices, only intensified
power exercises its supervisory function. Therefore, them. The urgent demands related to the pandemic
2021 experienced an important corruption trend have impacted public procurement and loosened
linked to government purchases in the context of the controls over bids and contracts. This situation,
COVID-19 pandemic. However, although corruption along with the deepening of the economic crisis and
levels are not necessarily decreasing, companies are the overload of cases in the judiciary, has created
attempting to mitigate related risks. favourable conditions for malicious actors over the
last 12 months. Historically, most corrupt practices in
Rassi: Corruption is a structural problem in Latin the region relate to bribing public officials in order to
America (LATAM) which is particularly harmful in

rig bids and public procurement, as well as bribing in some reports on issues arising in procurement
legislators. of medical supplies and in economic stimulus.
Current corruption levels in LATAM broadly are
Low: Transparency International has characterised very high. While the region has some bright spots,
the Americas as “a region in crisis” as of 2021, notably Uruguay and Chile, it is also home to some
with numerous countries in LATAM
experiencing either no improvement or
declines in their perceived corruption “The region’s four largest economies
levels, as measured by the Corruption
– Brazil, Mexico, Argentina and
Perceptions Index. In early 2021, president
Jair Bolsonaro of Brazil ended ‘Operation
Colombia – all saw their Transparency
Car Wash’. While this has not meant the International Corruption Perceptions
complete cessation of anti-corruption Index scores worsen last year.”
enforcement in Brazil, LATAM’s largest
economy, the picture there is now more
complex. Meanwhile, in the region’s Lucinda A. Low,
Steptoe & Johnson LLP
second-largest economy, Mexico, there
has been a notable failure to make
advances against corruption despite the current of the more corrupt nations on earth, according
president, Andres Manuel Lopez Obrador, having to Transparency International, in Nicaragua and
been elected in 2018 with a pledge to end corruption. Venezuela. While Foreign Corrupt Practices Act
The Cuadernos – Notebooks – scandal in Argentina (FCPA) actions were down in 2021, LATAM accounted
has also yielded fewer results than initially thought. for most of the bribery schemes subject to FCPA-
In other parts of this large and diverse region, the related investigations: five out of the nine identified
picture is mixed, with worsening corruption and by authorities. The seriousness of the issue of
weaker institutions in some countries, but brighter corruption in LATAM is made apparent by the Biden
spots in others. administration focusing its anti-corruption efforts on
LATAM, specifically the ‘Northern Triangle’ of LATAM –
Cass: Corruption in LATAM continues to be a Guatemala, Honduras and El Salvador.
significant issue. Over the last year we have seen
that play out in pandemic-related graft, specifically

Cadavid: Over the past year, the main corruption by this, since most criminal organisations work
trends in LATAM have related to health systems and transnationally. Therefore, enforcement of anti-
insurance, the COVID-19 vaccination process and corruption laws is still a challenge in most LATAM
state contracts concerning those matters. There has countries, which makes it significantly harder
also been corruption related to election processes. for companies to guarantee the integrity of their
However, the main corruption trends evident in South activities.
America have not been confined to the public realm;
corruption levels in the private sector are also high. Low: Recent years have seen significant
Corrupt practices are socially acceptable in many developments in terms of homegrown efforts to fight
LATAM countries for a number of reasons, including corruption, in many cases accompanied by initiatives
a lack of sanctions, a lack of respect for the interests to collaborate with US authorities, with Brazil’s
of others, and a general acceptance that companies ‘Operation Car Wash’ serving as the standard bearer
will use any means necessary to achieve their goals. in this regard. These efforts included some significant
Thus, corrupt practices are everywhere. institutional changes, such as the passage of new
fraud and corruption-related statutes, compliance
R&C: How would you characterise Latin incentives and regulations, as well as prosecutors’
America’s approach to anti-corruption use of cooperator statements and corporate leniency
compliance and enforcement? agreements when building cases, which was not
traditional in the predominantly civil law region.
Rassi: With the rise of anti-corruption legislation Allegations of misuse of these tools and other
internationally, companies are adjusting and gradually misconduct on the part of prosecutors and judges in
implementing compliance policies. Multinational ‘Operation Car Wash’ and reversals of key ‘Operation
companies in different economic sectors set an Car Wash’ convictions, such as that of former
example to the smaller ones on the implementation president Luiz Inácio Lula da Silva, have created
of better compliance policies. LATAM does not have significant uncertainty as to how the region’s largest
a unified regional approach to anti-corruption, unlike economy will approach anti-corruption compliance
the European Union (EU), for example. There is no and enforcement in the coming years.
international legislation specific to LATAM countries,
only nonbinding recommendations. The effectiveness Cass: LATAM’s approach to anti-corruption
of investigations and the overall improvement of enforcement is mixed, ranging from non-existent
anti-corruption efforts in the region may be harmed to relatively robust in places like Chile. Many South

American nations have an FCPA analogue statute, or Corruption Perceptions Index, where corruption is
at least maintain similar prohibitions on transnational calculated between zero and 100, a score of zero
bribery in their anti-corruption regimes. The reality of indicates a high perception of corruption, and a
anti-corruption efforts in the region is perhaps better value of 100 means that it is not perceived at all, the
represented by the Northern Triangle, in the three regional score for LATAM overall is 41. Venezuela is
years since 2019, allowing to expire or terminating the most corrupt country and Uruguay is the least.
bodies designed to root out public corruption in
their governments. These include the International Rodrigues: LATAM’s efforts in terms of anti-
Commission Against Impunity in Guatemala, the corruption compliance are increasingly on the
Mission to Support the Fight Against Corruption agenda of private entities and public authorities,
and Impunity in Honduras, and the International especially with several US companies operating
Commission Against Impunity in El Salvador, which subsidiaries in the region. Across the board, the
led the region’s approach to anti-corruption. These challenge is to implement and maintain an effective
commissions were stood up with international compliance programme. From a public perspective,
support ostensibly to serve as watchdogs and root increasing cooperation between authorities
out government corruption. Instead, they were through international agreements, allied with fast
ultimately not independent of those they oversaw, and efficient use of technology, is enabling a rapid
and were in effect decommissioned. exchange of relevant evidence between competent
authorities, which contributes greatly to the outcome
Cadavid: LATAM governments have improved of investigations. That said, some LATAM countries
their oversight in the fight against corruption, have major political issues to contend with when
but enforcement is still limited. The strategy in enforcing anti-corruption laws – a significant hurdle
the region has focused on the legal ramifications given the extent to which the fight against corruption
of compliance and enforcement rather than relies on public and governmental policies, as well as
educational and practical measures. Punishment economic growth.
is often prioritised over prevention. Implementing
additional preventative measures would mean a R&C: How would you gauge the
higher cost for politicians who could lose alliances effectiveness of the legal and regulatory
with elite members of society, which has led to a loss response to corruption in the region?
of legitimacy for anti-corruption efforts in several What are the enforcement priorities of
LATAM countries. On Transparency International’s Latin American authorities, and are there

signs of success in reducing activity released indicate that the pandemic not only
levels? provided opportunities for graft but led to diminished
anti-corruption efforts in the region. So, in one sense
Low: The effectiveness of responses to corruption it appears efforts in the region are proving less
in the region has been mixed, and the long-term effective. Not all is bleak, however. Anti-corruption
outlook for corruption efforts is uncertain. The bills are progressing in Chile and Colombia, there
region’s four largest economies – Brazil, Mexico, appear to be some improvements in Panama and
Argentina and Colombia – all saw their
Transparency International Corruption
Perceptions Index scores worsen last “Risk assessments, employee training,
year. There were some counterpoints in
third-party compliance and reporting
the region, however. Uruguay remained a
regional leader in terms of relatively low
are all essential components of any
levels of corruption. Ecuador saw some compliance programme, which are
worsening in terms of the perception of required by many LATAM countries.”
corruption levels, but in 2020 and 2021
also saw criminal prosecutions of a former
president, and a former vice president, João Daniel Rass,
Siqueira Castro Advogados
for corruption-related crimes. Meanwhile,
Chile saw a significant corruption
prosecution of a former senator, and the legislature Ecuador in terms of those countries’ ability to
is currently considering a new constitution that deal with white-collar crime, and there have been
includes anti-corruption measures. Many countries significant improvements in anti-money laundering
are focused on infrastructure and public contracts, (AML) efforts in the region. Several issues continue
while in Central America, corruption is closely linked to hinder efforts in the region, including in countries
to drug trafficking and other organised crime activity. identified as bright spots. The issues include funding
and budgetary issues and fractured internal politics.
Cass: The pandemic has had a negative effect on Resources may be the single biggest challenge,
the overall effort to combat corruption in LATAM. however.
Corruption in the region still represents a significant
portion of FCPA actions in 2021. Several reports

EXPERT FORUM
Rodrigues: The effectiveness of the legal and

regulatory response to corruption comes not only
from the legislation itself, but also from administrative
measures aimed at facilitating the applicability
of the law. In Brazil, the federal government has
implemented its so-called ‘Anti-corruption Plan’,
which aims to structure and execute actions
to improve the prevention and detection of, as
well as accountability for, corruption. The plan is
being advanced in compliance with extant anti-
corruption legislation and in line with international
recommendations. Furthermore, authorities are
coordinating their AML activities to facilitate the
exchange of evidence and aid prosecution in parallel
spheres. Brazil currently holds sixth position in the
‘Capacity to Combat Corruption Index’, which is
testament to LATAM’s ability to detect, punish and
prevent corruption.
Cadavid: To gauge the effectiveness of the legal

and regulatory response to corruption, we must
analyse the level of regulation applied and if it has
changed in recent years. The priorities for LATAM
authorities have been preventing terrorism financing
and money laundering. In Colombia, for example,
a key enforcement priority has been international
bribery. International bribery became a crime in
2011. Law 1778, which entered into force in 2016,
issued rules on the liability of legal persons for acts
of transnational corruption, among other provisions
in the fight against corruption. We do not believe

there has been a high success rate in the fight

against corruption to date in LATAM. Over the last
few years, several public and private corruption
cases have affected social and economic conditions
in the region, and low-level corrupt practices remain
present in all economic sectors.
Rassi: At least on a national level, LATAM

countries are taking measures to counter corruption
and diminish the harm it can cause. In Brazil,
measures have included the Anti-Corruption Bill and
the implementation of plea bargaining-like measures
designed to incentivise and reward whistleblowing.
‘Operation Car Wash’ was designed to enforce anti-
corruption laws – even though the operation itself
ultimately failed. However, according to the Capacity
to Combat Corruption index, the effectiveness
of anti-corruption efforts in low-income LATAM
countries has declined during the pandemic. The
relative youth of LATAM democracies, along with the
recent rise in authoritarian-leaning rulers and ideas
in the region, have made the fight against corruption
less effective in recent years. There are signs that
efforts are being made to intensify anti-corruption
practices, with a particular focus on bribery, but the
weakness and lack of autonomy of investigation
and prosecution offices makes it very difficult to
effectively investigate and punish corruption-related
activities.

R&C: What recent corruption cases in Several governments, political parties and high-profile
Latin America are worth highlighting? companies in LATAM were involved in paying $349m
What lessons can companies learn from between 2013 and 2016 in order to gain advantages
compliance transgressions and resultant in different projects. In exchange, Obredecht made
penalties, in order to enhance their own around $1.9bn through the contracts obtained
anti-corruption framework?
Cass: 2021 was a slow year for FCPA “It is important to extend the company’s
enforcement actions and resolutions. Out
compliance mechanisms to prevent
of the limited number of resolutions, two
of those involved companies operating
corruption and tax issues from occurring.
in South America, specifically in Brazil. Making these mechanisms more explicit
Both were charged with alleged violations helps to build a prevention structure.”
of the FCPA’s anti-bribery, books and
records, and internal control provisions.
Both cases involved the alleged payment Paula Cadavid,
of bribes, and in the case of one matter, Prías Cadavid Abogados
the parent company was accused of

failing to promptly and adequately respond to as a result of its corrupt practices, in one of the
warning signs of corruption or control failures in biggest corporate corruption cases in history. The
its subsidiary. In addition, recently disclosed FCPA Obredecht scandal has certainly had an impact on
investigations allegedly involved companies in the political stability in LATAM and has demonstrated
Northern Triangle. The takeaways are clear, robust to companies the cost of breaking the law and will
compliance programmes must cover and include hopefully show companies that it is more productive
active monitoring of activities of subsidiaries, and and profitable in the long term to follow the rules.
prompt responses to warning signs of corruption are AML measures and regulatory obligations in place in
necessary to head off issues, especially considering Colombia have now been extended to many non-
the US’s narrowing focus on the region. financial sectors and are helping to open a path for
companies to make decisions about implementing
Cadavid: The Obredecht case was one of the strong compliance and anti-corruption practices.
most noteworthy corruption cases in LATAM recently.

Rassi: One of the latest corruption scandals financial resources to be able to sign agreements
in Brazil relates to the acquisition of COVID-19 with authorities – demonstrating that, in this context,
vaccines. Allegedly, Jair Bolsonaro’s government it is more expensive not to implement an effective
hired a company to import over 20 million Covaxin compliance programme, than to do so. Furthermore,
vaccines. What raised suspicion was the swiftness both cases emphasise the importance of a culture
of the negotiation process and the fact that the of integrity, supported by senior management, to
individual price of each dose was higher than the prevent negative media exposure, which can cause
prices of vaccines offered by Pfizer, AstraZeneca serious reputational damage.
and CoronaVac. The contract also required that the
government pay $45m in advance to a different Low: The role of third-party agents in the Amec
company that was not part of the deal. The case is Foster Wheeler case is notable. In that case, the
still under investigation. Companies should have company allegedly paid bribes through an Italian
a strict procedure when it comes to contracts. agent who was allowed to work on a project
They should be reviewed thoroughly by a specialist unofficially, despite failing Amec Foster Wheeler’s
team. Also, there must be standardised clauses – a due diligence process. The unofficial agent worked
multidisciplinary team should analyse any request to in conjunction with a Brazilian agent that was hired
include new clauses. It is also crucial to have specific officially, and whose engagement was used to cover
training for employees who work directly with the the Italian agent’s involvement. Companies have long
public sector, and to actively discourage bribery. identified relationships with third-party sales agents
as posing perhaps the greatest degree of compliance
Rodrigues: Recent corruption cases worth risk, but as bad actors in the region become more
highlighting involve international cooperation knowledgeable about corporate compliance
between Brazil and the US. Two in particular are the programmes, companies should also be alert to
leniency agreements signed by Technip/Flexibras, sophisticated efforts to circumvent existing controls.
which agreed to pay BRL1.13bn to public authorities,
and Braskem S.A., which is expected to pay a total R&C: What steps can companies
of BRL2.87bn. Since signing the leniency agreement operating in Latin America take to keep
in 2017, Braskem has undergone independent up to date with new and emerging
monitoring carried out by specialised professionals. corruption risks?
Moreover, due to compliance transgressions, both
companies were required to contribute significant

Rassi: Companies should work to implement an liability risks in M&A transactions. Hence, companies
effective compliance programme, aiming for a shift of should be alert to the risks they are exposed to. This
culture that will, eventually, prevent all kinds of illicit means, for example, sufficient contractual protection
activities. Compliance programmes should provide with strong anti-corruption provisions, as well as
training, preferably with a top-to-bottom approach, the performance of anti-corruption due diligences,
to ultimately include every employee in the company, not only before signing a deal but throughout the
including third parties, and training should be execution of a contract.
periodic and constantly updated. It is also crucial that
companies have specific training programmes based Low: Local debarment lists and ongoing media
on the laws of each country where they do business. monitoring can help companies stay abreast of
That is particularly important if the company’s or a emerging corruption risks in the region. In Brazil, for
specific sector’s activities require involvement with example, the Controladoria-Geral da União (CGU)
the public sector. Anti-corruption must become the actively maintains a list of companies and individuals
core value for companies, and cultural change takes that are restricted from contracting with the federal
time. government. The high-profile nature of corruption
scandals in the region has led local media to actively
Rodrigues: In general, it is advisable to maintain report on corruption issues. This reporting, although
an effective compliance programme, including not always reliable, can provide valuable insights
regular risk assessments, policy reviews and into potential corruption issues. The Organisation for
training of personnel according to seniority. In Economic Co-operation and Development (OECD)
addition, companies are increasingly tasking specific Working Group on Bribery’s country reports can also
departments to deal with environmental, social and give companies a more granular understanding of
governance (ESG) issues. To this end, well-structured country-level corruption risk. The implementation
internal procedures – including board composition, of the OECD Anti-Bribery Convention is monitored
audit committee structure, codes of corporate through a peer review process with experts from
conduct, relationships with governmental entities, different member countries evaluating other member
politicians and public agents, and the existence of a countries. Working Group reports are available on
whistleblower hotline – assist good governance and Anti-Bribery Convention member countries, including
help mitigate corruption risks. Furthermore, it is worth the region’s largest economies.
mentioning that there has been a growing demand
for due diligence, particularly in light of criminal

Cadavid: Companies should strengthen and escalate and cause serious issues for the company.
constantly update their compliance programmes This includes when companies are contemplating
according to the specific requirements and investment in LATAM. Pre-investment due diligence
characteristics of the economic sector
they operate in, to identify potential
corruption risks within the company. “The effectiveness of any corporate
Companies should establish compliance anti-corruption programme relies on the
departments and ensure that they have
commitment of senior management to
professionals who are experts in their
fields to oversee the company’s operations
implement a culture of compliance from
and determine if any employees might be top to bottom.”
involved in a corrupt act. It is important
to extend the company’s compliance
mechanisms to prevent corruption and Fabyola En Rodrigues,
Demarest
tax issues from occurring. Making these
mechanisms more explicit helps to build a
prevention structure. Additionally, being aware of the is key and should include interface with local counsel
prevailing economic and social circumstances of the and other trusted sources.
country in which the company operates can help to
determine how the company can get involved in anti- R&C: Could you outline the key
corruption efforts. components of a robust sanctions and
anti-corruption compliance programme?
Cass: The Biden administration has been clear What are the main challenges for
that the region is a major focus and has not been shy companies looking to establish such a
about discussing its intentions and anti-corruption programme?
efforts. Practitioners and compliance professionals
should keep up with the latest risks and enforcement Cadavid: The main challenges for companies
trends. But more important is a robust compliance looking to establish a sanctions and anti-corruption
department and monitoring, which will increase compliance programme are designing a programme
the likelihood that risks are addressed early and which is adjusted to the company’s reality, its
that compliance issues do not have the chance to weaknesses and its needs, as well as the market in

which the company operates. And implementing that Rodrigues: According to the Comptroller
programme within the company’s wider structure General of the Union’s 2015 handbook, there are
can often be difficult. Communicating the anti- five pillars to an effective compliance programme.
corruption programmes and the compliance rules First, commitment and support from a company’s
and consequences to the entire organisation is also senior management. Second, assigning an internal
very important. Companies must create a culture of figure or department responsibility for developing,
anti-corruption which everyone in the company can implementing and monitoring the AML programme.
take on board. Third, comprehensive profile and risk analysis. Fourth,
structuring appropriate rules and instruments, such
Low: In addition to the US Department of Justice as codes of conduct. Finally, implementing strategies
(DOJ) and the Securities and Exchange Commission to continuously monitor the AML programme. The
(SEC), enforcement authorities in Argentina, Brazil, effectiveness of any corporate anti-corruption
Chile, Colombia, Costa Rica, Mexico and Peru programme relies on the commitment of senior
have issued their own anti-corruption compliance management to implement a culture of compliance
programme guidance, as have international from top to bottom, in conjunction with employee
organisations such as the World Bank, United engagement, the authority given to employees to
Nations (UN) and the OECD. Regarding sanctions act and sufficient resources. An important challenge
compliance, in 2018 OFAC issued ‘A Framework that should be considered is that of data protection,
for OFAC Compliance Commitments’, outlining the particularly in light of increasing legislation in this
five essential components that should be part of area. Ultimately, companies need to implement and
any sanctions compliance programme. Although maintain regular processes for using information,
there are unique aspects to sanctions and anti- as well as providing a safe digital environmental
corruption compliance guidance from these various unsusceptible, as far as possible, to cyber attacks.
bodies, there are notable areas of convergence.
For example, each stresses the importance of Cass: Risk assessments, employee training, third-
compliance programmes being implemented in party compliance and reporting are all essential
practice rather than existing only on paper and that components of any compliance programme, which
senior management must provide clear leadership on are required by many LATAM countries. While the
implementation. components are important, building a culture of
compliance and operating accordingly is vital.
Employees need to know who to contact, how to

contact them and what to watch for in terms of suspicious activities, and employees should feel
potential red flags that would trigger a compliance protected and unafraid of breaching secrecy. Also,
programme intervention. One of the main obstacles rewards can be granted for whistleblowers, albeit
to creating these programmes is employee training cautiously to avoid incentivising false reports. Internal
– taking the time out of busy schedules to provide investigations should follow a detailed procedural
effective training that sticks. Effective compliance code and be as transparent as possible without
requires buy-in from employees and will come at a exposing the parties involved. Sanctions must be
cost to companies in terms of lost ‘productive’ time applied regardless of seniority, and there should be a
and training material costs. Creating a culture of zero-tolerance policy for illegal activities.
compliance may be difficult in organisations where
such programmes have not previously existed, and R&C: What is the outlook for anti-
in regions where corruption and graft is endemic and corruption and enforcement activity in
normalised. Latin America over the months and years
ahead? How do companies operating in
Rassi: The end goal of any compliance programme the region need to respond?
should be to permanently shift the company’s
culture. Challenges include monitoring potential Low: LATAM was hit particularly hard by the
illicit activity and potential issues with third parties. pandemic, suffering close to 30 percent of global
The first step to developing robust sanctions and mortality rates. During the public health crisis, the
an anti-corruption compliance programme is to region experienced significant economic contraction,
assess the vulnerabilities, then to take and balance with the International Monetary Fund (IMF) estimating
preventive and repressive measures. In terms of in its regional economic outlook report for 2021
prevention, every new business opportunity or third- that GDP in the region will not reach pre-pandemic
party contract should have an anti-corruption clause levels in the medium term. In the coming months
and go through a due diligence process that must and years, companies likely will continue to face
be kept up to date. Training programmes should be a challenging business environment that can
tailor-made for each sector’s needs, especially to contribute to pressures to engage in misconduct.
cover specific legislation of countries they operate Companies operating in the region should assess
in. Trainees should also learn what tools to use in whether their compliance programmes’ ongoing
response to any suspicious activity. As for repressive monitoring activities adequately account for this
measures, there should be a hotline for reports of business reality. This would include monitoring in

traditional compliance risk areas, but also focusing efforts coming over the months and years ahead.
on any donation, sponsorship, gifts or hospitality The US has made it clear that LATAM, specifically
surrounding the FIFA World Cup in November, the the Northern Triangle of Guatemala, Honduras
elections scheduled to take place this year in Brazil, and El Salvador, is of particular concern through
Colombia and Costa Rica, and the constitutional the administration’s anti-corruption efforts. FCPA
referendum in Chile. enforcement is a key piece of that effort, along with
an increased focus on AML, with new AML measures
Rodrigues: Brazilian authorities are focusing on included in the National Defense Authorization
prosecuting executives over their failure to prevent Act passed last year. LATAM states have picked up
irregular practices – prosecutions based on whether on these investigations and have begun to slowly
an individual contravened their role and function as bring charges of their own against those named by
set out in their company’s bylaws. Besides effective US authorities. Companies operating in the region
compliance programmes, a solution is also available should ensure that they have robust and enforced
through the adoption of clear metrics for corporate compliance policies and remain extra vigilant of the
governance structures. As corporate governance corruption risks posed by operating in LATAM.
is based on the principles of transparency, equity,
accountability and corporate responsibility, there Rassi: The outlook for anti-corruption and
must be a set of implemented mechanisms to enforcement activity in LATAM is not promising,
regulate internal processes and guarantee company particularly considering the trends seen over the
reliability. To obtain better results, a company’s board last few years. Unfortunately, companies will have to
should be involved in the operational management make a greater effort to guarantee the integrity of
of anti-corruption processes. It is also recommended their activity, since governments in the region usually
to hire external counsel and specialised auditing lack the structure or willpower to effectively counter
firms to execute internal investigations whenever corruption. Even if there are signs of efforts, LATAM
needed, as well as to monitor the implementation of countries still fail to actively enforce anti-corruption
respective policies. laws, and a change in perspective is not likely to
happen, unless there are deep changes in the
Cass: The outlook for anti-corruption and countries’ structure, culture, economy and politics.
enforcement activity in LATAM is mixed. Corruption
will remain a significant issue, however things Cadavid: Given the expansion of criminal liability
may begin to change with robust enforcement throughout the LATAM region, anti-corruption efforts

are even more important as they allow companies

to prevent and control those legal risks. On the other
hand, creating better enforcement against corruption
to prevent and punish malicious acts should be
a public matter. Just as private companies have
compliance rules and protocols against corruption,
the public sector should also be subject to similar
scrutiny. This is particularly important given the size
of many of the businesses and projects that public
sector firms are involved in, the amount of money
they manage and the effects that public corruption
can produce. RC
&

PERSPECTIVES
PERSPECTIVES
MAXIM I SI N G T H E I M PAC T
OF TH E UK ’ S N ET- Z ER O
ST RAT E GY – MA K I NG
EVERY P O UN D C O U N T A ND
COU N TI N G E V ERY P O U ND
BY ANDREW DURANT AND PIERS RAKE
> FTI CONSULTING
T
he whole economy transition needed to keep amount to £3.5bn per annum, and up to £50bn by
the planet below a 1.5 degree increase in 2050.
temperature is a massive undertaking. While It is in everyone’s interest to ensure fraud on
exact figures vary, the UK government’s Committee taxpayer money is kept as low as possible and that
on Climate Change estimates that £50-60bn per the money allocated to executing on the UK’s Net
annum of public and private sector investment is Zero Strategy is deployed efficiently and effectively.
required in the coming years if the UK is to meet its
net-zero targets. This level of investment and change Inaction – at what price?
is unprecedented and the operational, execution and According to the National Audit Office, ‘The
fraud risks cannot be overestimated. Bounce Back Loan Scheme: an update’, £47bn of
In our recent ‘Emerging danger – a new net zero ‘bounce back’ loans were issued by banks in 2021.
industry?’ report, we estimate that green fraud The National Audit Office has estimated that the
across public and private sector spending could taxpayer faces losses of £4.9bn because of fraud in

MAXIMISING THE IMPACT OF THE UK’S NET-ZERO STRATEGY... PERSPECTIVES
this area. In other Fraud is estimated to account for 40 percent of all

words, 11 percent crime committed across the UK. Fraud and error in
of loans under this public spending are estimated to cost the taxpayer
one scheme were up to £51.8bn every year, around £25bn of which is
fraudulent. outside the tax and benefits system, according to
According to HM the ‘House of Commons, The Committee of Public
Revenue & Customs’ Accounts – Fraud and Error, Ninth Report of Session
‘Annual Report 2021-22’.
and Accounts from
2020 to 2021’, £60bn The time to address public sector fraud is
was paid out under now
the Coronavirus Job The Bank of England has recently announced that
Retention Scheme, or it expects British households to see their post-tax
‘Furlough Scheme’. disposable income fall by 2 percent in 2022, thus
HMRC has estimated that causing the biggest fall in standards of living since
£5.2bn under this scheme comparable records began three decades ago. Any
was lost to fraud and error. reduction in fraud on taxpayer money must be seen
In other words, 8.7 percent as a priority and may also give the government
of funds distributed under more options. For example, HMRC calculates that a
the Furlough Scheme were 1 percent increase in the basic rate of income tax
lost to fraud and error. Total would raise £5.5bn in 2022/23. If avoidable fraud
taxpayer losses across these levels are reduced, it could provide government with
schemes alone is £10.1bn. the opportunity to reduce the basic rate of income
In 2017, it was estimated that the total cost of tax by 1 percent or more, and thereby help UK
fraud to the UK was around £190bn per annum, households meet the increasing costs of living.
according to the ‘Annual Fraud Indicator 2017 –
Identifying the cost of fraud to the UK economy’. Barn doors – stopping the fraudsters
More recent research by the University of before they strike
Portsmouth estimates that the total cost of fraud As a starting point, stopping taxpayers’ money
losses to the UK (applying a global average loss rate from being stolen by fraudsters is far cheaper and
to GDP) is around £137bn per annum. more efficient than trying to recover cash that has

already been misappropriated. Current estimates are providing a summary of the proceeds of fraud that
that around £10bn of taxpayers’ money has been it has been able to recover. In its annual report for
lost to fraud and error in relation to the Bounce Back the year 2019/20, it states that £5.5m in assets were
Loan and Furlough Schemes, alone. Details relating confiscated, with £1.1m in compensation returned
to the losses associated with coronavirus (COVID- to victims of fraud. In the most recent report for the
19)-related PPE contracts are only just coming to year 2020/21, total funds confiscated was £3.4m,
light. We do know that significant
amounts of the money lost to COVID-
19-related fraud was siphoned
overseas by criminals and organised “It is in everyone’s interest to ensure
crime gangs. With the passage of time,
fraud on taxpayer money is kept as low as
and the complications and costs of
pursuing perpetrators into and through
possible and that the money allocated to
other jurisdictions, it is very unlikely executing on the UK’s Net Zero Strategy is
that these funds will ever be recovered. deployed efficiently and effectively.”
As reported in The Telegraph in March
2020, the National Crime Agency (NCA)
estimates that less than 20 percent
of fraud is reported, and of the fraud reported, only with £2.3m being returned in compensation to
a fraction of the cases result in prosecution by victims of fraud. Of course, this is not the whole
the police. So, it is very difficult to determine how picture and does not include the impact of disruption
much money stolen by fraudsters is successfully work or where fraud is litigated privately, but it does
recovered. The Office for National Statistics (ONS) give an indication of the challenge of recovering the
estimates that there were approximately 5.1 million proceeds of fraud.
fraud offences in the year ending September 2021,
and prior research has estimated total losses What steps should be taken now and how
resulting from fraud across both public and private much could be saved with better counter-
sectors in the UK at anywhere between £137bn and fraud controls?
£190bn per annum. Fundamentally, there are a range of things
The City of London Police, the UK’s national lead government should and could do, including (but not
police force for fraud, produces annual reports limited to) conducting fraud and operational risk

assessments of all planned green investments and deploying predictive analytics and counter-fraud
schemes, implementing robust fraud risk controls risk analysis tools to detect possible fraud, waste
(including a well-publicised whistleblower hotline), and mismanagement, resulting in referrals to
undertaking counterparty due diligence, centralising other agencies for further investigation. Under the
data collection, analysis and oversight, and Recovery Board’s management and coordination,
implementing artificial intelligence (AI)-based threat $787bn was disbursed, and while prior levels of
monitoring. fraud, waste and abuse meant that some expected
But further steps are needed. We have seen around $55bn of this would be lost to fraud (equating
public-private partnerships (PPPs) established to to 7 percent of total funds), the measures taken by
combat terrorist financing and money laundering the Board meant that fraud losses were kept below
through the UK’s financial institutions. Is it time 1 percent.
for a new counter-fraud compact, between the The ARRA and its independent Recovery Board
public sector and a wider range of businesses and demonstrated that if governments design and put
stakeholders in the private sector, where resources, in place effective fraud and operational risk control
capabilities and expertise from across these strategies at the outset, they can dramatically
organisations and businesses are pooled? reduce fraud and error levels. Key to the ARRA’s
There are also models and learning that can success was to make the stimulus spend data
be leveraged from other countries. In the fallout available to the public on a website, allowing people
from the 2008 economic crisis, the US government to interrogate local spend and report any concerns
established an economic stimulus programme back to the Recovery Board. The actual fraud
under the American Recovery and Reinvestment and error losses under the ARRA were marginal
Act 2009 (ARRA). Critically, the ARRA also created compared to what was expected, with auditors
a Recovery Accountability and Transparency Board questioning only $5.1bn of funds disbursed (or 0.6
(the Recovery Board), whose remit was to provide percent of total funds). By applying effective fraud
transparency in relation to the use of recovery- and operational risk controls, the US government
related funds, and to leverage expertise from a wide reduced its fraud and loss levels by 6.4 percent (as
range of public and private sector organisations against expected).
and cutting-edge technology. The Recovery Board Had the UK government implemented a similar
set up a data analytics centre, which maintained a approach to mitigating fraud and error prior to
real-time database on recovery-related contracts distributing COVID-19 stimulus funds, it is possible
and grants. Other external data sets were used, that the taxpayers’ losses may have been reduced

from the £10bn (or 9.4 percent of total spent Strategy need to be deployed with maximum
on bounce back loan and furlough schemes) to impact, which means minimising fraud, waste
something closer to £1bn (or 1 percent of total and mismanagement. There are options and, as
spent), a saving of around £9bn. Perhaps more the US Recovery Board showed, it is possible to
telling, the Office for Budget Responsibility (OBR) leverage data, technology and centralised oversight
estimates that in 2021-22, public spending will and transparency to good effect. This may be an
amount to £1.045bn, and, applying the same logic, it opportunity for the UK to set the gold standard for
is possible that annual public sector fraud and error the deployment of green capital in the race to meet
losses could drop from around £50bn to £10bn, an our net-zero targets. Could this be a catalyst to reset
annual saving of around £40bn. the way in which the country combats what some
Unlike in the US, where there is legislation that have described as the UK’s fraud epidemic? RC
&
has required public sector agencies to publish

statistically valid estimates of the extent of fraud and Andrew Durant
Senior Managing Director
error for over a decade, there is no such requirement
FTI Consulting
in the UK. Unless you can measure fraud and
T: +44 (0)20 3727 1144
error levels, it is very hard – if not impossible – E: andrew.durant@fticonsulting.com
to effectively manage the associated fraud and
operational risks or to have any material impact on
minimising the resulting losses to the taxpayer. Piers Rake
Managing Director
FTI Consulting
A catalyst for change T: +44 (0)20 3727 1876
The funds allocated to key green investment E: piers.rake@fticonsulting.com
pathways under the UK governments’ Net Zero

PERSPECTIVES
PERSPECTIVES
ANTI- CO RRUP T I O N
ENFORCE M E N T T R EN D S
I N M& A: A RE T H E
PAST F OUR YE A R S A
PROLO G UE TO D E C R EA S E D
ENFORCE M E N T ?
BY JOAN MEYER AND MATTHEW RIDINGS
> THOMPSON HINE
M
easuring by the number of corporate Does the decrease in actions against corporations
enforcement actions initiated, 2021 represent a shift in enforcement priorities for the
continued the ebb tide of Foreign Corrupt government, or is it merely a temporary dip, brought
Practices Act (FCPA) enforcement in the US. For each on by the difficulties caused by the coronavirus
of the past four years, the number of FCPA corporate (COVID-19) pandemic? Although it may be too soon
enforcement actions by the Department of Justice to make any predictions, this article will look at the
(DOJ) and Securities and Exchange Commission (SEC) data, the policy pronouncements from the current
has decreased, from 16 in 2018 to just four in 2021. administration, and offer some practical tips to

ANTI-CORRUPTION ENFORCEMENT TRENDS IN M&A: ARE THE... PERSPECTIVES
help ensure that companies are well-positioned to On 3 June 2021, president Biden issued a national
weather whatever may come. security memorandum entitled ‘Memorandum on
Establishing the Fight Against Corruption as a Core
A multi-year low point in FCPA United States National Security Interest’. In the
enforcement but increased action memorandum, the president set out a multifaceted
promised strategy to combat corruption: (i) modernising
2021 was a record year for mergers around the US departments and agencies; (ii) combatting
globe. According to data from PwC, there were more illicit financial activities; (iii) holding corrupt actors
than 62,000 deals announced during 2021 – an accountable; (iv) supporting international anti-
increase of 24 percent over 2020, and a record $5.1 corruption efforts; and (v) promoting partnerships
trillion in announced value. Despite the number and with the private sector to advocate for anti-
size of these deals, and the prominent role that the corruption measures and best practices for anti-
DOJ and SEC expect anti-corruption compliance to corruption.
play in M&A activity, FCPA enforcement was light. In October 2021, the DOJ also announced the
During the last calendar year, the SEC and DOJ formation of an anti-corruption task force to fight
together resolved four corporate cases, totalling corruption in Central America. Under the taskforce,
$259m in penalties and disgorgement, the lowest several sections of the DOJ’s Criminal Division have
annual total since 2008. Likewise, individual partnered together: the FCPA Unit within the Fraud
enforcement actions were also at a multi-year low Section, the Kleptocracy Asset Recovery Initiative
during 2021; the DOJ brought six indictments and in the International Unit of the Money Laundering
announced three guilty pleas, while the SEC had and Asset Recovery Section, and the Narcotic and
zero individual enforcement actions. Dangerous Drug Section. Each of these sections are
Although the enforcement low point of the last supported by the FBI’s International Corruption Unit,
four years occurred under president Biden, his the Drug Enforcement Agency and the Department
administration and the enforcement agencies under of Homeland Security. Latin America has been
his watch have repeatedly emphasised over the past a significant focus for the DOJ’s anti-corruption
year that corruption-related offences will continue to efforts and this taskforce promises an even more
be an area of focus. Since president Biden assumed coordinated effort in this key region.
office in January of 2021, he has consistently made Also in October 2021, Lisa Monaco, deputy
white-collar criminal enforcement a centerpiece of attorney general, released a memorandum entitled
his law enforcement agenda. ‘Corporate Crime Advisory Group and Initial

Revisions to Corporate Criminal Enforcement

Policies’. The memorandum announced the creation
of the Corporate Crime Advisory Group and modified
the DOJ’s approach to corporate wrongdoing,
instructing prosecutors to consider a corporate
defendant’s full criminal history, requiring corporate
defendants to make full factual, non-privileged
disclosures, including all information about culpable
individuals, in order to receive cooperation credit,
and updating prior guidance about the use of
monitorships in corporate cases. Similarly, the SEC
director of enforcement announced more aggressive
enforcement, particularly for recidivist companies
and individuals.
While we have not seen an uptick in FCPA
resolutions, these new enforcement priorities for
anti-corruption are being felt in other parts of the
Biden administration. Over the course of December
2021, the Office of Foreign Asset Control (OFAC)
levied sanctions against more than 75 individuals
and entities pursuant to the Global
Magnitsky Human Rights Accountability
Act. The scope of the Act is quite broad
and permits sanctions for any person who
is responsible for, or complicit in, human
rights abuses or corrupt acts anywhere in the world.
Many of the sanctions were targeted against
companies and individuals who were responsible for
large-scale bribery schemes, particularly in Kosovo
and Serbia, demonstrating the administration’s
emphasis on corruption-related offences when

paired with human rights abuses. At the same time owners and principals and descriptions of products
that many of these sanctions were announced, on and sales volumes, supply and distribution chains,
9 December 20219, International Anti-Corruption and nature and types of interactions with foreign
Day, the secretary of the treasury spoke at the government officials or state-owned or controlled
Summit for Democracy, explaining the steps that entities. In addition to seeking the target’s responses
the US was taking to combat what she
described as the world’s “common
adversary: corruption”. That same day,
but separately, the State Department
established a coordinator on global “If anti-corruption representations and
anti-corruption, who is tasked with warranties are not included in the contract
implementing the government’s provisions that have become commonplace
strategy on anti-corruption.
in recent years, questions should be raised
M&A practical tips
as to why they were not included.”
It remains to be seen whether
these government pronouncements
will translate into more FCPA
enforcement actions. But given the administration’s in a questionnaire, a focused investigation should
strong and repeated emphasis on anti-corruption, be done to explore the backgrounds of owners
there is no doubt that it is renewing its aggressive and principals, including running them through
posture post-COVID-19. Accordingly, in light of the various prohibited person and entity sanctions
government’s concentration on M&A activity as a lists and through public databases to determine
source for its anti-corruption prosecutions, it is even if they have any criminal, regulatory or litigation
more important today that companies integrate history that should be further explored. In emerging
compliance personnel early when evaluating any markets, electronic databases may be unavailable
proposed deal. or incomplete, so accessing public data in hard copy
In the pre-acquisition phase, compliance should may necessitate travelling to various government
review the contents of a data room for corruption offices to get a complete picture of the target and its
risk red flags. Detailed questionnaires should be sent executive personnel.
to the target company seeking the identification of

If possible, onsite interviews should also be how the contract was negotiated and whether it
conducted at the target to get to know the structure serves a legitimate purpose.
of the business and interact with those responsible If anti-corruption representations and warranties
for managing operations in high-risk countries or are not included in the contract provisions that have
regions. Recent guidance from the Criminal Division become commonplace in recent years, questions
emphasises the importance of ‘tone in the middle’. should be raised as to why they were not included.
Although paperwork may seem in order, oftentimes Moreover, evergreen contracts or contracts with
a visit to the regional office may prompt additional no expiration date should be viewed with caution
inquiry if personnel are evasive or uncooperative in and, if they are used frequently by the target, it may
explaining their business practices. As part of onsite be a red flag that the target’s due diligence is not
interviews, anti-corruption deal counsel will want to regularly updated, and special scrutiny should be
assess whether the target’s middle managers have employed. If possible, an M&A anti-corruption audit
been empowered to run a compliant organisation. of the target’s transactions with business partners
Do the middle managers have a dialogue with the should be conducted to identify amounts, types and
target’s executives on ethical issues? Are middle location of payments and, if payments are made to
managers evaluated on anti-corruption compliance? third parties and not directly to the business partner,
These and other questions should be considered the rationale for this diversion should be investigated
and answered as part of the diligence process. and results documented. Related documentation
One of the critical aspects to an anti-corruption from the business partner should be sampled to
M&A due diligence review is to obtain a thorough ensure that invoices correlate to an existing contract
understanding of the target’s agents, distributors, and that products or services itemised on the
consultants and business partners. The target’s invoice are substantiated and legitimate.
contract files should be reviewed to assess the After the deal closes, a previously prepared
length and nature of the relationship and the post-integration plan should be implemented
business justification for establishing it. Compliance as soon as possible. While the 2008 Halliburton
personnel should look at contract provisions and advisory opinion provides useful M&A guidance
payment terms to determine whether they conform and timelines up to 180 days after the sale closes
to industry standard or seem aberrational. If contract for integration, the DOJ and SEC more recently
terms look unusually beneficial to the third party, have given companies wider latitude in integrating
additional questions need to be answered about their compliance programmes into the acquisition,
generally about a year. Realistically with a larger

acquisition, making this timeline can be a struggle. Joan Meyer

Anything that was not accomplished pre-integration Partner
Thompson Hine
should make it into the post-integration plan, along
T: +1 (202) 263 4115
with training new employees within the first few
E: joan.meyer@thompsonhine.com
months to the acquirer’s policies and approval
procedures. When the integration plan is completed,
the acquirer should obtain the target’s sign off Matthew Ridings
to all remediation and institute, at a minimum, a Partner

Thompson Hine
quarterly anti-corruption audit protocol to ensure
T: +1 (216) 566 5561
recommendations are fully implemented.
E: matt.ridings@thompsonhine.com
A thoughtful and carefully considered anti-
corruption plan integrated into the M&A process will
not create a talisman that wards off an investigation
from the DOJ or the SEC, but it will create a process
that is more likely to discover anti-corruption
violations before closing and create a defensible
record in the event that corrupt conduct is later
discovered in the acquired entity. Given the sabre-
rattling from this administration, a corruption-
focused integration strategy will be as important as
ever. RC
&

MINI-ROUNDTABLE
M I NI - RO U N DTA B LE
OPERATIONAL RESILIENCE
AND COMPLIANCE IN THE
FINANCIAL SERVICES
SECTOR

OPERATIONAL RESILIENCE AND COMPLIANCE IN THE FINANCIAL... MINI-ROUNDTABLE
PANEL EXPERTS
Brian Hart Brian Hart leads KPMG’s financial services regulatory and compliance risk
Principal network in the US. In that capacity, he supports clients across the financial
services and regulatory sectors to devise and implement large-scale programmes
KPMG that combine driving commercial benefits, including lower cost, greater scalability
T: +1 (917) 287 4512 and effectiveness of compliance and risk management programmes, while
E: bhart@kpmg.com improving alignment with regulatory expectations and improved risk-taking.
John Kemler John Kemler is a managing director in KPMG’s financial services regulatory and
Managing Director compliance risk practice with more than 20 years of experience. He has worked
with large organisations including top-tier banks and big tech firms, to design
KPMG and implement risk management frameworks and strategies, enabling firms to
T: +1 (347) 754 2133 effectively manage risk and build stakeholder trust. Mr Kemler’s background in
E: jkemler@kpmg.com trading, operations, risk management and technology gives him the experience
and knowledge to bring innovation to programmes to gain further insights with a
reduction of effort.
Greg Matthews Greg Matthews is a partner in KPMG’s financial services regulatory and
Partner compliance risk practice and leads third party risk management for KPMG. He
has significant experience transforming risk management operations based
KPMG on regulatory and business drivers. He has worked with clients as they seek
T: +1 (201) 621 1156 to manage disruption in their industry, meet regulatory expectations and use
E: gmatthews1@kpmg.com technology to drive both effective and efficient risk management practices.
Charles Jacco Charlie Jacco is a principal in the New York office of KPMG LLP’s advisory
Principal services practice and is the US information protection and cyber security
financial services industry lead. Mr Jacco has focused extensively on multiple
KPMG disciplines of the information security field, including security strategy &
T: +1 (201) 396 1980 governance, security transformation, digital identity and cyber defence over the
E: cjacco@kpmg.com last 15-plus years. His career experience includes designing and implementing a
wide variety of technology-based security solutions.
Pierre Champigneulle Pierre Champigneulle is a principal in KPMG’s advisory services practice

Principal with 25 years of experience in IT consulting and solutions development across
multiple industries and regions. He has managed a wide range of consulting
KPMG assignments including IT strategic planning, transformation management, design
T: + 1 (917) 887 6882 and implementation of IT infrastructure and management solutions. He has a
E: pgchampigneulle@kpmg.com strong background in IT process, automation and data centres across the IT
services lifecycle.

R&C: Could you provide an overview of R&C: How did the coronavirus
the operational resilience risks facing the (COVID-19) pandemic affect the FS
financial services (FS) sector, and why it industry? What additional governance
is so important for FS firms to effectively, and oversight challenges has the crisis
proactively manage these risks? created for FS firms?
Jacco: Operational resilience must

be a priority as firms face today’s threat
landscape and try to manage business “The pandemic has created a ‘new-
growth and innovation priorities. One normal’ working environment that is
important aspect of operational resilience here to stay for the foreseeable future.
that is top-of-mind for regulators is
Along with that comes challenges, but
cyber resilience, especially as cyber
criminals continue to get smarter and
also some benefits.”
target financial services firms. Specifically,
rising ransomware attacks are pushing
Pierre Champigneulle,
firm focus on cyber recovery techniques.
KPMG
In addition to cyber risk, there is
heightened risk due to evolving political
unrest globally, market dislocations and economic Champigneulle: The pandemic has created a
uncertainty. As firms continue to expand product ‘new-normal’ working environment that is here
offerings and digital capabilities, they must grow to stay for the foreseeable future. Along with
and adapt responsibly. Furthermore, with evolving that comes challenges, but also some benefits. A
business models, firms are leveraging third parties primary challenge is in execution of supervisory
to deliver critical business services and must practices remotely. Remote controls can no longer
ensure they can maintain resiliency. Any significant be a ‘makeshift’ temporary solution; rather, these
operational disruption could have a lasting impact controls must be built for the new supervision
on firm reputation and market stability. Regulators operating model. If not implemented correctly, there
will continue to push the agenda on operational will be challenges with data sharing, information
resilience and firms must keep pace with evolving protection and conflicts of interest. Another
expectations. significant challenge is onboarding and integrating

new employees in the remote environment, it clear that ‘once in a lifetime’ events are happening
especially imposing effective training, teaming more frequently. And their interconnectedness has
and engagement. Lastly, impromptu
collaboration, such as ‘water cooler’ talk,
is not as simple remotely and can limit
collaborative idea and information sharing. “With evolving business models, firms
Although, there are challenges, we should
are leveraging third parties to deliver
recognise some of the personal benefits
and work-life flexibility. Employees are
critical business services and must
able to spend more quality time with their ensure they can maintain resiliency.”
families, dedicate otherwise commuting
time to personal hobbies, and work from
‘anywhere’.
Charles Jacco,
KPMG
R&C: To what extent are
regulators increasing their focus
on how FS firms approach operational become clearer. Regulators are keen to highlight
resilience? Broadly speaking, what are the risks and encourage resilience across the
their expectations for FS firms? financial services sector. There has been growing
pressure on firms to establish clear prioritisation and
Hart: Operational resilience has become a identification of all assets and end-to-end mapping
relatively new area of focus among global and to services. However, this has proven difficult for
domestic regulators, drawing a focus on firms’ most of the industry.
ability to prevent, respond, recover and learn from
operational disruptions – to reduce impact to firm R&C: Have there been any regulatory
viability, instability in the financial system, harm to rules or guidance on operational
consumers and market participants, or business resilience proposed or introduced
objectives. This goes beyond traditional business recently? What are the key areas under
continuity planning by looking at an organisation consideration?
across its critical services end-to-end. Recent events
– the pandemic foremost among them – have made

Champigneulle: Global regulators have and collection and warehousing of large data sets. Firms
will continue to emphasise the importance of have been very successful in using data sets for new
strengthening operational resilience. Going forward, business opportunities. However, not until recently
firms should be on the lookout for more formal US have second line risk functions started to use data
regulatory guidance. The most recent US guidance to perform simulations. These simulations can help
sets a new high watermark expectation that all firms better understand the impact of operational
operational resilience practices should already be risk events and help firms set their tolerances for
in place and may be subject to regulatory review event levels and risk appetites. Informed by data
at any time. With that, firms should be establishing simulations, firms should be setting board-approved
an operational resilience strategy with clear risk appetite and identifying the threat landscape by
communication to the board and clear ownership defining importance criteria, along with solid metrics
and accountability to drive investment decisions. and tolerable levels of impact. Additionally, there
Operational resilience should be prioritised
for the most critical business services and
align to recovery and resolution plans.
Routinely, firms should be performing “Understanding a third party’s
testing of resilience controls, analysing capacity and ability to adapt in adverse
resilience of critical operations and third situations is key to determining the
parties, and integrating operational risks
resilience of the third-party service.”
into scenario testing. Maintaining secure
and resilient information systems is critical
to cyber security preparedness. Firms
should be regularly evaluating systems for Greg Matthews,
updates and weaknesses. KPMG
R&C: What strategies can FS firms should be clearly set boundaries for measurement
deploy to help them identify operational and early warning notifications. Lastly, firms should
risks and test their impact tolerance? focus on prioritisations and dependencies holistically
to identify and document the methodology used
Kemler: Financial services firms over the past 10 to prioritise assets. End-to-end service mapping
years have invested large amounts of money in the

requirements allow for narrowing focus and R&C: What essential advice would
enhancing resilience capabilities. you offer to FS firms on improving their
operational processes, making them
R&C: How important is scenario testing more resilient and ensuring compliance
to manage risks related to third parties? with applicable rules and regulations? To
what extent do they need to make this a
Matthews: Understanding a third party’s capacity strategic priority?
and ability to adapt in adverse situations is key to
determining the resilience of the third-
party service. A challenge firms face is
data availability related to a third party’s
business continuity testing approach
“Firms should focus on prioritisations
and results. Aside from confirmation of
and dependencies holistically to
testing performed, other related data is
generally not provided. Given limited data identify and document the methodology
availability, firms have to run scenario- used to prioritise assets.”
based simulations to forecast third party
service delivery related disruptions. As
firms develop scenarios, third parties
John Kemler,
should not only be considered in the KPMG
context of their firm’s delivery needs, but
also in the context of the third parties’
delivery needs to the industries they serve. This Hart: The specific actions, processes and
consideration is ideal for simulation modelling to data required to drive operational resilience are
best understand potential firm impact and necessary different for each organisation, industry sector
mitigation actions for the firm to survive an extended and market. However, with impending operational
service disruption. Consideration of critical third- resilience regulation, all firms can proactively take
party dependencies will continue to be a focus for action on setting the bar with their regulator on
US regulators and the industry collectively. expectations and should actively collaborate with
peer institutions to collectively make the sector
stronger and ease the regulatory burden on all

financial services firms. Tactically, as

financial services firms look to develop “Recent events – the pandemic foremost
a strategy for operational resilience, in
among them – have made it clear
the short term the focus should be on
prioritising business services, mapping
that ‘once in a lifetime’ events are
assets to those services, methodologically happening more frequently. And their
defining resilience criticality for services, interconnectedness has become clearer.”
as well as measuring the financial risk
exposure. In the long term, firms will
need to define a services framework that Brian Hart,
articulates how services are governed for KPMG
resilience, set resilience measures and

thresholds, increase efficiency in testing, introduce
risk modelling and data analytics techniques,
and increase board visibility into firmwide control
vulnerabilities. RC
&

MINI-ROUNDTABLE
THE LOAN LIFECYCLE IN

THE NEW NORMAL

THE LOAN LIFECYCLE IN THE NEW NORMAL MINI-ROUNDTABLE
PANEL EXPERTS
Tony Cartia Terisa Roberts

Principal Solutions Advisor Risk Modelling Global Solution Lead
SAS Institute Inc. SAS
T: +39 02 8313 4456 T: +61 (2) 9428 0432
E: tony.cartia@sas.com E: terisa.roberts@sas.com
As principal solutions advisor, Tony Cartia drives innovation of Terisa Roberts is a director and global solution lead for risk
SAS’s portfolio of solutions for risk modelling, including machine modelling and decisioning at SAS. She has extensive experience in
learning (ML) and artificial intelligence (AI), risk decisioning and quantitative risk management, advanced analytics and regulatory
model risk initiatives across the globe. He works closely with compliance. She advises banks and regulators around the world
research and development (R&D), product management, industry on best practices topics in risk modelling, decisioning and the
consultants, pre-sales systems engineers and customers to define responsible use of artificial intelligence (AI) and machine learning
solution direction based on market and customer demands. He (ML), and regularly speaks at international conferences. She holds
holds a degree in statistics and was a data scientist at PwC for the a PhD in Operations Research and Informatics.
banking sector before joining SAS.
Naeem Siddiqi David Asermely

Senior Advisor, Risk and Quantitative MRM Global Solution Lead
Solutions SAS
SAS Institute Inc. T: +1 (919) 531 2710
T: +1 (416) 307 4610 E: david.asermely@sas.com
E: naeem.siddiqi@sas.com
Naeem Siddiqi meets with senior executives and decision David Asermely is the global model risk management (MRM)
makers worldwide and provides strategic advice to them on areas lead at SAS, driving strategic conversations with global institutions
such as the development and validation of credit scoring models, and influencing the SAS MRM solution roadmap. He is passionate
infrastructure planning for analytics, and retail credit risk strategy. about translating data into actionable intelligence, and he focuses
He is also responsible for SAS climate risk solutions. He has trained on combining the best technologies and design principles to
hundreds of bankers in over 25 countries on the art and science improve modelling efficiency and quality. Prior to joining SAS, he
of credit scorecard development and helps credit risk analysts managed the Bank of New York Mellon’s global performance and
develop better scorecards. risk analytics product set.

R&C: In the ‘new normal’ emerging in with appropriate methodological approaches and
the wake of the coronavirus (COVID-19) best-in-class technologies.
pandemic, could you outline the impact
on the loan lifecycle, and what it means R&C: What role do open banking and the
for lenders? use of alternative data have to play in this
context?
Cartia: Undoubtedly, the pandemic has
precipitated several sudden changes in
everyone’s life, accelerating the use of “Lenders are increasingly relying on
digital channels and changing lifestyle
models to drive lending decisions.
habits in how we shop, work and live. As
all companies that offer services across These models have a direct effect
the globe noted, there is a strong need on an organisation’s loan business
to meet customers where they are today. profitability.”
This post-pandemic ‘new normal’ world
offers lenders an opportunity to evolve
their loan lifecycle process, on the one David Asermely,
hand to meet new customers’ needs, SAS
rethinking their origination strategies with

hyper-personalised customer experience, fast- Siddiqi: The pandemic did two key things
lending and process automation for onboarding and regarding the role of open banking and the use of
evaluation requests, and on the other, reviewing, alternative data. First, it accelerated the adoption
in compliance with regulatory guidelines, their of digital everything, which is not just a channel
customer management processes to reduce risk, preference but also an indication of the desire for
improving bad collection and recovery processes. flexibility. Second, it highlighted the unfortunate
In addition, we see emerging factors, such as and very social divide in our societies. The mostly
climate risk concerns, ‘K’ shaped recovery and white-collar workers who had the luxury of working
the emergence of digital-ready FinTechs with new from home did well, while those on the front lines
services and products, such as ‘Buy Now Pay Later’ in lower-income jobs took most of the risk and
(BNPL), all as elements that need to be addressed had unstable incomes. Many changed careers and
opted to open small businesses. Open banking and

alternative data go together as they open access to access to capital reduced. On the flip side, they are
credit to the unbanked and underbanked. They give also increasing lending to ‘clean’ or ‘green’ industries
easy access to data such as deposit and savings with future growth and better green asset ratios in
accounts transactions, rental, utility bills, streaming mind. There is some historical data for physical risks,
services and other payments. Being able to prove so that is being analysed and extrapolated for higher
stable cash flow via bank accounts and being able frequency and severity. For transition risk, it is mostly
to show consistent payments for obligations will scenario analyses as data for those scenarios does
help the underbanked show creditworthiness and be not exist.
able to access credit. This will allow small
businesses to expand, and individuals to
build credit histories.
“The adoption of AI and ML
R&C: With climate change a throughout the loan lifecycle continues
looming risk that needs to be
to grow and is only accelerated by
addressed, how is it possible to
incorporate this aspect into the digitalisation.”
lending process?
Siddiqi: Climate risk is not just Terisa Roberts,

something that is going to happen in 20 SAS
to 50 years. It is happening now, with
both physical and transition risks impacting lenders.
The expectation is that those who live, work or R&C: In what ways can technology,
own businesses in areas impacted by more fires, including the latest artificial intelligence
hurricanes, floods and droughts will present higher (AI) and machine learning (ML) model
risks. Some UK banks have already started charging techniques, support loan lifecycle
higher rates from customers like these. In addition, transformation for lenders?
most lenders are now incorporating climate risk
factors qualitatively for corporate lending, knowing Roberts: The adoption of AI and ML throughout
that some businesses with high exposure to carbon- the loan lifecycle continues to grow and is only
intensive industries will see both demand and accelerated by digitalisation. It has demonstrated

significant benefits in terms of risk-based that defaulted at rates higher than predicted,
decision making at scale. Presently, AI-based risk resulting in financial loss. In addition, organisations
assessments are embedded throughout digital must be mindful of fair lending regulations to ensure
customer journeys, enabling personalised
services and on-demand, automated
decision making. Although often referred
to as black box applications, their uses “Climate risk is not just something that
are much broader than that and not all is going to happen in 20 to 50 years. It is
are black box – technologies that make happening now, with both physical and
computers behave like humans such as
transition risks impacting lenders.”
natural language understanding, computer
vision and so on. AI and ML have
transformational benefits throughout the
life of a loan, but the models require the Naeem Siddiqi,
right controls. They also require special SAS Institute Inc.
attention to explain them and to check

for fair, equitable outcomes when they are used for race, age, religion, family status or disabilities are not
customer-focused risk decisions. considered by the lender when deciding on a loan.
It is easy to ensure these factors are not used in
R&C: What risks face lenders that fail to statistical models, but the problem becomes much
exercise proper governance of traditional more difficult in black box machine learning models.
statistical and advanced AI/ML models? It is an organisation’s responsibility to ensure its
models follow all loan compliance regulations.
Asermely: Lenders are increasingly relying on
models to drive lending decisions. These models R&C: Could you explain the fundamental
have a direct effect on an organisation’s loan importance of customer management,
business profitability. Imagine a model over-pricing debt collection and recovery?
safer potential obligors, resulting in non-competitive
pricing. The bank would lose this business, resulting Roberts: The origination of a loan is only the
in decreased revenue. Alternatively, a model could beginning of the customer journey. Customers
underprice riskier loans, resulting in winning loans are now expecting seamless, on-demand banking

services and easy access to digital products and months and years. The intelligent component
services throughout the customer lifecycle. On the represented by AI and ML will play a key role in
other hand, in a post-COVID-19 world, financial reducing and managing current and emerging risks
services are grappling with customer behaviour that related to customers’ acquisition and management,
is fundamentally different, such as remote working, continuous monitoring, and efficiency of debt
travel and supply chain disruptions. These changes collection and recovery process. To this must
happened against a backdrop of a low interest rate be added regulator’s requests and guidelines to
economy, in which rates are likely to rise to curb remain complaint with a loan lifecycle process in a
inflation, increasing debt services costs. It requires state of continuous evolution. How banks adapt to
a fundamental change in the ongoing management these transformations will determine winners and
of loans, requiring more vigilance in the form of losers. That is why we suggest starting a review
dynamic monitoring and integrated risk assessments process of the loan lifecycle using the expertise of
to help detect early warning signals of
financial difficulty and help to optimise
collections and recoveries. For financial
services to respond to uncertain and “The lenders’ landscape has changed
changing market conditions with agility,
significantly. The drivers of this
risk analytics will need to transition from
transformation are many and concern
back-office to front-office processes.
the entire loan lifecycle process.”
R&C: What final advice would
you offer to lenders seeking to
improve the way they manage Tony Cartia,
the loan lifecycle over the months SAS Institute Inc.
and years ahead?
Cartia: The lenders’ landscape has changed professionals who can combine industry experience,
significantly. The drivers of this transformation are methodological and technological knowledge in line
many and concern the entire loan lifecycle process. with new requirements and market trends. RC
&
Automation and digitalisation will drive how lenders

must and can reach customers over the coming

O N E - O N- ON E IN TERV IE W
SOLVING
COMPLEXITY
WITH ROBUST
TAXONOMY
Mike MacDonagh
Director of Content Strategy
Wolters Kluwer
E: mike.macdonagh@wolterskluwer.com
Mike MacDonagh is responsible for defining and driving the

regulatory content strategy for Wolters Kluwer’s enterprise risk
management offerings, including solutions that allow financial
organisations throughout the world to measure, monitor and
manage regulatory compliance, operational and other risks across
their businesses. He has worked at Wolters Kluwer for 14 years and
previously worked in product management and marketing roles at
Misys, Qumas and Financial Objects.

SOLVING COMPLEXITY WITH ROBUST TAXONOMY ONE-ON-ONE INTERVIEW
R&C: Could you explain the value reviewing options for artificial intelligence
of tagging within financial services (AI) and machine learning (ML) solutions
compliance operations? How does the that include tagging?
process help to break down the problem
of complex regulatory compliance? MacDonagh: For anyone working in compliance,
timeliness of information is vital. Users cannot afford
MacDonagh: The potential scale and scope of to wait for content to be tagged entirely by hand.
regulatory requirements is vast. A fundamental part In addition, it is fair to say that any taxonomy that
of the job of anyone who is concerned
with regulatory compliance is to filter
out the irrelevant content without
missing anything important. Tagging of
“Every enterprise’s business is different
regulatory updates allows for reduced
noise and complexity in regulatory
and so every taxonomy that is going
change management by showing users to be used across enterprises will be a
only what is relevant to the enterprises’ compromise.”
locations, products, services and business
model, effectively quieting the noise that
would take time to filter out manually.
Mike MacDonagh,
Tagging allows a compliance team to Wolters Kluwer
easily find the regulatory updates that
apply to the business, to integrate
applicable regulations into day-to-day processes is sufficiently complex to be useful is also likely
using workflow tools, and to prove that policies to be too complex to be applied solely by people,
and processes align with all relevant regulatory because they will not be able to consider all the
requirements. Of course, for tagging to be effective possible tags at the same time. For this reason,
for critical compliance purposes, it must be accurate there has been a significant move toward using AI
and timely. techniques, typically natural language processing
(NLP) and machine learning (ML), to tag regulatory
R&C: What considerations should content. Unfortunately, this brings the issue of
financial services companies make when accuracy into play. Across a broad and diverse set of

compliance information, from different jurisdictions MacDonagh: For these users, AI techniques
and often arising in different languages, even the need to be augmented with human expertise. For
best knowledge models are unlikely to achieve an example, AI tags can be applied to all regulatory
accuracy much better than 90 percent. This matters. updates, but perhaps the types of updates that may
When considering whether a tagging solution is likely contain regulatory changes or guidance can also be
to be effective, we first need to consider what it is looked at by experts, to identify the specific sections
being used for. Typically, users who have a focus on of laws, rules and regulations that they are affecting.
the overall direction of compliance for an enterprise This is a rapid and clearly bound task that can
will have a broad range of interests that change over achieve high levels of accuracy, allowing users to
time and will also be interested in new topics. For quickly identify the updates that affect the citations
them, AI-based tagging is ideal – it is timely and is that they know affect their enterprise. This approach
sufficiently accurate for their needs. However, for would bring together AI techniques, the expertise
those users who are responsible for compliance of the content provider and the expertise of the
outcomes, it is another question. When a rule compliance team, to achieve a timely and reliably
changes or there is federal preemption that requires accurate outcome.
an enterprise to make changes to ensure continued
compliance, 90 percent accuracy is nowhere near R&C: For AI-based tagging, what
good enough. Regulators and judges will have no approach is needed to create the best
patience with an enterprise that ‘missed’ an action taxonomy?
because its AI failed to pick up a relevant change.
This has been likened to using today’s ‘self-driving’ MacDonagh: No taxonomy is going to be perfect.
cars; it is one thing to use that to allow the driver Experts and consortia have devoted countless years
to relax for a while on an open road but very few to trying to produce comprehensive and complete
people would be sufficiently foolish to sit in the back taxonomies for financial services but there is not
seat and trust their safety to it. one that has yet secured widespread adoption.
Every enterprise’s business is different and so
R&C: What factors need to be addressed every taxonomy that is going to be used across
to increase tagging accuracy and meet enterprises will be a compromise. We see two
compliance requirements? general approaches to creating taxonomies: detailed
approaches that try to create hierarchies of specific
terms for every combination of topics, products,

processes and so on, and more general approaches

that use a limited number of more generic tags
across several dimensions, and then allows users to
bring them together, in a faceted search, to create
the combinations that are specific to their business.
As with anything that is attempting to deliver
simplicity, the generic approach requires a significant
amount of design and consideration and a lot of
discipline to maintain. It is not likely to be perfect the
first time round, but it can be improved over time.
R&C: In scenarios where the taxonomy

of the enterprise already exists, how
might this affect the approach?
MacDonagh: Many enterprises already have their

own taxonomies, used to tag compliance content
for workflow or reporting purposes, and larger
enterprises may even have several, in different parts
of their organisation. There is valuable information
attached to these that firms will want to retain.
One clear advantage of the second approach is
that it lends itself to being mapped against existing
taxonomies that have been built by enterprises.
Such taxonomies are generally detailed, hierarchical
taxonomies, and trying to map them against a similar
taxonomy is all but impossible. But mapping to
combinations of tags from a more generic taxonomy
is often more successful. RC
&

MINI-ROUNDTABLE
WHY INSURANCE
COMPANIES SHOULD
REVIEW THEIR OPERATING
MODELS

WHY INSURANCE COMPANIES SHOULD REVIEW THEIR OPERATING... MINI-ROUNDTABLE
PANEL EXPERTS
Graham Handy
Managing Director
FTI Consulting
T: +44 (0)20 3727 1018
E: graham.handy@fticonsulting.com
Graham Handy leads the risk, governance and regulation teams

for FTI Consulting EMEA and is a senior insurance practitioner,
advising insurers across the globe on financial, operational and
strategic challenges in changing markets. With over 25 years
experience, he specialises in capital modelling and efficiency,
product design and assessment of the customer value chain,
post-acquisition integration, operational efficiency, and actuarial
and commercial due diligence. He is a fellow of the Institute of
Actuaries.
Darko Popovic
Senior Director
FTI Consulting
T: +44 (0)20 3319 5604
E: darko.popovic@fticonsulting.com
Darko Popovic is a qualified actuary who specialises in risk

and capital management achieved through a mix of in-house
and consultancy life insurance roles. He has worked across
Europe, North America and South Africa, and is a member of the
UK Institute and Faculty of Actuaries (IFoA) Sustainability Board.
His experience spans a range of business activities, from model
development and review through to process optimisation and
training.

R&C: Could you explain why insurance to ensure up front that they correctly understand
companies may need to review the regulations, and may sometimes even help to shape
operating model for their risk function? them, rather than simply responding to queries and
issues that arise retrospectively. These developments
Handy: There are three major reasons to think the highlight the fact that, when the risk function is run
operating model for risk functions needs an overhaul. the right way, it is now a central part of the business
First, businesses are recognising the risk function as rather than an afterthought. It is also apparent that
more central and more strategic, as shown by the the risk model has matured significantly, with an
appointments of former chief risk officers (CROs) as increased emphasis on strategic aspects.
chief executive officers (CEOs). Second, they need to
ensure that the three lines of defence concept is fit R&C: How would you rate the
to support new ways of working, including remote effectiveness of the three lines of
working. Third, and perhaps most importantly, today’s defence concept prior to, and during, the
volatile business environment, with its many cost and pandemic?
other pressures, makes it vital to maximise agility and
efficiency within the risk function. Popovic: Since the advent of the European Union’s
(EU’s) Solvency II directive, companies have done
R&C: What signs are there that some hard thinking about exactly what the three
insurance companies are assigning lines of defence should look like in their businesses.
greater importance to the risk function? By the time the pandemic happened, the model
was well bedded in, and companies had been
Handy: One sign is that, over the past five years, able to turn their attention to issues like efficiency,
an increasing proportion of former CROs have been effectiveness and value add. A particular area of
making the CEO grade, rather than a tendency focus was the relationship between the first and
toward CFOs to move into that role. In addition, second lines. Although each company has its own
CROs are leading ever more complex interactions way of implementing the concept, many had clarified
with regulators. This change is especially significant the second line’s role to make sure that it was not
because it comes at a time when businesses are a bottleneck, and that it did not end up as a kind of
moving away from simply complying with regulations ‘line 1.5’ doing all the work. Organisations were also
to establishing a more proactive relationship with tackling cultural issues, for example stopping the first
regulators. In this new relationship, companies seek line from passing off the checking and duty of care

to the second line. Work had also been done to make this new way of working. Of course, risk functions
sure the second line got involved in discussions early have always had to make governance succeed
on in any project, rather than once the work was across multiple sites and geographies. What is
finished, to avoid last-minute delays. This relatively different is that many are now coping with distributed
informal and collaborative way of working made risk working within teams daily.
management more effective because problems were
anticipated and prevented, rather than
detected and rectified after the event. But
it had an even more important advantage:
it made the company more agile and
“With most insurers expecting hybrid
responsive to change, since the three lines working patterns to persist, it is time
could work together to find a compliant to revisit the operating model to make
solution to any new challenge, instead of sure that it is optimal for this new way
being locked into inflexible processes. All
of working.”
this work stood companies in good stead
when the pandemic came along, and we
have been impressed by how well most
Darko Popovic,
were able to adapt to home working and FTI Consulting
the other sudden disruptions they were
faced with. Naturally there was some
flexing of roles and processes to make sure all urgent Handy: To remain agile, it is vital to strike the
work got done, but the majority were able to maintain right balance between formality and informality, and
their essential controls. between objectivity and collaboration, across the
first and second lines, in particular. At present, many
R&C: What effect might new ways firms are finding themselves too near the formal
of working have on the three lines of end of the spectrum because of the limitations of
defence concept in the future? hybrid working. With the first and second line mostly
communicating by phone and email, rather than face
Popovic: With most insurers expecting hybrid to face, it becomes much harder to maintain those
working patterns to persist, it is time to revisit the informal, collaborative relationships.
operating model to make sure that it is optimal for

R&C: What challenges do companies easy to tell whether you are complying with a rule,
face in becoming more agile? principles constantly require insurers to guess how
the regulator will interpret them. That can reduce
Handy: Agility is not at all easy for the average agility.
insurance company. The whole idea may appear
to clash with the traditional insurance culture and R&C: What steps can the insurance
structure, which is built around strong governance industry take to get the risk function into
and rigorous processes. In fact, it is possible to shape for its new business environment?
reconcile agility with rigour, but that is
difficult to do overnight. The tone from the
top must change fundamentally, and the
work has to be done by a special type of “To remain agile, it is vital to strike the
person, who is not typically found in every right balance between formality and
risk team. In addition, the intensive bursts informality, and between objectivity
of work that agile working requires make and collaboration, across the first and
difficult demands on resources that are
second lines, in particular.”
already overstretched. The idea of asking
someone from a key function to step out
into a multi-day ‘garage’ is a big ask at the
Graham Handy,
moment. FTI Consulting
Popovic: Another agile concept that is

challenging for most insurance companies is that of Handy: First, re-establish the right level of
‘failing fast’ – abandoning projects that are clearly formality in the three lines of defence model.
not going to meet their success criteria. When you There are several ways to do this. Once first and
are already working to 110 percent of your capacity, second-line staff are made aware of the issue, they
it looks like a luxury to invest resources into a task may well come up with ways to fix the balance
that may be abandoned. And culturally, failing fast is themselves. Apart from that, options include the
still seen as failing. The adoption of agile practices use of observational technologies to help people
is also hampered by Solvency II’s principles-based understand where their time could be spent more
regulatory environment. Whereas it is relatively productively, or where they could be collaborating

more closely. In addition, collaborative technology the processes and activities that generate that
platforms can, to some extent, replace the traditional information.
discussions at the water cooler and help teams
to visualise shared targets and outcomes, and the Popovic: Another valuable way of overcoming
relationships between tasks. Another vital step is to obstacles to agility is to parcel relevant work up as
box clever when it comes to talent, especially the projects rather than treating it as business-as-usual.
talent needed for achieving agility. Universities are This makes it easier to tackle intensive sprints and to
training people to blend agile thinking with good make failing fast acceptable. External resources can
discipline, and it is well worth recruiting those people. be brought in on a fixed-term basis if there are not
But to see where they fit in, it may be necessary enough resources in-house. In fact, maybe it is time
to re-evaluate the design of the risk function, and to rethink outsourcing altogether. In a fully remote
its processes. Is it better to have a few really smart environment, is everyone in a sense an outsourced
people or lots of foot soldiers? Is it best to debate service provider? If so, that renders the ‘them-and-
issues on an ongoing basis or take a one-and-done us mentality’ that used to be a concern in managing
approach to executive-level challenge? Different external relationships obsolete. To overcome the
approaches can work provided it is a deliberate constraints that a principles-based regulatory
choice. It is also important to make the most of environment imposes on agility, embed risk
existing talent. Is all the work that is being done management into everything you do. Work closely
adding value? If not, consider stopping or changing with major development programmes affecting the
the work. This is an area where you may value front line to inject a risk and governance perspective.
outside help, as people who are working more than Make sure that new systems for claims, underwriting,
full time do not have time to reassess what needs financial reporting and so on have the right controls
to change. A key element of this rethinking of work built in. This approach, together with automation
is to review the metrics and indicators that drive in the second line, should reduce the amount of
decision making. Particularly after the pandemic, you second-line activity required in the future. The
may well find that reports are being produced more hardest part is to prove that risk management really
often than is necessary, or that only a few metrics is embedded across the organisation. That is mainly a
on them are used by the board. Consider the use question of showing how information and processes
of digital dashboards as an efficient way of giving support the principle. RC
&
decision makers the information that they really

need, although it may also be necessary to upgrade

PERSPECTIVES
PERSPECTIVES
R ISK AN D CO M P L I A N C E I N
2 0 2 2 : D O N OT U N FA S T E N
YOU R S E AT BELT J U S T Y ET
BY ALEX KWIATKOWSKI
> SAS
T
he sigh of relief at the end of 2021 was The headlines and articles at the beginning of
audible. Bank executives had spent the 2022 read very differently: ‘The non-performing
year on tenterhooks, holding their breath loan tsunami that never happened’ being one
amid well-founded concerns over the contagious of many prime examples. That is not to say the
economic effects of the coronavirus (COVID-19) banking industry has escaped unscathed. There has
pandemic and the detrimental impacts on the health undoubtedly been a degree of collateral damage, but
of their lending books. The predictions made a not to the extent that the world is now addressing
year earlier – and the headlines and articles which the twin challenges of a global pandemic with
accompanied them – were dire and made it clear the bonus of a financial crisis for an extra dash
that apocalyptic conditions were nigh. With banks of difficulty. Having exhaled, banking can reflect
travelling at cruising altitude, the ‘fasten seat belt’ upon what has happened and consider what the
sign illuminated in response to severe turbulence future holds in store, not just for institutions but
directly ahead, a sense of foreboding gripped the their stakeholders, including customers, regulators,
industry. shareholders, employees, technology providers
and ecosystem partners, too. While the predictions

RISK AND COMPLIANCE IN 2022: DO NOT UNFASTEN YOUR SEAT... PERSPECTIVES
for 2022 are not all doom and gloom, it is not all momentum. While the UK’s economy cannot be
rainbows, sunshine and unicorns either. The seatbelt considered as a bellwether for every country, it is
sign remains on. nevertheless significant to observe how Britain’s
Against this realistic but hopefully not too economy grew by 7.5 percent in 2021 in the fastest
depressing backdrop, let us consider
risk and compliance in 2022 and the
operational priorities of banks.
Restarting lending
“The predictions for 2022 are more
Restarting lending is high on the positive than for the two prior years, but
agenda. The core business of lending firms must remain alert to the known
dates from around 2000 BC and has challenges and to any future black swan
been evolving ever since. It is the
events.”
raison d’etre of banking. A wide range
of products have been developed, and
firms continue to innovate in pursuit of
revenue growth. However, with interest
rates remaining at a historic low, despite inflationary annual growth rate since World War II. This is in
concerns, increasing net interest income (NII) and sharp contrast to 2020, when the UK suffered one
net interest margin (NIM) remains challenging. of the largest annual economic contractions of any
Loan growth is expected to resume in 2022 major economy when GDP fell by 9.4 percent due to
after a period of uncertainty as a direct result of the first wave of the pandemic.
COVID-19. Restarting lending will partially offset In terms of innovation, while ‘buy now pay later’
earnings pressures as credit costs begin to revert (BNPL) products cannot be considered all-new for
to the mean and the benefit of negative provision 2022, they will proliferate, with firms seeking to drive
expenses tapers off. This will likely lead to a decline revenues from this potentially lucrative market. But
in banking sector liquidity, as deposit growth slows having entered a new era of conscientious banking,
concurrently. where purpose and prudence combine in pursuit
However, with favourable financing conditions of profit, BNPL products must be handled with care.
prevailing and a powerful economic rebound This begins by lenders ensuring the correct decision
underway, 2022 began with largely positive credit is made when faced with an application for credit.

PERSPECTIVES
Managing exposures
The risk of previously performant loans becoming
non-performant remains omnipresent, despite losses
in 2021 not being as severe as originally anticipated.
Banks have largely proved resilient to the COVID-19
pandemic and have successfully taken measures to
reduce the impact of non-performing loans (NPLs).
This is not solely related to applicant suitability based
From a regional perspective, while Europe’s
on scoring from a risk management perspective, but
banking sector has reported a significant reduction
also includes detecting fraudulent activities based
in problem loans, the EBA has raised concerns
on real or synthetic identities. Transforming the
over banks’ exposure to hospitality and leisure-
credit lifecycle remains a major objective, and with
related sectors, where NPLs are rising. In the US,
it comes the need to make concerted efforts which
the percentage of NPLs has declined quarter on
prevent borrowers from getting into difficulties.
quarter, from a high of 1.19 percent in Q4 2020
Having got this far, banks cannot afford to undo
to 0.89 percent in Q4 2021. Risk and compliance
much of the good work done in the pandemic period
functions deserve credit for the work done to drive
by being responsible for inflating a massive credit
NPL volumes downward as a component part of
bubble which eventually – and inevitably – bursts
managing and mitigating exposures.
with a bang.
Banks’ earnings in 2021 surpassed expectations,
And with the global digital lending platform market
primarily because of lower than anticipated credit
expected to grow at a compound annual growth
losses. The steady influx of deposits will continue
rate (CAGR) of 24 percent from 2021 to 2028, having
in 2022 but at a slower pace, and with difficulties
been valued at $4.87bn in 2020, this is a clear sign
associated with increasing NII and NIM, banks
that firms intend to make it easier for applicants to
simply cannot afford to see credit losses increase
access funds. Banks’ risk and compliance functions
significantly.
need to remain vigilant.

PERSPECTIVES
Firms must continue to minimise exposures

for financial reasons and to achieve and maintain
regulatory compliance. Banks are required to
follow standards related to expected credit losses,
be it International Financial Reporting Standards
(IFRS) 9 or current expected credit loss (CECL).
governance, policies, models and infrastructure in
Extensive progress has been made to implement
place will be a major task in 2022.
technological solutions which adhere to these
Banks must accelerate efforts to tackle climate
standards, although there were delays to IFRS 9
risks, as current positions in many regions are
transition dates because of the pandemic. Issues
inadequate. For example, no supervised bank is
with initial implementations have also been reported
close to meeting all ECB expectations on climate and
in some countries.
environmental risks. Banks have developed plans to
improve practices, but progress is too slow.
Addressing climate-related risk
In 2022, the European Central Bank (ECB) is
Put simply, climate change creates financial
running a stress test on climate-related risks.
risks and has economic consequences. It is a key
This will help identify vulnerabilities, industry best
concern of all sectors of the economy, and financial
practices and the challenges faced by banks. Firms
regulators are moving to ensure banks identify risk
both within and beyond the ECB’s jurisdiction must
exposures from climate change and establish robust
pay attention to the findings, as this will indicate the
strategies and adjust business models to manage
actions required to better address managing and
them.
mitigating climate risk.
As regulators accelerate efforts to ensure the
financial system is not destabilised by climate
Do not unfasten your seat belt just yet
change, banks are deciding how to address
We have probably all been on flights where a
new risks. Putting the proper data, processes,
passenger thinks they are exempt from the rules

RISK AND COMPLIANCE IN 2022: DO NOT UNFASTEN YOUR SEAT... PERSPECTIVES
or can ignore a request from the crew, unbuckling Alex Kwiatkowski

their seat belt whenever they fancy, despite it being Director, Financial Services, Global
Industry Marketing
deemed unsafe to do so. The risk and compliance
SAS
function in banking is there to protect firms – and
T: +44 (0)1628 490 246
their stakeholders – from avoidable injury. The
E: alex.kwiatkowski@sas.com
predictions for 2022 are more positive than for the
two prior years, but firms must remain alert to the
known challenges and to any future black swan
events. Let us fly carefully through the coming
months, with seat belts correctly fastened. RC
&

PERSPECTIVES
PERSPECTIVES
HOW TO SCA L E R I S K
AND CO N TRO L S EL F-
ASSES SM E N T AC R O S S
I NST ITUTI ON A L S I LO S
BY KERRIS LEE
> ISACA
A
s regulators continue to focus on non- breakdowns that occur when trying to scale the
financial risks in financial services it is easy RCSA process across institutional silos.
to understand why risks, controls and their Some breakdowns are caused when the
relationship with operational failures will be heavily process gets more cumbersome as the scope
scrutinised. For many years, the risk and control grows, information sources begin to increase,
self-assessment (RCSA) process was one of the comprehension of risks and controls vary, or the
preferred methods for identifying risks, controls and needs of the reporting process begin to fragment.
gaps through self-identification while monitoring More severe instances occur when it becomes
remediation efforts to reduce risk. One of the goals harder to correctly link back to the identified risk
of enterprise risk management (ERM) is to obtain a after control testing, determine if certain areas in
360-degree view of the company’s risk footprint to the business take longer than others to remediate,
better manage risks and provide transparency to and provide evidence that the control and key risk
board members. However, many ERM professionals identifiers (KRIs) used are relevant to the risk.
are still challenged with achieving this goal due to

HOW TO SCALE RISK AND CONTROL SELF-ASSESSMENT ACROSS... PERSPECTIVES
Why is it hard to scale RCSAs across or debates instead of achieving the objective of
institutional silos? obtaining a 360-degree view of the company’s risks.
Typical challenges with scaling the RCSA process Key themes for an integrated risk assessment
include duplication of effort, a lack of consistency approach. Many companies have been challenged
across the enterprise risk frameworks, lack of risk with integrating various risk assessments across
infrastructure, stakeholder fatigue due to over- institutional silos. Outlined below are some
testing, and inconsistent risk reporting. Siloed risk considerations to evaluate for a risk programme.
assessments, via organisations, processes, data First, set up a workshop with first and second line
and systems, provide a limited view of aggregate of defence executives to gain their perspective on
risk exposures and controls, leaving the enterprise how they approach identifying risk and controls.
vulnerable to threats. In addition, as organisations Develop a repository of risks and controls along with
continue to shift priorities and adapt to the new KRIs and share this with your lines of defence and
normal of their industry, many processes will be business. Discuss how each risk and control is rated
disrupted, causing further challenges for chief risk and whether it makes sense to standardise. Uncover
officers (CROs) to incorporate the changes into how each control is tested against that risk from
their already established RCSA process. These sorts different perspectives, such as compliance, cyber
of scale issues are often a symptom of a weak security and so on, and incorporate the perspective
enterprise risk infrastructure that can scale across into the risk programme. Develop a roadmap
institutional silos. that includes touchpoints with the internal line of
Also, ironically, the infrastructure itself can be a defence to augment the risk identification process
point of contention if a solution did not take into and to help unify efforts across all assessments.
account best-in-class approaches to choosing a Second, develop a cadence that will allow the first
solution or implementation. We have seen instances and second lines of defence to share information
where the solution can cause more debates on and cross-pollinate approaches and areas of
things like the structure, risk controls to be assessed, identification.
who needs to provide input from what information, Finally, optionally research and discuss
the level of details required and how to make the with counterparts whether an enterprise risk
assessment not only consistent but relevant for infrastructure such as a governance, risk and
everyone. In these cases, a poorly implemented compliance (GRC) solution needs to be in place in
solution can distract from the value of scaling across order to augment RCSA activities.
institutional silos and instead causes more hurdles

Approaching these key aspects can

help establish an approach to scaling
RCSA across silos and building a more
“Some breakdowns are caused when the
robust risk identification programme.
This can increase efficiency, resiliency
process gets more cumbersome as the
and return on investment (ROI) scope grows, information sources begin
in business management areas. to increase, comprehension of risks and
Companies should also evaluate and controls vary, or the needs of the reporting
discuss GRC implementation when
process begin to fragment.”
maturing this exercise, as this can
augment most aspects in building

a robust enterprise risk infrastructure. Key areas within a business context to understand aggregate
for a GRC data architecture implementation are exposure in terms of enterprise value; and (iii)
business processes, controls, risks, taxonomies and increasing the focus on using a common risk
hierarchies, so care should be taken when designing language that correctly labels the items that must be
a scalable operating model that aligns products managed well to create value.
and channels and organisational structure with the Many professionals have seen success in
elements described above. Keeping this in mind unlocking the value of risk management in their
can help promote a scalable risk programme for respective industries by leveraging best in class
identifying, measuring, managing and monitoring practices and approaches. RC
&
risk.
To go above and beyond when developing,
Kerris Lee
implementing or enhancing the practice of risk
Global Director of Enterprise Risk
management, other steps to consider include: (i)
Management
developing appropriate operational capabilities to ISACA
ensure that business processes continue operating E: klee@isaca.org
through adverse events; (ii) framing IT-related risk

PERSPECTIVES
PERSPECTIVES
T HE G RAVI TY O F
COMPL I A N CE
BY PATRICK HENZ
G
ravity is not only necessary for the existence level management can be influenced by peer and
of the universe, but also beautiful in its group pressure. The more the manager identifies
own right. Astrophysicist Neil deGrasse with the group, the greater the chance they will be
Tyson wrote: “When I close my eyes, I see the influenced. Like the law of gravity, not only does the
planets as pirouetting dancers in a cosmic ballet, manager influence the employee, the reverse is also
choreographed by the forces of gravity.” He notes true.
that a planet does not technically orbit its host star; Employees are responsible for themselves.
instead both bodies effectively orbit their common Business consultant Ira Chaleff notes that leadership
centre of mass. Of course, he is referring to stellar is not about followers: team members do not exist
objects, but this concept can also be applied to to satisfy their leader. Instead, both are part of the
relations within companies. system and are responsible for their area of gravity
All employees are responsible for their radius. and for maximising the efficiency of the whole
Managers can be influenced by this pressure. A system. As a micro-system, a group must not only be
study by the Vanderbild University’s Owen Graduate able to fulfil its tasks, but also uphold the company’s
School of Management concludes that even high- vision and values. The same applies to each

PERSPECTIVES
employee. To achieve this, all employees require at The chief executive officer (CEO) and compliance
least a basic knowledge of the company’s strategy officer (CO) are not only a centre of gravity for
and business philosophy. Mr Chaleff goes on to say legal compliance, but also for business ethics.
that the values correspond to Isaac Newton’s laws of Most employees cannot distinguish between
gravity. If these are lost, due to a negative corporate compliance and ethics. Life requires a position
culture, for example, the planets can no longer stay within the so-called ‘goldilocks zone’, also known
in orbit and disappear into the vastness of space. as the ‘circumstellar habitable zone’: an area not
This happens when employees are fired or choose to too near the sun, but also not too far away from it.
leave the company. A positive business culture requires employees to

THE GRAVITY OF COMPLIANCE PERSPECTIVES
be in the goldilocks zone, where they can observe colleague and expert, and should always be
the tone from the top, and be impacted by it, but available for questions, discussions and advice. The
are far enough away to be aware of their own CO should support employees in finding answers
responsibilities and accountability.
This is necessary to act on company
principles and regulations, but also
to set an example for colleagues, “A positive business culture requires
including team members. employees to be in the goldilocks zone,
In our analogy, the CO and CEO form where they can observe the tone from
a binary star system; they are twin
suns. Both impact one another as well
the top, and be impacted by it, but are far
as the planets in their gravitational enough away to be aware of their own
range. Both are responsible for responsibilities and accountability.”
compliance, though the CO is the
subject matter expert. A compliance
system implemented or updated in
response to internal corruption may seek to keep a for themselves, instead of directly providing the
closer watch over employees. Nevertheless, this is answers. Employees also need to understand
only a temporary solution, as employees develop a the path leading to those answers. To this end,
resistance to micromanagement, or follow only the interactive case studies are better than one-way
letter of regulations, rather than their philosophy. communication. Active learning is more likely to be
This creates a risk, as regulations cannot predict remembered, leading to the right behaviour.
or define every potential scenario. To ensure that Second, it is important that corporate culture is
compliance flourishes, employees must have a respectful, giving employees the opportunity to
certain level of independence. The CO should set the express different opinions. This allows the CO to
tone from the top and explain expected behaviour change minds through healthy discussion, rather
(based on internal regulations and processes), but than using authority to impose knowledge.
leave enough space for employees to think for Third, the CO should not take work away from
themselves and to understand the broader purpose. employees. Tools and systems should be explained,
These abstract ideas lead to practical actions. but it is the employees’ responsibility to use them.
First, the CO should be perceived as a trusted

THE GRAVITY OF COMPLIANCE PERSPECTIVES
Finally, a star is not only a source of energy Based on the company’s accepted risk level, the
that can sustain life, but also a determining force. CO must decide when it is necessary to hold an
With a risk-based approach, the CO must accept employee’s hand, and when to rely on instructive
responsibility for changing internal regulations videos and interactive chat-bots instead. RC
&
and tools, and, if needed, to carry out internal

Patrick Henz
investigations. Much like a stellar object, this can
Head Governance, Risk & Compliance
impact employees, but in a predictable way if
E: cerpheus27@gmail.com
processes are transparent. Furthermore, this fosters
positive relationships between employees and the
compliance department.

O N E - O N- ON E IN TERV IE W
ESTABLISHING
ESG STRATEGY
AND HUMAN
VALUES AT
BOARD LEVEL
Gerry Zack
Chief Executive Officer
Society of Corporate Compliance and Ethics
& Health Care Compliance Association
T: +1 (952) 567 6215
E: gerry.zack@corporatecompliance.org
Gerry Zack is the chief executive officer (CEO) of Society of

Corporate Compliance and Ethics (SCCE) & Health Care Compliance
Association (HCCA). He leads the global strategy and activities of
SCCE & HCCA and its 18,500 members across 100 countries. He has
more than 35 years of experience providing preventive, detective
and investigative services involving fraud, corruption and compliance
matters. He has worked in more than 25 countries with businesses
of all sizes and in many industries, as well as with non-profit and
nongovernmental organisations and government agencies.

ESTABLISHING ESG STRATEGY AND HUMAN VALUES AT BOARD... ONE-ON-ONE INTERVIEW
R&C: Could you explain why companies’ led to thinking that extended well beyond profit
environmental, social and governance and loss (P&L). At the same time, climate change
(ESG) strategies are increasingly has impacted business thinking, while social
important in today’s business world? expectations continue to rise. So, while the pandemic
What factors are compelling organisations had a major impact, it was far from alone in driving
to enhance performance in this area? this transformation.
Zack: The days of share price as the sole measure R&C: What steps can companies take
of a company’s performance are over. Employees, at board level to create an ESG culture
customers, the general public, governments and and embed human values across the
the investor community are all now looking at the organisation? Why is it vital that senior
non-financial impacts organisations have. They are leaders buy-in to these concepts and
setting behavioural standards on everything from drive the initiative?
CO2 emissions to how well the company ensures
there is no human trafficking in its supply chain. If Zack: The board sets the direction for the
an organisation wants to see its business grow and organisation, and if it is not committed to ESG,
keep good people, it must look to environmental, leadership and management will quickly figure
social and governance (ESG) measures that out. Likewise, if they set ESG goals and ask
leadership hard questions about performance, the
R&C: To what extent has the global impact will be enormous.
coronavirus (COVID-19) pandemic served
to highlight the ESG agenda and focus R&C: What are some of the common
companies’ priorities? challenges at board level when adopting
ESG strategies and, in turn, reporting
Zack: The coronavirus (COVID-19) pandemic performance to stakeholders?
placed enormous pressure on organisations as they
struggled to keep operating in the face of a range Zack: Goal setting is going to be key for boards
of challenges. They had to revisit everything from in ESG, as it is elsewhere in business. And the
employee health and wellbeing, both physically and board needs to realise that the organisation simply
from a mental health standpoint, to new methods cannot satisfy everyone. Selecting stances on social
and vendors for sourcing goods. That inevitably issues gets very complicated and priorities must be

established. The board must set reasonable goals is not just about aspirations; there are an increasing
that are achievable for the business. And, just as number of laws and regulations that companies
importantly, it must ensure that those goals are have to be mindful of when it comes to ESG and ESG
truly and honestly met. That will mean ensuring that reporting. Cheating here is no different that doing so
there is a system in place, whether managed by the elsewhere.
compliance team or others, to make sure
that the results reported are accurate and
reliable.
“The greatest tool organisations have

R&C: Given the burgeoning
for implementing effective strategies
status of ESG as a top
business imperative, what and reporting processes are their own
tools are available, such as people and compliance programmes.”
new technologies, to help
companies implement effective
ESG strategies and reporting
Gerry Zack,
processes? SCCE & HCCA
Zack: The greatest tool organisations

have for implementing effective strategies and R&C: How important is it for boards
reporting processes are their own people and to maintain adequate oversight of a
compliance programmes. Since ESG is about how company’s ESG claims and credentials, to
the business will operate, businesspeople must ensure their accuracy? Could you outline
be on board and work through the challenges to the potential financial and reputational
make ESG measurements as integrated as quality risks of greenwashing, for example?
measurements. The compliance team is already
well-skilled in identifying risks, finding, investigating Zack: If a board does not exercise proper
and remediating problems and developing controls. oversight of the company’s ESG claims, it is being
ESG also greatly overlaps with initiatives around the derelict in its responsibilities. The same approach
organisation’s values, which is also squarely in the to internal controls over systems and information
compliance team’s remit. And keep in mind that ESG that apply to the audited financial statements

needs to be applied to ESG reporting processes and Zack: We are already seeing it happening. Look
systems. Investment decisions are made based on at what happened to Exxon Mobil. Activist investors
them. Reputations depend on them. The cost for are making it clear that a board cannot settle for a
the organisation in terms of share price will likely be ‘business as usual’ approach today. And litigation
substantial, and no board member wants to have pertaining to ESG is increasing rapidly. Any board
to explain how he or she missed what likely would member will have to address ESG and human values
have been an avoidable scandal. issues if they value the company they serve and the
board seat that they occupy. RC
&
R&C: In your opinion, what are the likely

consequences for companies that fail
to demonstrate a commitment to ESG
and human values? Do you expect these
issues to become an integral part of
boards’ remit in the years ahead?

PERSPECTIVES
PERSPECTIVES
F OU R S TE P S T O
S AF EG UA RD I N G
COR P ORATE R EPU TAT I O N
BY NADA KAKABADSE AND ANDREW KAKABADSE
> HENLEY BUSINESS SCHOOL
M
any firms consider brands to be among media-driven communications environment, a hard-
their most important assets and a loss of fought brand status can be eradicated in an instant.
reputation as the biggest risk facing their Consider the pressure the British monarchy, as
organisation. a brand, finds itself under in the wake of Prince
The logic behind this thinking is gleaned from both Andrew’s legal settlement with Virginia Roberts or UK
research and experience which shows that most prime minister Boris Johnson’s attempts to salvage
customers will switch brands after just one bad the Conservative Party’s political agenda following
interaction. ‘Partygate’. The UK Post Office is still attempting to
Human nature further dictates that dissatisfied move on from its scandal of more than 700 sub-
clients talk more about poor than positive postmasters and mistresses being accused of theft,
experiences with others, and this damaging word- fraud and false accounting in what has become
of-mouth messaging can be enormously magnified widely regarded as one of the most widespread
through social media and ‘citizen journalism’. miscarriages of justice in British legal history.
It takes years for organisations to build a There are plenty of other examples of disastrous
reputation, but in today’s 24/7 news cycle and social behaviours and outcomes that have sunk

FOUR STEPS TO SAFEGUARDING CORPORATE REPUTATION PERSPECTIVES
reputations, or the perceptions, attitudes and

feelings of stakeholders, about the nature and
underlying reality of organisations, all of which is
inextricably linked back to company assets and risk.
As the reputation and value of a company rises, so
does its vulnerability. Any significant adverse events
impacting an organisation can lead to potential
reputational damage and ultimately loss of revenue.
Finance – the ultimate reputational

standard
A favourable reputation, and the capital
that accompanies it, does not occur
by chance. Accumulating a sound
stock of perceptual and social
assets depends very much on
existing levels of trust between the
organisation and its stakeholders, as
well as the quality of product or service
it offers.
Finance is the most accepted and used metric for
measuring reputational damage as it directly reflects
tangible impact in a way that the executive can
easily recognise and understand.
Losing the support and trust of the wider public is
a precursor to corporate collapse. This means that
reputation is viewed as a reliable information tool
that enhances the predictability of organisational
success or failure.
A favourable reputation is difficult to imitate
or replicate as it is a socially complex and

multidimensional condition. Reputation has all reputation requires sincere engagement with
the qualities of a strategically valuable, relevant stakeholders to achieve lasting competitive brand
and scarce resource among actual or potential and reputational advantages.
competitors. It is difficult to imitate and does not It is a process of ongoing interaction and
have any equivalent substitutes. empathetic listening to the experiences and
Uniquely, reputation has no limit in the way it concerns of clients, suppliers, employees, investors
can be used as it does not depreciate. It is also and a host of other stakeholders.
somewhat intangible and difficult to manipulate by There are four core steps to safeguarding
the firm. In essence an organisation does reputation, as outlined below.
not own or control the perceptions of Living the corporate purpose and values.
others, although it can nurture and Reputation flows from corporate values, culture
safeguard its reputation. and tone at the top. This begins with selecting
an appropriate chief executive officer (CEO) and
Effective board developing a purposeful communications strategy.
stewardship Successful organisations build an authentic
All of this narrative through management that proactively
depends on having engages critical stakeholders in discussion on the
effective board company’s strengths, vulnerabilities and growth
oversight, authentic potential.
leadership, company capability, The board’s responsibility is to assess whether
effective communication activities these factors have been built into the culture and
and formalised stakeholder feedback adequately maintained. In addition, the board needs
mechanisms. to remain mindful of brand and operational mindset
Accidents and corporate crises also cause to safeguard reputation and brand equity.
damage to reputational capital, so having a positive This requires the organisation to deliver the brand
position in the first instance acts as a buffer against consistently and reliably throughout the customer
unexpected incidents. journey, meaning delivering on all the functional and
Board stewardship is the starting point for emotional values the brand promises.
responding to and rebuilding reputational damage, If the brand is delivered differently from its stated
while values and leadership are key to a company’s benefits, it will reduce its equity and reputation. If
success. Most importantly, safeguarding brand an organisation falls short and loses the trust of its

stakeholders, there is a tangible impact through conditions and trade, climate change, the privileging
a loss of sales, partners, sponsors, endorsers and of certain groups and the marginalisation of others.
investors. To address these issues, organisations should
On the positive side, organisations that genuinely reflect on the signals they choose to communicate
live the core principles of fairness, accountability, through existing behaviour and devise various levels
responsibility and transparency have a higher of stakeholder engagement. For example, some
propensity to spring back and recover from a crisis. stakeholders are satisfied with being kept generally
Creating a positive culture where stated values informed of developments, while others prefer to
are lived throughout organisations is mandatory, as be consulted, be involved, to collaborate or even be
no single risk management team can successfully empowered.
manage reputation on its own. To succeed requires Stakeholders continuously receive information
genuine effort from every employee because the through news and advertising media, opinion
relationship between the corporate brand and leaders’ analysis, and word-of-mouth. However,
culture is intertwined. This is particularly evident in it is direct experience and interaction with the
service organisations. organisation that is the most potent method of
Continuous stakeholder engagement. How an perception development. As a result, genuine two-
organisation uses narrative to communicate brand way dialogue with stakeholders is vital to create an
and value delivery is vital to influencing stakeholder understanding of, appreciation for and commitment
perception. Even more critical is how an organisation to community-building.
engages with its stakeholders. This is a fundamental Engagement means emotional receptivity and
part of the monitoring process and helps reveal an ability to listen with openness, sometimes to
stakeholders’ needs, expectations and changing unpalatable messages or significant differences of
social norms and perceptions. opinion. It requires a great deal of active listening,
Successful organisations understand the use of feedback and prompt reaction to improve the
importance of an engagement strategy that seeks stakeholder experience.
to influence rather than control stakeholder If there is a problem, the organisation should
perceptions. Research and current social movement acknowledge this and take full responsibility.
show that society wants companies to take a Similarly, with activities involving the media, if an
position and communicate what they are doing to apology is required it should be delivered quickly and
address present-day problems, such as fairer work action must be announced and taken to right the
wrong.

Even in the case of interaction by one individual, It also involves identifying the areas of reputational
as exemplified by Jack Sweeney, who runs a Twitter risk to which they are exposed and then developing
bot page that monitors Elon Musk’s private jet’s systems and processes that enable flexibility as
movements, dialogue should be used to solve the required. For example, cyber security is a potential
problem satisfactorily. A solo voice on
social media can cause a downward
reputational spiral, triggered either
gradually or by abruptly fracturing “It takes years for organisations to build a
relationships. As many organisations
reputation, but in today’s 24/7 news cycle
have learned to their regret, attempting
to control damaging online fallout is
and social media-driven communications
very difficult. environment, a hard-fought brand status
Organisations should take heed of can be eradicated in an instant.”
mindfulness and develop an awareness
of how public relations can help
manage power distribution and shape
expectations. A crucial part of this is assessing threat to any established corporate reputation.
reputational context and risks by monitoring when, Losing data on a large scale diminishes a company’s
what and how an issue is communicated, and ability to portray itself as competent, well managed
through which media. and trustworthy. Massive digital migrations of
Building resilience. The prevention of accidents businesses are being continually threatened by
and minimising reputational damage requires cyber crime, which is currently at an all-time high.
resilience across the organisation. Data privacy is an ongoing issue and privacy
In rapidly changing work environments, resilience regulations are still a long way from offering a
or the ability to persevere through a stressful time comprehensive fix. Investing in sound cyber security
and thrive amid change is one of the most important systems and expertise is both expected and crucial
skills organisations need to develop. This occurs to protecting data and the organisation’s reputation,
by fostering a psychologically safe workplace and, as is actively planning on how to reactively
through appropriate training, leaders can help manage a possible incident. Resilient firms foster
enable the development of resilient organisations. an organisational culture that enables people to

maintain transformational growth in the face of The discomfort the chair faces in addressing such
change. dilemmas is considerable. After all, it is the chair
Evaluating and updating the business model. To who supported the CEO in the creation and delivery
understand how each stakeholder group influences of the original strategy, agreeing the goals to be
business success, regularly measuring organisational achieved. The fact the CEO arrived at these goals in
reputation is critical to safeguarding reputation. a manner the chair did not intend or anticipate was
Successful discourse adopts a system that tacitly approved.
evaluates the relative position of each group of The demoralising reality is that most chairs back
essential stakeholders, ranging from informal down from making this type of uncomfortable
dialogue, through to rigorous proceedings based on decision, citing a likely loss of shareholder
measurement. confidence if the CEO is removed. However, by
Remember, reputation is fluid, constantly taking this route, the reputational consequences and
evolving and sensitive to organisational actions and damage are often delayed and build up over time to
behaviours. Reputation measurements can be used an unbearable breaking point.
to create competitive and internal benchmarks to Evidence strongly indicates that chairs who
identify more effective practices. ultimately take the decision to sack the CEO face
Identified weak reputational areas must be an initial dip, followed by a subsequent rise in share
prioritised, along with action plans to treat them and price and allied reputational growth. RC
&
schedule continuous re-evaluation. An organisation

Nada Kakabadse
will do well to consider how its actions benefit
Professor of Policy, Governance & Ethics
its clients and other stakeholders, as well as the
Henley Business School
environment. T: +44 (0)1491 418 786
Ultimately, feedback from multiple stakeholders E: n.kakabadse@henley.ac.uk
and reputation measures are invaluable tools for
understanding, improving and innovating within an
Andrew Kakabadse
existing business model.
Professor of Governance & Leadership
Henley Business School
In conclusion T: +44 (0)1491 418 776
The responsibility for resolving the matter of the E: a.kakabadse@henley.ac.uk
‘operational performance versus the intangible
effects’ dilemma rests squarely with the chair.

PERSPECTIVES
PERSPECTIVES
MANAG I N G CY B E R R I S K
I N A DI G I TAL W O R L D –
PRACTI CA L A PPL I C AT I O NS
OF ZE RO TRU S T
BY SIÂN JOHN
> MICROSOFT
I
n 2015, the owners of the Hatton Garden Safe transformed. This is in stark contrast to most modern
Deposit scheme in London returned after the industries.
long Easter weekend to discover that a robbery Digital technology has transformed the way we
had taken place and goods of an estimated value live and work. It provides great opportunities to
of £14m had been stolen. This felt like a crime address new markets, transform products, optimise
that belonged to a previous age. When they were the experience for employees and customers
apprehended, the average age of the thieves was 63 and increase opportunities for many businesses.
and two were in their 70s. These were old-fashioned There are very few businesses now that do not rely
thieves; technology was not part of their modus on technology for success. Even hotels and bars
operandi and digital transformation not in their rely on internet bookings and digital payments.
vocabulary – a fact which was highlighted when they The convenience of digital technology unlocks
were ultimately identified through images captured many opportunities but also brings with it new
on CCTV in public streets which they had not fully complications and challenges. Technology makes
considered. They were stealing precious stones, services accessible to people that previously could
a physical resource the value of which cannot be not access them, but also expands the available

MANAGING CYBER RISK IN A DIGITAL WORLD – PRACTICAL... PERSPECTIVES
attack surface for malicious actors. It increases attackers alongside ‘regular’ criminals. The
opportunities, both for businesses and criminals. Bangladeshi state attack is believed to have been
Over the last 30 years, there has been a decline instigated by a nation state attacker. Crime is not the
in the number of bank robberies, but, at the same only place where cyber has been added as a parallel
time, we have seen a rise in online financial crime attack vector. We increasingly see it being used as
and fraud. The largest sum of money ever stolen in part of the arsenal of nation states. There have been
a classic bank robbery was $282m from a 2017 bank numerous examples of this in recent years. There is
robbery in Iraq. The largest online financial attack is a tendency to think of cyber as something special
probably the Bangladeshi bank attack in 2016 which that needs a whole new way of operating and should
led to the loss of $101m. The reality of cyber attacks be left to the IT department, whereas it is simply an
is that internet connectivity allows for a longer term evolution of the world to address the fact that we
and ongoing fraud. The coronavirus (COVID-19) are more digital now, which brings new opportunities
pandemic saw a spike in cyber attacks in banks of but also a new threat vector.
238 percent. Second, to emphasise the fact that we tend to
So why did this article on managing cyber risk in think in terms of a definable perimeter. For a robbery,
a digital world start with an overview of one of the such as that which took place in Hatton Garden,
least digital crimes of recent years and then discuss there is a defined premises, with a sphere of risk and
how that relates to cyber risk? a physical area to protect. And yet the business still
There are two reasons. First, when we discuss failed through not having the appropriate protections
cyber crime we often consider it in a vacuum, as in place over a holiday weekend. In the cyber world,
if it is a magical new threat that has arisen from we do not have that perimeter, and the need to
the digital ether. In reality, it is criminals attempting provide protection 24/7 is higher still. However,
to make money in the best way they can. When we still carry over a lot of the mindset from that
our greatest source of wealth was physical assets, physical protection era. Many traditional models of
the most prevalent form of crime was physical. As cyber security revolve around the ‘castle and moat’
we move into a digital world, it is only natural that concept of a definable area that is mine within the
criminals move with us. Cyber crime reflects the fact walls and the ‘bad guys’ outside. In a world where
that criminal organisation are capable of digitally we are all working remotely across different offices,
transforming as much as legitimate ones. locations and services, including cloud and mobile,
There are complications that come in a digital these perimeters are impossible to define.
world, such as the involvement of nation state

XXX PERSPECTIVES
So, how do we secure a world in which we have opportunity of attack, it also provides more options
no physical perimeter to defend, where the criminals for reducing the impact.
are also digital and where we may even have nation This is what has led to the rise in popularity of the
states to contend with? principles of ‘zero trust’, which are: (i) explicitly verify
Companies only have so many resources to deal – verify every connection to ensure that the identity,
with these challenges. Traditionally, there was a lot of device and connection all meet requirements (ii)
focus in cyber defence on protection. This followed least privilege access – only allow access to the
the ‘castle and moat’ model of security: strong resources needed; and (iii) assume breach – assume
perimeter defence with a relatively soft interior, someone has already breached your defences.
apart from endpoint security. Most investment ‘Zero trust’ is currently the buzzword of the
was on prevention of attack, but with the increase industry, leading to a lot of vendors choosing to map
in sophisticated attacks, spending shifted into it to whichever product or capability they have that
detection and response. However, there is now it addresses. This has led to some disillusionment in
a recognition that you do not just want to detect the term and a belief that it is ‘snake oil’, however
and respond to attack, but to proactively limit the this belief does the concept a disservice. Zero trust
damage as much as possible. It is no use being able contains sound principles that can be taken to limit
to find and track down the criminals after the £14m a company’s exposure to attack. They are also well
has been lost. It is much better to prevent the loss in adapted to a world where users can be anywhere.
the first place. Although a digital world increases the There should be no more trust from sitting on a
corporate network than sitting in a coffee shop.

MANAGING CYBER RISK IN A DIGITAL WORLD – PRACTICAL... PERSPECTIVES
This allows the integrity of every user, device or had breached the system meant the theft was not
application to be tested before it accesses an discovered until after the weekend. An alarm was
application and to only gain the minimum access tripped and investigated, but because things looked
required for productivity. Also, assuming
a breach has occurred removes the
concept of a trusted asset that has
unchallenged access to sensitive “So, how do we secure a world in which
systems and data. Applying this
we have no physical perimeter to defend,
principle improves our ability to detect
and respond to malicious access. In
where the criminals are also digital and
the case of a nation state attacker, where we may even have nation states to
this is particularly important. While it is contend with?”
difficult to match the sophistication of
the attacker, you can limit their ability
to proliferate across the network. This
is where the principles of zero trust come into play, normal it was assumed to have been an error.
limiting the implied trust that gives the ability to Applying the principles of zero trust would have
spread unguarded across a network. helped to address these challenges.
The Hatton Garden robbery provides another In a digital world where connections are
non-cyber example of what happens when you do ubiquitous and there is not even a physical door to
not apply the principles of zero trust. The criminals access, zero trust is not hype but the articulation of
gained access through a door that was shared with principles that are essential to follow when you do
other businesses in the same building as the safe not control the perimeter or access. Trust no one,
deposit scheme. This shared access meant the safe verify everything. RC
&
deposit did not have full control of access to its

premises, much like many digital businesses today.
Siân John
As there was an implied trust in being within that
Senior Director
door, the thieves were able to access the basement
Microsoft
and, after disabling local security systems, have T: +44 (0)118 909 4786
unfettered access to drill through into the safe room. E: sian.john@microsoft.com
The lack of monitoring and assuming that someone

PERSPECTIVES
PERSPECTIVES
PRIVACY A N D CY B ER
SECURI TY: I MM E D I AT E
CONV E RG E N C E I S A
NEC E S SI TY
BY VISHAL CHAWLA
T
he daily lives of ordinary citizens are incentives and the ethical duty to protect such
connected to the internet in many ways, information. To do so effectively, privacy and cyber
with multiple vulnerabilities and different security must converge into a single affair, managed
exposure points. Reliance on the internet is so strong with a more assertive approach to keep data safe
that individuals often turn a blind eye to the risks and secure.
taken as they readily transfer bank data, medical Regardless of recent corporate attempts to
information and other sensitive information over prevent them, data breaches affecting millions of
networks. people have become all too common. Disclosed in
Online activity is being recorded and scrutinised, 2018, in the now-famous scandal, Facebook allowed
often without the knowledge or consent of the Cambridge Analytica to gather data from up to 87
people affected. It is an infringement of privacy and million Facebook profiles without users’ consent.
should not be taken lightly. Facebook was fined in the US and the UK for the
The companies obtaining, storing and using incident. Cambridge Analytica filed for bankruptcy.
data linked to individuals have both the business

PRIVACY AND CYBER SECURITY: IMMEDIATE CONVERGENCE IS A... PERSPECTIVES
Discovered in 2020, online learning platform to the unanticipated inferential uses of that data.
OneClass left exposed a 27-gigabyte database Advancements in artificial intelligence (AI) and
containing full names, email addresses, phone machine learning enable the sifting and comparing
numbers, schools and universities attended, school of massive amounts of data to identify connections
enrolment information, and payment details for over and recognise patterns – to infer invasive knowledge
one million North American students. Much of this about individuals’ assets, habits and desires. This
data was from minors, which makes the matter even elevates privacy concerns to another level.
more concerning. Any business whose processes touch the internet
Announced in 2020, Marriott International advised in any way (which means nearly any business)
that personal information had been illicitly acquired should ensure that privacy and personal data issues
for approximately 5.2 million guests, including are taken seriously. Companies cannot simply tell
contact details and birthdates. This followed a similar their IT departments to build higher and stronger
breach spanning from 2014 to 2018 during which walls and hope for the best.
contact details and passport numbers for up to 500 Motivations to improve data protection reside in
million people were exposed. both doing the right thing and protecting the bottom
Revealed in 2020, Canva, an Australian graphic line.
design platform, was alerted (by the hacker) that its There is a duty (sometimes implied, sometimes
system had been breached. Almost 140 million user expressly required) to act with honesty and
records were uncovered and, purportedly, posted to decency on the public’s behalf. In 1928, Supreme
the dark web. Court Justice Louis Brandeis wrote: “The makers
The enormous amount of data online is hard to of our Constitution undertook to secure conditions
fathom. Based on information published in March favourable to the pursuit of happiness…They
2021 by the International Data Corporation, 64.2 sought to protect Americans in their beliefs, their
zettabytes of data were created or replicated in 2020 thoughts, their emotions and their sensations. They
(approximately 900 megabytes of data per hour for conferred…the right to be let alone—the most
each human on earth). Not all data created is saved comprehensive of rights and the right most valued
– the installed global base storage reached 6.7ZB in by civilized men.” The public expects and generally
2020 – yet it still presents a tempting target for data assumes (until proven otherwise) that companies
miners and hackers with malicious intent. will perform with integrity; this includes ethical use,
Alarmingly, the problem is not limited to the proper protection and handling of personal data.
illegitimate possession of digital records. It extends

If ethical principles are insufficient to drive measures sufficient to thwart hackers and data
business decisions, then consider the negative miners. Complex advancements in technology, the
financial effects of improperly controlled data. It increased number of interconnected devices, and
begins with legislation and regulations that are the sophistication of threats pose severe risks. In
quickly being proposed and enacted. response, serious consideration should be given to
One of the most wide-ranging and
thorough is the European Union’s (EU’s)
General Data Protection Regulation
(GDPR), which came into effect in May
2018. It establishes a comprehensive “To man the gates and guard the kingdom,
approach to personal data protection. It the starting point is certainly in cyber
establishes rights for individuals whose security measures sufficient to thwart
data is being processed, including the
hackers and data miners.”
right to be informed and the rights of
access, erasure, processing restriction
and data portability. Obligations are
imposed on organisations anywhere
in the world as long as they target or collect data advanced encryption protocols that can add double
related to people in the EU. The GDPR allows for or triple layers of security. This has typically been the
significant fines – €20m or 4 percent of global realm of the IT department.
revenue, whichever is higher – and sanctions such Malicious actors do not necessarily need to break
as bans on future data processing. through digital barriers to gain access to data. The
Similar regulations have been proposed or enacted actions of an employee working far from the data
in several US states and other countries around the may open an unintended door via loose handling of
world. passwords and security devices or by falling victim
Beyond regulatory action and fines, additional to a social engineering ruse. Maintaining cyber
incentives to maintain proper control over personal awareness across the employee population may fall
data include consumer lawsuits. The cost of failure in to IT, company security, or even human resources
privacy and data protection can be quite high. (HR).
To man the gates and guard the kingdom, When privacy issues regarding personal data are
the starting point is certainly in cyber security raised, these matters are often managed by a chief

privacy officer (CPO), with involvement from legal

and limited support from IT and security.
While this cross-functional dance is proceeding,
the customer experience and the user’s concept of
privacy can be lost in the shuffle. What customers
want – easy, rapid movement through online systems
– is typically at odds with customer identity and
access management systems experience. IT security
says ‘lock it down with multi-factor authentication’;
the consumer says ‘keep my information safe
but give me an uncomplicated experience’. The
consumer also wants to be able to control what data
is held, including the right to expunge that data.
The right balance requires a new three-part
approach: unified organisation, risk-based
management, and customer focus.
First, unified organisation. The use of disparate
departments worked well in the past, but
technological changes and elevated concerns about
privacy now point to the melding of cyber security
and privacy. This cannot be done as an add-on or
afterthought. Rather, set the tone at the top that all
products and services will be secured and trusted
by design. Establish accountability for security and
privacy under a single executive-level person. This
leader’s resources must include those necessary
to cover legal and regulatory aspects, in addition to
managing security and privacy across the full data
lifecycle. Integrated cyber and privacy risk reporting
is to be provided directly to executive management
and the board of directors.

The security and privacy teams, now subordinate

to the new executive leader, must collaborate. The
privacy group must become more aware of technical
requirements and constraints while security experts
must gain a solid understanding of both legal
mandates and customers’ privacy expectations.
In this process, confidentiality and privacy should
not be confused. Security organisations often define
their programmes as providing confidentiality,
integrity and availability. Procedures that allow
only authorised individuals to have access to the
information ensure confidentiality. The methods used
to collect information about customers, the type of
information being collected, and the collection of
only the minimum amount of information necessary
to conduct the business are privacy controls.
Second, risk-based management. This starts
with a systematic review of information system
vulnerabilities: evaluate for weaknesses, assign
severity levels to vulnerabilities, and define
mitigation or remediation steps that will reduce risk.
The results of these reviews become input to cyber
incident response plans.
Similarly, privacy vulnerabilities must be assessed
and mitigated – what are the risks to customers
which may arise from the company’s processing
and storage of their data? In doing so, consideration
must be given to new or unconventional methods
of combining data. A recent study demonstrated
that 99.98 percent of Americans could be correctly

identified from an anonymised dataset using 15 Privacy regulations are evolving and expanding.
demographic attributes. Many new privacy compliance laws have security
Finally, customer focus. Understand that privacy is expectations. Article 32 of the GDPR clearly defines
a major issue with consumers. They want control of security controls required for protecting customer
where their data goes and how it is used. In a 2019 information. Consumers are becoming more aware
upgrade to its mobile-device operating systems, of how companies do and do not protect their
Apple gave users the choice of whether personal privacy. Hackers and other hostiles improve their
data could be collected or not; the vast majority of technical abilities every day. Companies must either
users took advantage of the opportunity and opted react through the convergence of cyber security
out. and privacy or face regulatory and consumer
Privacy can and should be expressed at the core consequences. The time to act is now. RC
&
of the business. The concepts should be applied

Vishal Chawla
across all business services or within all product
Cyber Security & Privacy Risk Professional
developments. Be transparent with customers on
E: vchawla01@gmail.com
what data is collected, how it is used and how it is
protected.

MINI-ROUNDTABLE
COMPETITION AND
ANTITRUST CHALLENGES
IN THE LIFE SCIENCES
SECTOR

COMPETITION AND ANTITRUST CHALLENGES IN THE LIFE... MINI-ROUNDTABLE
PANEL EXPERTS
Irene Antypas
Counsel
Ashurst LLP
T: +32 (2) 641 9966
E: irene.antypas@ashurst.com
Irene Antypas is a counsel in Ashurst’s competition & EU law

department, based in Brussels. She has extensive knowledge and
experience advising on EU competition and regulatory matters
and acts for major companies in a variety of sectors, including
agrochemicals, pharmaceuticals and consumer goods. Litigation
before national and EU courts also forms an integral part of her
work.
May Lyn Yuen

Partner
Hogan Lovells
T: +32 (2) 505 0977
E: maylyn.yuen@hoganlovells.com
Based in Brussels for over a decade, May Lyn Yuen advises

on all aspects of EU competition law. She has specific expertise
in advising clients in the life sciences sector on the antitrust
issues arising from joint collaborations and M&A deals, licensing
and distribution arrangements, pricing practices and antitrust
investigations.

R&C: Could you provide an overview of supply structures that they have set up and in their
key developments around competition/ pricing decisions. For example, there has been a
antitrust in the life sciences sector? surge in activity across the European Union (EU) in
relation to the pricing of medicines and protective
Antypas: Competition law enforcement in the equipment. We have also seen the launch of
pharmaceutical sector has been a high priority for investigations across Europe with regard to abuses
competition authorities in Europe in recent years. of dominance, competitor collusions and information
Substantial fines running into millions of euros exchange.
have been imposed on pharmaceutical companies
found to have engaged in excessive pricing, abusive R&C: How would you describe recent
patent strategies and market sharing/pay-for-delay enforcement efforts to curb anti-
arrangements aimed at preventing or delaying the competitive business practices in the life
market entry of generic medicines. This focus is likely and sciences sector? To what extent has
to remain in the post-COVID-19 era, which has placed the coronavirus (COVID-19) pandemic
access to affordable and innovative medicines, and been used as a ‘cover’ for non-essential
other critical healthcare products, even higher on collusion?
the political agenda. Mergers, and notably the risk of
‘killer acquisitions’ in the sector, such as the Illumina- Yuen: During the COVID-19 outbreak, competition
Grail deal, are also under increased scrutiny by the authorities indeed faced a difficult task of striking a
European Commission (EC), in particular in highly balance between ensuring that the competition rules
innovative sectors, including pharma and biotech. were being respected while avoiding a chilling effect
The concern is that the acquisition of small and on any necessary initiatives relating to the supply
start-up companies may be deployed as a strategy and distribution of essential products. Competition
by large established market players to remove authorities in Europe issued guidelines and ‘comfort
future competition, keeping prices high and reducing letters’ that recognised the need for flexibility in
innovation. the application of competition rules. At the same
time, authorities have also been increasingly
Yuen: European competition law enforcers have interested in pricing issues. For example, EU member
been busy in the last year. Life sciences companies state authorities have opened investigations into
are being scrutinised in the deals that they are doing, companies allegedly hiking up prices of masks and
in collaborations that they are entering into, in the hand sanitisers, while the EC secured commitments

on drug pricing in a rare excessive pricing case. These R&C: What steps have regulators
efforts show that the authorities are alive to the need taken to adapt competition/antitrust
for antitrust enforcement in relation to the supply, law and enforcement priorities to assist
distribution and pricing of drugs, especially during life sciences companies with meeting
these unprecedented times. the challenges caused by the COVID-19
pandemic, while also protecting
Antypas: Authorities in Europe have been trying consumers from unscrupulous business
to address the many challenges the pandemic has practices?
brought to the healthcare system. The key focus
for authorities has been to facilitate temporary Antypas: The unprecedented crisis showed that
cooperation mechanisms to ensure vaccine collective industry action was needed to effectively
production and critical medicines supply through address the key challenges of the pandemic. In
formal and informal guidance to industry. In parallel, response to the crisis, the EC took rapid action to
Europe has been working on a pharmaceutical ensure that competition rules did not act as an undue
strategy to create a future-proof regulatory deterrent for companies willing to cooperate. In its
framework promoting research and innovation while April 2020 ‘Temporary Framework Communication’,
addressing market failures, such as securing supply the EC allowed temporary and limited cooperation
chains. At the same time, regulators maintained a between competitors for the supply of essential
tough stance on anti-competitive business practices. products and services. It also issued two ‘comfort
Enforcement activity has been slow with onsite letters’ signing-off on specific industry projects
inspections being postponed due to COVID-19 to avoid shortages of critical hospital medicines
restrictions. However, as the pandemic started – ‘Medicines for Europe’ in April 2020 – and to
to recede, activity levels are returning to normal. upscale European production of COVID-19 vaccines
In June 2021, the EC carried out its first surprise – ‘Matchmaking Event’ in March 2021. At the same
inspection at company premises since the start of time, competition regulators warned against COVID-
the pandemic. Authorities have signalled that strong related ‘crisis’ cartels and have taken action against
action will be taken against companies engaging in suspected anticompetitive conduct during the
anti-competitive or unfair business conduct during pandemic, including price gouging for critical goods
the health crisis, for example by charging excessive such as masks and hand sanitisers.
prices.

Yuen: Competition regulators rose to the to evolve as the world transitions through
challenge of COVID-19 to provide guidance to the pandemic?
companies and assurances on their enforcement
priorities to consumers. For example, within weeks Yuen: It is interesting that the EC announced
of the outbreak being categorised as a pandemic by a change in its approach to reviewing mergers.
the World Health Organization (WHO), the EC and EU For some time, companies that did not meet the
member state authorities issued a joint statement merger control thresholds in Europe would not need
on the application of competition law in
relation to cooperation agreements for the
supply of scarce products. The statement
made it clear that the authorities would “Life sciences companies are being
not actively intervene in cooperations scrutinised in the deals that they are doing,
between companies where the efforts in collaborations that they are entering
were necessary and temporary. At the
into, in the supply structures that they
same time, authorities warned that price
gouging would not be tolerated. The
have set up and in their pricing decisions.”
EC also communicated that during the
exceptional circumstances brought on
May Lyn Yuen,
by the pandemic, cooperation between Hogan Lovells
companies, which may involve the
exchange of commercially sensitive
information, would either not be problematic under to be concerned about having their transactions
EU competition law or, because of the emergency assessed by the competition authorities. This has
situation and the temporary nature of the efforts, now changed. It is now clear that the EC will want
would not be an enforcement priority for the EC to seize jurisdiction over certain mergers where
provided that certain conditions were met. the transaction threatens to significantly affect
competition, regardless of whether European merger
R&C: Could you highlight any recent, filing thresholds are met. Most at risk include deals
high-profile competition/antitrust cases in the life sciences space involving nascent firms
and what they tell us about current with little or no turnover but where competition on
regulatory attitudes? How are these likely innovation is a key feature. As the world transitions

through the pandemic and M&A activity increases, R&C: What advice would you offer to
companies will need to keep in mind that their deals life sciences companies on managing
may need to be approved by the EC and prepare for their operations, business practices and
the timing implications of that. processes to ensure compliance with
competition/antitrust regulations?
Antypas: We will continue to see robust
enforcement action by the EC and national
competition regulators in antitrust and
mergers in the pharmaceutical and “Close scrutiny is expected to continue
healthcare sectors. Since 2009, the EC
with strong enforcement action against
has adopted several antitrust decisions
against pharmaceutical companies for
excessive pricing practices, and any
anticompetitive conduct. In February strategies that may weaken generic
2021, the EU’s first ever case concerning competition.”
excessive pharmaceutical pricing ended
with commitments by Aspen to radically
reduce its prices by 73 percent on average Irene Antypas,
Ashurst LLP
across Europe for six critical medicines.
Margrethe Vestager, commissioner for
competition at the EC, said this decision “gives a Antypas: Companies must understand the
strong signal to other dominant pharmaceutical risks of infringing EU competition rules and should
companies not to engage in abusive pricing practices determine the areas and divisions of their business
to exploit our health systems”. Unfair pharmaceutical where potential competition issues are most likely
pricing has also been the focus of recent national to arise. It is key for companies to develop a culture
enforcement, notably the UK Competition and of compliance, which involves putting in place an
Markets Authority. European regulators also continue effective and dynamic competition compliance
to scrutinise other types of abusive and collusive programme, including internal guidelines and
conduct in the healthcare sector. A formal EU do’s and don’ts for company staff. This should be
investigation was launched last year into Teva’s accompanied by internal reporting and escalation
alleged misuse of patent procedures to exclude mechanisms encouraging staff to flag potential
competitors. issues and concerns. Regular training should also

be provided for staff members most likely to be enforcers. Short, medium and long term planning will
confronted with high-risk situations, such as sales be important. In the early stages of an investigation,
personnel. Lastly, companies may conduct internal a level of cooperation is often advisable, as supplying
compliance audits from time to time to review incorrect or misleading information may have
specific business activities that can potentially raise negative consequences for the company, including
competition law issues. fines. The company will also need to keep an eye
on the long game as well. Investigations are time-
Yuen: It is important to invest in a good consuming, and their implications can drag on for
compliance programme. This means identifying the years, especially when follow-on damages actions
areas of risk in the business, building knowledge are factored in.
within the company of the importance of compliance,
providing guidelines on do’s and don’ts, engaging Antypas: If a competition authority suspects that
with employees on their concerns and, importantly, an infringement of competition law has occurred, it
getting buy-in from senior management on a usually starts with unannounced inspections – known
compliance strategy. Compliance programmes need as dawn raids – at company premises. Dawn raids
to be tailored to the culture of the company and may take place in multiple locations and countries
should be a welcomed learning experience and at the same time. Inspectors have wide investigative
platform for further engagement for employees, powers and increasingly rely on forensic software
rather than a mechanical box-ticking exercise. to search for and recover data. Failure to cooperate
during a dawn raid may attract significant fines, and
R&C: If a life sciences company does individuals may face civil or even criminal sanctions.
find itself subject to competition/antitrust At the same time, it is important to ensure that the
investigation or enquiry, how should it company’s rights and the limits on the inspectors’
respond? powers are respected, and that the impact of the
dawn raid on the day-to-day business is minimised. It
Yuen: Immediate actions include identifying the is therefore crucial that an effective internal response
breach and ensuring that the company has as full strategy is put in place to deal with potential dawn
an understanding as possible of the scope of the raids. All staff, including IT, must know how to deal
investigation it is involved in. Together with the with inspectors and what their legal obligations
assistance of its legal counsel, the company will and rights are. Following a dawn raid, it is key for
need to consider its strategy for engaging with the companies under investigation to develop a defence

strategy together with their in-house and external Ms Vestager also called for greater cooperation and
lawyers, evaluate the merits of the allegations being a coordinated approach on antitrust enforcement
made against the company, and where necessary, between Europe and the US in a number of industry
evaluate the benefits of an speedier resolution sectors, including the pharmaceutical sector. In this
through settlement – in cartel investigations only – context, the commissioner made specific reference
or commitments, which are not available for cartel to pharma companies using “new ways to fight off
cases. the threat that competition will eat away at their
profits, misusing the courts and the patent system
R&C: What are your predictions for to keep generics out, or buying up smaller rivals that
competition/antitrust activity in the life are developing competing drugs, only to further stifle
sciences sector as we proceed through competition”.
2022? Are we likely to see a rise in
enforcement action? Yuen: Life sciences will remain one of the key
areas of focus for European competition law
Antypas: It is expected that the EC and national enforcers in 2022. The more flexible and lenient
competition authorities in Europe will keep closely approach adopted during the COVID-19 pandemic will
monitoring effective competition in the life sciences eventually fall away as businesses and consumers
sector, and in the pharmaceutical sector in particular. become more accustomed to life with COVID-19. The
Close scrutiny is expected to continue with strong coronavirus outbreak also put practical obstacles
enforcement action against excessive pricing in the way of competition law enforcement. I would
practices, and any strategies that may weaken also expect that now that workforces are returning to
generic competition. In the recently published the office, unannounced inspections by enforcers to
‘Management Plan 2022’, the EC announced its plans gather evidence on alleged breaches of competition
to start more investigations on its own initiative – ex laws, such as dawn raids, will pick up. RC
&
officio – in all industry sectors. At the end of last year,

PERSPECTIVES
PERSPECTIVES
ET HICS A N D C O M P L I A N C E
I N CLI N I CAL T R I A L S : N EXT
GENE RATI O N
BY EZEQUIEL GARFINKEL, ROBERTA DRISCOLL AND CHRISTOPHER ASAKIEWICZ
> NOVARTIS RESEARCH & DEVELOPMENT
I
t has been more than two years since the technology disciplines and using data and analytics
coronavirus (COVID-19) pandemic changed our to understand the rise of new variants and patterns
lives. Apart from colossal changes to our own of their spread, to develop new technologies for
personal health, the ways we purchase goods, rapid diagnosis, and to conduct fast but still rigorous
how we educate our children, how we run multi- clinical trials focused on prevention and treatment.
participant events and even the vocabulary we use The world was waiting for urgent prevention and
(keeping ‘social distance’, ‘flattening the curve’ and therapeutic approaches to counter this disease.
drinking ‘quarantini’ cocktails), COVID-19 appears Consequently, there was considerable pressure
to have catalysed quantum leap changes in global to develop solutions as fast as possible. However,
sectors. the ‘traditional’ clinical trial model is not suited to
In healthcare, we witnessed how medical teams COVID-19 restrictions such as lockdowns or travel
in hospitals, scientists, researchers, small biotech restrictions. Therefore, design and execution of
firms and big pharma players made heroic efforts clinical trials needed to transform, moving toward
(jointly and separately) to fight the pandemic. The decentralised and hybrid trial models, characterised
entire ecosystem has been unleashing science and by virtual elements, advanced technologies (even

PERSPECTIVES
blockchain), apps and home visits and, as a practical while sailing into uncharted clinical trial waters, trials
matter, moving away from traditional face to face adhere to the highest ethical standards for clinical
interactions. Have we transformed the way we run research and are conducted in compliance with
trials in general? all applicable international guidelines and internal
It appears that the trend toward new and corporate policies, designed to protect participants’
innovative ways of conducting clinical research, rights and keep them safe.
which started before the pandemic, has accelerated.
While considering some of the key clinical trial Adopting new technologies to become
trends and ensuring the continued momentum more agile
of building society’s trust in the pharmaceutical Research moves at the speed of light and there are
industry, there is even a greater need to ensure that, always researchers willing to test their hypotheses

ETHICS AND COMPLIANCE IN CLINICAL TRIALS: NEXT GENERATION PERSPECTIVES
as fast as ideas present themselves. However, as privacy threats and give control of data back to the
the entire field moves toward embracing innovative user interacting with the technology.
solutions and new technologies, we need to make One of the most difficult challenges facing the
sure that the quality of data produced, as well as industry is to ensure that technology is used in a
the basic rules of the game, are not impacted by the responsible manner and serves a clearly defined
pandemic or whatever else the future may bring. goal. For example, automation can process
Unfortunately, neither regulatory nor compliance significantly larger datasets more quickly and with
frameworks move at the same pace as innovation. fewer errors than humans. Managing expectations
Given the challenges of the pandemic, today more is key.
than ever, clinical trial sponsors are exploring
the use and integration of new technologies into Prioritisation of decentralised trials
clinical practice, as complementary if not primary The COVID-19 pandemic significantly impacted
diagnostic tools. While these are clearly ‘outside most clinical research activities. Research and
the box’ solutions, it does not come without risk or development organisations had to undertake an
challenges, especially when the industry is trying to urgent critical assessment of their ability to run trials
build trust with society. in hospitals and clinical care facilities, which were
Integrating new technologies into clinical themselves already under tremendous pressure
trials presents challenges, not only for clinical to provide care and treatment for their patients.
trial participants and patients, but also for the In many cases, trials assessing new therapeutics
researchers utilising the technologies. There are were either significantly delayed or even cancelled,
concerns around bias, privacy, and liability when causing disruption to patients and participants.
something goes wrong. Clinical trial teams must As access to traditional clinical trial sites was
familiarise themselves with emerging technologies disrupted, industry sponsors and researchers
and plan proactively to anticipate undesired effects together were able to pivot from traditional clinical
which may manifest as disparate impacts or trial design to a ‘decentralised’ model: study drugs
discriminatory outcomes. Sponsors must ensure were shipped directly to trial participants, delivered
that researchers are transparent, not only during by home healthcare providers or administered by
the informed consent process for participants, but local healthcare providers. Routine trial activities
also in materials to help educate all those who are were conducted using telemedicine appointments
utilising the technology. Moreover, with the increase or home nursing. Technological devices were utilised
in cyber attacks, it is our ethical duty to address to remotely collect data directly from the trial

participant, typically using wearable devices and special storage, such as refrigeration or locked
telemedicine. storage boxes to prevent unauthorised access.
Although restrictions on travel will ease,
and access to healthcare facilities is more Evolving focus
readily available, the trend toward prioritising a The evolution of clinical trials toward a
decentralised model persists, because it has distinct decentralised model enables a focus on the needs
advantages over the traditional site-based model. of patients and research participants. As a result,
Participant recruitment and retention are improved ensuring that trials are conducted responsibly
by facilitating access to clinical trials, because may present new challenges. Certain geographic
people who, for whatever reason, are unable to locations may lack robust digital infrastructure and
travel to centralised trial locations, can successfully thereby limit participant engagement. Trials may
participate. A decentralised trial model can increase involve transfer of data using smartphone ‘apps’ or
the diversity of trial participants, which is a much- the internet, devices that might be inaccessible to
needed benefit. some individuals due to cost. As a result, people who
might qualify for enrolment may be unnecessarily
Home nursing and direct to patient excluded, and any efforts to overcome these
delivery limitations by providing adequate accommodations
The global pandemic also changed how patients raise questions about inducement. As diversity in
interacted with study staff at the clinical site. To clinical trials has become increasingly important, the
ensure the integrity of the study and the safety impact of decentralisation on the generalisation of
of patients and site staff, some trials required data obtained from such trials should be carefully
the provision of home nursing services. Instead assessed.
of traditional site visits, home nursing allows
medication to be administered and outcomes Evolving ethics and compliance
monitored in the safety of the patient’s home. This Decentralised trials utilise novel means of
presents several challenges, such as oversight, study engaging with, and empowering, patients and
training and adverse event reporting. Additionally, participants. Unfortunately, innovation evolves
some studies now deliver medication directly to much more quickly than regulation, and at present
patients. However, the regulations governing delivery timely and mature legal, ethical and compliance
of trial medications differ by region or across frameworks are lacking. Nonetheless, it remains of
borders. Some trial medications may also require the utmost importance that patients and participants

are not exposed to undue risk, and that their safety outputted in the blink of an eye. This is all done in
and privacy be protected at all times. This will require the context of prioritising projects and allocating
adapting and enhancing current standards, and budgets based on strong probabilities of technical
developing new standards, which will certainly be a success. The pandemic made us think differently.
key focus of ethics and compliance professionals.
Speed and cost versus quality

Speed, cost and quality are the
“The evolution of clinical trials toward
three key vectors which direct
decisions when designing a clinical
a decentralised model enables a focus
programme. Occasionally, when centre on the needs of patients and research
mass leans toward myopic business participants. As a result, ensuring that
considerations, disproportionally trials are conducted responsibly may
bigger emphasis is put on the first
present new challenges.”
two pillars, compressing timelines
and reducing costs, therefore losing
focus on quality. Quality means many
different things to different people. It can mean good Summary
clinical, manufacturing, laboratory or documentation Increasing competition, novel modalities and an
practices, or it can mean executing your programme explosion in biomedical advances have put pressure
ethically and with the utmost integrity. No matter on research and development professionals. With a
what your definition is, one can never lose sight global pandemic in the mix, this pressure increases
of this pillar, as removing it causes the whole and needs to be addressed with caution. The
foundation to fall. ways to handle it are novel: new and potentially
Before the pandemic, research and development untested technologies, decentralised or remote
teams were already under pressure to reduce cost trials, various direct patient interactions to prevent
and bring their products toward regulatory approval unnecessary visits to hospitals or clinics, and patient
quicker. Sample sizes got smaller using historical centricity while ensuring the protection and safety
controls or modelling, clinical programmes were of patients, caregivers, researchers, employees and
launched faster, recruitment has been competitive, their families. Close engagement with ethics and
and data has been received, processed and

compliance professionals will help navigate these Ezequiel Garfinkel

issues. Global Head, Ethics, Risk & Compliance, R&D
Novartis Research & Development
Ethics and compliance can help to prevent,
T: +972 54 467 0997
detect and respond to potential pitfalls by providing
E: ezequiel.garfinkel@novartis.com
educational material, tools and training developed
in collaboration with clinical trial teams. They serve
as experts in local laws and requirements and Roberta Driscoll
Director, Ethics, Risk & Compliance, R&D
can perform ongoing monitoring and share best
practices.
T: +161 78 713 610
Today’s ethical dilemmas will be tomorrow’s E: roberta.driscoll@novartis.com
compliance requirements. The profession is in
a unique position to support open discussions
on the ethical challenges that face research and Christopher Asakiewicz
Director, Ethics, Risk & Compliance, R&D
development teams. People should feel safe to talk
about the ethical dimensions of their decisions,
T: +186 27 788 309
which will help build trust with society. No one E: christopher.asakiewicz@novartis.com
should feel pressured to compromise quality
because of concerns over cost or timeline controls.
While ethics and compliance professionals
are there to detect and respond to existing and
emerging gaps, their primary tenet is to provide
support to prevent quality issues from occurring.
This will drive a culture of integrity and empower
teams to do what is right. Post-pandemic, the new
ways of doing things are indeed a challenge, but
opportunities are ahead of us. RC
&

HOT TOPIC
H OT T O P IC
DEVELOPMENTS IN
EUROPEAN ANTI-MONEY
LAUNDERING

DEVELOPMENTS IN EUROPEAN ANTI-MONEY LAUNDERING HOT TOPIC
PANEL EXPERTS
Joydeep Sengupta Joydeep Sengupta is a member of the compliance, investigations and

Counsel regulatory team at Mayer Brown’s Paris office, within the litigation and
dispute resolution department. He focuses on cross-border litigation,
Mayer Brown compliance and enforcement matters for financial institutions and
T: +33 (1) 5353 3949 corporations, including the resolution of administrative and enforcement
E: jsengupta@mayerbrown.com proceedings involving regulators and prosecutors. He has represented
major US and European banks, as well as global corporations, in internal
investigations related to US and European anti-money laundering,
economic sanctions, market manipulation and anti-corruption laws.
Hannah Meakin Hannah Meakin is a financial services regulation lawyer based in

Partner London. Her practice focuses on market infrastructure, commodities
derivatives and FinTech. She advises on all aspects of compliance with
Norton Rose Fulbright LLP relevant PRA and FCA requirements and has particular knowledge of
T: +44 (0)20 7444 2102 brokerage, exchange trading, clearing, settlement, custody, client money
E: hannah.meakin@nortonrosefulbright. and wholesale conduct. She helps clients understand and implement
financial services legislation, including MiFID II, MAR, EMIR and the CRR,
com and has led client projects on each of these.
Andrea Huber Andrea Huber is a partner and member of Pestalozzi’s financial services
Partner group specialising in banking and regulatory matters including FinSA and
FinIA, asset management and investment funds, FinTech, capital market
Pestalozzi transactions, compliance and white-collar crime. She regularly represents
T: +41 (44) 217 9241 clients in proceedings before the Swiss Financial Market Supervisory
E: andrea.huber@pestalozzilaw.com Authority (FINMA), the SIX Swiss Exchange and the CDB Supervisory
Board (VSB Aufsichtskommission).
Eric Russo Eric Russo is a partner at Quinn Emanuel Urquhart & Sullivan LLP.
Partner His practice focuses on white-collar crime, regulatory investigations,
compliance and litigation. He advises and assists global corporations
Quinn Emanuel Urquhart & Sullivan LLP and their managers in the conduct of internal investigations and in
T: +33 (1) 7431 3520 the context of enforcement proceedings, in Europe and in the US.
E: ericrusso@quinnemanuel.com His expertise also covers financial market abuses and corporate and
commercial litigation. Formerly a public prosecutor, Mr Russo carried out
several landmark criminal investigations related to money laundering and
international corruption.

R&C: Could you provide a general published ‘FINMA Risk Monitor’ also highlights
overview of money laundering activity in the fact that Switzerland is particularly exposed
Europe? What trends have you observed to money laundering risk. New customers of the
in recent years? Swiss asset management industry are often found
in emerging markets where there is a significant risk
Meakin: Ilicit activity continues to be a prevalent of corruption. Experience shows that, in addition
issue. Over the last few years, money laundering to wealthy private clients who often qualify as
has increased and, according to Europol, around 1 politically exposed persons (PEPs), state-owned
percent of the European Union’s (EU’s) annual gross or state-related enterprises and sovereign wealth
domestic product is “detected as being involved funds are also involved in financial flows associated
in suspect financial activity”. This is due to the with corruption and embezzlement. The risks are
expanding nature of predicate offences moving increased further by complex structures that can
from traditional nefarious activity of crime and cloud transparency on the beneficial ownership
drug-related offences to more niche and intricate of assets concerned. These structures include
methods which technological advancement has domiciliary companies, fiduciary relationships and
nurtured. There is an increased risk presented by the insurance wrappers.
surge in popularity of virtual currencies that allow
for increased anonymity. Moreover, most recently, Russo: It is possible to observe that money
the change in behaviours due to the coronavirus laundering in recent years combines older methods
(COVID-19) pandemic has led to new money with newer ones that have been developing through
laundering activity. time. Recent money laundering trends are related
to the increasing importance of digital services.
Huber: Anti-money laundering (AML) is and Indeed, it is reported that money launderers now
remains a highly critical issue in Switzerland as a increasingly rely on the virtual assets sector,
leading global cross-border wealth management meaning their methods increasingly include the use
hub for private clients. A look at the latest annual of cryptocurrencies, and other components of the
report from the Swiss Financial Market Supervisory rapidly evolving ecosystem of decentralised finance.
Authority (FINMA) shows that the Anti-Money This alternative system removes the traditional
Laundering Act (AMLA) is not only one of the focus forms of control that banks and institutions
points of conduct supervision by FINMA but also have on financial flows and services because of
plays a central role in enforcement. The recently reduced traceability. The more limited regulation of

decentralised finance compared to the traditional R&C: To what extent has the coronavirus
banking sector is also a facilitating factor. (COVID-19) pandemic increased the
opportunities for money laundering,
Sengupta: Europe has seen a tremendous particularly with the mass shift to remote
regulatory and enforcement focus on money working?
laundering in recent years, with multiple domestic
and cross-border investigations bringing to Huber: Reports to Switzerland’s Money
light increasingly complex typologies of money Laundering Reporting Office (MROS) rose 25 percent
laundering. They often involve multicurrency in 2020, with many of them related to COVID-19
fund flows over long periods involving offshore credits. MROS received 5334 such reports in 2020,
jurisdictions, obscure shell companies and complex concerning more than 9000 business relationships.
transactions involving unusual asset classes. High- Nearly 90 percent of these reports came from banks.
profile financial scandals, such as the Panama They included 1046 reports relating to COVID-19
Papers, Pandora Papers, Paradise Papers, the credits granted by financial institutions (FIs) under
Russian Laundromat and Swissleaks, have touched the guarantee of the Swiss federal government. They
nearly every major financial centre in Europe, concerned 1054 loans granted by 43 different banks,
including the private banking sector. Decades of totalling approximately CHF149.6m. MROS further
financial scandals and terrorist attacks have led EU warned that the pandemic has provided criminals
countries to adopt an AML-countering the financing with new opportunities for illegal enrichment, thus
of terrorism (CFT) framework that includes, among increasing the risk of money laundering. While new
other things, EU AML Directives, as well as the technologies facilitate efficiency improvements in
recommendations of the Financial Action Task Force financial services, the threats of money laundering
(FATF). Actors such as Moneyval, the Council of and the financing of terrorism are also heightened
Europe body assessing compliance with AML/CFT, due to the potential for greater anonymity along with
and the Egmont Group, the international platform the speed and cross-border nature of transactions.
for secure exchange of expertise and financial
intelligence between financial intelligence units Russo: The COVID-19 pandemic has indeed
(FIUs) for AML/CFT, have also had a significant impact pushed individuals and companies into remote
on the European prevention and enforcement working and increased online activity. This, in turn,
landscape in recent years. has fostered an emergence of cyber crime, including
email and SMS phishing attacks, ransomware

and business email compromise scams. FATF has Meakin: The COVID-19 pandemic has led to an
highlighted that such illicit behaviours have created increase in opportunities for individuals involved
new sources of proceeds for illicit actors. The in money laundering. There was a vast change in
layering of illicit revenue has also benefitted from customer attitude and behaviours and, as a result,
the increase in remote transactions through misuse the way in which customers utilise the financial
of the formal banking system, the decentralised system. During this period there was significant
banking sector and investment in cryptocurrencies. uptake in digital services. Money launderers were
Sengupta: Stay at home orders and

remote working have shifted dependence
on technology to new heights, fostering “In view of constant technological
an increased reliance on the digital world. changes, corporations can no longer rely
Opportunities for money laundering arise
on manual KYC processes to get by in
from hidden information regarding the
ultimate beneficial owners, the origin or
their AML efforts.”
final destination of funds. Remote working
also reduces the opportunity for in-person
contact with clients and site visits with Eric Russo,
intermediaries, which may make it easier Quinn Emanuel Urquhart & Sullivan LLP
to conceal or disguise certain types of
information, and is detrimental to proper third party able to evolve their techniques, leading to a well-
due diligence and know your customer (KYC) checks. publicised rise in fraud, with vulnerable individuals
FATF produced a helpful report in May 2020 detailing often being the target. In relation to the mass shift
COVID-19-related money laundering and terrorist to remote working, it placed more pressure on the
financing risks and policy responses. This report lists system to detect and stop money laundering, in real-
increased fraud, including impersonation of officials, time.
counterfeiting, fundraising for fake charities and
fraudulent investment scams, cyber crime, business R&C: What legal and regulatory
email compromise scams and ransomware attacks, developments have been aimed at
which have contributed to greater money laundering tackling money laundering across Europe?
activities. To what extent have authorities increased

their anti-money laundering (AML) due diligence (CDD) and beneficial ownership. Third,
monitoring and enforcement efforts? a sixth directive on AML/CFT (AMLD), replacing
the existing Directive 2015/849/EU, the fourth AML
Russo: On 21 June 2021, the European
Commission (EC) released an elaborate
package of legislative proposals to
strengthen the EU’s AML and CFT rules, “The increase in the number of MROS
as a way to close loopholes money reports indicates a cultural shift as well
launderers may use. This package includes as better monitoring systems, but also
the establishing of a new EU AML/CFT
the continued existence of a number of
authority, a new EU regulation on AML/
significant risks.”
CFT containing directly-applicable rules
in EU member states, and a revision of
Regulation 2015/847/EU on Transfers of
Andrea Huber,
Funds to trace transfers of crypto assets. Pestalozzi
It constitutes adapting the regulation
toward newer methods of fraud observed
during the pandemic by closing gaps that may exist directive as amended by the fifth AML directive.
in the financial system and focusing on increased Finally, a revision of the 2015 regulation on transfers
coordination between EU member states, such as of funds to trace transfers of crypto assets. In
increased information sharing and means of action. addition, in December 2021, the European Banking
Authority (EBA) decided to strengthen its AML/CFT
Meakin: There have been significant supervision by issuing its revised guidelines on risk-
developments in the legal and regulatory system based supervision of credit and FIs’ compliance with
within the EU. In July 2021, the EC published AML/CFT requirements.
a package of legislative proposals aimed at
strengthening the EU’s AML and CFT rules. The Sengupta: One of the most significant recent
package consists of four legislative proposals. First, a European AML developments was the AML and
regulation establishing a new EU AML/CFT authority. CFT legislative package in 2021, which contains
Second, a regulation on AML/CFT, containing directly- four legislative texts aiming at harmonising AML
applicable rules, including in the areas of customer laws across member states. Firstly, the EC has put

forward a draft proposal for an AML regulation, better monitoring systems, but also the continued
which will give more detail into CDD requirements existence of a number of significant risks.
and adapting third country policy. Secondly, the
6AMLD provides details on the beneficial ownership R&C: What solutions are being deployed
register and strengthens cooperation between FIUs. by companies in Europe to tackle money
Thirdly, there are proposed amendments to an EU laundering? To what extent is technology
regulation to facilitate the tracing of transfers of being used to enhance processes,
crypto assets. Finally, and perhaps most importantly, warnings systems and controls?
a regulation establishing the authority for AMLA
has been proposed, to ensure more harmonised Sengupta: The European AML landscape is
monitoring and enforcement. This European body diverse and FIs must keep pace with developing
will monitor developments across member states rules and regulations in order to meet their
and third countries, establish a central database compliance obligations, as enforcement actions are
compiling information from supervisory authorities, on the rise. Supervisory authorities have the power
and analyse the information collected to support, to impose a set of sanctions that are effective,
facilitate and strengthen cooperation and exchange proportionate and dissuasive, so it is essential that
of information. In terms of enforcement, it is also the applicable AML regulations are properly applied.
tasked with ensuring group-wide compliance FIs must meet more and more obligations to fight
carrying out supervisory reviews and assessments. money laundering and terrorist financing, and
prevent fraud. Innovative technologies, frequently
Huber: FINMA has been dealing with five dubbed ‘RegTech’, can automate some of these
enforcement cases in 2020 in connection with processes and simplify the management of risks
Venezuelan oil conglomerate PDVSA. These cases related to regulatory non-compliance. The EBA
clearly illustrate that a bank’s compliance framework wants to boost the adoption of these solutions by
must be adapted in line with risk appetite, harmonising rules within the EU and improving
institutions must establish the provenance of assets market knowledge. KPMG identified more than 240
and whether the clients concerned are indeed the startups in Europe, including about 50 in France, in
beneficial owners, and they must report any dubious its overview of the RegTech ecosystem, and AML is
relationships to MROS. The increase in the number the most represented segment.
of MROS reports indicates a cultural shift as well as

Huber: Money laundering is a serious problem for

the global economy. Customer risk-rating models
are one of the primary tools used by FIs to detect
money laundering. The models deployed by most
institutions nowadays are based on an assessment
of risk factors, including the customer’s profession,
salary and the banking products used. Such
information is collected when an account is opened,
but it is infrequently updated. Based on the law as
currently in force in Switzerland, the contracting
party only has to be identified again if doubts arise in
the course of the business relationship regarding the
information on the identity of the contracting party
or the beneficial owner. FATF qualified the lack of an
explicit obligation to ensure that customer data is up
to date as a significant deficiency in its 2016 country
report. Under the revised AMLA, a regular review of
all business relationships, in particular with regard to
KYC, is therefore required.
Meakin: The advancement in technology, while

leading to new and innovative ways for nefarious
actors to money launder, has also equally posed
significant opportunity for compliance and the fight
against money laundering. Many software providers
are available that aim to protect companies
from financial crime and make it easier to detect
finance crime. This software includes sanction
screening, politically exposed person screening,
automated identification and verification services,
and automated transaction-monitoring software.

Most technological solutions can be calibrated and

tailored, which further enhances the ability to tackle
money laundering.
Russo: In view of constant technological changes,

corporations can no longer rely on manual KYC
processes to get by in their AML efforts. Instead, they
need to adopt more advanced solutions that can
spot suspicious behaviour in online account activity
using multitiered identity management tools that
can quickly report or block any suspicious activity.
The pandemic and remote work have accelerated
advances in areas such as identity verification. The
focus through this shift has been improving data
quality and using data analytics, machine learning
and automated processes, such as screening, alert
remediation and transaction tracking – motivated in
part by the emerging requirement for perpetual KYC.
In addition, organisations will need to continuously
monitor customers after onboarding to detect
any changes in status that may increase their risk
level. Finally, because of increasing levels of crypto
crime, the more sophisticated countermeasure now
appears to be the development and deployment of
blockchain KYC solutions.
R&C: Do you believe companies need

to enhance the due diligence and
background checks they carry out on their
business partners and customers?

Huber: As of 1 July 2022, Swiss financial Russo: In the EU, each member state has an
intermediaries must verify the identity of beneficial AML supervisory authority which is responsible
owners and periodically review and update client for monitoring the national AML/CFT regime and
files instead of merely identifying them, as was verifying compliance by reporting entities. Such
the case up to now. Pursuant to the new law, the authorities can impose fines for non-compliance
financial intermediary must exercise due diligence or even report the case to another regulator. The
required under the circumstances to establish and US and the UK generally follow an equally punitive
verify the identity of the beneficial owners. Based on regime in the application of money laundering
the government dispatch, the financial intermediary rules and sanctions. In recent years, significant
may take a risk-based approach and, therefore, apply fines and other sanctions have been imposed on
different measures to ensure the plausibility of the EU banks operating abroad. It is important that
beneficial owner’s information. The required form companies, and especially banks, enhance the due
and depth of the review, however, is unclear under diligence and background checks they carry out to
the new statutory amendments. avoid sanctions. Moreover, French legislators have
introduced strict obligations in terms of third party
Meakin: CDD is the foundation of the KYC due diligence for both anti-corruption and AML.
principle. The KYC principle is a requirement for Disregarding appropriate diligence and checks can
companies to ensure that they understand who also lead to sanctions by regulatory authorities.
their customers are, their financial behaviour and Given the risk incurred in terms of sanctions,
the extent of the money laundering risk they present companies are encouraged to further enhance third
by doing business with them. As such, CDD remains party due diligence and to continue to develop new
one of the most important ways to combat money tools.
laundering. Companies are required to adopt a
risk-based approach to compliance, and with this Sengupta: For many companies operating in
apply enhanced CDD measures where required. high-risk sectors of the economy, or with multiple
Companies should continue to remain vigilant and touchpoints with high-risk jurisdictions, it is
use their risk appetite, their understanding of a advisable to enhance their due diligence policies and
customer and their activities to guide the extent of background checks based on the level of risk and
CDD measures conducted. using a defensible methodology. The EU perceives
due diligence as an essential element in combatting
money laundering. However, while historically

due diligence was only applied to customers, entity or the type of transaction in question. Thus,
it is becoming increasingly common with other a private bank establishing a new foreign client
stakeholders, such as partners, consultants and relationship with the purpose of performing high-
suppliers. It may also be necessary to renew due value commercial transactions using a complex
diligence and background checks periodically, and structure would need to apply higher standards
especially in light of any negative news or material than a routine relationship with a domestic client
change in the entity. The EU AMLDs
provide different levels of customer
due diligence: simplified, normal and
“Companies should continue to remain
enhanced measures. Enhanced due
diligence measures must be put in place
vigilant and use their risk appetite, their
when a product or transaction presents understanding of a customer and their
a high risk of money laundering and activities to guide the extent of CDD
terrorism financing and for any particularly measures conducted.”
complex transaction of an unusually high
amount that does not appear to have any
economic justification of lawful purpose. Hannah Meakin,
Norton Rose Fulbright LLP
R&C: What advice would you
offer to companies operating in Europe operating domestically in a low-risk sector of the
on establishing AML controls that can economy. Large EU countries may have more
detect suspicious activities and serve as restrictive obligations than other countries which
an effective red flag system? may be difficult to implement, but compliance is
essential to effectively fight money laundering and
Sengupta: Companies are required to comply terrorist financing. Because enforcement actions
with national laws and regulations applicable in the vary significantly from jurisdiction to jurisdiction,
jurisdictions in which they operate. This includes legal advice should be sought as to whether a
following the obligation to detect and report declaration should be made.
suspicious transactions consistent with national
laws and industry best practices. These obligations Russo: Companies probably need to have a
and control systems may vary based on the type of constant and sophisticated KYC approach and tools

due to how rapidly money laundering methods are investment because it calls for not only sufficient
evolving and how difficult it can be to have real-time experienced resources, but also for advanced
data processing and analysis. The role of artificial technology that can support the AML compliance
intelligence (AI) must not to be neglected in this function of the financial intermediary to better
respect. AI can be very helpful to monitor and assess identify, measure, monitor, control and report on
the multitude of cross-border transactions that take money laundering and the financing of terrorism
place over very short periods of time.
Meakin: Effective controls are a

vital cog in the AML wheel. FIs need “The European financial centres that
to continuously assess, review and, frequently serve as entry-points for
where needed, update their governance
proceeds of crime into the EU are
parameters on suspicious activities. AML
can be a fast-moving environment and
expected to face heightened scrutiny.”
risks can change at a moment’s notice.
Ensuring FIs have the right mechanism to
translate changes effectively through the Joydeep Sengupta,
business is critical – human determination Mayer Brown
is key. This becomes even more
challenging with complex international organisations, risks. Failure to have an effective AML compliance
so carefully managed information collaboration programme can result in enforcement action from
across the group is going to help. While technology FINMA, including heightened regulatory scrutiny,
is a key enabler for suspicious activity detection, it costly remediation efforts and legal costs, as well as
is important FIs have the right manual controls and reputational damage. It further needs to be noted
oversight to support and ultimately report this. More that cryptocurrencies are often used in connection
generally, they need to ensure that routine training with cyber attacks or as means of payment for illegal
is carried out, and that the audience is as broad as trading on the dark web. Money laundering risks can
needed. be significant for FinTech companies as well.
Huber: We strongly recommend having a robust R&C: How do you envisage the fight
AML programme in place. This requires substantial against money laundering in Europe

developing in the months and years Europe. More streamlined and directly applicable
ahead? Are you optimistic about the legal requirements, as well as a centralised
prospects for improved systems that lead supervisory framework, including the prospective
to a drop in financial crime? introduction of a single EU AML authority, are
expected to address the main shortcomings in AML/
Russo: The EU approach is very regulation- CFT enforcement in Europe – essentially, national
based. It seeks to implement common AML rules fragmentation and the lack of a consistent approach
throughout the EU to combat cross-border money to cross-border cooperation. This, coupled with
laundering more efficiently, especially in terms of continued technological developments allowing
increased information sharing. It is certain that in the firms to deploy more advanced systems and
future, stakeholders can expect first and foremost procedures to comply with AML/CFT requirements,
a more heavily regulated financial sector, in all should result in an overall improvement in global
its aspects. Moreover, KYC and AML compliance, efforts against financial crime.
in general, will be increasingly digitalised, as it
allows for these processes to keep up to date with Huber: The risks from complex and ever more
sophisticated methods used by cyber criminals sophisticated money laundering schemes will
and to respond better to legal and regulatory certainly increase in the future. Not only will
requirements. Finally, green crime is a new global detection systems improve, money launderers will
threat that is likely to go hand in hand with money also get more sophisticated. For instance, as banks
laundering. Green crime is very lucrative, posing and consumers push for the simplification and
risks to environmental and financial ecosystems by digitalisation of onboarding, new risks will arise.
exploiting natural resources. This type of crime is Therefore, financial intermediaries will need to
growing significantly each year. Therefore, we can improve their AML surveillance systems continuously
expect this concerning issue to be tackled by AML in line with applicable laws and regulations. In line
actors in the near future. with the continued and increased regulatory regime,
support for technology will be a prerequisite to
Meakin: With the recently proposed overhaul of enable financial intermediaries to further collaborate
the European legislative framework governing AML/ in building and improving their systems.
CFT efforts, it is clear that the fight against financial
crime remains and will continue to remain a priority Sengupta: The fight against money laundering
for decision makers and enforcement authorities in in Europe is expected to strengthen considerably,

especially in light of recent developments involving

economic sanctions targeting financial transactions
and assets relating to Russian oligarchs and Russian
PEPs. The luxury real estate sector, investment-based
‘golden visa’ schemes, the art and cryptocurrency
worlds are all expected to face increased AML
scrutiny in light of sanctions against Russia. The
creation of the new AMLA entity at the European
level is expected to strengthen cooperation
between different European jurisdictions, given
the multijurisdictional footprint of most money
laundering activity. The European financial centres
that frequently serve as entry-points for proceeds of
crime into the EU are expected to face heightened
scrutiny. RC
&

EDITORIAL PARTNERS
E D I T O R I A L PA RT N E R w w w. f t i c o n s u l t i n g . c o m
FTI Consulting
FTI Consulting is an independent global

business advisory firm dedicated to helping
organisations manage change, mitigate
risk and resolve disputes: financial, legal,
operational, political & regulatory, reputational
KEY CONTACTS
and transactional. FTI Consulting professionals, Andrew Durant

Senior Managing Director
located in all major business centres throughout
London, UK
the world, work closely with clients to anticipate,
T: +44 (0)20 3727 1144
illuminate and overcome complex business E: andrew.durant@fticonsulting.com
challenges and opportunities.
Piers Rake
Managing Director
London, UK
T: +44 (0)20 3727 1876
E: piers.rake@fticonsulting.com
Graham Handy
Managing Director
London, UK
T: +44 (0)20 3727 1018
E: graham.handy@fticonsulting.com

EDITORIAL PARTNERS
E D I T O R I A L PA RT N E R w w w. k p m g . c o m
KPMG
At KPMG, our audit, tax and advisory

professionals support financial services clients
with deep technical and industry experience,
and provide actionable operational, financial
and regulatory insights that help you cut
KEY CONTACTS
through complexity. With more than 6000-plus Brian Hart

Principal
professionals, including over 800 partners and
New York, NY, US
managing directors, covering financial services
T: +1 (917) 287 4512
sectors in more than 80 offices throughout E: bhart@kpmg.com
the country, these professionals are deeply
experienced in the issues, challenges, trends
John Kemler
and risks unique to financial services companies.
Principal
New York, NY, US
T: +1 (347) 754 2133
E: jkemler@kpmg.com
Greg Matthews
Partner
New York, NY, US
T: +1 (201) 621 1156
E: gmatthews1@kpmg.com

EDITORIAL PARTNERS
E D I T O R I A L PA RT N E R w w w. p e s t a l o z z i l a w. c o m
Pestalozzi
Pestalozzi is a multicultural Swiss business law

firm focusing on high-end work for domestic
and international clients since 1911. Pestalozzi
lawyers are strong and empathic personalities,
singled-out by a truly independent approach to
KEY CONTACT
their advice and representation of their clients’ Andrea Huber

Partner
interests. With over 100 professionals in Zurich
Zurich, Switzerland
and Geneva, the firm is at home in Switzerland’s
T: +41 (44) 217 9241
two main commercial hubs – and has developed E: andrea.huber@pestalozzilaw.com
a wealth of experience its key industries of
banking, life sciences, commodity trading
and insurance. While being locally embedded,
Pestalozzi has also developed sought-after
expertise in dealing with multijurisdictional
transactions and disputes.

EDITORIAL PARTNERS
E D I T O R I A L PA RT N E R w w w. s a s. c o m
SAS
No matter what role risk plays in your

organisation, SAS has proven methodologies
and practices to help you meet regulatory
demands with confidence. SAS’ high-powered
analytics empowers users to increase efficiency,
KEY CONTACT
transparency and profitability. Risk is at the core Alex Kwiatkowski

Director, Financial Services, Global
of banking, and SAS’ seamless risk framework
Industry Marketing
enables a risk-aware culture and optimises
Marlow, UK
capital and liquidity. How do we know? SAS T: +44 (0)1628 490 246
provides award-winning risk management to E: alex.kwiatkowski@sas.com
customers globally.

EDITORIAL PARTNERS
E D I T O R I A L PA RT N E R w w w. c o r p o r a t e c o m p l i a n c e. o r g
Society of Corporate
Compliance and Ethics (SCCE)
Society of Corporate Compliance and

Ethics (SCCE) is a non-profit, member-based
association serving 6500-plus members in
over 100 countries. Founded in 2004, SCCE
KEY CONTACT
Gerry Zack
is dedicated to supporting compliance and
Chief Executive
ethics professionals across all industries and
Minneapolis, MN, US
promoting the lasting success and integrity T: +1 (952) 567 6215
of organisations worldwide. SCCE offers 45- E: gerry.zack@corporatecompliance.org
plus educational conferences a year, weekly
webinars, publications, training resources,
and certification and networking opportunities
to support practitioners as they grow in
their careers and develop and maintain their
compliance and ethics programmes.

EDITORIAL PARTNERS
E D I T O R I A L PA RT N E R w w w. w o l t e r s k l u w e r. c o m
Wolters Kluwer
Wolters Kluwer is a global leader in

information services and solutions for
professionals in the health, tax and accounting,
risk and compliance, finance and legal sectors.
The group helps its customers make critical
KEY CONTACT
decisions every day by providing expert Mike MacDonagh

Director of Content Strategy
solutions that combine deep domain knowledge
London, UK
with advanced technology and services.
E: mike.macdonagh@wolterskluwer.com
Founded in 1836 in the Netherlands, the
group serves customers in over 180 countries,
maintains operations in over 40 countries and
employs 19,200 people worldwide.

EDITORIAL PARTNERS
ORGANISATION
ISACA
ISACA is a global association helping individuals and

enterprises achieve the positive potential of technology.
Today’s world is powered by information and technology, and
ISACA equips professionals with the knowledge, credentials,
education and community to advance their careers and
transform their organisations. With a presence in 188 countries,
including more than 220 chapters worldwide and offices in both
the US and China, ISACA leverages the expertise of its 460,000
engaged professionals – including its 140,000 members – in
information and cyber security, governance, assurance, risk and
innovation, as well as its enterprise performance subsidiary,
CMMI Institute.
Kerris Lee
Global Director of Enterprise Risk Management
Chicago, IL, US
E: klee@isaca.org
www.isaca.org

& risk
RC &
compliance
APR-JUN 2022
www.riskandcompliancemagazine.com

Risk and Compliance Apr-Jun 22

Uploaded by

Copyright:

Available Formats

Risk and Compliance Apr-Jun 22

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Risk and Compliance Apr-Jun 22

Uploaded by

Copyright:

Available Formats

risk &

Inside this issue:

2 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

014 FEATURE 038 PERSPECTIVES

No part of this publication may be copied, reproduced, transmitted ONE-ON-ONE INTERVIEW

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 1

072 PERSPECTIVES 095 PERSPECTIVES

077 PERSPECTIVES 099 PERSPECTIVES

081 PERSPECTIVES 105 MINI-ROUNDTABLE

089 PERSPECTIVES 119 HOT TOPIC

2 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

Conducting Compliance Investigations

Get more information

Welcome to the thirty-eight issue of Risk

4 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 5

6 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 7

8 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 9

10 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 11

Appetite for enforcement For Mr EI-Hindi, once illicit activity is confirmed,

12 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 13

14 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 15

a formal rule, it is often as effective and can

16 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 17

Transition risks financial stability reports and special publications.

18 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

demonstrate that they are protecting stakeholder

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 19

FTI Consulting is an independent global business

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 21

Fabyola En Rodrigues Fabyola En Rodrigues is a partner and leads Demarest’s white-collar

22 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

other crimes – but also at the legislative

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 23

24 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 25

26 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 27

Rodrigues: The effectiveness of the legal and

Cadavid: To gauge the effectiveness of the legal

28 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

there has been a high success rate in the fight

Rassi: At least on a national level, LATAM

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 29

the parent company was accused of

30 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 31

32 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 33

34 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 35

36 RISK & COMPLIANCE Apr-Jun 2022 www.riskandcompliancemagazine.com

are even more important as they allow companies

www.riskandcompliancemagazine.com RISK & COMPLIANCE Apr-Jun 2022 37