Supply chain due diligence act will enter into force on 1 January 2023, are you ready?

The German Parliament (“Bundestag”) adopted the “Act on Corporate Due Diligence in Supply Chains” (Supply Chain Due Diligence Act – “Act” or “LkSG”), and the act will enter into force on 1 January 2023. Originally adopted on 11 June 2021, the act aims to improve the protection of the environment and international human rights by setting binding standards for large companies and their value chains.

Background

Following the 2011 UN Guiding Principles on Business and Human Rights (UNGPs), Germany adopted a National Action Plan on Business and Human Rights, which recalled (without setting legal standards) that companies should respect human rights in their operations and their value chains. It is a well-known fact that most human rights violations occur at the beginning of the supply chain. Unsurprisingly, ten years after the adoption of the UNGPs, according to a study commissioned by the government:

  • only 13-17% of German companies were considered to be “in compliance” with their obligations
  • while 83-87% were not, and
  • less than 1% were classified as “companies with an implementation plan” concerning these obligations.

As part of the fight against human rights violations and environmental degradation, the LkSG act notably aims to protect people from modern slavery, forced labour, human trafficking, hazardous work and exploitation under the standards of the International Labour Organisation (ILO) and the relevant articles of the International Covenant on Economic, Social and Cultural Rights (UN Social Covenant). 

The LkSG act is the first in Germany to establish binding standards for companies concerning human rights and the environment. This is a huge milestone as it marks a shift away from the voluntary standards and self-regulation principles. 

Who is affected?

  • From 1 January 2023 onwards: All companies with at least 3,000 employees that have their head office, administrative seat or statutory seat in Germany OR companies that have a branch in Germany and usually employ at least 3,000 employees in this branch;
  • From 1 January 2024 onwards: All companies with at least 1,000 employees that have their head office, administrative seat or statutory seat in Germany OR companies that have a branch in Germany and usually employ at least 1,000 employees in this branch.

Even if companies with fewer employees are not addressees of the LkSG Act, they may still be indirectly affected; therefore, due diligence obligations could still apply. This is because the companies directly affected would be obliged to enforce compliance with human rights in their supply chain to the best of their ability. The measures necessary for this can have a direct impact on their suppliers, for example, through the implementation of a code of conduct. In addition, the directly affected companies will often be dependent on the active support of their suppliers and will thus have this support contractually assured, e.g. in the form of reporting obligations as part of their risk analysis.

New risk management and reporting duties for businesses

With newly imposed due diligence obligations on environmental protection and on human rights, businesses must introduce iterative and ongoing, or in certain circumstances ad hoc, due diligence processes specified by the LkSG.

Identification and management of an organisation’s supply chain and the risks that come with it require the implementation of due diligence processes. The term “supply chain” refers to all products/services of a business, including all manufacturing and services, in Germany and/or abroad, from the extraction of raw materials to their delivery to the end customer. Furthermore, due diligence processes should implement the following criteria: 

  • type and scope of the business activities of the company subject to the due diligence obligations,
  • the ability of the company subject to the due diligence obligations to exert influence (so-called leverage),
  • typically expected severity of the violation, and
  • type of contribution by the company subject to the due diligence obligations to cause a violation. 

Who is CRI® Group?

Based in London, CRI® Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, TPRM, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds B.S. 102000:2013 and B.S. 7858:2012 Certifications and is an HRO certified provider and partners with Oracle.

In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body that provides education and certification services for individuals and organisations on a wide range of disciplines and ISO standards, including ISO 31000:2018 Risk Management – Guidelines; ISO 37000:2021 Governance of Organisations; ISO 37002:2021 Whistleblowing Management System; ISO 37301:2021 (formerly ISO 19600) Compliance Management System (CMS); Anti-Money Laundering (AML); and ISO 37001:2016 Anti-Bribery Management Systems (ABMS). ABAC® offers a complete suite of solutions designed to help organisations mitigate the internal and external risks associated with operating in multi-jurisdiction and multi-cultural environments while assisting in developing frameworks for strategic compliance programs. Contact ABAC® for more on ISO Certification and training.

GDPR vs. UK-GDPR; the laws Post Brexit

The General Data Protection Regulation (GDPR) is a regulation in EU law that was implemented on the 25th of May 2018 and concentrates on data protection and confidentiality in the European Union and the European Economic Area; alongside this, the GDPR is also used to address the transmission of personal data outside the EU and EEA areas. The EU Commission announced on 28 June 2021 that adequacy judgments for the UK have been passed, so what does that mean for the GDPR rules?

The Brexit transition phase concluded on the 31st of December 2020 and, as a component of the new trade agreement, the EU agreed to postpone the transfer restrictions for at least four months, which can then be extended to six months (known as the bridge). The European Commission published its draft decisions on the 19th of February 2021 regarding the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate, which implies that much of the data can continue to flow from the EU and the EEA without the need for supplementary safeguards. Nevertheless, it is vital to note that the adequacy decisions do not cover data transferred to the UK for the purposes of immigration control, or where the UK immigration exemption applies. For this kind of data, distinct regulations apply, and the EEA sender needs to put other transfer safeguards in place.

September 2021 saw WhatsApp being handed the second highest fine under EU GDPR (General Data Protection Regulation) rules and the biggest fine ever from the Irish Data Protection Commission due to their lack of understanding towards the new GDPR laws – had they done their due diligence, they may have been able to avert such a hefty fine. Our Due diligence 360° services provide the specialised intelligence needed by global financial institutions and multinational corporations to guarantee complete compliance with anti-money laundering (AML) regulations and legislation.


The draft decisions will at this point be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments. If the committee accepts the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions. If adequacy decisions are not implemented at the end of the bridge, transfers from the European Economic Area (EEA) to the UK will require compliance with EU GDPR transfer constraints.

What is the UK-GDPR?

The United Kingdom General Data Protection Regulation (UK-GDPR) is the UK’s national data privacy law that is the proxy for the EU’s GDPR after Brexit; it is fundamentally the equivalent to the EU’s GDPR but altered to accommodate national regions of regulation. The UK-GDPR will regulate personal data and demand the same legal grounds for managing personal data.

The GDPR is indeed still retained in domestic law as the UK GDPR, although the UK has the freedom to keep the framework under review. The ‘UK GDPR’, as it is known, sits alongside a revised edition of the DPA 2018. It is also essential to note that the fundamental principles, rights, and responsibilities remain as they were, but that there are implications for the regulations on transfers of personal data between the UK and the EEA.

The UK GDPR also pertains to regulators and processors established out of the UK if their managing pursuits correlate to:

  • presenting commodities or services to persons in the UK; or
  • supervising the conduct of persons taking place in the UK.

Similarly, there are also consequences for UK regulators who have an institution in the EEA, have consumers in the EEA, or observe individuals in the EEA. The EU GDPR still pertains to this handling, as data can still flow freely from the EEA because the EU has adopted adequacy decisions about the UK, but the European data protection mandates have altered the way you can interact.

CRI® Group’s own exclusive, expert-developed 3PRM™ services help you proactively mitigate risks from third-party affiliations, protecting your organisation from liability, brand damage, and harm to the business. Whether your organisation has a large, well-established third-party program, is in the early stages of development, or is anywhere in between, the 3PRM™ solution can improve the health of your program and future-proof your entire business in many forms.


Which rules apply?

Whilst the adequacy judgments stay in place, the UK GDPR is still valid and is expected to remain so until the 27th of June 2025. The EU Commission will be supervising developments in the UK on a constant basis to guarantee that the UK will continue to deliver a comparable degree of data protection. The Commission is still able to revise, postpone, or rescind the decisions if concerns cannot be settled. EU data subjects or an EU data protection authority can also instigate a legal challenge regarding the decisions, in which case the Court of Justice of the European Union would then have to determine whether the UK did essentially deliver comparable protection.

In the absence of an EU GDPR adequacy decision, the Frozen GDPR would apply to personal data if:

  • it was administered in the UK under the EU GDPR before 01 January 2021; or
  • it’s being administered in the UK on the basis of the Withdrawal Agreement

Conversely, the UK-GDPR does expand on, and diverge from, the EU GDPR in noteworthy ways that will change the legal environment of data protection in the UK.

UK-GDPR expands and changes the European GDPR

The areas expanded on by the UK-GDPR are:

  • National security
  • Intelligence services
  • Immigration

These areas are, by definition, outside the scope of the European GDPR: all three are deemed to be national matters, with the EU devoid of powers to govern affairs of national security in member states. Nevertheless, the UK-GDPR sets out specific exemptions by which the customary protection of personal data can be circumvented, e.g., in matters of national security or immigration. It also applies the same requirements for collection and processing of personal data to the intelligence services. A further significant change is that the Information Commissioner, the leading data protection authority in the UK today, became the primary director, monitor and enforcer of the UK-GDPR.

Are you post-Brexit GDPR compliant? 

The UK-GDPR now requires your organisation’s site or application to request the user’s approval before collecting and processing data via cookies. It requires your organisation not to amass more data than is truly necessary and to make it as straightforward for your users to withdraw consent to the use of their data as it is to give it. Transparency is key in the UK-GDPR, which requires you to explain how long data is stored and how you will be processing users’ personal data.

Let’s Talk!

It’s always great to have a helping hand when it comes to compliance and risk management – especially with all the new changes expected to take place ahead of securing the integrity and morality across corporate culture. Take a proactive stance with the highest level of expertise as a part of your essential corporate strategy. Contact us today to learn more about our full range of services to help your organisation stay protected.


Inadequate due diligence hits space-transport SPAC Momentus with $8 million SEC fine


Inadequate due diligence hit SPAC Momentus with an $8 million SEC fine after misleading investors. The Securities and Exchange Commission (SEC) has charged the Momentus special purpose acquisition company (SPAC), its sponsor SRC-NI, the sponsor’s CEO Brian Kabot, the company, and founder Mikhail Kokorich, all involved in a $1.2 billion space-transport SPAC, for defrauding investors and obscuring the CEO’s status as a US national security risk.

The Fraud Claimed

The SPAC, Stable Road Acquisition Corp, had sought to merge with Momentus, a private start-up, to take it public. Momentus’s key offering was a “microwave electro-thermal water plasma thruster,” a way of zapping water vapour to propel a spacecraft, intending to transport satellites into space.

But Momentus’s propulsion tech failed to show results, according to SEC filings. A test mission fell well short of the company’s benchmarks, and a former Momentus employee said that the test yielded “no data to suggest that that thruster would deliver an impulse of any commercial significance.”

According to the SEC’s settled order, Kokorich and Momentus, an early-stage space transportation company, repeatedly told investors that it had “successfully tested” its propulsion technology in space when, in fact, the company’s only in-space test had failed to achieve its primary mission objectives or demonstrate the technology’s commercial viability.

The order finds that Momentus and Kokorich also misrepresented the extent to which national security concerns involving Kokorich undermined Momentus’s ability to secure required governmental licenses essential to its operations.


The compliance issue: Inadequate due diligence

The SEC’s settled order finds that Stable Road repeated Momentus’s misleading statements in public filings associated with the proposed merger and failed its due diligence obligations to investors.

According to the order, while Stable Road claimed to have conducted extensive due diligence of Momentus, it never reviewed Momentus’s in-space test results or received sufficient documents relevant to assessing the national security risks posed by Kokorich.

The order finds that Kabot participated in Stable Road’s inadequate due diligence and filed its inaccurate registration statements and proxy solicitations. The SEC’s complaint against Kokorich includes factual allegations that are consistent with the findings in the order.

“This case illustrates risks inherent to SPAC transactions, as those who stand to earn significant profits from a SPAC merger may conduct inadequate due diligence and mislead investors. Stable Road, a SPAC, and its merger target, Momentus, both misled the investing public. The fact that Momentus lied to Stable Road does not absolve Stable Road of its failure to undertake adequate due diligence to protect shareholders. Today’s actions will prevent the wrongdoers from benefitting at the expense of investors and help to better align the incentives of parties to a SPAC transaction with those of investors relying on truthful information to make investment decisions.”

SEC Chair Gary Gensler

The litigation against Momentus, Stable Road, and Kabot

Associate Director of the SEC’s Division of Enforcement, Anita B, mentioned in her statement that Momentus’s former CEO is alleged to have engaged in fraud by misrepresenting the viability of the company’s technology and his status as a national security threat, inducing shareholders to approve a merger in which he stood to obtain shares worth upwards of $200 million.

The SEC’s order finds that Momentus violated scienter-based antifraud provisions of the federal securities laws and caused certain of Stable Road’s violations. It also finds that Stable Road violated negligence-based antifraud provisions of the US federal securities laws as well as specific reporting and proxy solicitation provisions.

The order finds that Kabot violated provisions of the federal securities laws related to proxy solicitations. Kabot and SRC-NI caused Stable Road’s violation of Section 17(a)(3) of the Securities Act of 1933. Without admitting or denying the SEC’s findings, Momentus, Stable Road, Kabot, and SRC-NI consented to an order requiring them to cease from future violations. Momentus, Stable Road, and Kabot will pay civil penalties of $7 million, $1 million, and $40,000, respectively.

Source: US Securities and Exchange Commission

What do you actually know about the integrity of the 3rd party and their way of doing business? Do they adhere to (inter)national regulations on anti-bribery and anti-corruption? Is it possible that there is a liability risk?

Due diligence on potential business partners when adding a new vendor or even hiring a new employee is vital to confirm the legitimacy and reduce the risks associated with such professional relationships. Global integrity DueDiligence360™ investigations provide your business with the critical information it needs in making sound decisions regarding mergers and acquisitions, strategic partnerships, and the selection of vendors, suppliers, and employees. It will ensure that working with a potential trade partner, for instance, will ultimately achieve your organisation’s strategic and financial goals.

At CRI Group, we specialise in Integrity Due Diligence, working as trusted partners to businesses and institutions worldwide. Our people work with energy, insight and care to ensure we provide a positive experience to everyone involved – clients, reference providers and candidates. CRI’s unique identity and vision evolved from our fundamental desire to support our clients and their candidates. Safeguard your business and its integrity with DueDiligence360™.

Our DueDiligence360™ exposes vulnerabilities and threats that can cause serious damage to your organisation and can significantly reduce business. CRI Group is trusted by the world’s largest corporations and consultancies – outsource your due diligence to an experienced provider, and you will only ever have to look forward, never back.

CRI Group investigators employ a proven, multi-faceted research approach that involves a global array of databases, courts and public record searches, local contacts, industry and media resources, and in-depth web-based research. Our resources include:

  • International business verification
  • Individual business interest search
  • Personal profile on individual subjects
  • Company profile on corporate entities
  • Historical ownership analysis
  • Identification of subsidiaries & connected parties
  • Global/national criminality & regulatory records checks
  • Politically Exposed Person database
  • International digital media research
  • Company background analysis
  • Industry reputational assessment
  • FCPA, UK Anti-Bribery & corruption risk databases
  • Global terrorism checks
  • Global financial regulatory authorities checks
  • Money laundering risk database
  • Financial reports
  • Asset tracing
  • Country-specific databases that include litigation checks, law enforcement agencies & capital market regulators

Protect your reputation and reduce the risk of financial damage and regulator action using our detailed reports. They enhance your knowledge and understanding of customer, supplier, and third-party risk, helping you avoid those involved with financial crime.

DueDiligence360™ from CRI Group

WHAT DO YOU ACTUALLY KNOW ABOUT THE INTEGRITY OF THE PARTY & THEIR WAY OF DOING BUSINESS? DOES OR DID THIS PARTY ADHERE TO (INTER)NATIONAL REGULATIONS ON ANTI-CORRUPTION & ANTI-BRIBERY? IS IT POSSIBLE THAT THERE IS A LIABILITY RISK?


Clients who partner with us benefit from our:

Expertise
CRI Group has one of the largest, most experienced and best-trained integrity due diligence teams in the world.

Global scope
Our multi-lingual teams have conducted assignments on thousands of subjects in over 80 countries, and we’re committed to maintaining and constantly evolving our global network.

Flexibility
Our DueDiligence360™ service is flexible and can apply different levels of scrutiny to the subjects of our assignments, according to client needs and the nature of the project.

About CRI Group

Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

In 2016, the CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations.

UK solicitor sentenced to four years in prison over £2.3m fraud

UK solicitor Andrew Davies jailed for defrauding his firm of £2.3m

A former senior partner and UK solicitor has been jailed for four years after defrauding his firm out of a total of £2.3m. Andrew Davies, 59, paid personal invoices to himself from the business and under-declared £1.1m in stamp duty land tax to HM Revenue and Customs (HMRC) for over nine years.

Davies pleaded guilty to one count of fraud by false representation at Reading Crown Court in 2019 and was sentenced to four years imprisonment in January this year. As a senior partner at the firm, Andrew Davies managed to defraud it out of the money by paying personal invoices to himself from the business account.

The 59-year-old also under-declared £1.1m in Stamp Duty Land Tax to HMRC over nine years, over-declaring tax to clients and then taking money from the solicitor firm’s account for himself, defrauding both the company he worked for and HMRC at the same time.

Davies also raised invoices to pay over £1.6 million to his friend Stephen Allan, who worked as a property developer and was a firm client. The 62-year-old from Bishop’s Stortford was convicted at Reading Crown Court on one count of money laundering and jailed for three years.

In a statement, police mentioned the convictions and sentencing after a solicitors’ firm in Berkshire was defrauded out of £2.3m between 2010 and 2017.

Allan then made smaller payments into Davies’ account and also pocketed around £400,000 himself. The solicitor extracted funds from the firm’s client account, paying it to Allan in transactions described as ‘fees’, but there was no known work for this.

Davies of The Street, West Clandon, Guildford, and Allan of Thornberry Road, Bishops Stortford, Hertfordshire, were charged by police officers in August 2019.

The statement did not name the firm, but a Solicitors Regulation Authority notice has previously stated that Davies worked for Reading firm Pitmans LLP, which has since become part of another practice. Davies has already been struck off by the Solicitors’ Disciplinary Tribunal and ordered to pay £17,000 in costs.

Investigating officer Detective Constable Katie Taylor of Thames Valley Police’s Economic Crime Unit said: ‘In this case, a solicitor trusted to safeguard client funds abused this position and systematically defrauded his firm of large sums of money for his benefit.

‘He then used a corrupt relationship to launder the proceeds of his crime through a property developer. These professional enablers of organised crime represent a significant risk, and we hope that the conviction and sentence, in this case, will act as a deterrent to others.’

Source: Financial Crime News & The Law Society Gazette

 


John Wood Group to pay $177 million to settle bribery charges inherited through its merger

John Wood Group bribery probe traces back to its merger with Amec Foster Wheeler Plc.

John Wood Group Plc has agreed to pay $177 million to settle the UK-led bribery and corruption probe into a British engineering firm it acquired in 2017. The settlement is part of a so-called deferred prosecution agreement with the Serious Fraud Office and the US Department of Justice concerning Amec Foster Wheeler Plc.

The UK agreement is still subject to court approval. As part of the deal, the company can avoid prosecution for three years if it cooperates in the continuing bribery probe. Wood Group’s payment is one of the largest ever obtained in a UK-led bribery and corruption case. The biggest was a $1.2 billion settlement with Airbus SE that also involved the US and French authorities.

In 2017, the SFO opened an investigation into Amec’s use of third parties to gain contracts, just weeks after shareholders approved Wood Group’s proposed acquisition. The DOJ said the probe concerned a scheme to pay bribes to officials in Brazil for a $190 million contract to design a gas-to-chemicals complex.

As part of the deal announced, at least $10.1 million will settle charges brought by the US Securities and Exchange Commission. The DOJ said it would get about $18.4 million to resolve its criminal charges in the Brazil bribery probe. Amounts to be paid to the UK and Brazil are yet to be made public.

Wood Group announced that it was close to a settlement. It originally said it expected a deal for $186 million, with about $60 million paid in the first half of 2021 and the rest over three years. The company also agreed to pay $10 million to Scottish authorities earlier this year to settle the case.

“The investigations brought to light unacceptable, albeit historical, behaviour that I condemn in the strongest terms,” Wood Group Chief Executive Officer Robin Watson said in a statement. “Although we inherited these issues through acquisition, we took full responsibility in addressing them, as any responsible business would.”

The company has “cooperated fully with the authorities” and “taken steps to improve further our ethics and compliance program from an already strong foundation,” Watson said. “I’m pleased that, subject to final court approval in the UK, we have been able to resolve these issues and can now look to the future.”

The agreement comes amid criticism of the SFO and its inability to prosecute individuals after securing settlements with companies. Earlier this year, the SFO dropped its probe into former Airbus directors and was dealt a humiliating setback after its trial against two former Serco Group Plc directors fell apart because it failed to disclose evidence.

In May 2021, the SFO opened one of its biggest investigations into suspected fraud and money laundering concerning GFG Alliance and its financing agreements with Greensill Capital. It was after months of intense pressure from lawmakers to investigate Sanjeev Gupta’s empire.

Source: Financial Crimes News

The importance of due diligence in mergers and acquisitions to avoid an incident like the one at John Wood Group

Due diligence is understood as the reasonable steps taken to satisfy legal requirements in the conduct of business relations. That allows you to reduce risks – including risks arising from the FCPA (Foreign Corrupt Practices Act) and the UKBA (UK Bribery Act), to make informed decisions and to pursue takeovers or mergers with more confidence.

Unlike other kinds of control (audits, market analysis, etc.), it must be completely independent and rely as little as possible on information provided by the researched subject. The other important difference lies in the methodology: commercial or financial due diligence analyses available information, whereas the investigative type provides reliable and pertinent, but raw, information.

Due diligence on potential business partners when adding a new vendor or hiring a new employee is vital to confirm the legitimacy and reduce the risks associated with such professional relationships. Global integrity due diligence investigations provide your business with the critical information it needs to make sound decisions regarding mergers and acquisitions, strategic partnerships, and the selection of vendors, suppliers, and employees.

It will ensure that working with, for example, a potential trade partner will ultimately achieve your organisation’s strategic and financial goals. CRI Group investigators employ a proven, multi-faceted research approach that involves a global array of databases, courts and public record searches, local contacts, industry and media resources, and in-depth web-based research. Our resources include:

  • International business verification
  • Individual business interest search
  • Personal profile on individual subjects
  • Company profile on corporate entities
  • Historical ownership analysis
  • Identification of subsidiaries & connected parties
  • Global/national criminality & regulatory records checks
  • Politically Exposed Person database
  • International digital media research
  • Company background analysis
  • Industry reputational assessment
  • FCPA, UK Anti-Bribery & corruption risk databases
  • Global terrorism checks
  • Global financial regulatory authorities checks
  • Money laundering risk database
  • Financial reports
  • Asset tracing
  • Country-specific databases that include litigation checks, law enforcement agencies & capital market regulators

DueDiligence360™ from CRI Group

WHAT DO YOU ACTUALLY KNOW ABOUT THE INTEGRITY OF THE PARTY & THEIR WAY OF DOING BUSINESS? DOES OR DID THIS PARTY ADHERE TO (INTER)NATIONAL REGULATIONS ON ANTI-CORRUPTION & ANTI-BRIBERY? IS IT POSSIBLE THAT THERE IS A LIABILITY RISK?

At CRI Group, we specialise in Integrity Due Diligence, working as trusted partners to businesses and institutions across the world. Our people work with energy, insight and care to ensure we provide a positive experience to everyone involved – clients, reference providers and candidates.

CRI’s unique identity and vision evolved from our fundamental desire to support our clients and their candidates. Safeguard your business and its integrity with DueDiligence360™.

Our DueDiligence360™ exposes vulnerabilities and threats that can cause serious damage to your organisation and can significantly reduce business. CRI Group is trusted by the world’s largest corporations and consultancies – outsource your due diligence to an experienced provider and you will only ever have to look forward, never back. Clients who partner with us benefit from our:

Expertise
CRI Group has one of the largest, most experienced and best-trained integrity due diligence teams in the world.

Global scope
Our multi-lingual teams have conducted assignments on thousands of subjects in over 80 countries, and we’re committed to maintaining and constantly evolving our global network.

Flexibility
Our DueDiligence360™ service is flexible and can apply different levels of scrutiny to the subjects of our assignments, according to client needs and the nature of the project.

About CRI Group

Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

In 2016, the CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations.

Corporate Fraud and Corruption: effect on UK businesses in 2021

CRI® Group and its ABAC® Center of Excellence were featured in Financier Worldwide’s InDepth Feature: Corporate fraud and corruption 2021. In this edition, CRI® Group’s CEO Zafar Anjum and ABAC®’s Scheme Manager Huma Khalid talk about how corporate fraud and corruption affect businesses not only in the UK and UAE, but across the globe, and provide solutions and insights for businesses to become better protected from corporate fraud, bribery and corruption.

Q. To what extent have you seen a notable rise in the level of corporate fraud, bribery and corruption uncovered in the UK?

A. The COVID-19 pandemic has created increased opportunities for fraud worldwide. The UK is not immune, unfortunately, and such a disruptive event as the pandemic increases the likelihood that normal safeguards and risk management controls can be bypassed and subverted. There has been an increase in reported fraud and corruption cases over the past year. A survey of fraud experts by the Association of Certified Fraud Examiners (ACFE) in August 2020 showed that 77 percent were seeing an increase in fraud. Perhaps not surprisingly, cyber fraud is the fastest-growing problem area, but there has also been an uptick in unemployment fraud. This is bad news in the UK, where fraud is our most common crime, costing the country £190bn annually, according to the Royal United Services Institute (RUSI).

Q. Have there been any legal and regulatory changes implemented in the UK designed to combat fraud and corruption? What penalties do companies face for failure to comply?

A. There is proposed legislation, supported by the secretary of state of the UK’s Department of Business, Energy and Industrial Strategy, that would increase accountability for corporations that produce falsified financial statements. This includes a provision that would require company directors to personally sign off on their corporation’s financial statements, under penalty of fines and possible prison time. Under the Sarbanes-Oxley Act in the US, the penalty for falsely certifying such statements is steep: up to 20 years in prison and up to $5m in fines, and the UK is looking at similar measures to step up its fight against fraud and corruption. The UK also recently approved the formation of an audit, reporting and governance authority (ARGA) that should come into force within the next two or three years. Accordingly, the UK is taking a stronger stance against fraud going forward.

Q. In your opinion, do regulators in the UK have sufficient resources to enforce the law in this area? Are they making inroads?

A. Combatting fraud is never straightforward. When looking at progress in detecting and preventing fraud, it sometimes feels like a question of whether the glass is half full or half empty. For example, the Serious Fraud Office (SFO) brought 13 fraud defendants to trial in 2019 and 2020, with a 95 percent four-year success rate by case. Many of these represent large frauds, and they are meaningful wins, but how many more fraudsters are out there undiscovered? Other bodies, including Her Majesty’s Revenue and Customs (HMRC), among others, also have key roles to play in investigating fraud, but a considerable amount of fraud is still investigated and prosecuted at the local level. It is important for leaders in the UK to know what resources law enforcement have and where they need training and support in the fight against fraud.

Q. If a company finds itself subject to a government investigation or dawn raid, how should it respond?

A. Any investigation, and especially a raid, can be an incredibly stressful time for a company and its employees. The important thing is to not panic – the investigators have a job to do, and the sooner they get to the truth of the situation, the better for everyone. Companies should direct their management and their employees to cooperate fully, while also engaging legal counsel to properly protect the corporation from future litigation. If fraud is detected, it is a criminal matter and the company should make a good faith effort to work with prosecutors and regulators, while making sure to document all control measures and prior steps taken to manage fraud risk. Having a track record of meeting compliance requirements and having proper internal controls in place at the time fraud occurs could have a mitigating effect in terms of potential prosecution and penalties down the road.

Q. What role are whistleblowers playing in the fight against corporate fraud and corruption? How important is it to train staff to identify and report potentially fraudulent activity?

A. Employees are a company’s first line of defence against fraud and corruption. But training them to recognise the red flags of fraud is only half of the process. The company must also implement a reporting system that is anonymous and easy to use, so that employees are encouraged to report any suspicions. Then, the company must follow through and fully investigate any reports that do come in. If it does not, whistleblowers will believe that combatting fraud and corruption is not a corporate priority, and the tips will stop coming in. How important are those tips? According to the ACFE, they are by far the highest detection method for fraud, well above audits and other means. The company should communicate that a whistleblower hotline or online reporting system is available, and that there is a zero-tolerance policy for any type of retaliation against whistleblowers. Over time, the tips will come in.

Q. What advice can you offer to companies on conducting an internal investigation to follow up on suspicions of fraud or corruption?

A. Investigations can be challenging, and they require expertise. For example, there are rules for collecting and handling evidence, including physical evidence and witness statements, that must be followed for such evidence to be admissible in court. There are also laws in the UK dealing with privacy and the rights of the accused. The bottom line is that a company already dealing with a potentially costly and damaging fraud scenario should not risk adding more legal trouble through a faulty investigation. Hire experts who deal with corporate crime and specialise in fraud and corruption cases. Like any other area of expertise, they will have the knowledge and resources to help proceed with an investigation and lead it to the most favourable outcome for your company. If you already have anti-fraud professionals on staff, let them take the lead, but provide outside resources as needed.

Q. What general steps can companies take to proactively prevent corruption and fraud within their organisation?

A. A fraud prevention strategy has many different elements, and the sooner companies implement them, the sooner they can begin to work together in a proactive way to prevent fraud. Mandating employee training, such as ISO 37001 ABMS, having an ethical code of conduct signed by every member of staff, providing regular and surprise audits, and implementing a fraud reporting system are all effective ways to help prevent and detect fraud and corruption. None of these methods is strong enough on its own to properly protect organisations. But together, they can be very effective. It is also important to set a ‘tone at the top’, from ownership, directors and management on down, that fraud will not be tolerated. Anti-fraud controls only work if the company sees them through and thoroughly investigates every report. When fraud is confirmed, any perpetrators should be terminated and potentially prosecuted, sending a message of zero tolerance.

Meet ZAFAR ANJUM, Group Chief Executive Officer

Zafar Anjum is founder and group CEO at CRI® Group, and its ABAC® Center of Excellence. He uses his extensive knowledge and expertise in creating stable and secure networks across challenging global markets. For organisations needing large project management, security, safeguard and real-time compliance applications, Mr Anjum is the assurance expert of choice for industry professionals.

Corporate Research and Investigations | t: +44 (0)7588 454 959 | e: zanjum@crigroup.com

Meet HUMA KHALID, Scheme Manager

Huma Khalid, as scheme manager, is responsible for leading ABAC. Ms Khalid’s responsibilities include planning and overseeing all aspects of the ABAC programme, which include certification and training. Additionally, she oversees the compliance department for the implementation, management and internal audit of CRI® Group’s and ABAC compliance programmes.

ABAC® Center of Excellence Limited | t: +44 (0)777 652 4355 | e: huma.k@abacgroup.com

Cyber security: how to maintain GDPR compliance?

The European Union’s (EU) General Data Protection Regulation (GDPR) came into force in 2018. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As this data was exposed by both hackers and, in some cases, simply through poor security measures, governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of GDPR held some uncertainty and unknowns for organisations subject to its guidelines, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: Violators of the GDPR may be fined up to €20 million or up to 4 percent of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

Cybersecurity is a priority for the management

Even with extremely high fines and stringent requirements, GDPR violations and data breaches have been skyrocketing across the world. In 2020, an overall increase in fraudulent activities was detected, according to ACFE’s “Fraud in the Wake of COVID-19: Benchmarking Report”: 77% of survey participants had seen an increase in the overall level of fraud as of August, compared to 68% who had observed an increase in May. Earlier we wrote about how the COVID-19 crisis triggered fraudulent activities and what businesses can do to support anti-fraud movements in their organisations and to strengthen their immunity to fraud. However, cyber-attacks are on the rise – the survey by gov.uk continues to show that cybersecurity breaches are a serious threat to all types of businesses and charities. 39% of businesses and 26% of charities reported having cybersecurity breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).

The study suggests that the risk level is potentially higher than ever under COVID-19 and that businesses are finding it harder to administer cybersecurity measures during the pandemic: 35% of businesses compared to 40% last year are now deploying security monitoring tools. This reduction suggests that these organisations might simply be less aware than before of the breaches and attacks their staff are facing.

However, among those that have identified breaches or attacks, around 27% of businesses experience them at least once a week. The most common by far are phishing attacks (83%, and 79% in charities), followed by impersonation (for 27% and 23%). Based on a survey by gov.uk, despite COVID-19 stretching many organisations’ cybersecurity teams to their limits, cybersecurity remains a priority for management boards. But it has not necessarily become a higher priority under the pandemic. Three-quarters (77%) of businesses say cybersecurity is a high priority for their directors or senior managers, while seven in ten charities (68%) say this of their trustees.

The most notable data breaches

In a climate where organisations are putting more emphasis on strengthening their online security systems, there is no shortage of data breaches or GDPR violations. Our experts have shortlisted a few of the most notable cases, in no particular order, for you to be aware of:

1. Booking.com

A very recent case: travel booking website Booking.com was hit with a €475,000 ($560,000) fine after failing to report a data breach within the time period mandated by the GDPR. The breach happened back in 2018, when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates (UAE). The hackers were able to obtain login credentials for the booking system and access the personal details of more than 4000 customers who booked hotel rooms via booking.com. The scammers exposed the credit card details of 283 customers, and in 97 cases the CVV code was also compromised. Under the GDPR, a data breach must be reported within 72 hours. Booking.com reported the breach to the Dutch Data Protection Authority 22 days late (!) and was issued a fine in April 2021, as reported by Forbes.

2. Twitter

Another company that was late to report the security flaw is Twitter – it was discovered in December 2018 but the social media giant did not report it to Ireland’s Data Protection Commission (DPC) until the following month. As a result, Twitter has been told to pay a €450,000 GDPR fine by Ireland’s data regulator for failing to report a 2018 data breach in the legally required timeframe. The DPC also determined that Twitter failed to adequately document the breach, another requirement under GDPR.

3. Vodafone

The firm, which was warned or fined smaller amounts on at least 50 occasions between January 2018 and February 2020, is in the news again: the Spanish data protection authority has fined Vodafone €8.15 million (approximately £7 million) for aggressive telemarketing tactics and repeated data protection failures. The fine was issued as a result of an investigation that was prompted by hundreds of complaints, with the regulator discovering a system that held up to 4.5 million contact lists purchased from third parties without user consent.

4. Facebook

And another social media giant – Facebook. Ireland’s data protection watchdog is demanding answers from Facebook over the release of records on 533 million people that appeared to stem from the social media site. As reported in April 2021, a spokesman for the Data Protection Commission (DPC) – which regulates Facebook in the European Union – said “a dataset, appearing to be sourced from Facebook, has appeared on a hacking website this weekend for free and contains records of 533 million individuals.”

5. H&M

The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed. H&M’s GDPR violations involved the internal monitoring of employees. After employees took vacation or sick leave, they were required to attend a return-to-work meeting. Some of these meetings were recorded and accessible to over 50 H&M managers. This violated the GDPR’s principle of data minimisation — don’t process personal information, particularly sensitive data about people’s health and beliefs, unless you need to for a specific purpose.

6. Google

The biggest penalty (€50 million) was issued to Google for its alleged failure to provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and obtain users’ valid consent to process their personal data for ad personalisation purposes. 


How to maintain GDPR compliance

What can we learn from these case studies? Maintaining GDPR compliance is a complex process, and requires a lot of diligent work. At CRI Group, we recommend looking at it as a part of your risk management strategies, together with your compliance policies and procedures.

To help you with maintaining compliance with GDPR, our integrity due diligence experts created the following top 10 GDPR best practices for any business or entity that deals with collecting, storing or using personal information:

1. Employ a Data Protection Officer (DPO)

It is a GDPR requirement that entities who carry out regular and systematic monitoring of individuals on a large scale, or large-scale processing of certain special categories of data, have an assigned DPO. It is also recommended, however, for all other entities to help ensure data security. While the GDPR does not specifically list the necessary training or qualifications of a DPO, the regulation does require the DPO to have “expert knowledge of data protection law and practices” (Digital Guardian, 2019). Implement thorough background screening processes and make sure the person you appoint is trained and qualified to be your DPO.

2. Train your employees

Ensure that all personnel are aware of the GDPR and your organisation’s commitment to compliance. Make sure that all leaders, and especially key personnel charged with collecting, handling or storing data, understand their responsibilities under GDPR. Make data protection training a regular part of your employee curriculum.

3. Confirm the legality of your data collection

GDPR requires that you have a legal basis to collect personal data. For most businesses, the following are the most likely to be applicable:

  • The information is necessary to perform a contract between the organisation and the individual;
  • You have a legal obligation to process the data (such as a court order);
  • The organisation has a legitimate interest in collecting and processing the data – in other words, there needs to be a relationship and business reason to collect the data (it cannot be random);
  • The individual has provided direct consent to the processing of the data.

4. Maintain thorough records

For larger organisations (more than 250 employees), GDPR requires that records of data collection and processing be maintained. Again, this is a best practice for smaller organisations as well. It can help establish that the organisation is dutifully complying with the data protection principles in GDPR. Take inventory and make a record of the data you have collected and are storing to date. Create a detailed matrix to understand what types of data you are holding, where/how it is collected, how and where it is held, and whether it is still needed. Based on this information, you can also develop a data-retention policy to govern how long personal data is kept and stored. Keeping data on file longer than needed is a liability, and serves no business purpose.

5. Establish consent policies for data

For some of your records, consent is your lawful basis for holding it. Under GDPR, it is no longer acceptable to assume consent in your collected data, or treat silence as consent. Create clear and unambiguous consent forms for your data collection that demonstrate adherence to GDPR principles. And remember, under GDPR, you must make it a simple process for an individual to withdraw their consent at any time.

6. Perform due diligence on third-parties

Under GDPR, your organisation is responsible if third-party partners collect, store or manage data for your organisation. You must ensure their compliance with GDPR as if it is your own since they are responsible for your data. This is the time to update your contracts with them to include compliance measures, as needed. It is also important that you review their control systems and their data handling processes. They must be comprehensive and meet all of the GDPR requirements to keep data secure. CRI Group’s third-party risk management experts can help you conduct effective reviews of your partners and their processes.

7. Be responsive

Under GDPR, your organisation must respond to requests from individuals whose data you have collected and/or are storing. These requests are spelt out as individuals’ rights with regard to their personal data, and they include the following:

  • Right to be informed about what data is collected and why;
  • Right of access to data that has been collected;
  • Right to rectification/correction of inaccurate data;
  • Right to erasure of data (“right to be forgotten”);
  • Right to restrict processing of personal data;
  • Right to data portability;
  • Right to object to use of data; and
  • Right not to be subject to automated decision making, including profiling.

Have a process in place to respond to requests in a timely manner and provide data when requested in order to stay in compliance.

8. Have written policies in place

Develop your internal policies with regard to GDPR and how you protect personal data, and communicate them across your organisation. Take special care to spell out policies on data retention, cross-border processing of data, and how you collect and handle data for persons under the age of 16, as GDPR has special requirements with regard to children’s data.

9. Conduct risk assessments

GDPR requires Data Protection Impact Assessments in certain cases. These assessments measure your organisation’s ability to protect personal data and risks associated with that protection. If your data processing is considered high-risk, uses new technology, or deals in large-scale processing of data in certain categories, the assessments are required – but for any organisation, they are recommended. Data protection experts at an outside firm like CRI Group can help you prepare robust risk assessments and follow-up plans to address their results.

10. Be prepared for a breach

A worst-case scenario in data security is a breach that exposes personal information. Under the steps above, your organisation should be well-positioned to prevent or limit any breach to your data security. However, you should always have a contingency plan in place to immediately respond to a breach should it occur. Understand that GDPR requires that the applicable EU data protection supervisory authority be notified within 72 hours of a breach. Gone are the days where a company can announce it weeks or even months after the fact. Be ready to notify the affected individuals that their data has been compromised, so that they can take the appropriate steps to respond.

Organisations don’t like to think about the impact of a data breach – but major cases have pushed governments to act in the public’s interest. Perhaps nowhere is this more true than in the EU, where the GDPR is now the governing policy for organisations that deal with individuals’ personal data. By being proactive with the steps above, your organisation can be better prepared and maintain compliance with the GDPR. Most importantly, you will have the confidence and trust of your consumers through effective best practices in handling and protecting their data. CRI Group’s experts are here to help. Contact us today so that we can walk you through the steps of GDPR compliance. If you have any further questions or interest in implementing compliance solutions, please contact us.

BS7858:2019 – everything you need to know and more!

The recent update of the BS7858 standard, “Screening of Individuals Working in a Secure Environment – Code of Practice,” places emphasis on the risk assessment of secure environment workers. The code focuses on the need for tighter controls over the pre-employment screening – and periodic re-screening – of individuals, who in their positions could potentially benefit from illicit personal gain, become compromised, or take advantage of other opportunities for creating breaches of confidentiality, trust or safety.

What is BS7858?

BS7858 stands for “Screening of Individuals Working in a Secure Environment – Code of Practice.” BS7858 is a code of practice released by BSI (British Standards Institution), a business standards company which supports companies in achieving excellence within their field and continuously boosting performance. Introduced in 2013, the standard was updated in September 2019 and is now considered to be the industry standard for all screening in employment, despite its original intention for use in security environments only. This code was meant to provide a critical security standard that guided employers on the screening process for security staff before offering full employment. However, the new update has widened the scope of this code.

This British Standard helps employers to screen personnel before they employ them. It gives best-practice recommendations and sets the standard for the screening of staff in an environment where the safety of people, goods or property is essential. This includes data security, sensitive and service contracts and confidential records. It can also be applied to situations where security screening is in the public’s interest. It sets out all the requirements to conduct a screening process. It covers ancillary staff, acquisitions and transfers, and the security conditions of contractors and subcontractors. It also looks at information relating to the Rehabilitation of Offenders and Data Protection Acts. CRI Group is the first and only investigative research company in the Middle East to receive the certifications BS7858:2019 and BS102000:2013, Code of Practice for the Provision of Investigative Services, from internationally recognised training and certification body BSI.

Change of scope

The change of scope is possibly the biggest change of the standard. In the old document, the standard concerned the security sector only. However, the scope has been amended to allow organisations in all environments to adopt the standard for employee screening. And due to the current pandemic, this update is more significant than ever. There is a specific section of the standard that relates to risk management which states: “An integral part of risk management is to provide a structured process for organisations to identify how objectives might be affected. It is used to analyse the risk in terms of consequences and their probabilities before the organisation decides what further action is required”.

BS 7858:2019 lays out the scope of “obtaining personal background information to enable organisations to make an informed decision, based on risk, on employing an individual in a secure environment.” Those workers include business owners, directors, partners, silent partners and shareholders holding more than 10% of the business; managers, area managers, department managers, screening managers and staff; installers and service crew; security personnel; and office supervisors and staff with access to customer and system records.

The amended guidelines of the standard put the onus on the organisation’s top management to demonstrate that they are focused on the aspects of the business where the most risk lies, and the particular personnel roles that are involved within those risk areas. This is particularly important because, as the standard states, the “organisation retains ultimate responsibility for an outsourced screening process and is required to review the completed screening file.” Risk assessment includes examining specific roles that involve financial tasks, data security, management of goods, property risks or any number of “people risks” such as roles with direct access to vulnerable adults and children.

To that end, management is charged with ensuring that the organisation has proper and adequate resources and infrastructure in place to manage the adequate vetting of high-risk personnel. Management is tasked with the response and with ensuring that there is a firm commitment at the top level to manage and support the coordination required to execute the screening process. Finally, management is tasked with ensuring that such responsibilities are correctly assigned and communicated throughout the organisation. The guideline also eliminates a requirement, present in its original 2012 text, to produce character references as part of the screening process. This decision was based on the supposition that such references are now deemed potentially weak and difficult to verify. Managing risk effectively is essential to ensure businesses succeed and thrive in an environment of constant uncertainty. ISO 31000 aims to simplify risk management into a set of clearly understandable and actionable guidelines that should be straightforward to implement, regardless of the size, nature, or location of a business.

BS7858:2019, a new way to mitigate employee risk during COVID-19

The far-reaching impact of the COVID-19 outbreak has affected virtually every business and economic sector worldwide, and depending on the global region, has hampered (on various levels) the ability to conduct proper and thorough background screening investigations. In the United Kingdom and the United Arab Emirates, the countrywide lockdowns forced leaders to close sites and send their workforce home. Many are having to learn how to manage people working from home (WFH) or remotely for the first time. The previous concerns about productivity, privacy and protecting sensitive information only grew with the practice of WFH. They highlighted the vital importance of pre-employment background screening and background investigations. BS 7858:2019, the revised Standard for screening individuals working in secure environments, offers a complete solution.

The revised BS7858 standard enables organisations to demonstrate a commitment to safeguarding their businesses, employees, customers and information utilising widely accepted methods that focus on risk assessment and top-down management involvement in the company’s employment policies and practices. In establishing policies and procedures around the standard, organisations can show that they place a high value on hiring individuals who possess integrity. Organisations can then task them with responsibilities designed to keep their co-workers, customers and information safe from the opposing forces that have become more prevalent in today’s ever-changing COVID-19 world. Find out more on how you can mitigate employee risk during this pandemic with BS7858:2019.

Playbook BS7858:2019, everything you need to know and more!

The price of a bad hire has far-reaching consequences for any business, including productivity loss, decreased employee morale, risks to employee safety and increased exposure to costly negligent hiring claims and potentially devastating litigation. The premise behind the standard is to safeguard employers from harmful or fraudulent hires.

Cases of organisations that forego conducting due diligence on a new hire – especially a hire with high-risk exposure – often end badly for those organisations. At CRI Group we know how important your background screening is to your company’s success, and to give you an idea of what is new we have produced this playbook detailing the differences between the BS7858:2012 standard and the new BS7858:2019 standard.


Managing your people through COVID-19

The COVID-19 pandemic is undeniably affecting the world, and the situation is changing at an hourly rate as we go into a second global lockdown. Businesses are having to adapt quickly to survive, i.e. cutting steps in their hiring process, and no-one knows how this will play out. However, there are ways you can mitigate the impact; learn how with this FREE ebook.

Taken as a whole, this ebook is the perfect primer for any HR professional, business leader and companies looking to avoid employee background screening risks. It provides the tools and knowledge needed to stay ahead of COVID-19 effectively. Read the answers to the following questions:

  • How to ‘turn the tide’ on coronavirus crisis?;
  • COVID-19 Action point checklist;
  • Background Screening: Essential Checks;
  • 6 steps for good practice in connection with COVID-19;
  • 11 Steps to Reduce Personnel Costs;
  • COVID-19 General advice;
  • How to remove any danger to your business during COVID-19;
  • … and more!

Frequently asked questions about background checks

Get answers to frequently asked questions about background checks / screening cost, guidelines, check references etc.

This eBook is a compilation of all of the background screening related questions you ever needed answers to:

  • Does a candidate have to give consent to process a background check / screening?
  • How long does it take to conduct a background check?
  • When should I conduct pre-employment checks?
  • How often should I screen employees?
  • How to collect references and what to ask?
  • How much does it cost to conduct background checks?
  • What is the difference between employment history verification and employment reference?
  • How do I check on entitlement to work?
  • How to conduct identity checks?
  • What will a financial regulatory check show?
  • Is it possible to identify a conflict of interest during checks?
  • What is a bankruptcy check?
  • What about directorships and shareholding search?
  • Can I have access to a criminal watch list?
  • Anti-money laundering check?
  • Can we conduct FACIS (fraud and abuse control information system) searches?
  • … and MORE!
 


Taken as a whole, it is the perfect primer for any HR professional, business leader and companies looking to avoid employee background screening risks. It provides the tools and knowledge needed to make the right decisions.



Let’s Talk!

BS7984:2008 accredited companies (such as CRI Group) highlight to their clients that their security personnel are staff that can be trusted and relied upon to complete a high-quality job, as the screening process highlights the level of conduct that they have presented in the past. This reassures the safety of the people, goods and property that they have been hired to protect. If you have any further questions or interest in implementing compliance solutions, please contact us.

About the Author

Zafar I. Anjum is Group Chief Executive Officer of Corporate Research and Investigations Limited “CRI Group” (www.crigroup.com), a global supplier of investigative, forensic accounting, integrity due diligence and employee background screening services for some of the world’s leading business organizations. Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre-DIFC, the Qatar Financial Center-QFC, and the Abu Dhabi Global Market-ADGM, CRI Group safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI Group maintains offices in UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, USA, and the United Kingdom.

Zafar Anjum, MSc, MS, LLM, CFE, CII, MABI, MICA, Int. Dip. (Fin. Crime), Int. Dip. (GRC)
CRI Group Chief Executive Officer
37th Floor, 1 Canada Square, Canary Wharf, London, E14 5AA, United Kingdom
t: +44 207 8681415 | m: +44 7588 454959 | e: zanjum@crigroup.com

Who is CRI Group?

Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.


Q&A: Corporate Fraud and Corruption in UK is growing, FAST!

Corporate fraud and corruption are growing in the United Kingdom (UK). In a devastating article, Oliver Bullough proved that the UK is quickly becoming the money-laundering capital of the world. In addition, the most recent The Guardian article “If you think the UK isn’t corrupt, you haven’t looked hard enough” highlighted that billions of pounds of COVID-19 contracts issued by the government without competition have reportedly cost taxpayers £800 for every protective overall delivered, and appear to have been issued to dormant companies, with several of the companies that have benefited from this largesse closely linked to senior figures in the government. Read more about the situation in the UK in the answers to the following questions:

  • To what extent are boards and senior executives in UK taking proactive steps to reduce incidences of fraud and corruption from surfacing within their company?
  • Have there been any significant legal and regulatory developments relevant to corporate fraud and corruption in UK over the past 12-18 months?
  • When suspicions of fraud or corruption arise within a firm, what steps should be taken to evaluate and resolve the potential problem?
  • Do you believe companies are paying enough attention to employee awareness, such as training staff to identify and report potential fraud and misconduct?
  • How has the renewed focus on encouraging and protecting whistleblowers changed the way companies manage and respond to reports of potential wrongdoing?
  • and much more…

Q. To what extent are boards and senior executives in your region taking proactive steps to reduce incidences of fraud and corruption from surfacing within their company?

Anjum: Business leaders in the UK recognise that being proactive against fraud and corruption is about more than just protecting the business – which is critical – but it is also a key component of growing and connecting to more opportunities. According to the World Bank, business grows an average of 3 percent faster where corruption is low. One way for organisations to demonstrate their commitment to preventing bribery and corruption is to engage in ISO 37001 certification. We expect to see more UK companies seeking certification and we expect this trend to increase as organisations look to set themselves apart from their competitors.

Q. Have there been any significant legal and regulatory developments relevant to corporate fraud and corruption in UK?

Anjum: Perhaps the biggest development, by extension, was the official beginning of the Brexit process and its potential impact on how the region continues to enforce and regulate against bribery and corruption. While the UK has a solid record thus far in combating fraud, the Organisation for Economic Co-operation and Development (OECD) recently warned that pressure from businesses to weaken bribery laws, coupled with an inability of the government to focus on non-Brexit issues, have increased the risks that bribery and corruption could increase.

The civil society group Corruption Watch has voiced similar complaints and has noted with concern new settlements that allow companies to resolve investigations with just a fine and an apology. The Serious Fraud Office (SFO) is tasked with policing this volatile landscape, and does so at a time when it has just appointed an interim director, pending the appointment of a new permanent director.

The shifting economic conditions surrounding Brexit have raised uncertainty and vulnerability. Learn how “Brexit Poses New Bribery & Corruption Challenges” with this ebook.

Q. When suspicions of fraud or corruption arise within a firm, what steps should be taken to evaluate and resolve the potential problem?

Anjum: Any allegation of fraud, including bribery and other forms of corruption, is very serious and requires expert handling. Only those trained in investigative techniques, including thorny issues such as evidence collection and the interviewing of witnesses and suspects, should be engaged to help establish the facts of the case.

To be clear, not all suspicions lead to fraud – trained investigators understand this, and will approach any allegations from an objective, fact-finding point of view. One critical thing to remember is that companies do not get a chance for a ‘do over’ if they bungle an investigation.

Q. Do you believe companies are paying enough attention to employee awareness, such as training staff to identify and report potential fraud and misconduct?

Anjum: We definitely see awareness of fraud and corruption moving in the right direction among business leaders and their employees. This is evident when companies engage in certification courses such as ISO 37001, which certifies that an organisation has implemented reasonable and proportionate measures to prevent bribery.

Q. How has the renewed focus on encouraging and protecting whistleblowers changed the way companies manage and respond to reports of potential wrongdoing?

Anjum: In the UK, there is a strong emphasis on encouraging and protecting corporate whistleblowers because the statistics show that fraud is most often uncovered by tips. Employees truly are the first line of defence against corruption. This change in approach and attitude has exposed two issues that need attention, however.

First, the worker needs to understand what constitutes fraudulent behaviour – otherwise, how will he or she know what to report? That is where a training protocol like ISO 37001 comes in, with a curriculum to help educate a company’s workforce on the red flags of fraud and how to identify it. Second, employees must know how to report fraud.

A hotline or other reporting system is useless if the company does not properly communicate how to engage it – or that it exists at all.

Q. Could you outline the main fraud and corruption risks that can emerge from third-party relationships? In your opinion, do firms pay sufficient attention to due diligence at the outset of a new business relationship?

Anjum: Many business leaders have learned the hard way that new partnerships require more than just handshakes, optimism and a basic level of fact-checking. To be protected, an organisation should engage an expert due diligence firm before undertaking any merger, acquisition, partnership or other third-party engagement.

Some of the risks of inadequate due diligence include merging with an international business embroiled in several behind-the-scenes legal battles, discovering your new partner is a credit risk, has claimed bankruptcy or is faced with debtor filings, learning that your new overseas contractor has none of the industry experience it claimed, affiliating with a partner that is rife with conflicts of interests and, worst of all, having your own organisation’s reputation damaged or destroyed through the actions of a third-party.

Q. What advice can you offer to companies on implementing and maintaining a robust fraud and corruption risk management process, with appropriate internal controls?

Anjum: No matter your location, industry or the size of your organisation, having a fraud and corruption risk management process is a must.

Step one is to establish a zero-tolerance stance against fraud. This is done by communicating the right ‘tone at the top’ across the entire organisation, spelling out the leadership’s stance against corruption. An ethical code of conduct should be adopted and signed by all employees from top to bottom, and the organisation’s hiring policies should include thorough pre-and-post employment background screenings.

The organisation should engage in ISO 37001 certification to ensure that employees are trained to recognise and report bribery and other types of fraud, and that proper controls and compliance procedures are in place to limit the company’s exposure and risk. Finally, the company should conduct regular audits, and encourage whistleblowing through an anonymous reporting system.

At CRI® Group we use our extensive knowledge and expertise in creating stable and secure networks across challenging global markets. For organisations needing large project management, security, safeguard testing and real time compliance applications, CRI® Group is the assurance expert of choice for industry professionals.

Speak up – report any illegal, unethical, or improper behaviour

If you find yourself in an ethical dilemma or suspect inappropriate or illegal conduct, and you feel uncomfortable reporting through normal channels of communication, or wish to raise the issue anonymously, use CRI® Group’s Compliance Hotline. The Compliance Hotline is a secure and confidential reporting channel managed by an independent provider. When reporting a concern in good faith, you will be protected by CRI® Group’s Non-Retaliation Policy.


Contact CRI® Group to learn more about its 3PRM-Certified™ third-party risk management strategy program and discover an effective and proactive approach to mitigating the risks associated with corruption, bribery, financial crimes and other dangerous risks posed by third-party partnerships.


FAQ: Employment Screening

Want to know what red flags are most often found on résumés and employment applications? CRI® Group’s EmploySmart™ experts provided some statistics on their latest pre-and post-employment screening engagements, giving insights into where companies are most vulnerable in the hiring process. The operations team found that providing incorrect employment details is the most common red flag, as it was uncovered in about 4.5 per cent of background screenings. This is followed by providing incorrect education degree details and having adverse media (unfavourable news or online mentions), both at 2.33 per cent.

Most employers would probably say that when it comes to educational background, the only thing worse than providing incorrect degree information would be outright claiming a fake degree – which occurred in nearly 2 per cent of cases. Other red flags included:

  • Having a criminal record (1.5 per cent).
  • A civil litigation record (1.27 per cent).
  • Providing a fake address (also 1.27 per cent).

To round out the findings, the operations team found bankruptcy records, fake certificates and negative references among 0.85 per cent of those screened.

Get answers to frequently asked questions about background checks/screening cost, guidelines, check references etc. This eBook is a compilation of all of the background screening related questions you ever needed answers to:

  • Does a candidate have to consent to process a background check/screening?
  • How long does it take to conduct a background check?
  • When should I conduct pre-employment checks?
  • How often should I screen employees?
  • How to collect references, and what to ask?
  • How much does it cost to conduct background checks?
  • What is the difference between employment history verification and employment reference?
  • How do I check on entitlement to work?
  • How to conduct identity checks?
  • What will a financial regulatory check show?
  • Is it possible to identify conflict of interest during checks?
  • What is a bankruptcy check?
  • What about directorships and shareholding search?
  • Can I have access to a criminal watch list?
  • Anti-money laundering check?
  • Can we conduct FACIS (fraud and abuse control information system) searches?
  • … and MORE!

Taken as a whole, it is the perfect primer for any HR professional, business leader and company looking to avoid employee background screening risks. It provides the tools and knowledge needed to make the right decisions.
