Appointment of Data Protection Officer under GDPR
There is a growing misconception surrounding the need to appoint a Data Protection Officer (DPO) under GDPR, which is effective on 25th May 2018. The role of the DPO is critical for correct implementation of the newly drafted regulation. With this in mind, an organisation needs to ask itself four main questions before appointing a DPO:
- Do they even need to appoint a DPO?
- Should they need a DPO anyway for safe measures of compliance?
- Can the role of DPO be outsourced?
- Will the DPO be personally liable?
- When should a DPO be appointed?
I will start by answering the first question. According to article 37(1), GDPR requires data controllers and processors to designate a DPO in any case where:
- The processing is carried out by a public authority or body;
- The ‘core activities’ of the controller/ processor consist of processing operations which ‘require regular and systematic monitoring of data subjects on a large scale’; or
- The core activities of the controller/ processor consist of processing on a large scale of ‘special categories of data’ or personal data relating to criminal convictions and offences.
As per the definition, private sector companies will not need to appoint a DPO. The majority of private companies do not engage in monitoring of personal data; therefore, in their course of administration, they will not need a DPO. For ready and seamless implementation of the three criteria stated above, the guidance of the Article 29 Working Party Guidelines on DPOs, issued in 2016 and then 2017, can be sought so that correct measures are taken.
The second question, whether a DPO is needed anyway as a safe measure of compliance, can be answered with reference to Article 37(5), which lays down the qualifications required for appointment as DPO and obliges an organisation to appoint someone who has adequate knowledge of data protection law and practices. Generally, there may be someone fulfilling the role of DPO anyway, who will be required to meet the standard under GDPR for compliance under Article 5(2). The Guidelines also suggest that the knowledge must be commensurate with experience, complexity and sensitivity of data, with expertise in European data protection laws and in-depth GDPR knowledge.
It is important to note that the actual role of the DPO differs from that of a normal employee or contractor, in that DPOs are independent, not bound by the administration, and operate freely of their own will. This means that they cannot be assigned or instructed to do tasks by the CEO or the central administration. Impartiality needs to be maintained separately from the organisation so that there is no corruption or bias in the compliance structure when adhering to the GDPR. In line with this, the DPO’s employment status is protected under Article 38(3) of the GDPR, which means they cannot be dismissed or sanctioned by the organisation for performing or not performing tasks. Therefore, the appointment of a DPO will be a critical juncture in the implementation of GDPR, as it will determine the future of the compliance standards set and met in the organisation.
Can the role of DPO be outsourced? This is answered under Article 37(6) of the GDPR, which makes it clear that the DPO can be an employee or a contractor. Given the concerns and apprehensions raised in the above paragraph, many experts in the field of compliance are of the opinion that the role needs to be outsourced rather than kept in-house. However, there is no straightforward answer; it depends on the requirements and load of the organisation’s compliance setup. As per the regulation, the DPO needs to be involved in a “proper and timely manner, in all issues which relate to the protection of personal data”. The Guidelines state that controllers and processors must develop data processing guidelines or programmes that set out when the DPO can be consulted. If this method is followed, organisations can perform much more productively and meet their compliance goals.
Is the DPO personally liable? The Working Party Guidelines state that the DPO will not be personally liable in case of noncompliance with GDPR. However, the GDPR text itself is silent on the issue of liability. DPOs will need to be cautious regardless.
Organisations need to decide on the appointment of the DPO and who will be the best one for their needs. For this they must conduct background screening through tools such as EmploySmart™ and finalise a candidate fit for this role, so that it sits well with the newly identified governance structure of the organisation. Using appropriate background checks will ensure that the Data Protection Officer’s skills are identified before the finalisation of the job. Ultimately, what is a better fit for the business will be determined by the decision-making heads of the organisation, as time is running short. Consensus on the DPO is the need of the hour.
Who is CRI Group?
Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.
In 2016, CRI Group launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.
Mexico’s Government Is Blocking Anti-Corruption
While many countries and their leaders are making strides against fraud and corruption, some national governments can’t seem to get out of their own way. Such appears to be the case right now in Mexico, where the Mexican government is accused of blocking its own anti-corruption initiatives that were launched earlier this year.
According to an article in The New York Times, “Mexico’s Government Is Blocking Its Own Anti-Corruption Drive, Commissioners Say,” members of a commission put in charge of the anti-corruption effort allege that their efforts to investigate various scandals are being thwarted by the government. As the article reports:
Marred by scandals that have embroiled his administration, his allies and even his own family, Mr. Peña Nieto agreed to the creation of a broad anti-corruption system last year that was enshrined in the Constitution, a watershed moment in Mexico.
But after nine months of pushing to examine the kind of corruption that ignited public outrage and brought the new watchdog into existence, some of its most prominent members say they have been stymied every step of the way, unable to make the most basic headway.
At least one of the commissioners quoted in the article is entirely frank as to why they think the government is throwing up road blocks. And it’s more insidious than run-of-the-mill bureaucratic stalling.
“They are panicked that maybe we will go too hard and unravel something, find individuals responsible for corrupt acts,” José Octavio López said. He worked in the administration the last time Mr. Peña Nieto’s party held the presidency, in the 1990s, and is now part of the new National Anti-Corruption System.
“They are used to appointing someone they control,” Mr. López said of the government. But when officials learned that he and others on the new commission wanted to act with impartial independence, he added, “they didn’t like that.”
The fact is that corruption ranks among the worst problems around the world, affecting business, governments, economies and populations. Despite Mexico’s current problems, countries in all corners of the globe are enacting more stringent laws and regulations to try and stem the tide of criminal behavior and financial loss.
CRI Group’s experts have worked with clients at all stages of the process – from conducting due diligence and putting controls in place to protect against fraud and meet compliance requirements, to being called in after the fact when fraud has already occurred. Any business leader will attest that the former is a much better situation than the latter. Trying to recover lost funds, repair a damaged reputation and rebuild a business that has been devastated by fraud is a long and uphill battle.
That’s why CRI Group is designed to help organisations be proactive in preventing and detecting fraud and corruption. In 2016, the company launched ABAC® Center of Excellence (ABACGroup.com) – an independent certification body established for ISO 37001:2016 ABMS. The Center provides ISO 37001 training, and its certification services are accredited by the Emirates International Accreditation Center (EIAC).
ABAC® Center of Excellence is made up of experienced experts that have tailored many of the world’s prominent standards, and our tutors will turn you into a professional in embedding them to boost your company to its peak performance. At ABAC® CoE, we provide training to constantly enhance your knowledge and task your agents to improve further in the following subjects:
- ISO 37001:2016 Anti-Bribery Management System Certification
- ISO 31000:2009 Risk Management Standard
- ISO 19600:2014 Compliance Management System (CMS) Standard
- ISO 37001:2016 Lead Auditor Training
- ISO 37001:2016 Internal Auditor Training
- ISO 37001:2016 Introductory Course
At ABAC Center of Excellence, we are immensely committed to the highest ethical standards. Our goal is to enact excellence as a convention for companies worldwide. Corruption and fraud aren’t going to go away. And in spite of setbacks in Mexico and some other countries, new rules and regulations are being enforced every day around the world requiring that companies demonstrate integrity, ethical behavior and compliance.
ISO 37001:2016 Anti-Bribery Management System certification is offered under CRI Group’s ABAC® Centre of Excellence, an independent certification body established for Anti-Bribery Management System training and certification, ISO 37301 Compliance Management Systems and Risk Management System certification. The program will be tailored to your organisation’s needs and requirements. For assistance in developing and implementing a fraud prevention strategy, contact ABAC today or get a FREE QUOTE now!
Rio de Janeiro law demonstrates
The time is quickly coming to an end when companies could expect to be successful in business without having a strong emphasis on compliance and ethics. The latest evidence of that is the fact that in Brazil, which has been stricken with high-profile fraud scandals in recent years, a new rule requires any companies doing business with the state of Rio de Janeiro to implement an integrity program.
This goes a clear step further than broader regulations that require compliance programs as a factor of consideration. The Rio de Janeiro law mandates that companies have such programs in place if they contract with the state, or face legal consequences.
According to an article at Global Compliance News, “Brazil: New mandatory compliance programs between companies and Rio de Janeiro State,” the new measure has the following aims:
The law sets forth that its goal is to protect the public administration from irregularities, guarantee that the contracts are executed in compliance with the applicable laws, minimise risks, bring more transparency to contracts and improve the quality of contractual relations.
The law follows the Brazilian Anti-Bribery Law, and “mandates the existence of a compliance program in companies which enter into contracts, partnerships, concessions, or public-private partnerships, with the public administration of the state of Rio de Janeiro, in amounts higher than the legal threshold for the public tender category of competitive tender …” It applies to the following:
- Business organisations and sole proprietorships, incorporated or not, regardless of the type of organisation or the corporate model adopted.
- Foundations, associations of entities or persons.
- Foreign companies with headquarters, branch or representation in the Brazilian territory, incorporated legally or not, even if temporarily.
There is no reason to think that the State of Rio de Janeiro will be the last to institute a strict law of this nature. That is just one of the reasons why CRI Group is helping organisations around the world develop and enhance their own compliance and due diligence programs.
Our CRI Certification program provides certification and continuous training to constantly enhance your knowledge and expand your employees’ skills and understanding of third-party risk management, compliance, anti-bribery and anti-corruption methods and best practices, and helps you stay in compliance with international laws and regulations, as well as local rules such as Rio de Janeiro’s mandatory compliance requirement.
Accredited certification and training
CRI’s Certification body, ABAC Center of Excellence, provides certification and training to businesses seeking to validate or expand their existing compliance frameworks by implementing the latest in best practice due diligence processes and procedures necessary for pursuing and maintaining global third-party affiliations.
- ISO 37001:2016 Anti-Bribery Management System Certification
- ISO 31000:2009 Risk Management Standard
- ISO 19600:2014 Compliance Management Standard
ISO 37001 Training options
The ABAC Center of Excellence is made up of experienced experts that have tailored many of the world’s prominent standards, and our tutors will turn you into a professional in embedding them to boost your company to its peak performance. At ABAC Center of Excellence, we provide training to constantly enhance your knowledge and task your agents to improve further in the following subjects:
- ISO 37001:2016 Lead Auditor Training
- ISO 37001:2016 Internal Auditor Training
- ISO 37001:2016 Introductory Course
- ISO 37001:2016 Impact on Business
ISO 37001 Benefits to You
- Provides training with cutting-edge methods and best practices for your team
- Curriculum is tailored to your organisation’s needs, and on your schedule
- Increases your organisation’s reputation and transparency among stakeholders and partners
Be proactive in keeping your organisation ahead of the curve with new laws and regulations everywhere – and anywhere – you conduct business. Contact ABAC Center of Excellence today and learn how we can help.
FCPA Corporate Enforcement Policy is out
On November 29, 2017, Deputy Attorney General Rod Rosenstein announced the implementation of the FCPA Corporate Enforcement Policy (“Enforcement Policy”), which endeavours to further encourage voluntary disclosure of FCPA violations by companies. The Enforcement Policy seeks to clarify certain aspects of the FCPA Pilot Program launched by the Fraud Section in April 2016 and removes its “pilot” status by incorporating the general framework for credit for voluntary disclosure of FCPA violations into the United States Attorney’s Manual (USAM). For more information, please read the USAM insert below:
9-47.120 – FCPA Corporate Enforcement Policy
I. Credit for Voluntary Self-Disclosure, Full Cooperation, and Timely and Appropriate Remediation in FCPA Matters
Due to the unique issues presented in FCPA matters, including their inherently international character and other factors, the FCPA Corporate Enforcement Policy is aimed at providing additional benefits to companies based on their corporate behaviour once they learn of misconduct. When a company has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth below, there will be a presumption that the company will receive a declination absent aggravating circumstances involving the seriousness of the offence or the nature of the offender. Aggravating circumstances that may warrant a criminal resolution include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.
If a criminal resolution is warranted for a company that has voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated, the Fraud Section:
- Will accord, or recommend to a sentencing court, a 50% reduction off of the low end of the U.S. Sentencing Guidelines (U.S.S.G.) fine range, except in the case of a criminal recidivist; and
- Generally will not require appointment of a monitor if a company has, at the time of resolution, implemented an effective compliance program.
To qualify for the FCPA Corporate Enforcement Policy, the company is required to pay all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue.
II. Limited Credit for Full Cooperation and Timely and Appropriate Remediation in FCPA Matters Without Voluntary Self-Disclosure
If a company did not voluntarily disclose its misconduct to the Department of Justice (the Department) in accordance with the standards set forth above, but later fully cooperated and timely and appropriately remediated in accordance with the standards set forth above, the company will receive, or the Department will recommend to a sentencing court, up to a 25% reduction off of the low end of the U.S.S.G. fine range.
III. Definitions
a. Voluntary Self-Disclosure in FCPA Matters
In evaluating self-disclosure, the Department will make a careful assessment of the circumstances of the disclosure. The Department will require the following items for a company to receive credit for voluntary self-disclosure of wrongdoing:
- The voluntary disclosure qualifies under U.S.S.G. § 8C2.5(g)(1) as occurring “prior to an imminent threat of disclosure or government investigation”;
- The company discloses the conduct to the Department “within a reasonably prompt time after becoming aware of the offence,” with the burden being on the company to demonstrate timeliness; and
- The company discloses all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law.
b. Full Cooperation in FCPA Matters
In addition to the provisions contained in the Principles of Federal Prosecution of Business Organizations, see USAM 9-28.000, the following items will be required for a company to receive credit for full cooperation for purposes of USAM 9-47-120(1) (beyond the credit available under the U.S.S.G.):
- As set forth in USAM § 9-28.720, disclosure on a timely basis of all facts relevant to the wrongdoing at issue, including: all relevant facts gathered during a company’s independent investigation; attribution of facts to specific sources where such attribution does not violate the attorney-client privilege, rather than a general narrative of the facts; timely updates on a company’s internal investigation, including but not limited to rolling disclosures of information; all facts related to involvement in the criminal activity by the company’s officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by all third-party companies (including their officers, employees, or agents);
- Proactive cooperation, rather than reactive; that is, the company must timely disclose facts that are relevant to the investigation, even when not specifically asked to do so, and, where the company is or should be aware of opportunities for the Department to obtain relevant evidence not in the company’s possession and not otherwise known to the Department, it must identify those opportunities to the Department;
- Timely preservation, collection, and disclosure of relevant documents and information relating to their provenance, including (a) disclosure of overseas documents, the locations in which such documents were found, and who found the documents, (b) facilitation of third-party production of documents, and (c) where requested and appropriate, provision of translations of relevant documents in foreign languages;
Note: Where a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents;
- Where requested, de-confliction of witness interviews and other investigative steps that a company intends to take as part of its internal investigation with steps that the Department intends to take as part of its investigation; and
- Where requested, making available for interviews by the Department those company officers and employees who possess relevant information; this includes, where appropriate and possible, officers, employees, and agents located overseas as well as former officers and employees (subject to the individuals’ Fifth Amendment rights), and, where possible, the facilitation of third-party production of witnesses.
c. Timely and Appropriate Remediation in FCPA Matters
The following items will be required for a company to receive full credit for timely and appropriate remediation for purposes of USAM 9-47-120(1) (beyond the credit available under the U.S.S.G.):
- Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;
- Implementation of an effective compliance and ethics program, the criteria for which will be periodically updated and which may vary based on the size and resources of the organisation, but may include:
  - The company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
  - The resources the company has dedicated to compliance;
  - The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  - The authority and independence of the compliance function and the availability of compliance expertise to the board;
  - The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment;
  - The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors;
  - The auditing of the compliance program to assure its effectiveness; and
  - The reporting structure of any compliance personnel employed or contracted by the company.
- Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred;
- Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications; and
- Any additional steps that demonstrate recognition of the seriousness of the company’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.
IV. Comment
Cooperation Credit: Cooperation comes in many forms. Once the threshold requirements set out at USAM § 9-28.700 have been met, the Department will assess the scope, quantity, quality, and timing of cooperation based on the circumstances of each case when assessing how to evaluate a company’s cooperation under the FCPA Corporate Enforcement Policy.
“De-confliction” is one factor that the Department may consider in determining the credit that a company will receive for cooperation. The Department’s requests to defer investigative steps, such as the interview of company employees or third parties, will be made for a limited period of time and will be narrowly tailored to a legitimate investigative purpose (e.g., to prevent the impeding of a specified aspect of the Department’s investigation). Once the justification dissipates, the Department will notify the company that the Department is lifting its request.
Where a company asserts that its financial condition impairs its ability to cooperate more fully, the company will bear the burden to provide factual support for such an assertion. The Department will closely evaluate the validity of any such claim and will take the impediment into consideration in assessing whether the company has fully cooperated.
As set forth in USAM 9-28.720, eligibility for full cooperation credit is not predicated upon waiver of the attorney-client privilege or work product protection, and none of the requirements above require such waiver. Nothing herein alters that policy, which remains in full force and effect. Furthermore, not all companies will satisfy all the components of full cooperation for purposes of USAM 9-47.120(2) and (3)(b), either because they decide to cooperate only later in an investigation or they timely decide to cooperate but fail to meet all of the criteria listed above. In general, such companies will be eligible for some cooperation credit if they meet the criteria of USAM § 9-28.700, but the credit generally will be markedly less than for full cooperation, depending on the extent to which the cooperation was lacking.
Remediation: In order for a company to receive full credit for remediation and avail itself of the benefits of the FCPA Corporate Enforcement Policy, the company must have effectively remediated at the time of the resolution.
The requirement that a company pay all disgorgement, forfeiture, and/or restitution resulting from the misconduct at issue may be satisfied by a parallel resolution with a relevant regulator (e.g., the United States Securities and Exchange Commission).
Public Release: A declination pursuant to the FCPA Corporate Enforcement Policy is a case that would have been prosecuted or criminally resolved except for the company’s voluntary disclosure, full cooperation, remediation, and payment of disgorgement, forfeiture, and/or restitution. If a case would have been declined in the absence of such circumstances, it is not a declination pursuant to this Policy. Declinations awarded under the FCPA Corporate Enforcement Policy will be made public.
Source: https://www.justice.gov/
Saudi Arabia corruption sweep signals a major shift
The news broke across Saudi Arabia and the world like a bombshell: a wide-ranging corruption sweep across the country had netted 11 princes, four sitting cabinet members and a dozen former government ministers. Those detained included billionaire Saudi Prince Alwaleed Bin Talal.
Within days, the surprise action was being hailed as a possible “sea change” in the Middle East and beyond, signalling that an entire country had grown fed up with fraud and unethical conduct and suggesting the possibility that others might do the same.
A cost of doing business?
In many countries, bribes, collusion, backdoor deals and other forms of corruption are still considered a part of “business-as-usual.” Many organisation leaders who condone or even play along with such conduct worry that the implementation of strong anti-corruption laws and reforms might have a chilling effect on business.
Saudi Arabia sees it the opposite. According to an article in the Middle East Monitor, “Saudi: Anti-corruption drive will help boost development”, the Saudi Cabinet says that cracking down on corruption “will boost sustainable development in the Kingdom.”
Anti-fraud experts agree. When laws are enforced as intended and corrupt behaviour is punished, business and competition are allowed to thrive in an economic system as intended. The only ones who lose are unethical business leaders who seek to bend the rules to gain an unfair advantage.
Paving the way for better business
According to a CNBC article, “Billionaire Saudi Prince Alwaleed Bin Talal arrested in corruption crackdown”, the crackdown was deemed necessary for the future of business in Saudi Arabia:
The anti-corruption sweep is taking place against a backdrop of reform in Saudi Arabia, and the impending launch of an initial public offering for state-owned oil giant Saudi Aramco next year. The IPO is expected to be the largest in history, and Aramco is widely expected to dual-list shares on an international exchange.
Saudi Arabia’s Finance Ministry, for its part, said Sunday that the kingdom’s decision to set up an anti-corruption committee and detain prominent figures enhanced confidence in the rule of law, Al Arabiya television reported.
The decisions preserve Saudi Arabia’s investment climate, the Saudi-owned television channel said.
The news from Saudi Arabia underscores how critical it is for any organisation to get its integrity due diligence and compliance measures in proper order and create a zero-tolerance environment for corruption and fraud. A proactive way to do that is to engage CRI Certification, a special program administered by CRI Group and its ABAC Center of Excellence.
ISO 37001:2016 for your organisation
CRI Certification’s ISO 37001:2016 certifies that your organisation has implemented reasonable and proportionate measures to prevent bribery. These measures involve top-level leadership, training, bribery risk assessment, third-party risk management, integrity due diligence, financial and commercial controls, reporting, audit and investigation.
The 3PRM-Qualified™ training and 3PRM-Certified™ certification process for ISO 37001:2016 helps your company address bribery in all its forms, including:
- In the public, private and not-for-profit sectors
- By the organisation
- By the organisation’s personnel acting on the organisation’s behalf or for its benefit
- By the organisation’s business associates acting on the organisation’s behalf or for its benefit
- Of the organisation
- Of the organisation’s personnel in relation to the organisation’s activities
- Of the organisation’s business associates in relation to the organisation’s activities
- Direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party)
ISO 37001:2016 takes into account a compendium of international best practices, enabling your organisation to apply and implement uniform anti-bribery measures irrespective of the various countries in which it operates.
Contact CRI Group and learn more about how ABAC Certification can help your company today.
Who is CRI Group?
Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.
In 2016, CRI Group launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.
Data breach is a security disaster
The latest massive data breach might be the most serious yet. Equifax Inc, a U.S.-based consumer credit reporting agency, announced this month that it had fallen victim to a cybersecurity breach that exposed the personal data of more than 143 million consumers.
The stunning revelation has caused enormous concern across the U.S. and the world. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. To make things worse, it collects more than enough data to make identity thieves salivate: Equifax has personal data from consumers that includes full names, Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers.
The implications go beyond the 143 million people who must now closely monitor their credit indefinitely for any signs of identity theft. The breach also has possible criminal ramifications, as USA Today reports that some executives at the company are being investigated for allegedly unloading stock before the breach was announced (see “Feds reportedly investigate Equifax executives’ stock sales”).
How can this happen? How can a company responsible for safeguarding the most critical personal information imaginable find itself admitting to such a massive security failure? Unfortunately, it’s not uncommon for organisations to fall victim to those who would steal data. While it may be on a smaller scale than Equifax, it happens around the world regularly.
That is why CRI® Group has a team of trained corporate security & resilience experts who are focused on protecting such valuable information on every level. After all, it’s too late after a breach has occurred. An organisation can face criminal and civil penalties, not to mention the loss of trust and reputation among all of its stakeholders. A data breach tells consumers that you cannot protect their data and thus are not to be trusted with their business.
CRI® Group’s corporate due diligence services experts ask the hard questions, especially for any organisation conducting business on a global level. For example:
How do you manage the risks to digital and physical assets? CRI® Group can put measures in place that provide layers of cybersecurity resilience to thwart hackers and those trying to steal your data.
How quickly can we respond to a serious business crisis? CRI® Group’s corporate due diligence services can help you detect breach attempts before they succeed and have a chance to damage your business.
Can the organisation rely on our third-party business partners to maintain appropriate levels of control? One of your biggest risks is what happens outside of your organisation. Our third party risk management and due diligence services can help detect weaknesses among your partners and alert you to risk areas.
The team at CRI® Group can help you road map these risks and have sufficient action plans to deal with unforeseen threats to your business. Some risk factors cannot be completely avoided. But with the proper response plans in place, we can help bolster your corporate security and resilience and help you protect your stakeholders’ valuable data.
AML and Pakistan compliance failures
Pakistan’s biggest lender, Habib Bank Ltd, faces compliance failures. Habib Bank is in trouble with the New York State Department of Financial Services (DFS). The DFS is the governing body that regulates financial services and products (including those subject to the New York insurance, banking and financial services laws). According to media reports, the DFS is seeking to impose a fine of up to $630 million for “grave” compliance failures. The accusation relates to anti-money laundering rules and sanctions at Habib Bank’s single U.S. branch.
A Reuters article from August 28 reports that such a penalty would be “the largest-ever faced by a Pakistani financial institution.” The DFS said in a filing that HBL’s compliance was “dangerously weak” and that “serious and persistent” failings found at its New York branch appeared to affect the entire Habib banking enterprise, posing “grave risks” to the banking system.
In response, HBL said that it would fight the DFS over the proposed fine.
Nausheen Ahmad, the bank’s company secretary, said in a statement on Monday that DFS did not recognise “the significant progress that HBL has made at its branch in New York” and that the bank would vigorously contest the proposed fine in U.S. courts.
Anti-money laundering (AML) efforts by the DFS and other regulatory bodies worldwide are serious business. Multinational organisations, and especially financial institutions, must employ the toughest AML compliance controls and standards to avoid the risk of even appearing to run afoul of AML laws.
That’s why CRI® Group advises clients to have robust AML controls in place, especially when dealing in business overseas and entering into any new partnerships or mergers.
To have insufficient controls and be charged with engaging in money laundering can have any of the following negative consequences:
- Damaged corporate reputations and brand devaluation
- Eroding employee morale
- Potential consumer boycotts
- Negative investor perceptions
- Possible legal action
- Fines and potential jail terms for directors
CRI® Group’s Investigative Due Diligence services provide the specialised intelligence needed by global financial institutions and multinational corporations to guarantee complete compliance with anti-money laundering (AML) regulations and legislation involving trans-national implications.
Contact CRI® Group today and learn more about how your organisation can remain in full compliance with all applicable AML laws and regulations, giving you, your partners and your clients the confidence of knowing that the organisation, and its reputation, are protected from the negative consequences of money laundering.
Investigation reveals employee embezzlement
What does an embezzler spend their money on? In the case of a New York man’s alleged fraud, just about everything, apparently. A recent investigation reveals a comptroller’s spending spree. Recent news articles report that Mark Cina, a comptroller at two companies in Poughkeepsie, New York, is accused of embezzling $2.5 million over six years (2009-2015). In case you are wondering if he stashed the money away somewhere for safekeeping, the answer would seem to be no, according to the feds.
Instead, he spent it gambling, paying his rent, dining out and plenty of other expenses. In fact, the Poughkeepsie Journal provides an extended list of alleged expenses in an article published Saturday, “Feds: Dutchess man embezzled millions, spent $457,000 at mini-mart.” Here’s the eye-opening laundry list:
- $457,000 at a mini-mart
- $180,000 at a gas station
- $25,000 for rent
- $125,000 for personal credit card bills
- $599,000 in non-payroll checks, payable to Cina
- $282,000 in checks payable to cash
- $825,000 in cash withdrawals
As if that’s not enough, the Journal adds: “Cina also allegedly spent money at pharmacies, medical and dental facilities and a rental car company.” Cina is being investigated by the U.S. Postal Inspection Service, Internal Revenue Service and Dutchess County District Attorney’s Office. He could face up to 20 years in prison if convicted.
How can this happen? Aside from the staggering amount of the fraud, it’s important to know that employee embezzlement is not rare. Anyone with opportunity and access to an organisation’s funds could potentially steal – sometimes over and over again, for years. It’s often a matter of a trusted employee having too much control over the organisation’s finances, with no checks on that control and no proper fraud prevention measures in place.
At CRI Group, we know that fraudsters, cyber attacks, third-party risks, disrupted supply chains and other unforeseen, uncontrollable factors can pose serious harm to your business and cause major concern. Today, smart business owners and executives are asking hard questions, especially before conducting business on a global level:
- How do we manage the risks to digital and physical assets?
- Does the organisation have the appropriate controls and contingency plans in place to protect our business?
- How quickly can we respond to a serious business crisis?
- Can the organisation rely on our third-party business partners to maintain appropriate levels of control?
The team at CRI Group can help you road map these risks and have sufficient action plans in place to deal with unforeseen threats to your business. Some risk factors cannot be completely avoided. But with the proper response plans in place, we can help bolster your corporate security and resilience, ensuring that your company will overcome such challenges and protect your future success.
Don’t let your organisation become a cash cow for someone else’s gambling expenses, dinner tabs or rent payments. CRI Group’s experts are trained to work with your organisation to find vulnerabilities to fraud, and eliminate or mitigate your risk factors.
Following a thorough fraud risk assessment, we tailor a fraud prevention strategy that’s the perfect fit for your organisation to detect and prevent fraud and corruption. With the proper controls in place, you can avoid unforeseen crises like the one in Poughkeepsie, New York.
COVID-19: 5 ways it is changing business
COVID-19 has significantly changed the business landscape. With budgets slashed, events cancelled, and consumer behavior shifting, businesses are having to change too. PwC’s 2020 Global Consumer Insights survey shows a shift in consumers’ priorities, with 69% saying that they care more about their mental health and physical fitness and 63% wanting to eat healthier as a direct result of the COVID-19 pandemic. Filip Lozie, Partner at PwC Belgium, says: “While certain trends have been on the upswing for quite some time, our research shows that the pandemic has sharpened consumers’ desire for transparency, sustainability and convenience. Consumers now expect their health and safety to be prioritized. In our 11 years of surveying consumers around the globe, we have never documented such a clear convergence of themes around transparency, sustainability, and social consciousness. At such a pivotal moment, the need for consumer-facing companies to establish trust with potential customers could not be any clearer.”
Here are six ways COVID-19 is changing business as we know it.
- New ways of working
More than 1.54 million people are currently working from home (WFH). With 60% of the UK’s adult population WFH during the lockdown, each of these workers will save £44.78 (on average) by cutting out things like commuting and buying lunch out. Adding to this, many people are also currently working on reduced pay or furloughed. This period has given people the opportunity to reflect and assess their priorities and old habits. With 92% of workers believing that they are well equipped to WFH and four in 10 London buyers already considering moving to the countryside, employees are sold on the benefits of WFH.
With two-thirds of employers reporting increased productivity for remote workers compared to in-office workers, businesses are also discovering the benefits of a remote and flexible workforce. From a recruitment perspective, being able to offer a flexible working culture will become a crucial factor in hiring and keeping top talent, whilst from a revenue perspective, flexible working means less office space and more money saved. From a productivity perspective, with 83% of employees feeling that they do not need an office to be productive and 65% feeling more productive at home, businesses seem to be sold on WFH.
- Going digital
Being a digital-first brand isn’t a new concept, but with people no longer able to pop to the shops, it’s now critically important to any business. COVID-19 has automatically put digital-first businesses ahead of the competition. Since the COVID-19 pandemic, online purchases via smartphones have increased by 45%, and sales via laptop have increased by 41%, so being digital-first is key to getting people talking, reaching new audiences, and continuing to grow.
On top of their existing digital offerings, some brands are even taking a step further by creating immersive experiences, entirely online. From the National Theatre streaming live critically acclaimed performances to Joe Wicks’ PE workouts, even Carlsberg, Budweiser and Rémy Martin have partnered with e-commerce giant JD.com to provide online clubbing.
In fact, 86% of consumers say they’ve changed their behaviour as a direct result of Covid-19. Now that in-person events have been cancelled with no date set for their return, the only way businesses can survive is by taking a digital-first approach.
- Increased demand for direct-to-consumer brands
Over the past few years, Direct to Consumer (DTC) brands have exploded. Forbes reported in its 2019 article “DTC Brands Are Getting A Lot Of Attention And Growing Fast” that DTC advertising increased 50% in the past year. Cutting out the middleman empowers businesses to build stronger customer relationships by offering more competitive prices. DTC brands’ ability to adapt has seen them thrive during COVID-19.
While many traditional businesses are (still) struggling to manage the complexity of international supply chains, DTC brands have modified theirs to continue running smoothly. For example, Bloom & Wild stopped relying on growers from the continent and are now outsourcing entirely from the UK.
As more consumers discover the benefits of going direct, DTC brands from beauty to biotech will continue to gain prominence post-COVID-19. With time passing and brand loyalty sinking in, demand is likely to continue post-COVID-19. Retailers with extensive supply chains need to review and refine their models in order to compete both in today’s environment and post-COVID-19.
As Cheryl Calverley, chief marketing officer of e-commerce retailer Eve Sleep, told The Drum: “The reason we sell directly to consumers online is that it is the most efficient way, and it is never to be gimmicky. Brands that don’t do it properly will get found out.”
- Sustainable growth
With one third (36%) of worldwide consumers spending less because of the COVID-19 outbreak, many businesses have seen their budgets disappear, and they have had to rethink their strategies, including customer acquisition and retention. There’s more scrutiny than ever on ROI – for many businesses, untraceable campaigns are no longer viable options. Instead, brands are turning to less traditional but more measurably effective channels, such as referral programmes.
Prior to COVID-19, 44% of businesses focused primarily on new customer acquisition, despite it being five times more expensive than focusing on existing customers. The current climate is prompting more leaders to realise the untapped value of their existing customers. Businesses are focusing on brand-building and customer retention strategies that engage with happy existing customers for long-term results.
- Living brand values
Brands have got away with simply saying the right things. However, COVID-19 has changed what consumers expect. Companies that helped during the COVID-19 crisis are getting far more attention in the press and on social media than any clever or expensive business strategy stunt could achieve. Equally, those falling short are being called out – i.e. Virgin Atlantic and Victoria Beckham.
The importance of brand values is reiterated by how supportive the public has been towards local businesses. COVID-19 has shifted consumers’ loyalties towards supporting small businesses more than ever. Small acts such as ordering food from a family-run restaurant or following a Zoom workout from a local instructor have a lasting impact, and brands should quickly understand that if they want to succeed post-COVID-19.
In April, the importance of brand-building in the current climate was evident with an increase of almost 40% on spending at local off-licences, greengrocers and convenience stores.
Preparing for the times ahead
It takes 21 days to form a habit, and after six months of COVID-19 lockdowns, quarantines and self-isolations, consumer buying habits are certainly different from where they were before the pandemic hit. COVID-19 has forced businesses to rethink their offerings, strategies and brand. As we emerge from this crisis, effective long-term strategies will be key to any business’s success in the post-COVID-19 competitive landscape. With most companies believing they could be ready to restart business as normal with just three weeks’ notice, the key to success is to reactivate their customer acquisition and retention strategies now.
European regulators face-off with Facebook
Facebook is discovering, along with other companies, that Europe is serious about data protection and privacy rules. The massive social media corporation is being fined by France, and is under investigation in several other European countries, for how it handles individuals’ information.
At the heart of the issue is how it tracks both users and non-users, and how it uses data for advertising purposes. According to an article in the Guardian, “Facebook facing privacy actions across Europe as France fines firm €150k,” the company is being investigated in Belgium, the Netherlands, Germany and Spain. It stands to reason that additional probes could be on the way.
Facebook is arguing that the Irish data protection authority should be the superseding authority since the company’s European headquarters are located in Dublin. This defence is not likely to fly among regulators in various EU countries that are enacting stricter data and privacy protections on behalf of their citizens.
Data protection and information security are a huge issue right now in Europe and around the world. Major breaches have caused loss of trust and subsequent financial loss among large corporations. The failure to protect consumers’ data can cause serious reputational harm to any company, not to mention lead to legal liability and possible fines.
The Facebook case exemplifies another angle to the privacy issue: What happens when a company’s own policies run counter to what regulators have determined are fair and reasonable privacy protections? Essentially, investigators in France and elsewhere allege that Facebook’s practices exploit their own users’ information and violate their right to privacy.
As the Guardian article states:
From data privacy to heavy criticism over how the social network takes down objectionable and extremist content, Facebook has found itself in the centre of a EU-US storm that is likely to rage for the next few years.
The storm won’t settle down anytime soon. The fine in France is arguably just a pittance for a corporation like Facebook. But fines could increase dramatically if new legislation takes effect:
A new EU data protection law is set to enter into force in 2018 that could fine companies up to 4% of their global turnover. Countries including France also want to give domestic data regulators more teeth through increased maximum fines.
Companies of any size should pay attention, especially if they conduct business in Europe or across international borders in general. Data protection and privacy will continue to drive new debate and likely evolving rules on what is fair play, and what constitutes a violation.
There will also continue to be an intense focus on what companies are doing to protect their users’ information from security breaches. Experts at CRI Group can help any organisation evaluate their current system and help implement robust protections that meet compliance standards and instil confidence among their consumers. Customers expect the highest level of protection, and companies must deliver on that promise.
CONTACT US
Headquarter: +44 7588 454959
Local: +971 800 274552
Email: info@crigroup.com