SURVEY: RISK MANAGEMENT CONCERNS RISE AT PORTS AROUND THE WORLD

The deadly spread of COVID-19, and the economic and trade disruption the pandemic has caused, is prompting port managers to examine new ways to improve risk management and digital processes.

Those are the conclusions in the latest biennial global ports survey conducted by Remy InfoSource, which was established in 2001 in the Netherlands to provide artificial intelligence diagnostic solutions to the high-tech and transportation industries. The lifecycle contract management specialist is now based in Australia.

The “2020 iSpec Ports Industry Survey” was undertaken during the height of worldwide economic lockdowns in the second quarter of 2020 and on behalf of iSpec, the world’s leading web and mobile-based software procurement solution for buyers of capital intensive outsourced projects such as ports.

The survey revealed that 51 percent of port executive respondents now identify risk management as the key area they would like to improve on in the future, up from 32 percent in the previous iteration of the iSpec Ports Industry Survey in 2018. That year, the top two areas for improvements noted by ports and terminal executives were shorter lead times and more standardization.

“I think it’s no surprise that in such an uncertain world the importance of risk management has increased dramatically,” says Pieter Boshoff, CEO of Remy InfoSource. “Disruption to supply chains has increased across the globe causing operational and investment uncertainty and, with social distancing rules, also changing the way we all conduct our business.

“Managing that risk has become a major challenge at ports, particularly when it comes to managing outsourced equipment tender and procurement projects that are often complex in nature and frequently involve multiple vendors.”

Port operators represented 71 percent of the respondents to the 2020 iSpec Ports Industry Survey, up from 58 percent in 2018. More than two-thirds of respondents are responsible for the procurement of quay cranes, reach stackers and trailers.

Asked how the COVID-19 lockdown had affected the way ports were conducting business, 41 percent of global respondents said the pandemic had required a shift to more digital collaboration, 49 percent said more projects were now on hold, and 62 percent said they were now working from home more often.

The 2020 iSpec Ports Industry Survey also found that “quality” has become the leading reason for customer/supplier disputes. In the 2018 survey, “delays” was cited most often as the cause of customer/supplier disputes.

“No matter what the business, the spread of coronavirus has forced executives to find new ways of conducting business and for the most part this means turning to digital solutions,” Boshoff explained. “There is no doubt in my mind that this is a trend that will accelerate in the future. It is becoming abundantly clear that for many businesses there are benefits and efficiencies in the new online and outsourced methods they have developed during the pandemic. I think many of the work processes adopted during lockdowns, particularly around communication, will outlast the coronavirus crisis and become part of our normal way of working.”

SUPPLY CHAIN COMPLIANCE CHALLENGES AND SOLUTIONS

In the current trade atmosphere both domestic and international supply chain players have a myriad of concerns to consider while determining the next step in successful operations. Specifically, in 2020, these concerns have challenged shippers, carriers, manufacturers, distributors and other trade players to mitigate risk in new ways on an almost monthly basis.

The year kicked off with the highly anticipated IMO 2020 regulation disrupting ocean shippers and carriers. IMO 2020 left many scratching their heads and trying to figure out the best way to navigate compliance and the latest trade tariffs without halting operations. For the most part, shippers were prepared, and IMO 2020 wasn’t nearly as scary as doomsayers made it out to be. However, for those that waited until the last minute to implement the required changes, the transition brought compliance pains and costs that were avoidable.

Fast-forward to mid-January, and the appearance of the COVID-19 pandemic. Global trade and its supply chains were abruptly impacted, as the coronavirus started in China and eventually moved on to Italy, South Korea and other global markets. Businesses rapidly started temporarily shutting down amid a global panic. Supply and demand shifted while talk of force majeure slips—acknowledgements that contracts cannot be fulfilled due to unforeseen circumstances—shined a light of hope for the devastated Chinese suppliers. As of the second week in March, the National Trade Promotion System confirmed the issuance of more than 4,000 force majeure certificates as the U.S. prepared for the virus to disrupt domestic markets and business.

“The virus is the primary cause of the supply-chain impact but the secondary causes coming from the virus include financial, regulatory, compliance and legal,” explained David Shillingford with Resilience360 at the 2020 Modex conference. “One thing supply chains hate is variance, and there’s going to be a lot of variance and volatility on the demand side.”

So, what do these things have to do with compliance? The answer is all-encompassing. These and other disruptions will ultimately prove which players in the supply chain can stand the test of compliance and regulation risk mitigation and which ones are simply unprepared. For now, companies across the supply chain would be doing themselves a favor by reviewing regulations, disclosures and other compliance-related documentation and processes to ensure the highest level of compliance is achieved, if not already. As the National Law Review puts it in the article “Managing the Commercial Impact of the Coronavirus: An Effective Supply Chain Response Plan:”

Public companies should review and make accurate required disclosures, in the event that business operations are impacted such that a reporting requirement is triggered. All companies who are parties to credit agreements and other financing arrangements should review existing MAC clauses, and potential impacts on the borrower’s financial covenant compliance, in order to determine whether any proactive conversations with lenders may be warranted.

The takeaway is simple: Proactive measures should be in place among all links in the supply chain before, during and after major industry disruptions and changes in policy, regardless of the specific market operations. Factors including transparent communications, emergency planning and navigating an evergreen supply chain atmosphere can prevent costly fines and waste. Shifts in supply and demand are inevitable, and it’s not a matter of if regulations will need to be accounted for, it’s a matter of when. Don’t wait until your business is required to prove compliance. A global health crisis is just one of many situations in which noncompliant companies can create unneeded delays, or worse, if they are found to be noncompliant. Visibility is key, and it starts with your business knowing every moving part of the chain and your involvement in its success.

Visibility tools are every company’s best friend when it comes to compliance, providing a new level of security for both small and large-scale operations. Compliance issues come in many forms, from cyber risk and government sanctions to ethical trade practices and supporting sustainable practices and demand. More recently, global supply chains have been shaken by natural disasters and global health concerns. Whether the occurrence is natural or unnatural, there’s no reason to be unprepared when it comes to compliance and preparation. These are all issues that require accountability on the part of the partners involved. Ignorance is no excuse in the modern age, where technology advancements, procurement and systems of checks and balances are created at each point.

“Knowing who you’re doing business with and ensuring your supply chain is compliant isn’t just a necessity; it’s good for the bottom line,” states Hemanth Setty, senior product director, Supply Chain Management & Compliance Solutions at Dun & Bradstreet, in his blog “7 Steps to Supply Chain Compliance.” Setty dives into why and how companies are challenged with a new list of onlookers requiring compliance and an ongoing approach rather than quick fixes to placate regulators.

He notes that the modern supply chain player now has “investors, suppliers, partners, customers and the media” to satisfy when it comes to compliance. The solutions he presents put departmental collaboration and meeting customer expectations at the top. But before a company can meet expectations, it must understand exactly what is expected, and that requires transparency from the beginning and throughout the chain. This includes a pulse check on data to ensure it’s up to date, and preparing for the unexpected. Setty also advises that all corporate policies and procedures be understood across the board, to avoid inconsistencies when onboarding new vendors and adding to the business.

The subject of compliance doesn’t have to be messy. In fact, the solution to many compliance issues is clear. When compliance is a priority in business, all other parts of the chain follow suit. Keep communications open and well understood, keep ethics at the forefront of operations, and be mindful of the changing regulations and potential disruptors that can easily shake the bottom line. Understand what expectations are and how critical it is to meet them. Utilize technology to support large-scale supply chains and eliminate mistakes with updated data and processes.

State and Treasury Departments Designate 39 Entities under “Caesar Act” Syria Sanctions

New U.S. sanctions on Syria took effect on June 17, 2020, as a result of the “Caesar Syria Civilian Protection Act of 2019” (“Caesar Act”) that was signed into law on December 20, 2019, as part of the National Defense Authorization Act for Fiscal Year 2020. The Caesar Act is named after a Syrian photographer who documented abuses in the Assad regime’s prisons.

Pursuant to the Caesar Act and Executive Order 13894, the U.S. State and Treasury Departments announced 39 new additions to the Specially Designated Nationals and Blocked Persons List (the “SDN List”) maintained by the Treasury Department’s Office of Foreign Assets Control (“OFAC”). The Treasury and State Departments also promised that more SDN List designations will follow. The 39 designated entities include regime officials, members of the ruling Assad family, the Fourth Division of the Syrian Arab Army, and an Iran-sponsored militia. The new designations also include 20 private companies.

While most of the designated entities are holding companies based in Syria, several are based outside of Syria in Lebanon, Canada, and Austria. Although the U.S. has consistently imposed blocking sanctions to generally prohibit U.S. persons from transacting with Syria, the Caesar Act now imposes additional secondary sanctions which apply to foreign companies or individuals who “facilitate the Assad regime’s acquisition of goods, services, or technologies” that support regime military activities as well as Syria’s oil and gas industries. The Caesar Act also mandates sanctions on those profiting from reconstruction activities in government-controlled areas of Syria, according to the U.S. Department of State’s fact sheet on the matter.

We encourage clients and companies to familiarize themselves with the Caesar Act. Non-U.S. companies should be aware of this expansion of the State and Treasury Departments’ authority to impose U.S. secondary sanctions in transactions involving Syria.

____________________________________________________________

Grant Leach is an Omaha-based partner with the law firm Husch Blackwell LLP focusing on international trade, export controls, trade sanctions and anti-corruption compliance.

Camron Greer is an Assistant Trade Analyst in Husch Blackwell LLP’s Washington D.C. office.

B20 Saudi Arabia – Leadership in Challenging Times through Integrity and Compliance

As countries around the globe push to reopen in the face of the COVID-19 pandemic, the business community is struggling with the decision to relax compliance standards as a means to remain agile and navigate a pressing shortage of goods and services. Yet these times necessitate an even greater commitment to integrity.

B20 Saudi Arabia, the voice of the global business community to the G20, recognizes the ethical challenge posed by the COVID-19 health and economic crisis to both businesses and governments and has committed to addressing the issue of corruption by recognizing Integrity & Compliance as one of its key priority areas.

Corruption remains a significant risk for businesses across the world. The cost of corruption is estimated to be five percent of the annual global GDP, i.e. US$3.6 trillion, a price we cannot afford in these times. We have also seen corruption is a key barrier to achieving the UN Sustainable Development Goals (SDGs), such as the elimination of poverty and hunger, promoting a peaceful and inclusive society, improving education, quality of life, and the infrastructure of each state. The B20 Integrity & Compliance Taskforce’s work, therefore, aims to advance the global anti-corruption agenda, touching upon key relevant topics such as responsible business conduct, consumer protection, the fight against corruption, and other efforts at the foundation of a healthy business environment.

Recently I had the opportunity to interview Mathad Al-ajmi, Vice President and General Counsel at Saudi Telecom Company (stc) and Chair of the B20 Saudi Arabia Integrity & Compliance Taskforce. As a prominent attorney and business leader, Mr. Al-ajmi has been influential in the Pearl Initiative, a global coalition of business leaders from the Gulf Region aimed at fostering a corporate culture of accountability and transparency to ensure all applicable international laws and frameworks are upheld within Saudi Arabia, throughout the Middle East, and across the globe.

During my interview with Mr. Al-ajmi, he reinforced that integrity is not merely anti-bribery, but rather something much broader. He believes that to create an open, transparent and legitimate world economy, the members of the global marketplace must be in alignment with the terms and conditions of participating in that economy, both for developing and developed countries. The goal of the B20 Integrity & Compliance Taskforce is to ensure a robust compliance and controls program that is sustainable, globally successful across languages, and able to be implemented proactively.

Mr. Al-ajmi also spoke about how developing economies and micro, small and medium-sized enterprises (MSMEs) will bear the brunt of business loss from the pandemic, making it doubly important they are able to access monetary government support through legitimate channels. The most vulnerable populations, most often coming from developing markets, are those who are disproportionately impacted by corruption – corruption costs developing countries US$1.26 trillion every year and represents a major obstacle to investment, further negatively impacting economic growth and job prospects for these markets in the long term.

MSMEs, Mr. Al-ajmi noted, play a pivotal role in jump-starting the economy in that they account for more than half of most countries’ GDP and are responsible for almost seven in every 10 jobs. Often operating in difficult economic environments, MSMEs are highly vulnerable to corruption, although they may be less likely than large companies to be involved in large-scale influence-peddling scandals, which is why they are one of the B20’s cross-cutting focuses. Simultaneously, MSMEs typically lack the resources, knowledge, and experience to implement effective anti-corruption measures and conduct their business in compliance with international standards and the applicable international laws and frameworks, making their engagement a cornerstone of the B20’s Integrity & Compliance taskforce work.

The B20 will present its policy recommendations to the G20 during the B20 Summit scheduled for October in the form of policy papers to be drafted by each taskforce, including Integrity & Compliance. While the recommendations and priorities in those papers are not yet published, Mr. Al-ajmi outlined a number of key themes in our discussion that he and his task force feel are an integral part of supporting transparency in the global business community:

- Leveraging new technologies with regards to the management of corruption and fraud-related risks.

- Proposing an anti-corruption technology roadmap to both the private and public sector as a strategic vision by adopting technological solutions for identified risk areas.

- Developing digital identities and public national registers to reduce anonymity and increase both transparency and accountability of beneficial owners and third parties. The adoption of these solutions will further enable addressing the challenges of cross-border quality data sharing.

- Ensuring heightened integrity and transparency in public procurement through open bidding processes from multiple vendors, with specific certification criteria to ensure compliance with applicable international laws and frameworks.

- Collectively pursuing and legislating the implementation of responsible business on a global basis in each country, leveraging the applicable international laws and frameworks.

- Supporting code-of-conduct compliance programs to monitor capital spending as emerging market infrastructure projects continue.

- Continuing to align government officials with private industrial programs through compliant lobbying programs and monitoring.

- Protecting whistleblowers by adopting mechanisms and practices in line with leading global practices.

- Strengthening corporate governance in public and private sector companies, such as through yearly certifications for all employees to understand governance regulations.

- Widely and publicly prosecuting bribery to set examples.

- Partnering with and leveraging the expertise of global institutions to improve national anti-corruption plans.

- Actively empowering women across the supply chain by promoting their participation in a wide range of public, economic and political spheres in combating corruption.

As Mr. Al-ajmi reinforced to me, none of these efforts will succeed if we are not operating in a transparent, integrity-driven business environment. Ultimately, this is what the B20 hopes to accomplish through the work of this critical taskforce, ensuring integrity is part of the global business community and society writ large. I am confident the B20 and specifically its Integrity & Compliance Taskforce will have a positive influence on the G20 Summit and look forward to the release of the policy recommendations during the B20 Summit scheduled for October.

_________________________________________________________________

If you have any questions or would like help in the area of Compliance and Controls please do not hesitate to contact me at frank@ationadvisory.com or visit my website at www.ationadvisory.com

Frank and his team at Ation Advisory Group have successfully remediated clients following FCPA and British Anti-Bribery investigations. His team has implemented over 45 global FCPA Certification Programs and Compliance and Controls improvement projects, which prevented violations and improved goodwill and overall value for domestic and international organizations seeking to sell, partner in a JV, or obtain contracts or new business with government officials and private enterprise.

How the U.S. Supreme Court Wayfair Decision Affects Small Business

The Wayfair Case

In 1992, the Supreme Court, in a case referred to as “Quill,” ruled that the lack of substantial physical presence in a state is sufficient grounds to exempt a business from having to collect and remit sales or sellers use taxes to a state.

This precedent protected small businesses from “burdensome” administrative processes that would have interfered with and limited interstate commerce.

The “Quill” case ruling laid down the law that ruled our land until June 21st, 2018.

On that day, the current Supreme Court reversed the “Quill” decision in a new case referred to as Wayfair.

Economic Nexus

Economic nexus, as established in the Wayfair case, was defined as $100,000 in sales or 200 transactions per year shipped to South Dakota residents or companies, the threshold above which an out-of-state company becomes subject to sales and use tax collection.

In the 2018 Wayfair decision, the Supreme Court said states could require companies with an “economic nexus” to their state to collect sales and use taxes.

The potential to encumber small businesses who sell outside of their home state by forcing them to track and comply with a different set of sales tax laws for each state is a very real burden.

Non-compliance can result in penalties and back taxes.

Compliance

Without an automated solution, managing compliance could be a full-time job due to the complexities of state tax regulations.

This may include navigating 10,000-plus sales tax jurisdictions across the country, many of which are amorphous and do not conform to city or county boundaries, or zip codes.

Compliance may require using different tax bases (taxable product categories, i.e., clothing, food items, etc.) in each state (except for the SST member states who agree to standard taxability within their state).

Another obstacle can be figuring out all the arcane rules related to taxability of handling, shipping and certain product usage rules that also vary from state to state.

Learning to use each state’s portal to report and pay sales and use taxes (even as these are being changed to keep up with reporting changes) could prove to be challenging.

Compliance could require monitoring sales tax changes across the same 10,000-plus jurisdictions and tracking their own sales dollars and transaction counts by state.

Tracking each state’s rules on how soon a business must begin collecting sales and use tax after hitting that state’s threshold amount (believe it or not, at least one state expects tax on the first transaction after the threshold is reached) adds even more complexity.

Resellers & Exemption Certificates

I’ll share a story that I recently heard from a former state sales tax auditor.

He found that many distributors do not do a good job of administering the resale exemption certificates issued by the state that the reseller’s customers reside in.

And if that certificate was not properly filled out and signed, he would then disallow the exemption and all that revenue would be declared taxable.

In addition, penalties and interest would be added on top of the uncollected tax.

Since every state has its own forms for resale certificates and its own rules for renewal of certificates (or not), administration is not a small task. Unfortunately, it is a task that is sometimes not given the importance it deserves until an audit is imminent.

You Have Options

It would be much better to prepare before the states start their hunt for revenue so you can formulate a plan, rather than wait.

We suggest, first and foremost, that if you get a letter from another state asking you to provide information, you call your lawyer and your sales-tax-specialist accountant immediately, and discuss your situation and your options before you provide any information.

In addition to planning to handle these new requirements, we encourage small business owners to build their infrastructure and prepare their data so that they can handle this.

___________________________________________________________

John Miller is President of Passport Software, Inc., a leading provider of accounting, manufacturing, distribution and business software solutions for small to medium-sized businesses. Founded in 1983, Passport Software’s goal is to help clients with the effective use of technology in order to focus on profitability and improving their business processes.

This article was originally published in smallbizclub.com. Republished with permission.

The Human Factor of the Novel Coronavirus (COVID-19) and Corruption

With the explosive spread of Coronavirus (COVID-19), hospitals, healthcare providers and all citizens are finding a shortage of goods and services, and employees are under increased pressure to preserve and excel in their current roles.

Unfortunately, in this time of crisis corruption is thriving and some aim to profit from others’ misfortune and push companies to the brink to maintain profits.

Around the world, countries are reporting shortages in both medicines and medical supplies due to COVID-19. All of these factors put additional strain on already fragile procurement processes and increase the risk that suppliers, knowing that governments and individuals have little choice but to pay, demand higher prices.

In these challenging times having open and transparent contracting processes in place helps mitigate these risks. With nowhere to hide, corrupt actors are unable to practice price gouging and must charge governments and individuals reasonable prices.

The stockpiling of supplies such as masks, gloves, and hand sanitizers is also contributing to shortages in medical supplies. In attempts to profit from public panic, some traders have been inflating prices for ordinary consumers.

After pressure from the Department of Justice, Amazon has implemented an effort to remove tens of thousands of deals from merchants that it said attempted to price-gouge customers. The world’s largest online retailer has faced scrutiny over the health-related offers on its platform, and earlier this week, Italy launched a probe into surging prices around the internet for sanitizing gels and hygiene masks. At the same time, Italy battles the biggest outbreak in Europe.

There are lessons to be learned from health-sector corruption during prior epidemics such as Ebola and SARS, where procurement and contracting wrongdoing led to deadly consequences. In those epidemics, corruption compromised containment efforts when corrupt actors used petty bribes and other favors to avoid quarantines, roadblocks, and safe body collection procedures. Even ventilators and other medical oxygen-related equipment have been the subject of bribes and kickbacks, sometimes leading to the tragic deaths of patients. These examples demonstrate the worst of what can happen without resilient anti-corruption policies.

In the first federal action against fraud involving the coronavirus outbreak, the DOJ obtained a temporary restraining order against a website selling a bogus vaccine.

The DOJ said Sunday, March 21st, that operators of the website “coronavirusmedicalkit.com” were engaging in an alleged wire fraud scheme to profit from the confusion and fear surrounding COVID-19.

The website claimed to offer customers access to the World Health Organization (WHO) vaccine kits in exchange for a shipping charge of $4.95. There are currently no legitimate COVID-19 vaccines, and the WHO is not distributing any such vaccine.

Besides compliance issues involving third-party business practices for goods and services, companies are experiencing enormous business pressure. Many companies have salespeople who cannot travel due to precautions taken, canceled flights, or, worse, quarantines. They cannot visit customers or partners, leading to slower sales. Global supply chains are disrupted, with shortages of parts and products. Company events and conferences are being canceled, resulting in fewer opportunities to build relationships with customers and market products. Customer demand for company products may be falling, and companies may be declining to make revenue projections during this time of uncertainty about the spread and effects of the coronavirus.

These disruptions can increase the pressure on salespeople to meet their sales targets. Salespeople may feel additional pressure now, when sales may be sluggish, and again when business gets back to normal and they want to make up for the time lost. That pressure can lead some people to make the wrong choices—to engage in bribery or other misconduct—to generate business. In addition, the heightened emphasis on business priorities due to the losses from the coronavirus can push anti-corruption compliance further down the priority list.

If and when the DOJ and SEC discover bribery or corruption, they assuredly will not accept a “coronavirus defense” from companies. Compliance officers should be aware of situations like the coronavirus that could raise corruption risks and try to guard against them. Their communications should refer explicitly to the disruption caused by the coronavirus and emphasize that the company is committed to complying with anti-corruption laws. Those communications must reach the employees who need to see them, such as salespeople who interact with customers, or “gatekeeper” functions like finance that review financial transactions.

Most importantly, senior executives and the board, if appropriate, need to make sure that the business pressures resulting from the coronavirus do not overshadow the company’s commitment to compliance and that values and ethics are maintained.

_______________________________________________________________

For more information or questions, please contact Frank Orlowski at frank@ationadvisory.com or +1917-821-2147 and please visit our website at www.ationadvisory.com

U.S. Regulators Focus on Compliance Efforts in Enforcement Decisions Involving International Companies

Over the past few years, U.S. regulators have made it clear that having comprehensive and effective compliance policies covering trade is a must, regardless of the company size, location or industry. The government’s move to formalize the importance of compliance programs is a clear signal of what it expects and a harbinger of what is to come.

Why Is Trade Compliance Important Regardless of the Company’s Location?

Trade compliance should be the goal of every global company, in particular as a risk mitigation measure and a positive value proposition. A compliance program serves as a security blanket for large financial institutions accustomed to dealing with regulations, small startups with a cloud-based platform, and even companies with no physical presence in the United States. A trade compliance program lays the groundwork for international companies on how to conduct business in or with the United States.

With changing industry regulations, it is critical to keep up to date and have a compliance program that is effective. Failure to have a strong compliance program could result in increased legal exposure, potentially leading to fines and penalties as well as negative publicity associated with an enforcement action. Maintaining an effective trade compliance program could help companies mitigate penalties for potential violations, and is ultimately cost-effective. For example, last year, the U.S. government imposed $1.3 billion in penalties on cargo firms, penalties that could have been mitigated with robust compliance programs.

Avoiding U.S. Sanctions

Engaging in the complex global supply chain may be a financial win, but it requires formalized diligence procedures to ensure your company does not run afoul of the law. The Department of Treasury’s Office of Foreign Assets Control (OFAC) has released guidance encouraging organizations to employ a risk-based approach to sanctions compliance and focus on five essential components: senior management commitment, risk assessments, internal controls, testing and auditing, and training. To incentivize companies to engage in international transactions, OFAC also provides that in the case of a violation, it will give favorable consideration to companies with effective sanctions compliance programs and that the existence of such a program may mitigate a civil monetary penalty.

OFAC is not just issuing guidance, it is increasing its enforcement efforts involving both U.S. and foreign entities. It continues to designate more non-U.S. entities that have helped evade U.S. sanctions. For example, several Chinese shipping companies were found to have violated North Korean sanctions, and as a result, were blocked from doing business in the U.S. or with U.S. parties. In January 2020, Eagle Shipping, a Marshall Islands ship management company with headquarters in Stamford, Connecticut, agreed to pay $1,125,000 to settle its potential civil liability for 36 apparent violations of the Burmese Sanctions Regulations. The violations involved Eagle Shipping’s affiliate in Singapore entering into a chartering agreement with Myawaddy—an entity identified on OFAC’s List of Specially Designated Nationals and Blocked Persons. Eagle filed an application with OFAC requesting a license authorizing it to carry sand cargoes purchased from Myawaddy but continued its dealings while the OFAC application was pending. OFAC ultimately denied the license, but Eagle resumed its dealings with Myawaddy, carrying cargo from Burma to Singapore.

Among the aggravating factors, OFAC considered Eagle’s status as a sophisticated shipping company, which should have had expertise in international trade and global shipping transactions. Among the mitigating factors, OFAC considered Eagle’s efforts to develop and implement a formal sanctions compliance program with specific policies and procedures for compliance screening, transaction checklists, and red-flag identification tools.

Compliance Under Commercial Export Laws

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS), which administers U.S. commercial export control regulations, also has published comprehensive guidance for companies working to develop or shore up compliance materials. In its guidance, BIS identified the following elements as foundational in creating an effective Export Compliance Program (ECP): management commitment, completing regular risk assessments, obtaining proper export authorization, record-keeping, training, compliance audits, addressing export violations and taking corrective actions, and maintaining your ECP. Like OFAC, BIS emphasizes the importance of tailoring your ECP to your organization and business based on size, volume of exports, geographic location, and other relevant factors. Companies that fail to comply with regulations that govern export controls have experienced significant penalties.

The U.S. export control laws govern not only U.S. companies, but also certain export activities of foreign companies dealing with the export of certain products, technology, or services from the United States to a foreign country. For example, most recently, BIS imposed substantial export and reexport restrictions on Huawei, a Chinese company, and its 68 non-U.S. affiliates in connection with Huawei’s violations of U.S. export laws specific to the Iranian Transactions and Sanctions Regulations. As part of that action, BIS restricted any export, re-export, or transfer of U.S.-origin technology, commodity, or software to Huawei and its entities without an export license.

This enforcement action ultimately impacted both the U.S. and non-U.S. businesses, including big and small tech companies, suppliers, importers, shippers, and financial institutions. Separately, in 2017, the U.S. government imposed a $1.2 billion criminal fine against ZTE, a Chinese telecom equipment company, for shipping U.S.-origin telecommunications equipment to Iran and North Korea. These two cases have affected how U.S. and foreign companies view their compliance programs; they also have incentivized the development and implementation of more robust compliance programs, including vetting procedures and sanctions checks that ensure adherence to the U.S. export control regulations.

Recommended Steps for Ensuring Compliance and Mitigating Risk

The benefits of having a compliance program in place when a mistake happens are significant. When creating your tailored trade compliance policies and procedures, remember the following:

-Compliance programs should include a comprehensive, independent, and objective testing or audit function to ensure that your business is aware of how its programs are performing.

-Programs should be updated regularly in light of constantly changing regulatory and business environments.

-Ensure that your compliance program has comprehensive coverage to track all parties involved in import and export transactions.

-Even products that seem harmless can be used in ways that companies do not intend. As an organization, you are responsible for knowing how your products will be used and for avoiding government-prohibited end uses.

-Watch for red flags on BIS’s published list.

-Watch for “deemed” exports, which are releases, within the United States, of technology or source code to a foreign person. Such a release is deemed to be an export to the foreign person’s most recent country of citizenship or permanent residency, which may require a license or even be prohibited.

Now more than ever, government offices and agencies are providing the industry with guidance on how best to comply with trade regulations. However, this also means that companies can no longer claim ignorance of trade regulations. Today, companies participating in the global marketplace must take proactive preventive measures to ensure compliance, mitigate risk, and minimize potential penalties.

_______________________________________________________________

Doreen Edelman and Zarema Jaramillo are attorneys at Lowenstein Sandler.


Maintaining Business-as-Usual When Nothing is Usual

As we watch the evolving global response to the COVID-19 pandemic, it is abundantly clear that organizations are facing a business continuity challenge for which most had not precisely prepared. With little to no strategic planning for it, organizations are being forced to shift from an on-premises employee base to a remote distributed workforce. The choice is clear, shift or shut down, and those trying to shift have significant hurdles to overcome. Enterprises need to protect their employees and ensure business operation continuity by making this immediate pivot to a remote workforce.

The aforementioned hurdles are numerous, indeed. A few key ones involve maintaining compliance, securing development practices and the keys they depend on, and maintaining visibility into risk when monitoring tools are overwhelmed with signals.

Uncompromised Compliance

Meeting compliance rules in a diverse IT ecosystem is arduous on the best of days but can be overwhelming for organizations dealing with the unanticipated tide of remote workers, non-controlled devices, and unmanaged locations. Yet without access to the business-critical and sensitive information required to perform job responsibilities, productivity would grind to a halt. Organizations must meet the competing priorities of employee access and regulatory compliance in spite of an ongoing pandemic. Compliance frameworks such as SOX, HIPAA, HITECH, and PCI require implementing and monitoring a large number of controls to ensure compliance, even with remote workers. This is a herculean task, especially across multiple clouds, sites, and external work locations.

In order to establish compliance, many compliance frameworks require organizations to begin with a risk-based assessment of the ecosystem. The information gathered from this assessment determines what controls are necessary and how they can best be configured to integrate with the environment. For organizations needing to move swiftly, it is absolutely essential to utilize automated tools to manage this process and ensure that no controls are left out or partially implemented. Even after implementation, the ecosystem should be reviewed and monitored in order to maintain continual compliance.

Remote Development

Developers working from home bring the challenge of ensuring that the codebase they are working on is secure and that it can safely be moved through the development lifecycle. Fortunately, developers have already been moving down this path, running the development lifecycle in the cloud with a CI/CD pipeline that streamlines and automates the process from development to production. However, this requires issuing high-privileged keys to developers so they can move code between environments and execute it. Protecting these privileged keys is challenging, and they can leave individuals with excessive rights that violate the principle of least privilege. In the worst scenario, a bad actor could insert malicious code, self-promote the code all the way into production, and have the code execute with a permanently issued privileged key, all without any checks along the way.

The best way to ensure that the CI/CD pipeline remains secure is to ensure there are zero standing privileges when they are not directly needed to perform functions in the environment. To aid in this effort, storing privileged keys and using a system to programmatically check them out at the time of code execution allows them to be available when needed but otherwise keeps them inaccessible. This can further be improved upon by using scoped keys that have an expiration built into them so that even if a high-privilege key was compromised, its ability to be utilized by bad actors is limited.

In order to maintain compliance, it’s also important for a solution to see and control when a developer may have a risky or toxic combination of access, such as the capability of both writing code and performing QA on that code. Keeping these duties separate is key to preventing poor code hygiene, and it also reduces the risk of a backdoor being written in and pushed into production.
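The two controls described in the preceding paragraphs, keys that are checked out only at execution time with a built-in expiry, and a refusal to let one person both author a change and act as its QA gate, can be demonstrated in a single broker. The following is an added illustration, not code from the article or from Saviynt; the broker class, role names, pipeline stage names, change identifiers and role assignments are all hypothetical and constructed for the example.

```python
"""
Added example (not from the article or from Saviynt): a minimal credential
broker that implements two controls described above:

  * zero standing privileges: a pipeline stage checks out a scoped key only
    at execution time, and the key carries a short expiry;
  * separation of duties: the broker refuses to issue a QA- or promotion-stage
    key to the person who authored the change being promoted.

All names below (CredentialBroker, roles, stages, change ids) are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed role assignments and change metadata (sample data, not real).
ROLE_ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"qa"},
    "carol": {"developer", "qa"},   # toxic combination: writes code and QAs it
}
CHANGE_AUTHORS = {"CHG-1001": "alice", "CHG-1002": "carol"}

# Which role may check out a key for which pipeline stage (hypothetical stages).
STAGE_REQUIRED_ROLE = {"build": "developer", "qa": "qa", "promote-prod": "qa"}

# In a real deployment this secret lives in a vault or HSM, never in code.
MASTER_SECRET = secrets.token_bytes(32)


@dataclass(frozen=True)
class ScopedKey:
    """A short-lived key bound to one subject, one stage and one change."""
    subject: str
    stage: str
    change_id: str
    expires_at: float
    token: str


class PolicyViolation(Exception):
    pass


class CredentialBroker:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically

    def checkout(self, subject, stage, change_id):
        """Issue a scoped, expiring key, or refuse with the policy reason."""
        roles = ROLE_ASSIGNMENTS.get(subject, set())
        required = STAGE_REQUIRED_ROLE.get(stage)
        if required is None or required not in roles:
            raise PolicyViolation(f"{subject} lacks role '{required}' for stage '{stage}'")
        # Separation of duties: the author of a change may not QA or promote it.
        if stage in ("qa", "promote-prod") and CHANGE_AUTHORS.get(change_id) == subject:
            raise PolicyViolation(f"{subject} authored {change_id}; cannot act as QA for it")
        expires_at = self.clock() + self.ttl
        token = self._sign(subject, stage, change_id, expires_at)
        return ScopedKey(subject, stage, change_id, expires_at, token)

    def verify(self, key):
        """Run by the target environment before executing with the key:
        rejects expired keys and any key whose scope fields were altered."""
        if self.clock() > key.expires_at:
            return False
        expected = self._sign(key.subject, key.stage, key.change_id, key.expires_at)
        return hmac.compare_digest(expected, key.token)

    @staticmethod
    def _sign(subject, stage, change_id, expires_at):
        msg = f"{subject}|{stage}|{change_id}|{expires_at:.3f}".encode()
        return hmac.new(MASTER_SECRET, msg, hashlib.sha256).hexdigest()


def toxic_combinations(assignments=ROLE_ASSIGNMENTS):
    """Report users holding both the developer and qa roles, for review."""
    return sorted(u for u, r in assignments.items() if {"developer", "qa"} <= r)


if __name__ == "__main__":
    broker = CredentialBroker(ttl_seconds=60)
    key = broker.checkout("bob", "qa", "CHG-1001")
    print("issued:", key.stage, "valid:", broker.verify(key))
    print("toxic combinations:", toxic_combinations())
```

The broker never hands out a long-lived key: every key is bound to a subject, a stage and a change, and the HMAC over those fields plus the expiry means a key for the `qa` stage cannot be re-used for `promote-prod` by editing its scope. The separation-of-duties check sits in the same place as issuance, so a developer cannot obtain QA credentials for their own change even if they hold the QA role.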

Pinpointing Anomalous Behavior

When dealing with multiple external workers and the sudden change in traffic, the vast amount of real-time activity and behavior data coming in from different areas can complicate visibility into anomalous behavior. An IT ecosystem that ranges from on-premises assets to multiple clouds generates a huge volume of log data, and SIEM tools and vulnerability scans only add to the total. Each of these is generally contained in its own environment and has separate interfaces for reviewing and monitoring, and there is limited correlation to find anomalies that might not be readily apparent from any given individual interface.

While managing a strong remote work environment, an organization is going to need to double down on monitoring. In order to understand holistic risk and keep from missing trends only visible when broader data is analyzed, organizations should seek ways to integrate the data from these disparate systems to attain visibility not possible from looking at each as a silo. A quick response can make the difference between a bad actor being stopped cold and walking off with the keys to the kingdom.
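The kind of trend that only appears once siloed data is combined can be shown with a small correlation routine. The following is an added example, not code from the article or from Saviynt: it normalises a VPN gateway log and a cloud audit log into one timeline and flags a cloud action whose source country differs from the user's most recent VPN session. The log formats, user names, IP addresses and actions are constructed for the example; neither source on its own contains anything unusual.

```python
"""
Added example (not from the article or from Saviynt): correlate events from
two silos into a single timeline and flag a pattern invisible in either one.
Sample log lines and their formats are constructed, not real.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed VPN gateway log (hypothetical syslog-style format).
VPN_LOG = """\
2020-04-06T09:00:12Z vpn-gw01 login user=alice src=203.0.113.10 geo=NL
2020-04-06T09:05:40Z vpn-gw01 login user=bob src=198.51.100.7 geo=US
2020-04-06T13:41:03Z vpn-gw01 login user=alice src=203.0.113.10 geo=NL
"""

# Constructed cloud audit log (hypothetical JSON-lines format).
CLOUD_AUDIT = """\
{"time":"2020-04-06T09:07:30Z","user":"alice","action":"iam:AttachRolePolicy","src":"192.0.2.55","geo":"BR"}
{"time":"2020-04-06T09:08:02Z","user":"bob","action":"s3:GetObject","src":"198.51.100.7","geo":"US"}
{"time":"2020-04-06T13:42:00Z","user":"alice","action":"s3:ListBucket","src":"203.0.113.10","geo":"NL"}
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(vpn_text, audit_text):
    """Map both sources onto one schema and return them ordered by time."""
    events = []
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        events.append({"ts": parse_ts(m["ts"]), "source": "vpn", "user": m["user"],
                       "src": m["src"], "geo": m["geo"], "action": "vpn_login"})
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        events.append({"ts": parse_ts(r["time"]), "source": "cloud", "user": r["user"],
                       "src": r["src"], "geo": r["geo"], "action": r["action"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_session_mismatches(events, window=timedelta(minutes=30)):
    """Flag a cloud action whose geo differs from the user's latest VPN login
    inside the window. Each source alone would show nothing; together they do."""
    last_vpn = {}
    findings = []
    for e in events:
        if e["source"] == "vpn":
            last_vpn[e["user"]] = e
            continue
        v = last_vpn.get(e["user"])
        if v and e["ts"] - v["ts"] <= window and e["geo"] != v["geo"]:
            findings.append({"user": e["user"], "action": e["action"],
                             "cloud_geo": e["geo"], "vpn_geo": v["geo"],
                             "ts": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_session_mismatches(normalize(VPN_LOG, CLOUD_AUDIT)):
        print(f)
```

In the constructed data the VPN log shows ordinary logins and the cloud audit log shows ordinary API calls; only the merged timeline reveals that alice's IAM change came from a different country than her active VPN session minutes earlier. The same normalise-then-correlate structure extends to any further silo (SIEM alerts, scanner output) by adding another parser that emits the shared schema.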

When Business IS Usual

Whether adapting to a pandemic or evolving to follow the trend of offering remote work to attract top talent, ensuring your organization’s data is secure is top priority. Even when the IT landscape of your organization changes, you need to maintain business continuity with solutions that include automated response to risk while documenting continual compliance. Whether securing file access or enabling software development, ensuring only the right people have the right access to the right digital resources at the right time should be more than a clever catchphrase. It should be business as usual.

___________________________________________________________

Diana Volere is a strategist, architect, and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world and has an emphasis on healthcare and financial verticals. In her role as Saviynt’s Chief Evangelist, she delivers Saviynt’s vision to the community, partners, and customers, addressing how to solve present and future business challenges around identity. Her past twenty years have been spent in product and services organizations in the IAM space. Outside of work, she enjoys travel, gastronomy, sci-fi, and most other activities associated with being a geek.


3 Privacy Compliance Priorities for Manufacturers in Ecommerce

Manufacturing leaders aren’t exactly diving into the world of ecommerce headfirst. Instead, they’re cautiously dipping one toe at a time into the waters. Several things keep them from going “all in,” so to speak, but one of the most serious is compliance with privacy regulations.

In June 2018, California’s governor signed the California Consumer Privacy Act into law. This year, the law officially went into effect. Under the CCPA, companies must notify users if they intend to monetize their data and give them the option to opt out.

Its reach will be significant. The law is expected to affect more than 500,000 businesses in the United States alone — and many more around the world.

Those that fail to comply will face hefty fines. So if manufacturers are going to survive in the age of ecommerce, they won’t be able to wade in little by little and take on privacy compliance halfway. Privacy regulations are complicated, and compliance can literally make or break a business.

Ignorance of the Law Is Not a Defense

Most companies that do business online have researched state and national laws to some extent, but data privacy laws aren’t easy to understand. To truly comply with all of their nuances and demands, businesses have to hire additional people, integrate complex processes into internal operations, and put forth massive amounts of effort.

Most got into ecommerce with the hopes that having an online presence would help them avoid headaches and reach customers more easily. But when the market matures, regulations do, too. And while most companies know not to send email newsletters to people who didn’t subscribe or sell customer information without permission, they don’t know the finer details of regulations, much less how they differ by state.

For instance, a prospective client reached out to us after it had ended up in court for violating a state privacy law it didn’t know existed. The company’s website was using an assumptive privacy policy, which assumes that users agree to their data being collected and used by merely using the site. Because the company was using the site to do business in a state that banned these privacy policies, it faced a potential fine of $1,000 per site visit. The company ended up settling the case out of court, but it was still a shocking and scary discovery.

Even for well-meaning manufacturers, ignorance doesn’t hold up in court as a legal defense. Intentional violations can cost up to $7,500 per violation. And unintentional violations can be $2,500 per violation, making even accidents a significant cost. Manufacturers are timid about ecommerce because data privacy and compliance are intimidating. Some never pursue ecommerce for this very reason.

Imagine a small manufacturer that’s decided to sell online. It goes through the entire process of building a site, implementing new operations, and calculating shipping as transactions occur. Then suddenly, it has to be responsible and ready for multiple data checks and data wiping. It’s a lot to take on, both from the operations and the financial perspective. In total, meeting compliance standards could initially cost companies up to $55 billion.

Make Ecommerce Security a Priority

As you implement ecommerce in your manufacturing business or work to strengthen compliance with your current ecommerce system, here are three things to focus on:

1. Ensure that your systems are secured and encrypted. Wherever your ecommerce data lives, you need to be 100% sure it’s secured and encrypted. This is especially important if you’re handling, storing, or passing along credit card information.

Doing this is a combination of several elements. First, have an audit done that considers your specific industry so you can be entirely sure you know what regulations to comply with and to what degree. After that, you’ll have to put additional processes into place, and those processes will likely need additional software and hardware systems to serve their purpose.

We’ve worked with manufacturers where credit card information was being stored on-site and transferred between systems in a way that wasn’t secure. Often, older ERP systems don’t have the necessary security fields. It’s key, then, to move to a modern ERP and integrated ecommerce system to avoid and rectify situations like these.

2. Monitor employee access. Be aware of which employees have access to your development, staging, and production systems. While digital hacking is a security concern, physical access to information is, too. The best way to control who has access to private information is to grant permission to only specific roles and for only certain pieces of the system. A developer shouldn’t be making coding changes and publishing unchecked. A combination of role-based technical security and tight control on physical access is the best way to address this concern.

A manufacturing company often has a small technical team. We’ve seen teams of one that have access to all levels of data in these smaller organizations. Hiring multiple people just for data privacy management and security purposes is a serious financial burden, but you need to make having multiple people designated to multiple parts of the privacy process a priority.

3. Keep up with CCPA and GDPR. Being aware of and keeping up with CCPA and the European Union’s General Data Protection Regulation will be essential to staying compliant. If you meet the criteria for CCPA, be sure that you can wipe customers’ information from existence completely upon request.

If your annual gross is more than $25 million or you derive more than half of your annual revenue from selling California residents’ information, you have to comply with the law. This means being transparent about your data-usage policies, giving consumers access to the information you’ve collected about them, offering them the choice of whether their information may be sold, and being capable of deleting all of their personal information upon request.

Knowing the processes and resources you need to handle compliance obligations is the hard part. You need people who can handle customer requests for data review and deletion and who can remove and keep the right data. Being supported by business and accounting teams will make this process smoother and stronger.

A few years ago, the internet was like the Wild West. Like most wild things, it gets bigger and needs to be tamed and managed. That management is a process. Some laws sound good on paper but will do more harm than good if fully enforced. They can even force honest manufacturers away from ecommerce. Ultimately, we will find a balance with responsible security and data if everyone works together. In the meantime, be aware of laws and make an honest effort to comply with them. There’s plenty of opportunity in ecommerce; you just have to pursue that opportunity with the right systems, team, and security in place.

_____________________________________________________________

Michael Bird is the CEO of Spindustry, a digital agency focused on eCommerce, SharePoint portals, and enterprise websites. He has almost 30 years of experience in interactive development, user behavior, and business solutions.


New DOJ Sanctions and Export Control Enforcement Policy Incentivizes Self-Disclosure

On December 13, the U.S. Department of Justice (“DOJ”) released a revised policy that expands and clarifies certain incentives for voluntary self-disclosure of potential criminal sanctions and export control violations.

The new policy (the “VSD Policy”), which is effective immediately, has important ramifications for companies and their interactions with DOJ regarding potentially willful violations of US sanctions and export control laws.

Notably, the DOJ’s policy now extends to financial institutions and establishes disclosure benefits in mergers and acquisitions for acquiring companies who discover misconduct through “thorough and timely due diligence.” The policy also establishes a presumption of a non-prosecution agreement for companies that meet certain criteria in the absence of aggravating circumstances, as well as substantial mitigation credit where a penalty is warranted.

Components of the VSD Policy

Most notably, the VSD Policy specifies that, subject to certain conditions and absent aggravating factors, there will be a presumption that a company will receive a non-prosecution agreement and will not pay a fine for self-disclosed sanctions and export control violations. In order to be subject to such a presumption, the company must (1) voluntarily self-disclose violations, (2) fully cooperate with DOJ and (3) timely and appropriately remediate any violations.1

The VSD Policy also sets out specific definitions for these criteria. For instance, in order to “voluntarily self-disclose” pursuant to the VSD policy, a disclosure must be:

-Prior to an imminent threat of disclosure or government investigation;

-Within a reasonably prompt time after a company becomes aware of the offense; and

-Include all relevant facts known to the company at the time of disclosure, including with respect to individuals substantially involved or responsible for the disclosed violations.2

Importantly, voluntary self-disclosures must be made to DOJ in order for the VSD Policy to apply. In other words, companies that make self-disclosures to regulatory agencies but not to DOJ will not be able to receive the benefits of the VSD Policy. Equally of note is that any company receiving the benefits of the VSD Policy, including one that receives a non-prosecution agreement, will not be permitted to retain any gains from the unlawful conduct and will be required to pay all disgorgement, forfeiture, and/or restitution stemming from the disclosed violations.

The VSD Policy sets forth a number of specific requirements that companies must meet in order to “fully cooperate.” In order to “fully cooperate” under the VSD Policy, a company must:

-Disclose all facts relevant to the wrongdoing on a timely basis. This includes, inter alia, relevant facts from an internal investigation and updates to those facts (as well as updates on an internal investigation), attributed to specific sources. Such facts must include those related to involvement in criminal activity by officers, employees, or agents and facts about potential criminal conduct by third parties.

-Proactively, rather than reactively, cooperate. This proactive cooperation must include the timely disclosure of relevant facts, even if the company is not asked to do so.

-Preserve, collect, and disclose relevant documents and information in a timely manner. These actions include the disclosure of overseas documents (as well as where they are located and who found them), the facilitation of third-party production of documents, and document translations where appropriate.

-De-conflict witness interviews in order to align a company’s internal investigation with an investigation by DOJ when requested and appropriate (although, the VSD Policy notes, DOJ will not affirmatively direct a company’s internal investigation); and

-Make company officers and employees possessing relevant information available for interviews by DOJ when requested, including former employees and those located overseas, and facilitate interviews of third-party witnesses when possible.3

Finally, in order to “timely and appropriately remediate” pursuant to the VSD Policy, there are several actions that a company must undertake:

-A “root cause” analysis that analyzes underlying conduct and remediates those root causes where appropriate;

-The implementation of a compliance program, which would be updated periodically. The VSD Policy acknowledges that such a program will vary depending on the organization’s size and resources, but notes that it may include information on:

  -A company’s culture of compliance, including that criminal conduct will not be tolerated by the company;

  -Company resources dedicated to compliance, as well as the compensation and promotion of compliance personnel and their quality and experience;

  -The independence of a company’s compliance function, the auditing of the compliance program, the access of the board of directors to compliance expertise, and the reporting structure of compliance personnel; and

  -Details about a company’s risk assessment, its effectiveness, and how a compliance program has been tailored based on that risk assessment;

-Discipline of employees, including those responsible for misconduct and those with oversight and supervisory authority;

-Retention of business records and the prohibition on the improper destruction of such records, including guidance and controls on personal communications; and

-Any additional steps necessary to demonstrate recognition of misconduct, the acceptance of responsibility, and measures to reduce the risk of future misconduct.4

Aggravating Factors

As noted, the presumption of a non-prosecution agreement and the absence of a fine will only be available under the VSD Policy in cases of voluntary self-disclosures where there are no aggravating factors. The VSD Policy includes a non-exhaustive list of such aggravating factors, and specifies that if such factors are substantially present, a “more stringent” resolution may result:

-Exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;

-Exports of items known to be used in the construction of weapons of mass destruction;

-Exports to a Foreign Terrorist Organization or Specially Designated Global Terrorist;

-Exports of military items to a hostile foreign power;

-Repeated violations, including similar administrative or criminal violations in the past; and

-Knowing involvement of upper management in the criminal conduct.5

Even if such aggravating factors are present, the VSD Policy provides incentives for companies to voluntarily self-disclose violations, cooperate with DOJ, and timely and appropriately remediate, consistent with the definitions in the VSD Policy. In such instances, DOJ will recommend a fine that is capped at 50 percent of the amount otherwise available. In addition, if the company has implemented an effective compliance program, DOJ will not require the appointment of a monitor for the company.

Takeaways for Companies

DOJ’s new VSD Policy is a clear effort by the agency to encourage and reward timely voluntary self-disclosure by companies that identify potential willful violations of export control and sanctions laws. The VSD Policy brings DOJ’s practices closer in line with those of the Office of Foreign Assets Control and the Bureau of Industry and Security, both of which also incentivize self-disclosure by limiting penalties. DOJ’s incentives aim to encourage the private sector to implement effective compliance programs to prevent and detect violations in the first place and report them to DOJ in a timely manner if they occur. A clear goal of the VSD Policy is also to provide DOJ with the information and resources to prosecute individuals responsible for wrongdoing.

Notably, unlike previous guidance issued by DOJ, the VSD Policy does not include a carve-out for financial institutions. As a result, these entities will be able to take advantage of the VSD Policy going forward. Additionally, the VSD Policy provides incentives for self-disclosure in mergers and acquisitions. Specifically, the VSD Policy specifies that a successor entity that makes a timely voluntary self-disclosure (even as a result of post-acquisition due diligence) will be able to take advantage of the incentives set forth in the VSD Policy. Companies wishing to review or strengthen their compliance programs should consult sanctions and export control counsel in order to ensure that such programs are tailored to the criteria set forth by DOJ and reflective of the risk involved in the company’s activities.

Also worth noting is that while the VSD Policy aims to incentivize self-disclosure to the DOJ by providing certain defined benefits, those benefits are not without cost or risk. Companies with a potential sanctions or export control violation should consult experienced sanctions and export control counsel to provide guidance on the decision of whether to self-disclose, which involves a complicated balance of numerous factors.

_______________________________________________________________

1 U.S. Department of Justice, Export Control and Sanctions Enforcement Policy for Business Organizations, 2, Dec. 13, 2019 (hereafter “VSD Policy”).

2 VSD Policy at 2.

3 VSD Policy at 3-4.

4 VSD Policy at 5-6.

5 VSD Policy at 6.

______________________________________________________________

Greg Deis is a partner in Mayer Brown’s Chicago office and co-chair of the firm’s White Collar Defense & Compliance practice.

Ori Lev is a partner in Mayer Brown’s Washington DC office and a member of the Financial Services Regulatory & Enforcement practice and the Consumer Financial Services group.

Tamer Soliman is a partner in Mayer Brown’s Washington DC and Dubai offices, global head of the firm’s Export Control & Sanctions practice and a member of the International Trade practice.

Margaret-Rose Sales is counsel in Mayer Brown’s Washington DC office and a member of the International Trade practice.

Mickey Leibner is an associate in the Public Policy, Regulatory & Political Law, International Trade and Cybersecurity & Data Privacy practices in Mayer Brown’s Washington DC office.