Although companies find tracking their own regulatory compliance a tough enough challenge, they should be aware they can also find themselves liable for the breaches of others, including business partners, vendors and even customers. From money laundering and bribery to data security and privacy, regulators are increasingly focusing on corporate activities that cross boundaries. When the operations of two businesses intersect, they are both often liable for compliance: if one company slips, the other can now become entangled in something executives may not have even realised was happening.
Fairfield County Bank is a financial institution in a heavily regulated industry where data privacy is mandatory by law. Vice president and compliance officer John Bonora rates all the companies the bank does business with for potential risk of disclosing sensitive information, including contractors and cleaning companies – yes, contractors and cleaning companies. If a vendor has access to a facility, that inherently increases a risk of disclosure of information because [its workers] might see something, Bonora says.
Equally disturbing is the fact that a third partys actions can, in effect, break the law on behalf of the primary company. Regulators and prosecutors may take managements knowledge of an issue into account, but they often don’t have to. In such cases, a third party can drag a company into the fray. Many of these laws are strict liability laws, explains Ed Rubinoff, a partner with law firm Akin Gump. If you break one, you’re liable.
Damage in more ways than one
Even without a formal finding against a company, publicity can be damaging, as Apple learned when workers at a Foxconn contract plant in China committed suicide. Or a company could find itself the defendant of a shareholder lawsuit – according to partners at Reed Smith, the law firm has defended more than 60 class actions that arose from data security breaches.
When you outsource and rely on operations overseas, the downside is increasing the risk of compliance or quality issues, and decreasing your visibility into what third parties are doing, says Frank Murray, senior counsel at Foley & Lardner.
The danger doesnot only come from vendors or joint venture business partners, either. Customers, clients and counterparties offer additional potential risk contagion, according to Kelvin Dickenson, senior product director of global risk management solutions at Dun & Bradstreet. There is a whole range of money laundering and terrorism financing laws that can come into play.
Although money laundering primarily affects financial services companies, terrorism financing regulations can apply to any organisation, Dickenson points out. Business partners have no shortage of ways to deliver trouble to companies: data privacy laws, money-laundering statutes, anti-corruption and anti-bribery, and import and export controls are just a few.
Anti-corruption legislation, such as the US Foreign Corrupt Practices Act or the UK’s Anti-Bribery Act, can leave a company vulnerable when business partners or agents make illegal payments. You may not even have a controlling interest [in a joint venture], but you can have liability and exposure and risk, says Glenn Pomerantz, a partner with BDO Consulting and co-leader of the firms anti-corruption practice. We’ve run across that several times where US companies have ventures abroad. The BRIC nations – Brazil, Russia, India and China – are particularly fertile ground because those countries are booming and they have a historical culture that is a little bit blind to – or acceptable of – corruption, he adds.
Changing regulations can also put unprepared partners under the onus of compliance with laws they never had to consider before. A bank that previously had no direct responsibility under the Health Insurance Portability and Accountability Act (HIPAA) might now if processing payment information for hospitals that puts them in direct contact with patient information, explains Mark Melodia, head of the global data security and privacy practice at Reed Smith, adding that even if said bank is familiar with Gramm-Leach-Bliley privacy requirements, it likely does not understand HIPAA compliance.
Alternatively, a company could make a sale to the US government and suddenly find itself – and, as a result, its subcontractors _ the subject of regulations. Logan Robinson, a distinguished visiting professor at the University of Detroit Mercy School of Law and former Delphi general counsel, offers this example: You could, with the smallest modifications, sell a tailpipe to a defence contractor for use in government vehicles. Suddenly, the product is no longer considered off-the-shelf, but something specially modified for the government. And that means you have suddenly signed up for the Federal Acquisition Regulation System regulations, Robinson adds.