The chalenges of implementing compliance programs for global business: implementation of a know-your-business-partner program
By Neyde Correia *
The purpose of this article is to share an empirical experience related to the implementation of compliance programs with global business partners, highlighting some of the biggest challenges an in-house legal counsel will encounter during this process. 
Compliance is one of the hottest topics for public traded companies, especially for those with shares traded in both the London and the New York Stock Exchange. Having being acting as legal counsel for the Global Travel business of a large multinational exposed me to some practical challenges that are worth sharing.
As part of my experience implementing compliance programs and policies, in 2014 I was part of the group responsible for the implementation of a new compliance program called know-your-business-partner. The objective of the program was to manage various potential risks posed by the company’s business partner, in particular, anti-corruption risks. As every new compliance program, the implementation of the know-your-business-partner within the Global Travel channel raised some challenges. Due to the nature of the business partners, we were dealing with some very specific issues e raised during this process.
One of the first challenges with this kind of compliance program was related to Data Privacy. The know-your-business-partner is a compliance program that, like the well-known know-your-customer program, requires companies to collect different kind of information from third parties. However, when those third parties are based or act in different jurisdictions, it is highly important that the personnel involved in the process are deeply aware of the Data Privacy regulations.
The collection, usage and storage of information shall follow all the applicable regulations. But which kind of measures a company should take in a scenario where the business partner is based in Europe and the team who is collecting the information is based in the United States?
The recent changes on the general data protection regulation in Europe brought additional challenges. Before the new data protection regulation was adopted in April, 2016 the companies could easily comply with the basic requirements related to Data Privacy by having an intercompany agreement reaffirming the 2000 safe harbor decision. Notwithstanding, with the adoption of the new general data protection earlier this year companies shall not rely on the safe harbor decision and should make sure they have the European Commission’s Standard Contractual Clauses (SCCs) in place .
A simple solution to this is to engage with the sales team and account managers, normally based in the same jurisdiction of the business partner, to make sure they collect, review and store the information. In order to make this happen, extensive trainings are required so the team can understand which information they need to capture, which kind of documents they will receive and how better to store them. Some might have the impression that engaging with external resources would be a better solution when considering all the time and effort invested in this process. Nevertheless, this shall prove as a much more affordable solution than engaging with external resources as, once the team is trained and prepared, the process will be smoothly implemented without any relevant additional costs.
Once the sales team or account managers receive the information, they will be able to transfer only the relevant data into an internal form, which can be then used internally to assess the anticorruption risk presented by that particular business partner. The form used by the company shall refrain from capturing any personal data – like personal identification documents, copies of passports, credit card, etc. – and the consent of the business partner with regard to the having this form used internally is mandatory.
A second challenge related to the implementation of this kind of program regards cultural differences. Acting with global business partners is always a challenge for an in-house legal counsel, especially in topics related to compliance. A certified lawyer in Brazil or in the United States will most likely not have a deep understanding on the regulations in Greece or Russia, and when a company tries to implement the same standard globally local challenges will certainly rise.
Among those local challenges is the one related to which kind of information is mandatorily publicly available as per the regulations applicable in each jurisdiction. Some countries demand companies to register their by-laws, which facilitates the confirmation on the ownership of a business partners. On the other hand, if the local regulations treat by-laws as sensitive information, the company will have to find alternatives to obtain confirmation of ownership.
If public information is not available, a suitable alternative would be to request to the local chambers of commerce (or equivalent) to issue a declaration confirming who are the owners of a determined company and its percentage of ownership. This would have to be requested directly by the business partner or someone acting on its behalf. Another alternative would be to request the business partner legal counsel to provide a statement confirming its ownership. A mere letter or declaration issued by the company or its authorized representatives shall not be considered sufficient in this case, as best practices demand that, the information provided by the business partner, be confirmed through an external reliable source or document.
Finally, a third challenge frequently raised in these processes relates to business partners which are publicly traded. The majority of the companies which are publicly traded in renowned stock exchanges have their annual reports publicly available, which facilitates the process of confirming some basic data. Nonetheless, one of the most critical information that compliance programs such as the know your business partner require is a confirmation on bank details, and this information will not be included in any kind of publicly available document.
Companies publicly traded tend to not provide any additional information other than what is publicly available, therefore, requesting them to present a copy of a bank statement will most likely not be fruitful. A good commercial relationship with the business partner will always be helpful, but the business partner’s commercial team might not be familiar to the reason why this kind of information is required. In cases like this, a proactive approach by the in-house legal counsel might make the difference. Contacting the business partner’s legal counsel directly to expose the reasons why the information is needed shall be of great benefit to the completion of the program.
As mentioned before, best practice demands that the company confirms, through a reliable external source or official document, all information provided directly by the customer. Specifically in regards to bank details, and provided the business partner does not agree with providing a copy of a bank statement, a suitable alternative would be to send a letter to the business partner asking for them to obtain from their bank a written confirmation on the accuracy of the information provided. It is important to mention that, when dealing with global customers, all bank accounts used by the business partner to make or receive payments shall be verified.
Those are some of the most relevant challenges I faced over the past 2 years during the implementation of the know-your-business-partner program within a global travel channel. The alternatives proposed here are non-exhaustive and, depending on the location and nature of each business, will have to be adapted to better attend the purposes of the company.
 This article is not an academic paper and does not reflect the opinion of any third party.
 More information on this topic at http://mobile.reuters.com/article/idUSKCN0YS23H
* Neyde Correia is the Regulatory and Compliance Counsel at Globenet Cabos Submarinos America Inc., a wholesale telecommunication provider and a portfolio company of BTG Pactual Infrastructure Fund II. Previously, Neyde served as Legal Counsel at Diageo, the global leader in beverage alcohol, based in the United States. Neyde has also worked for Diageo in Brazil and, prior to that for Banco Alfa S.A. and TV Globo Ltda, all Brazilian companies from different segments, where she held various roles overseeing the companies businesses in Brazil and other countries in Latin America.