The word “compliance” covers a multitude of sins, from anti-monopoly filing and countering corruption to employment, the environment, trade, taxation and industry-specific regulation. But what are the key factors in designing a successful compliance regime, and making it stick? By Jennifer Howitt

Imagine this: you are a sales manager in the Beijing office of a large company. You hear through the grapevine that a lucrative contract opportunity is coming up. By coincidence, you are a friend of the government official charged with the tender process. If you win this contract, it will more than meet your sales targets for this year. Your friend is known to be partial to a few well-timed “red packet” payments. It is rumoured that companies who have handed him red packets have landed major contracts. What would you do?

Whether you resist the temptation to act improperly may depend on the effectiveness of your company’s compliance programme. But how can a company design and implement an effective compliance regime in China?

Matters of definition

As everyone who operates in China knows, bribery and corruption are commonplace. Building personal connections through the giving of gifts and customer entertainment is part of the way business is done. Zu Ming, a partner at Pinsent Masons in Shanghai, describes a “culture or cognition in Chinese society that deals should bring personal gains; thus bribery, kickbacks and so-called ‘red envelopes’ are regarded by some as normal business practices”.

But while bribery and corruption may be core issues that corporate compliance programmes are designed to counter, the scope of such programmes can be much broader. Take advertising law as an example: advertising compliance may not have attained buzzword status, but it is vital to the business of many companies. “Advertising law in China is very strict, to the extent that one cannot use words like ‘the best’, ‘number one’ and other words that may be deemed as ‘extreme’,” says Eric Liu, a partner at Han Kun Law Offices. “Advertisers have to obtain various licences, not only for their products and services but also for advertising, before they are allowed to advertise.” A company that fails to follow the rules, says Liu, may be fined or banned from advertising for a certain period.

Employment and social security law is another area that affects every business. For instance, the recently promulgated Participation in Social Insurance by Foreigners Employed in China Interim Measures, which were to become effective on 15 October, oblige both PRC employers and their foreign employees to participate in the Chinese social insurance system. Contributions must be made by both, and there are serious financial consequences for a failure to do so.

David Yu

In the medical and pharmaceutical industries, and in real estate and construction, “long-standing market practices and unwritten rules of the trade are contrary to anti-unfair competition and anti-corruption laws,” says David Yu, a partner at Llinks Law Offices.

Add “uncertainty or ambiguity of laws and regulations, a conflict between national and local rules, inconsistent implementation in different regions or cities, and differences in market dynamics from province to province”, and it isn’t surprising that, in Zu’s words, it is “difficult to develop a comprehensive compliance programme which applies to all cities and business sectors of the same organization”. In the area of anti-bribery alone, the rules are split between the criminal and company law regimes, and various directives by government departments. George Fu, managing partner of Watson & Band in Shanghai, says that when designing and implementing compliance policies in China, companies should take into account “various scattered laws and regulations”.

Localize, universalize

Despite the risks associated with non-compliance, many companies in China do not have explicit compliance policies. Barbara Tsai, an associate at Paul Hastings in Shanghai, notes that “there is a sliding scale from companies in which there is no true compliance department, to other companies where you have a full programme in place with various levels of compliance officers, staffing and resources. In some other companies there isn’t the same emphasis on compliance, but they want to get a programme in place.”

David Simon

Lawyers say a good compliance programme will combine universal principles with concessions to local conditions. “An important part of a good programme is to universalize the concept,” says David Simon, a partner at Foley & Lardner. “Really good programmes are global in concept and not tied to particular countries’ laws. It makes them more powerful and understandable in China.”

Kyle Wombolt, a partner at Herbert Smith, notes that good practice often involves tailoring a global programme to each jurisdiction to minimize the risks that might be unique to that jurisdiction. “So in China, you may want a very clear gift and entertainment policy, because it is not uncommon to have government officials and others give gifts to one another and for travel to be provided,” he says.

Nonetheless, any programme may run into cultural barriers. Simon continues: “I think there is less willingness to admit to mistakes being made, and to talk about mistakes [in China]”. Zu believes there is a common notion in China “that compliance involves restrictions and is likely to hinder business rather than benefit it, hence there is passive resistance to the formulation and implementation of a compliance programme”.

So how can a company create an effective compliance policy that applies universal principles to local conditions?

Eugene Chen

A good first step is to assess the specific risks a company faces in its industry, local and national market; how the company operates; what resources it has available; and what has been done to date. Eugene Chen, a partner at Hogan Lovells, observes that not all companies in China face the same kind of risks. “If you deal with a lot of state-owned enterprises, you will have a much higher risk level than if you deal with individuals or small private companies,” he says. “If you work in a highly regulated industry, you will have much more risk than an industry that doesn’t have much regulation.”

After the initial assessment, a programme can be drawn up. Eric Carlson, an associate at Covington & Burling, summarizes it well: “a solid compliance programme will include policies (what is permissible and what is not), procedures (steps an employee must follow for certain transactions and activities), and guidance (practical, real-world advice for dealing with difficult situations),” he says. “The compliance infrastructure will include training materials and schedules, a robust reporting system, disciplinary procedures for violations of laws and policies, and audit plans to test compliance.”

Bernd-Uwe Stucken

Bernd-Uwe Stucken, Greater China managing partner at Salans, advocates starting out at the local level. Instead of the head office imposing an international policy, he believes that local employees should design a programme that works for them. “We ask the local employees to develop ideas to bridge the gap between international requirements and Chinese reality,” he says. “In other words, we try to tap into the intelligence of the local people to develop programmes which are realistic and therefore sustainable in China … This process is much more open and flexible, and less formalistic and bureaucratic”.

According to Amy Sommers, a partner at K&L Gates in Shanghai, workshops can be used to define action points and recommend policies. “An example would be setting a reasonable limit for business entertainment (both monetarily and in terms of frequency) and determining how to devise a method for the finance department to check on this when processing reimbursement requests,” she says.

Flexible, adaptable

Multinationals in China, and Chinese companies overseas, need to be aware of the laws of all the jurisdictions in which they operate. Sommers offers the example of hospitality guidance drafted for an EU-based company that had securities traded on a US exchange, an operation in China and significant operations in the United Kingdom: “the guidelines had to take into account the anti-bribery requirements of the US, UK and PRC”. In cases such as this, Gary Seib, a partner at Baker & McKenzie, observes that the policy will have to satisfy the “highest common denominator”, that is, the highest standard among all of the relevant jurisdictions.

Whatever the company or jurisdiction, the policy must be practical and consistent with the company’s other policies and targets. According to Sommers, a company should identify which stakeholders need to be involved “to make the policies live and function. For example, if a hospitality policy sets limits for total spend on a specific guest or a limit per calendar quarter, how is the company going to verify that the restriction is being observed? Does the accounting function need to be involved? Is a review process needed to confirm whether a sales person is meeting too frequently with someone in a state-owned enterprise?”

Common sense should prevail at all times. Ben Wootliff, director of corporate investigations for greater China at Control Risks, points to “situations where companies tell their staff to implement a new ‘clean hands’ regime but then set sales targets which are impossible to meet while playing by those rules. Sales staff then continue to make the illicit payments rather than lose their jobs”.

A successful programme should also be flexible and adaptable. Liu notes that in view of constantly changing regulation and inconsistent implementation, “a programme needs to be dynamic, the company has to keep an eye on the policy environment”, to ensure that the policy remains alive, relevant and enforceable.

Finally, a good compliance programme must include a robust vetting procedure that applies to third parties who deal with the company: suppliers, distributors and agents, as well as potential employees and its joint venture partners. Under the US Foreign Corrupt Practices Act, a US company is as liable for the actions of a middleman as it is for its own employees. The UK’s Bribery Act, which came into force on 1 July, has a similar provision. “The compliance programme should apply not only to the company but also third parties that interact with government or government-controlled entities on behalf of the company,” says Carlson.

Checking out a potential employee can be fairly straightforward, using academic records and references from previous employers. Other third parties can present more of a challenge. Tsai suggests various methods: Google searches to throw up any negative media coverage; asking questions in the local community about the reputation of the entity; or even hiring a private research firm to conduct more thorough investigations. Paying a visit to the entity’s place of business will also help – if it does not look as if it can do the job it claims, alarm bells should ring. Contractually, Tsai also recommends “appropriate contractual representations and warranties to protect you, along the lines that the third party certifies that it has not and will not violate corruption laws”.

Who needs a team?

Does a company need a dedicated compliance team? Some companies in China simply use what Fritz Weiss, corporate services manager at Faegre & Benson, describes as a “chop management and custody service” where an external service provider keeps the company’s various chops – seals which are to be affixed to certain documents before they become effective. The service provider’s role is simply to confirm that all is in order and affix the chop.

At the other end of the scale, larger companies or those in highly regulated industries may have dedicated compliance functions with various levels of staff.

A compliance team is often made up of people with a legal background, who understand both the law and the risks of the industry. Often the in-house legal department doubles up to do compliance. However, it is increasingly common to see compliance officers who are dedicated to and trained in compliance. Chen suggests that useful qualities in compliance officers, besides a legal background, are a finance background (to be conscious of patterns of payments, for example) and a human resources background (to deal with employment-related issues).

Lack of resources can be one factor that determines a company’s approach. Scott Lane of Red Flag Group observes that for multinationals, at least, the right local talent that “speak the local language and have foreign company experience are sought after, hard to find and expensive”.

A programme should clearly set out the responsibilities of each level of management, and specify what should be delegated to the compliance officer. Clare Lu, a partner at Llinks Law Offices, believes it is necessary to clarify the various responsibilities of the board of directors, the independent directors, supervisors and external auditing entities.

Implementation

According to lawyers and in-house counsel both, the key to successful implementation of a compliance programme may be buy-in at all levels of the company. Sami Farhad, general counsel of eLong, observes that commitment must be “reflected in the behaviour, not just the words, of the company’s senior management, and in particular the CEO and CFO. Employees will look to them, both for explicit guidance and for subtle cues on what is appropriate and acceptable”. For this reason, Simon suggests that senior management should receive even more intensive training in compliance than the rest of the company.

Management on the ground is equally important. Carlson notes that key figures in any local office or operation must be fully engaged and buy into the compliance idea. “A compliance programme that is not strongly supported by local management will have difficulty succeeding almost anywhere, and this is particularly true in China, where line employees give strong deference to local management,” he says.

To encourage staff buy-in, some programmes use a “carrot-and-stick” approach: penalties for non-compliance and incentives for compliance. Wombolt has seen incentives in many forms, such as staff recognition, extra vacation time, bonuses and as a factor to be considered in employee evaluation.

Scott Lane

For rank-and-file staff, training should be regular and designed to deal with local issues and practices. Online training can be offered, where appropriate. Interactive training appears to be effective – Andrew Halper, a partner at CMS China, observes a huge interest in China in simulation exercises and games, perhaps due to their relative novelty. Lane believes that “too little time is spent on behavioural changes and too much on training on the law”. Simulation exercises may help equip staff with the knowledge and skills to deal with real-life situations.

Making things practical and simple is also helpful. Sommers suggests giving staff “a booklet or wallet card that distils down dos and don’ts into an easily readable and portable format” (see box).

Employee wallet card

There is debate about whether a hotline should be established, says Chen. A hotline can allow employees more easily to “blow the whistle” on their superiors. Simon has observed “a greater reluctance by Chinese employees to be a whistleblower” as compared to Western companies.

Finally, a good document retention policy is crucial. This is a particularly important issue where both offices and staff move frequently. Document retention is vital in the face of investigations by government authorities, as proof of what has happened and what the company has done to minimize breach.

The bottom line

The bottom line appears to be that a corporate compliance programme will not succeed if it is seen as a hindrance to business. “Compliance is not popular among local companies as they care more about costs and loss of business opportunities,” says Liu. Leo Wang, counsel at Llinks Law Offices, says that “internal compliance departments often face pressure from their operational counterparts. How to strike a balance between commercial efficiency and corporate compliance is an important consideration for corporate compliance programmes”. Wang’s colleague Yu agrees: “If a company adopts policies that are more stringent than its competitors’, its business interests may be prejudiced.”

One way to solve this problem is to present compliance as a cost-reduction exercise. Yu suggests companies should recognize the dangers of illegal practices and grey areas to their long-term development. This way, “companies can redefine what ‘compliance cost’ and ‘business interests’ mean to the business, to determine where they stand between the two,” he says.

Yu believes that “in the short term, there may be a conflict between compliance and economic interests. But in the long term, compliance programmes can reduce or eliminate losses arising from breaches of the law, thus directly contributing to a company’s competitiveness and profitability”.

To look at it another way, the cost of not complying with the laws can be huge. In 2008, Siemens pleaded guilty to charges of violations of the US Foreign Corrupt Practices Act committed in China and other countries. It was subject to fines running to hundreds of millions of US dollars. In 2009, UTStarcom, a telecom equipment manufacturer, agreed to pay US$3 million in fines and penalties – its Chinese unit had spent a huge sum on trips for Chinese government officials. Meanwhile, China is also stepping up its enforcement efforts: in 2010, a Chinese court handed down prison sentences for some Rio Tinto employees for taking bribes from Chinese buyers.

Compliance does, after all, go to the bottom line.

State-owned enterprises and OECD principles

China’s many state-owned enterprises (SOEs) present a particular problem – how can the government be an owner of a business, while being sure not to use too much political influence to further that business? In the words of a joint report of the China Securities Regulatory Commission and the Organisation for Economic Co-operation and Development (OECD) published earlier this year, “given China’s concentrated ownership structure, potential conflicts of interest between majority and minority shareholders remain a core corporate governance issue”.

It may be a balancing act, but it may not be impossible. The China-OECD corporate governance policy dialogue encourages policymakers to use the OECD Principles of Corporate Governance and OECD Guidelines on Corporate Governance of State-Owned Enterprise, but to adapt them to national priorities.

Since they were first issued in 1999 and revised in 2004, the Principles have become an international standard for corporate governance. One of the areas dealt with is the responsibility of the board of directors. In this area, it says “companies are well advised to set up internal programmes and procedures to promote compliance with applicable laws, regulations and standards, including statutes to criminalise bribery of foreign officials … Compliance must also relate to other laws and regulations such as those covering securities, competition and work and safety conditions” (annotations to principle VI).

Published in May 2005, the Guidelines take this further by concentrating on the application of the Principles to SOEs. In the words of the OECD, the Guidelines “are the first international benchmark to help governments in improving corporate governance of state-owned enterprises”. In relation to compliance, the Guidelines advise that SOEs “should not be exempt from the application of general laws and regulations” (annotations to chapter I of the Guidelines), and that “the board of SOEs should be required to develop, implement and communicate compliance programmes for internal codes of ethics. These codes of ethics should be based on country norms, in conformity with international commitments and apply to the company and its subsidiaries” (annotations to chapter IV).

China’s state-owned enterprises are gearing up to this. Take as an example China Datang Corporation, a state-owned power generation company. During the sixth meeting of the OECD Network on Corporate Governance of State-Owned Enterprises in Asia, held in May this year, the company’s board secretary Zheng Wenyuan described in detail its corporate governance structure. Its directorate, supervisory committee, management and various other committees have defined roles and responsibilities, which make up a system of “co-ordination, check and balance”. For example, while the directorate concentrates on development strategy, and selection and assessment of the general manager, the supervisory committee monitors the company’s business and accounting. At the same meeting, Li Bing, director general of the Bureau of Enterprise Restructuring of the State-Owned Assets Supervision and Administration Committee of the State Council, indicated that China Datang is only one of 30 SOEs chosen since 2005 to establish standard boards of directors.