With countries beginning to open their borders completely, and corporates revitalising expansion efforts or diversifying their supply chains into growth markets across Southeast Asia, such as Indonesia, Malaysia and Vietnam, corruption and other compliance risks are constantly increasing. Lawyers say that companies need to step up their vigilance by conducting meaningful assessments of risks, and implementing appropriate controls that address the risks unique to the specific jurisdiction.
Southeast Asia has long been recognised as a region that poses significant risks and challenges for businesses regarding anti-bribery compliance.
Companies that operate in Southeast Asia are required to navigate a complex legal landscape and adhere to strict regulations to prevent violations and protect their reputation.
The regulatory landscape for anti-bribery compliance in Southeast Asia can be complex, with each country having its own unique set of laws and regulations. However, several key international anti-bribery standards are widely recognised in the region, including the United States Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act.
"If the region can be characterised broadly, it is that it is incredibly diverse in terms of economic development, legal systems, and bribery risk, and there is a lack of uniformity with respect to laws and regulations targeting bribery and corruption," says Daniel Levison, partner and head ethics and compliance practice in Asia for Morrison Foerster.
His view is echoed by Nathan Bush, partner at DLA Piper. "Every jurisdiction in Southeast Asia has its own distinct anti-bribery and anti-corruption law regime. There is no shortage of recommended best practices for effective anti-bribery compliance programs from enforcement agencies, NGOs, and multilateral bodies. The challenge for companies operating in Southeast Asia is effectively localising these global best practices," he notes.
Singapore has had a reputation for being a clean and corruption-free country, and its Prevention of Corruption Act 1960 (PCA) has been instrumental in maintaining that status. The PCA criminalises bribery, corruption, and related offences and provides for severe penalties, including imprisonment and fines. The law also establishes a corruption investigation and prosecution agency and empowers it to investigate and prosecute corruption cases.
Vietnam has been cracking down on corruption in recent years, and its legal framework is designed to prevent and punish corruption at all levels. The Penal Code imposes severe penalties for corruption, including imprisonment of up to 20 years or even life imprisonment in some cases.
Malaysia has also tried to combat corruption with the Malaysian Anti-corruption Commission (Amendment) Act 2018. This law strengthens the powers of the Malaysian Anti-corruption Commission, including the ability to investigate and prosecute corruption cases. It also introduces new offences, such as giving and receiving bribes in the private sector, and imposes stricter penalties for corruption offences.
Indonesia has taken a multi-faceted approach to addressing corruption. The Supreme Court Regulation outlines the procedures for handling corporate crime cases. The Indonesian Anti-Bribery Law and Anti-corruption Law also criminalise various forms of corruption and set out punishments for offenders, including imprisonment and fines.
Thailand has also implemented anti-corruption measures, including the Penal Code, which criminalises various forms of corruption.
The Philippines has had a long-standing problem with corruption, and the Penal Code and Republic Act No. 3019 (The Anti-Graft and Corrupt Practices Act) are designed to combat it. The Anti-Graft and Corrupt Practices Act criminalises various forms of corruption, including bribery, and provides for severe penalties, including imprisonment and fines. The law also empowers the Ombudsman to investigate and prosecute corruption cases involving public officials.
Jeremy Tan, managing director, risk and investigations at FTI Consulting, says that in a recent OECD Foreign Bribery Report, companies that reported cases of foreign bribery highlighted that the two primary sources of detection were internal audits and due diligence in the context of mergers and acquisitions. "The Foreign Bribery Report also suggests the need for clear reporting mechanisms that enable the company to elicit early information of suspected bribery," he notes.
"In addition to the above, companies should also consider the U.S. Foreign Corrupt Practices Act 1977 (FCPA) and UK Bribery Act 2010 due to the extraterritorial scope of these acts. A robust anti-bribery compliance policy and procedures will assist companies in meeting compliance requirements. However, consideration must be given towards tailoring these procedures to meet the requirements for both specific countries and extraterritorial jurisdictions. An assessment of robust anti-bribery compliance procedures will be covered below," says Tan.
Levison notes that it is still difficult to name any country that does not prohibit bribery of public officials, and most companies with cross-border business will likely need to comply with the FCPA or UK Bribery Act at some point. "That is because, even if not subject to the broad jurisdiction of the FCPA or UKBA, most companies with cross-border business operations will be expected to comply with those laws by some portion of their customers and other partners. While there is no one-size-fits-all compliance approach to the region and regulator expectations are not static, companies that adopt best practices that have developed over recent years to comply with these expectations will be best prepared to minimise anti-corruption risk no matter where in the region they do business," he says.
The region faces several challenges and risks associated with anti-bribery compliance, and experts say there are some distinctive risk factors in Southeast Asia.
The first is the scope and flavour of the state sector, says Bush. "Doing business with the government or state-owned companies entails heightened anti-bribery risks. Official corruption generally carries higher penalties that commercial bribery or civil fraud, and government personnel are often subject to strict standards of conduct for the acceptance of gifts and hospitality by government personnel into play. These local laws and standards vary across Southeast Asia, particularly in the coverage of indirect benefits channelled through friends and relatives, the allowance for minimal or customary gifts and courtesies, and the universe of potentially prohibited tangible and intangible benefits," he says.
"Doing business with the government or with state-owned companies entails heightened anti-bribery risks. Official corruption generally carries higher penalties that commercial bribery or civil fraud, and government personnel are often subject to strict standards of conduct for the acceptance of gifts and hospitality by government personnel into play."
Nathan Bush, DLA Piper
One of the main challenges companies face in Southeast Asia is the prevalence of bribery and corruption in the region. This can make it challenging to find trustworthy business partners and agents, and there is a risk that employees may engage in corrupt practices, knowingly or unknowingly.
"Companies may not provide sufficient attention to the documentation of internal procedures, controls, risk assessments, communications and training. This leads to inefficient compliance assessments performed by regulatory bodies or internal audit functions. This is connected to another challenge companies may face, that of resource allocation. The creation and maintenance of an Anti-Bribery and Compliance (ABAC) framework will require both manpower and hours to be allocated, especially if the company is operating across multiple geographical locations. Furthermore, the growing complexity of company departments and their operations creates obstacles for the ABAC function to ensure compliance," says Tan.
Another major challenge associated with anti-bribery compliance in the region has to do with culture – both in terms of perception of bribery and corruption risks and the likelihood that employees will raise concerns about actual or potential misconduct.
"Cultural perceptions towards bribery and corruption are extremely varied across the region. In some countries, despite being illegal, bribery and corruption are viewed as a cost of doing business, and employees and business partners may not be as attuned to corruption risks. Companies operating in such an environment should keep in mind that a belief that bribery is commonplace is no defence under most anti-bribery laws. On the opposite end of the spectrum, just because a jurisdiction is perceived to be relatively free from bribery and corruption, does not mean it is risk-free. Because these countries are often viewed as business-friendly due to a relative lack of domestic public bribery, they are used as jumping off points for business activities in some very high-risk neighbouring jurisdictions. Companies should, therefore, not let their guard down, even when basing their operations in these business centres perceived to be low risk," says Levison.
"To address this, we advise companies to engage in strong compliance education efforts, not just through training, but also by communicating a strong tone at the top and "mood at the middle". Strong compliance messaging should come not just from global leaders based in headquarters outside the region but also from senior regional and local management so that local employees know these issues are taken seriously by their direct managers and those in-region. Of course, the "buzz at the bottom" should also be monitored to gauge how well the cultural messaging is reaching all levels of employees. This is consistent with regulator expectations that companies make sure that their compliance program goes beyond just the paper on which it is written, and is reflected in the corporate culture broadly," adds Levison.
Companies will also have to commit to ongoing monitoring. Third-party due diligence reviews are usually only conducted once, when the third party is onboarded. This presents a risk of complacency and does not factor in potential changes in the relationship or business of the third party, experts say.
"Another factor to consider is the reach of the ABAC function within the company. Anti-bribery compliance may extend to multiple functions of the company, and there may be obstacles in the ABAC function's path to ensuring compliance across multiple departments and the collection of relevant information for reporting purposes. Obstacles may include a lack of technical knowledge or conflicts of interest," says Tan.
Companies may benefit from keeping a comprehensive record of all their third-party relationships, complete with detailed documentation regarding the nature and history of each partnership. To ensure that all these relationships remain compliant with anti-bribery regulations, companies can conduct regular third-party due diligence checks, after the relationship has been established.
"The implementation of technology such as automated controls and end-to-end procurement tools with in-built ABAC due diligence as part of the company's ABAC and due diligence framework can assist the company in maintaining compliance. A balance needs to be struck between risk segregation where appropriate and ensuring the ABAC function is not treated as a silo. Companies should ensure the ABAC approach is communicated clearly across all relevant departments," says Tan.
Experts point out that in Southeast Southeast Asia, there may be a reluctance to report misconduct due to cultural factors such as concerns about betraying teammates or managers. However, companies can overcome this challenge by building trust in their compliance program and its reporting mechanism. This can be achieved by allowing for anonymity, clarifying non-retaliation policies, and sharing anonymised cases and investigation trends with employees through compliance training or newsletters. By demonstrating that the reporting program is working and accountability is being upheld, employees can develop greater trust in the company's compliance program as a whole.
"To address this cultural challenge, we advise companies to focus efforts on building employees' trust in the compliance program and specifically its reporting mechanism to promote a "speak up culture." For example, beyond bolstering reporting mechanisms by allowing for anonymity and making non-retaliation policies clear, companies can demonstrate that the reporting program is working by, for example, sharing particularly important anonymised cases or updating employees with high-level trends from investigations (e.g., through compliance training or compliance "newsletters"). These steps strengthen employees' belief and trust in not just the company's reporting system, but also its overall compliance program as they can see accountability in practice," says Levison.
Add to that the obstacles to effective anti-corruption compliance programmes in the region, explains Bush.
"The legal and compliance teams at corporate headquarters outside Southeast Asia often struggle to establish effective channels for detecting, preventing, and remedying compliance risks emerging within their Southeast Asia operations. Difficulties often stem from internal organisational limitations and resource constraints. Where country-level finance and compliance personnel report to country-level commercial management, they may lack sufficient clout or incentives to challenge their bosses by flagging compliance risks," he says.
"A "dotted line" from local compliance and finance to headquarters is often insufficient to ensure effective guidance or oversight for the local business teams. In many MNCs, regional legal and compliance resources are stretched thin, with a single headcount in Singapore or Hong Kong covering markets from Mumbai to Melbourne," adds Bush.
THE WAY AHEAD
Given the challenges there are ways in which companies operating in Southeast Asia can implement procedures in a more effective way, experts point out.
"No international legal frameworks and conventions similar to the United Nations Convention against Corruption (UNCAC) or OECD Anti-Bribery Convention have existed on a regional level in Southeast Asia. However, ongoing collective effort can be observed through ASEAN Parties Against Corruption (ASEAN-PAC) which was established to front the Community's commitment to combat bribery and corruption collaboratively. In the wake of the most recent agreement towards the group's Action Plan 2023 - 2025 in September 2022 during the 18th ASEAN-PAC Secretariat Meeting, in which one of the proposed main action pillars to be executed is the successful implementation of UNCAC , companies operating in the region, therefore, may want to be on the lookout for even more progressive reformations of local ABAC legal standards, or the birth of a regional framework that may take an international approach," says Tan.
"Each company will have its own unique risk profile, which will depend on the company's industry segment and business model, as well as its geographic footprint. Will the business depend on crucial licenses and permissions? Will it require frequent interaction with public officials? Will there be regular corporate hospitality? What is the anti-bribery landscape in the jurisdiction? Regulators will expect that the company's compliance program be tailored to the company's risk profile. This highlights the need for conducting a robust risk assessment and is why there is no one-size-fits-all compliance program. Off-the-shelf policies may be a helpful starting point, but must be customised for a company's unique risks. These risks evolve as the business evolves, which is why it is important to periodically test the compliance program and make adjustments and enhancements, as necessary," says Levison.
The second area is the growing risk that arises from the use of messaging applications, point out experts.
"Many businesspeople across the world rely on these apps (e.g., WhatsApp, LINE, WeChat, etc.) for daily communications. Southeast Asia is no exception, and we have seen a tendency in the region for employees to use these applications on personal devices for business communications. We also observe that discussions regarding improper conduct often take place on employees' personal devices, as opposed to their company-issued devices or emails. The DOJ has recently laid out detailed expectations for companies to implement effective measures to preserve all business-related communications, regardless of their medium, and that corporate compliance programs (including relevant policies and procedures) should provide a means to retain and access such business communication if needed. The DOJ has highlighted that it will take stricter enforcement positions against companies that fail to implement such measures surrounding ephemeral messaging applications. This is an area that companies operating in the region should consider when designing or enhancing their overall compliance policies and procedures," adds Levison.
Due to the way the region operates due diligence becomes really important. One of the globally-referenced due diligence resource guides, the OECD's Due Diligence Guidance for Responsible Business Conduct, specifically outlines the relevancy of companies scoping for and identifying risk touch points (e.g. bribery risk) in operations, supply chains and business relationships to allow for tailoring of due diligence methodologies.
"This is even more pertinent in the case of companies in Southeast Asia facing unique business risks due to the peculiarities of their operational location. This would require due diligence which can account for both operational and cultural contexts. The guide also sets out that the practice should also involve ongoing communication with stakeholders (e.g. third parties) so that measures continue to be dynamic and responsive towards the changing expectations in the relationships," says Tan.
"More importantly, notwithstanding the extensiveness of one's due diligence methodology, instilling responsible business conduct into the community plays an integral systemic role in cementing good due diligence standards. Otherwise, businesses may face difficulty in realising their measures due to challenges such as unavailable data, or unreliable and unclear data, often arising from the lack of transparency or proper documentation in place. The constant changing of international benchmarks on due diligence objectives such as business sustainability, corporate governance or susceptibility to bribery and corruption may also be overwhelming and give rise to the perception of due diligence practice being too labour-intensive," he adds.
Experts say that Southeast Asian companies must be prepared to take swift and decisive action if they suspect or detect any instance of bribery or corruption within their organisation. Regulators expect companies to investigate such incidents thoroughly and implement appropriate remediation measures, including enhancements to internal control systems and disciplinary action against employees, wherever necessary.
"Companies operating in the region should understand their potential regulatory exposure in all relevant jurisdictions, especially if the alleged conduct is cross-border in nature. This approach allows companies to understand reporting obligations under local law, and to the extent available, protect the privileged nature of work product (e.g., interview notes, reports, legal advice), under the attorney-client privilege, litigation privilege/attorney work product doctrine, or similar theories. Some jurisdictions may require self-reporting, and others may not, but reporting in one jurisdiction may trigger reporting in another jurisdiction. It is, therefore, important to work with counsel who understand these complex issues regarding overlapping or conflicting reporting requirements, and who can assist in evaluating the risks and benefits of reporting," says Levison.
Some jurisdictions may require self-reporting, while others may not. However, reporting in one jurisdiction may trigger reporting obligations in another jurisdiction. Therefore, it is essential to work with counsel who can navigate the complex issues related to overlapping or conflicting reporting requirements and assist in evaluating the risks and benefits of reporting, say experts.
"Many countries in the region are civil law jurisdictions that do not recognise legal privilege, even if they require lawyers to maintain the confidentiality of client communications. Even the common law jurisdictions in the region may give law enforcement authorities wide-ranging powers, and may limit the application of legal privilege relative to that in common law jurisdictions elsewhere."
Daniel Levison, Morrison Foerster
"Many countries in the region are civil law jurisdictions that do not recognise legal privilege, even if they require lawyers to maintain the confidentiality of client communications. Even the common law jurisdictions in the region may give law enforcement authorities wide-ranging powers, and may limit the application of legal privilege relative to that in common law jurisdictions elsewhere. Appreciating these nuances will inform communications protocols during investigations and how documents are produced to law enforcement," says Levison.