Wednesday, January 26, 2011

The Role of Human Resources and Today’s Anti-Corruption and Counter Terrorism Regulations

By Terry Corley

A key role for Human Resources and Security in any company is the background screening of not only US-based employees, but also of overseas employees, customers, suppliers, vendors, agents and other business associates. HR and/or Security are usually on the front lines of such activities, although it may be in conjunction with the Legal or Compliance Department.

I am frequently asked by clients what is considered best practice when it comes to international employee screening. The short answer is that it depends. When asked, I try to understand specifically what the organization is trying to accomplish, what compliance requirements relevant to its business it is looking to meet, and finally which countries are involved.

A client recently asked what I consider best practice for International Employee Screening as it related to complying with the Foreign Corrupt Practices Act (“FCPA”), United States and International Counter Terrorism and Export Regulations. The client had recently been the subject of enforcement action after it was discovered that the company’s drilling equipment was found in a sanctioned country. It was also discovered that the company had engaged local independent agents from the sanctioned countries without performing proper background checks. Talk about getting caught with your hand in the proverbial cookie jar!

In order to draw up a set of best practice guidelines on this subject, it’s important to have an understanding of what each regulation is and how it applies to human resources. Then it’s a matter of developing a method and a set of processes that will enable an organization to meet the required outcome, thereby meeting compliance requirements. I’ll review a few of these regulations and discuss their impact on the overseas background check process.

Foreign Corrupt Practices Act
The FCPA is a federal law that prohibits offering, promising, or giving anything of value, as well as authorizing such an offer, promise, or gift, to a foreign official for the purpose of obtaining, retaining, or directing business to a person or entity. This prohibition is contained in the FCPA’s anti-bribery provisions, which are enforced by the DOJ. The FCPA’s anti-bribery provisions have a much broader reach than many other U.S. laws. U.S. corporations can be liable for conduct that occurs entirely outside the United States and multinational corporations can be liable for conduct that bears only a tenuous connection to the United States. This includes employees of overseas subsidiaries, customers, suppliers, vendors, agents and other business associates.

With the number and size of penalties increasing, the Foreign Corrupt Practices Act (FCPA) is causing many U.S. institutions to look into how they evaluate all of their relationships overseas. A lack of due diligence on a company's agents, vendors, and suppliers, as well as merger and acquisition partners in foreign countries, could lead to doing business with an organization linked to a foreign official or to state-owned enterprises and their executives. This link could be perceived as leading to the bribing of foreign officials and as a result lead to noncompliance with the FCPA. Due diligence with regard to FCPA compliance is required in two aspects:

  1. Initial due diligence - this step is necessary in evaluating what risk is involved in doing business with an entity prior to establishing a relationship and assesses risk at that point in time.
  2. Ongoing due diligence - this is the process of periodically evaluating each relationship overseas to find links between current business relationships overseas and ties to a foreign official or illicit activities linked to corruption. This process needs to be performed indefinitely as long as a relationship exists, and usually involves comparing the companies, executives, and other business associates to a database of foreign officials that may be classified as “Politically Exposed”.

While financial institutions are among the most aggressive in defining FCPA best practices, manufacturing, retailing and energy industries are highly active in managing FCPA compliance programs.

U.S. and International Counter Terrorism and Export Regulations

Due to the political climate of the last several years, governments around the world have introduced more stringent regulations to combat terrorism and enforce export controls. The United States passed the U.S. Patriot Act along with increased enforcement action related to Export Administration Regulations (EAR). The United Kingdom enacted the Prevention of Terrorism Act 2005, the European Union passed a comprehensive Anti-terrorism Policy, and many other countries around the world continue to introduce similar anti-terrorism and anti-corruption regulations.

Know your customer (KYC) is the due diligence and bank regulation that financial institutions and other regulated companies must perform to identify their clients and ascertain relevant information pertinent to doing financial business with them. In the USA, KYC is typically a policy implemented to conform to a customer identification program mandated under the Bank Secrecy Act and USA PATRIOT Act. Know your customer policies have become increasingly important globally to prevent identity theft fraud, money laundering and terrorist financing.

One aspect of KYC checking is to verify that a customer is not on any list of known fraudsters, terrorists or money launderers, such as the Office of Foreign Assets Control's Specially Designated Nationals list. This list contains thousands of entries and is updated at least monthly. As well as sanctions lists, there are lists of third-party vendors that track links between persons regarded as high-risk owing to derogatory foreign media reports about them or in public records.

Know Your Customer processes are employed by more and more regular companies of all sizes, for the purpose of ensuring their proposed agents', consultants' or distributors' anti-bribery compliance. Banks, insurers and export credit agencies are increasingly demanding that customers provide detailed anti-corruption due diligence information, to verify their probity and integrity.

Restricted Party Screening
U.S. and other regional, unilateral, and multilateral regulations restrict individuals and entities from conducting transactions with specific foreign entities (individuals, companies, countries). These entities are referred to as Denied, Debarred, and/or Restricted Parties. Examples of these entities include but are not limited to known terrorists, organizations that fund terrorists, and/or parties guilty of trade violations. Typically, these restricted parties are countries subject to embargoes, and persons, businesses, and organizations subject to financial sanctions.

Suppose a multinational company has a compliance and ethics policy and tells its employees not to pay bribes - is that enough, or should the company go further?

A clear corporate policy against paying bribes is important, as well as including explicit language in every employment and agent agreement that prohibits bribery, but it is also critical for companies to conduct thorough employment and pre-engagement background checks on their agents and other third parties.

FSGO §8B2.1. (b)(3) states: “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

Certainly, U.S. government regulators expect nothing less. In a February 2009 FCPA settlement (for $579 million) by KBR and Halliburton with the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ), the SEC criticized Halliburton's due diligence policy and practice and its failure to conduct any due diligence on one particular agent in Japan. If the government shows up at your door asking to see the files on your overseas employees and trading partners, you want to be able to produce sufficient documentation to demonstrate you’ve looked thoroughly at the background and reputation of these individuals before engaging them to work on your behalf. This requirement is discussed in the Federal Sentencing Guidelines for Organizations (FSGO), §8B2.1. (b)(3) Effective Compliance and Ethics Program.

On the other hand, if you open your background check file to the government and it is empty or thin, the organization is going to be in a challenging situation. In the event an FCPA violation is uncovered, it is increasingly apparent from past cases that the government is far more likely to be lenient on a company that has a commitment to an anti-bribery compliance and ethics program, including being able to demonstrate the organization has exercised a responsible level of due diligence on its overseas employees and related business associates.

In my next blog post I will discuss what sort of checks should be done to meet due diligence requirements on overseas employees and business associates and the role of Human Resources.

After years of conducting thousands of overseas background checks, extensive research and hands-on knowledge have led to an invaluable ‘best practices’ road map for conducting global background screening.

Should you have any specific questions please feel free to email me directly at terrance.corley@comcast.net.

Tuesday, September 29, 2009

Canadian Provincial Court Checks versus CPIC Criminal Check

A client recently asked why I don't offer Canadian Provincial Criminal Court Checks versus only offering what is known as the Canadian CPIC Check. We’re also occasionally asked why much of our international criminal research requires so many different forms required by overseas government authorities when their previous provider didn’t require them to provide such documents in order to perform their checks in the past. We of course invariably ask: so what do you get in return for the criminal searches you sent them? Have you ever received an actual record back? Do you receive any sort of government document that attests to the actual results they provided? Of course in 99% of the cases and after thousands of checks they have never received such results. Surprised? This clearly poses some interesting questions we will be covering in future discussions. In the meantime:

Canadian Provincial Court Checks versus CPIC Criminal Check
To answer the question of Canadian Provincial Court Checks versus CPIC Criminal Check, we shared with our client that although performing court checks throughout the US (i.e. county, state, and federal levels) is the best practice, it should not be considered best practice in Canada. The best practice type of Canadian criminal check is performed through the Canadian CPIC system, which is a national criminal history database system maintained by the Canadian Royal Mounted Police.

There are many reasons for this, such as the fact that court data is not as efficiently maintained at the local and provincial court level in Canada as it is here in the US. Unlike the US, there is no local court retriever network in place to actually perform a live search of records without having to travel great distances, which causes increased cost. Additionally, throughout Canada there may be multiple courts that service either a local city or territory. Not all cases that are heard at the local court ever make it to the “provincial court level” and vice versa. As such, unless all courts at the provincial and local level are searched, there may be many criminal cases, many of which may be serious, that could go unreported (missed records).

Recent Case History, Celebrity Homicide
A recent high-profile celebrity homicide exemplifies this very issue; it involved a retail screening firm that relied on a well-known, prominent wholesale international criminal provider that sells “Canadian Provincial Court Checks”. You may remember the homicide case last month in which TV contestant Ryan Alexander Jenkins allegedly killed his former swimsuit model ex-wife Jasmine Fiore. It was later determined that the retail screening firm hired by the production company to screen its contestants had relied on an international wholesale criminal provider to perform a “provincial court check”. At the time the check was done it was reported back as a “No Record Found”. One court was allegedly checked when in fact five other courts were also responsible for servicing this particular area of Canada. It is now clear, as things have unfolded in recent media, that Jenkins in fact had a substantial criminal history throughout Canada (Alberta and other provinces), including convictions involving domestic violence. The actual records were later found in other courts not searched by the international provider.

This is a hot issue in the screening industry today. Surprisingly enough there are many firms that offer criminal record service from every country on the planet. Doing business with such firms can be a risky proposition at best.

In closing, if you have specific questions regarding what may be considered best practice in screening candidates from various countries, please feel free to post your questions.

Sunday, April 27, 2008

Introduction to Privacy and Employment Issues related to Background Checking throughout Europe

Disclaimer: The material and information presented in this blog is intended for informational and educational purposes only. None of the material or information contained in this blog is offered as legal advice. No one should take any action based solely on the material contained herein. Rather, the reader should seek appropriate legal or other professional counsel from attorneys or other professionals that specialize in the field. Nothing contained in the author's blog is intended to create an attorney-client relationship between the reader and the author of this blog. Receipt by or transmission to the reader of any material herein does not constitute an attorney-client relationship between the reader and the author.

When an employer wants to implement an international background check program and transfer data of a personal nature to another country, it should pause before clicking "send". What are the legal implications in moving such personal information to another country?

Background
Employers involved in the recruitment and selection of applicants to and from EU countries should be aware of their responsibilities under relevant Data Protection Directives, the legal transfer of personal information across international borders, as well as local employment legislation in these countries. An understanding of the structure and function of the European Union ("EU") and “The European Directive on Data Protection 95/46/EC” is essential to any analysis of the data protection laws of EU Member States, as well as of the many other countries that have adopted EU-modeled data protection laws, when implementing international applicant screening programs.

Privacy and Data Protection

European Directive on Data Protection
The Data Protection Act 1998 (the "Act") replaces and builds on an earlier 1984 Act which derived from concerns that the power of computers to manipulate information was threatening the privacy of individuals in Europe. The Act applies to all personal data held in a structured way in any medium (paper, computer, microfiche, tape etc). The Council of Europe adopted "The European Directive on Data Protection 95/46/EC" in 1995. The Directives have extended the scope of data protection in recent years to include all personal data held about individuals, however it is stored. It also places guidelines on the actual transfer of data outside the EU. See the section "Transfer of Personal Data to and from European Countries" for additional information.

Guidelines for Managing Human Resource Data from European Countries
In the United Kingdom, the Employment Practices Data Protection Code Part 1: Recruitment and Selection (March 2002) as published by the Information Commissioner provides a starting point. The Code is intended to assist employers in complying with the Act and to establish good practice for handling personal data in the workplace. The Code also states that employers should only carry out pre-employment vetting/screening on applicants (e.g. references, criminal record checks etc) at an appropriate point in the recruitment process and comprehensive vetting/screening should only be conducted on successful applicants. The benchmarks outlined in the Code develop and apply the Act in the context of recruitment practices and are the Information Commissioner’s recommendations as to how the legal requirements of the Act can be met.

Transfer of Personal Data to and from European Countries
If your business receives and processes personally identifiable data about persons living in a European Union (E.U.) member nation using Applicant Tracking Systems or HRS Applicant Tracking systems, it is subject to data transfer restrictions set forth by the E.U. Data Directive. Unfortunately, many companies are not aware of the various data flows from Europe to their company in the U.S. and beyond. Consequently, they are at risk for stiff penalties, fines and possible transfer restrictions or interruptions. U.S. companies have three options for transferring data to the U.S. including human resources, research and, in general, any personal data:

  1. Transfer data under one of the exemptions allowed for in the Data Directive/national laws.
  2. Transfer data as part of a contractual agreement either through model contracts approved by the E.U. Commission or through ad-hoc contracts to be approved by the relevant national data protection authorities.
  3. Transfer data under the Safe Harbor Agreement.

Each option applies only in special circumstances or imposes particular burdens on the data transfer option. Therefore, before selecting the option that is best for your company, it is important to understand your data flows. You will then have to adjust your current data handling practices to meet the requirements of each transfer option.

Employment Legislation
Much like the United States, European countries have also enacted comprehensive employment legislation related to Discrimination, Racial Relations, and a multitude of others, creating yet another unique situation. For employers such as those in the financial sector, or those with employees coming into contact with vulnerable individuals such as children, and in the healthcare professions, specifically in EU countries, background screening is a legal requirement. The Financial Services and Markets Act 2000, for example in the UK, requires individuals working in controlled functions such as senior customer-facing roles to be "fit and proper", meeting honesty, competence and financial soundness criteria. Furthermore, individuals coming into contact with vulnerable individuals are required to undergo extensive criminal background checks through the host country’s government authorities. Many European countries have also enacted what is called Rehabilitation of Offenders legislation, which concerns the employment of people with a criminal record. If a person has been convicted of an offense, provided they have not been re-convicted for a further offence during a specified period, his/her conviction becomes spent (should be treated as though it had never existed) for the purpose of employment.

Acquisition of Criminal Conviction Data in Europe
Europe does not provide the same level of accessibility to court records as the United States. Criminal conviction information is generally available only to government officials and the individual themselves. It is important to note that a complete register of criminal convictions can only be kept by a public authority. Data relating to offences, criminal convictions or security measures may only be processed under the control of a public authority except as may be authorized by regulations of a given country and are subject to additional suitable safeguards.

Each country has its own laws, procedures and customs. Issues with forced subject access and unauthorized access to personal records may be a significant risk for employers obtaining this type of information improperly through a third-party vendor. Third-party direct access to police and many court records is strictly prohibited by most European Union countries, as criminal conviction information is not considered a matter of public information.

Companies must now accept one essential truth: they must now become aware of how they use personal information, where they get it, how it is and may be used, and where it goes.

Source Links

[1] European Union Data Protection Directive (95/46/EEC) (the “Directive”) of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regards to the processing of personal data and on the free movement of such data, 1995 O. J. (L 281) 0031-0050. The Directive took effect in October 1998.
[2] Data Protection Act 1998, 1998 Chapter 29
[3] Employment Practices Data Protection Code Part 1: Recruitment and Selection

For more information about International Screening Solutions please visit our website.