Insights

JD Talks  Compliance Asia SOCIAL

JONES DAY TALKS®- Corporate Compliance in Asia: Managing Rapid Regulatory Change and Ambiguity

As business and investment activity in Asia surge, multinational corporations operating in the region face continually evolving and challenging compliance obligations and risks. Jones Day lawyers Lillian He, Hiromitsu Miyakawa, Zac Sharpe, and Simon M. Yu, all with broad experience advising corporate clients in Asia, discuss the current compliance and regulatory landscape, key enforcement agencies, and the attention in the region to ESG, data privacy and cybersecurity, anti-corruption, and sanctions.

Podcast: Play in new window | Download

SUBSCRIBE TO JONES DAY TALKS

Subscribe on Apple Podcasts

Subscribe on Android

Subscribe on Google Play

Subscribe on Spotify

Subscribe on Stitcher

LISTEN TO PREVIOUS PODCASTS

 

Read the full transcript below.

Dave Dalton:

Companies across Asia, including multinationals, face an increasingly complex and rapidly changing regulatory landscape, which introduces a number of corporate compliance challenges that constantly evolve and must be taken seriously. We have a Jones Day panel here to provide some insights on corporate compliance in the region. I'm Dave Dalton. You're listening to JONES DAY TALKS®.

Jones Day partner, Simon Yu, based in Taipei, advises clients on litigation issues and business resolutions. Simon has counseled clients on numerous high-tech patent litigations and complex multinational litigations involving white collar crime, trade secret protection, and construction disputes. Partner, Hiromitsu Miyakawa, has more than 20 years experience in antitrust competition matters and has served as defense counsel in major cartel prosecutions by the Japan Fair Trade Commission. His practice covers government investigations, mergers and acquisitions, litigation and other counseling and compliance advice.

Hiro is partner in charge of the firm's Tokyo office. Based in Singapore, but involved in matters throughout the region, partner Zachary Sharpe has extensive experience in complex international commercial disputes. His practice covers corporate, technology, joint ventures, energy resources, engineering and construction, licensing and technology matters. And based in Shanghai, Lillian He's practice focuses on dispute resolution, investigation and compliance matters, cross-border litigation, anti-corruption investigations, data privacy and data protection, and anti-money laundering and trade compliance. Let's start with Lillian. Lillian, thanks so much for being here today. We all know companies across Asia face an increasingly complex and rapidly changing regulatory landscape there, which introduces numerous compliance challenges. Give us an overview, if you will, a high level take of what's going on in the compliance sector in China and in other parts of Asia.

Lillian He:

Yeah, thank you, Dave. So, corporate compliance in mainland China is extremely challenging right now. The Chinese government has been upgrading its legal toolkit, we say starting from the traditional compliance areas, such as anti-corruption, anti-trust, to some new developed areas such as data protection, privacy, and anti-espionage. The laws are sometimes very vague and with certain ambiguities, so that's why it's very difficult. Interpretations from the Chinese authorities are also very involving in lots of the compliance areas, and oftentimes you get different answers from different local authorities. And a big challenge that lots of multinational companies face are conflict of laws. In those situations it's sometimes hard to find a way to mitigate risks for operations in China.

Dave Dalton:

Let's go over to Zac quickly. Zac, thank you again for being here today. Zac, talk about the region as a whole–South and Southeast Asia–and the escalation of new laws creating the challenges for clients there. How do you deal with that?

Zachary Sharpe:

It's a very difficult region for people involved in compliance to begin with. And against that backdrop, over the last few years we've seen a lot of new laws similar to the situation with PRC. There's been a lot of legislation focused on data privacy and cybersecurity in particular. In most of the jurisdictions across Southeast Asia–very recently also in India–we've seen countries passing new laws or amending their laws and bringing in changes with respect to data protection and cybersecurity. And these are really challenging issues for the region because each country has its own rules and some of them are overlapping, some of them apply extra-territorially. So, there's really a lot to keep track of in the wider region. In addition to that, and just adding another layer, and we'll probably come onto this a little bit more, ESG, and the passing of new laws to regulate ESG in the region, is something that we're seeing happening all across and in very different ways, and that's really something that's of concern to a lot of people.

Dave Dalton:

Let's go to Hiro for a second and talk about Japan. Talk about the current state of corporate compliance in Japan, Hiro.

Hiromitsu Miyakawa:

Okay. Yeah, thank you very much for your question. Actually, in the last maybe 10 years, many Japanese companies really improved their compliance programs because of some severe aggressive enforcement in the area of competition law, cartel issues and regarding corruption, FCPA-type enforcement. In general, and maybe traditionally, law enforcement has been less aggressive in Japan compared with other regions' jurisdictions. And for people at companies working in Japan, it was difficult for them to expect that their conduct could be subject to laws and regulations in other jurisdictions. For example, in autoparts' cartel investigations and in FCPA enforcements, many companies were severely fined. Now Japanese companies realize how corporate compliance is very, very important. But still for Japanese companies, one of the challenges is how to establish an effective compliance program against extra-territorial application of laws and regulations in other countries' jurisdictions. But Japanese companies are really–compared with 10 years ago–now they have much better compliance programs, I think.

Dave Dalton:

Okay, let's wrap up this section. We're going to go to Simon Yu, who we've not spoken with yet. Simon, again, thanks for being here today. Tell us what's going on in Taiwan in terms of the current structure and landscape with corporate compliance?

Simon Yu:

Yeah, thank you, Dave, for the question. Taiwan has been working on corporate governance issues since 10 or 15 years ago. So the government has put a lot of efforts to enforce compliance issues. And actually recently, Taiwan has adopted a lot of regulations related to ESG requirements because it is a really hot topic for Taiwanese companies. So it is a robust environment for the ESG issues in Taiwan, but there are many layers of different regulations.

There are some from the central government, and there are some requirements from the local government. So the Taiwanese companies or the international companies doing business in Taiwan are facing a lot of issues, such as ambiguity or uncertainty, or they don't know how to monitor the status or the changes in law and legal systems–that would be a very big challenge. And in addition to the ESG issues, I think we are now focusing on cyber security and also the data protection issues. So, there's quite a lot of regulations and many Taiwanese companies, they know they have to do that, but actually they don't know who can help them to do that. So I think that would be a main issue here in Taiwan.

Dave Dalton:

Thank you very much, Simon. Let's go back to Lillian for a second and talk about China in terms of some of the regulatory and legislative movement there. Lillian, what's going on in China in terms of the compliance terrain or landscape?

Lillian He:

Yeah, so Zac and Simon has already mentioned data privacy and cyber security that's also similar in China. And then the other focus of legislation in China is national security and anti-espionage. And one thing unique about China is that lots of the companies in mainland China are owned by the Chinese government. For example, you may have customers who are owned by the Chinese government, or you may have joint venture partners who are owned by the Chinese government. So when you have data from Chinese state-owned enterprises, you need to be very careful about how you process, how you collect, how you transfer those data.

Dave Dalton:

So that segues nicely into the next part of our discussion about risk mitigation, how to minimize risk, Lillian. And talk about that in terms of where China is. You touched on third-party risks and so forth. Expand on that point if you can for us.

Lillian He:

Yeah, so there are a couple of risks in China, for example, like you said, third-party risks. In lots of the industries, there are multi-layers of third-parties involved in the sales or marketing activities in China. And it's extremely important to understand why it is rational to use multi-layers of third-parties and also the justifications for their margins. And then another risk area is the frequent use of mobile devices and social media in business operations in China such as WeChat. It is almost inevitable to use WeChat in business operations in China because your suppliers, your customers, your colleagues are probably all using WeChat, and it's very frequently used in China. And then one of the challenges from the US law perspective, there is this new DOJ compliance guidance on messaging apps.

And then from the Chinese law perspective, there's also stress and protections on data privacy. So therefore employees are generally aware of their privacy rights, and then when you go ahead and collect their devices, they understand they have the right to refuse the collection. So this is a very big challenge that lots of our clients are facing, but there's ways to handle these kinds of issues, like we have handled a couple of WeChat collections recently. In those kinds of situations, we have detailed plans–for example, when we communicate with the relevant employees, we need to consider who to deliver the message, whether someone from the senior management internally or externally handled by an independent external counsel.

Before the collection, we also need to explore options for selective collections from a technology perspective, because in lots of the cases, the custodians are willing to provide a partial of their WeChat data, but not all of their WeChat data. So in those circumstances, we need to figure out a way to efficiently do a selective collection. And then the longer the collection takes, the more likely they will regret and change their opinions and under the law, they actually have the right to revoke their consent. So that's why we need to explore a way to efficiently collect the mobile phone data.

Dave Dalton:

Let's go back to Zac for a second. Zac, you mentioned anti-bribery, corruption and sanctions in terms of a risk to be handled or mitigated or controlled. Talk about that in the region if you could?

Zachary Sharpe:

Yeah, that's right. So bribery and corruption across Southeast Asia, in particular, is a huge issue and it's a really challenging issue for companies to navigate. There's a number of jurisdictions in Southeast Asia that are extremely high risk for anti-bribery and corruption issues. When it comes to corruption and fraud, Malaysia, Thailand, Indonesia and Philippines are all considered very high risk countries. Vietnam interestingly has seen some improvement in recent years, but it still remains a challenging jurisdiction for certain businesses. Myanmar is near the bottom of the Transparency International Corruption Index, and in each of these jurisdictions, certain issues arise in particular contexts that are quite different because it's just been endemic. These types of issues have arisen over a long period of time, and they're just really challenging issues for companies that have invested in the region. In terms of the mitigations for these types of issues, in Southeast Asia, one of the most important things is to have a top-level commitment from the company to combating these types of issues.

To really set the tone, you need to have procedures in place for people to follow–detailed procedures and regular training for employees as well as management so that everybody knows what the rules are. Without having those types of basic procedures in place and that commitment to having a clean business, it'll be really challenging in the region because the norms just aren't there. Codes of conduct, guidelines, again, very helpful–we see a lot of companies that have these. Ongoing communication, monitoring and review by compliance officials are kind of essential across the region. The last one is really compliance due diligence, and we see a lot of this for transactions. So companies wanting to come into the region and buying a local business with the established customer base or established vendors, there may be issues relating to payments that have happened in the past. And really the only way to wrap your head around that before the transaction is to do a great deal of due diligence upfront in order to know what issues might arise post the transaction.

Dave Dalton:

Absolutely, absolutely. Let's go back to Simon for a second. Simon, as we were preparing for this talk, you talked about the rapid change in all this, that being a risk in and of itself in terms of how fast things are moving and evolving. Talk about that in terms of Taiwan and how fast the train's changing and how clients deal with that?

Simon Yu:

Yes, thank you. Because there are many changes from the government, they usually have new regulations about compliance. We can see that in ESG issues and all the corporate governance. Labor is another issue. But apart from that, except for the government agencies, because in Taiwan for all the publically listed companies, the Taiwan stock exchange has played a very important role to pursue all the goals for those kind of companies, because it is not government agency and it is just some stock exchange, so they can just pass their laws very quickly, they don't have to go through all the procedures in the legislative process. So in every month, the Taiwan Stock Exchange will announce the new regulations for those public listed companies to follow. And we can see that especially for some, like we are going to the net-zero policy, there are a lot of regulations requiring the companies to follow.

So they need to produce the report. And for some, like the chemical industry, they have a lot of burden to monthly report about the status of their factories and how much they're going to produce. So I think it is a lot of burden for the companies to follow. And given these circumstances, they have to monitor closely about the changes in law. And sometimes because Taiwan is a society that many people can express their opinions, so sometimes the government will just to hear about all the opinions in the society, so sometimes they focus on this thing and maybe next year they will change to another subject.

So for the companies, I think they have to spend a lot of time monitoring all the changes, very rapid changes in law. I talked to my clients, they are compliance officers, they always complain about that they need to monitor closely about the changes in law, and sometimes they just have some internal education about some specific topic, and then maybe after three months everything changes. So that surprises them a lot. But for lawyers, I think that is also the same thing. We need to watch closely all the changes in law.

Dave Dalton:

Well, sure. We do a lot of JONES DAY TALKS® podcasts, and I always ask the same question, how do you guys keep up? Okay, we've covered a lot of ground here. We're going to wrap it up with two quick sections. We're going to talk about enforcement bodies in the jurisdictions and then a quick take on best practices and remaining compliant. So let's stay with Simon. Simon, talk about the primary enforcement agencies in Taiwan who are clients liable to engage with if something goes a little wrong?

Simon Yu:

For the public listed company, it is the Taiwan Stock Exchange and the Financial Supervising Committee. They are the major enforcement bodies to supervise all the activities for the company's compliance issues. And recently, Taiwan has a new government agency. It is the Ministry of Data Affairs that will be handling all the cybersecurity and data protection issues. And it is a very new organization and that could have the power to audit the companies if they are doing well in the cybersecurity and also the data, personal data protection. Also, the prosecutor also has the right to... if someone complains about potential criminal liabilities, then the prosecutor will get involved to investigate. So just like I have talked about the potential liabilities, especially the criminal liabilities, related to fraud arising from the sustainability report has been a big challenge for companies, because the government is watching you and sometimes they will pose a very strict criminal liability on you. So we need to be very careful about that.

Dave Dalton:

Absolutely, absolutely. Let's switch over to Lillian. Talk about China. What's happening there in terms of enforcement agencies or bodies?

Lillian He:

Yeah, the major enforcement agency is Market Supervision and Administration. We call it SAMR, and it handles anti-corruption, anti-unfair competition and anti-trust investigations. And then another agency that has been recently very active is the Cyberspace Administration. We call it CAC. And CAC is focusing on the enforcement actions on data security, privacy. Another government agency is the Public Security Bureau. They conduct criminal investigations. And all the government authorities in China, they actually have very broad investigative powers, such as conducting dawn rates or getting access to personal data.

Dave Dalton:

Good stuff. Lillian, great information. Zac, what might you add at this point?

Zachary Sharpe:

Yeah, thanks so much. Speaking about Southeast Asia and South Asia, obviously there's an enormous number of jurisdictions each of which has their own regulators. Some of them have multiple regulators just addressing regulators in respect of anti-bribery and corruption matters. If we look at Indonesia, there's the Corruption Eradication Commission, also known as the KPK, which is investigating high level corruption and sometimes investigating corruption involving the national police, which has given rise to a number of turf wars over the years. The national police is also charged with investigating corruption, and the two don't sit easily with one another. In Thailand, there's the National Anti-Corruption Commission, which is charged with combating corruption of high ranking government officials.

There's also an Office of Public sector Anti-Corruption, that's part of the Ministry of Justice that sits separately from the NACC. In Singapore, the most significant and enforcer for purposes of anti-bribery and corruption is the Corrupt Practices Investigation Bureau. But for other types of financial issues and regulatory issues, the most significant regulator is the Monetary authority of Singapore, the MAS, which has a separate division that investigates financial crimes. We can go on, but this is the challenge throughout the region, is that each jurisdiction has multiple regulators involved, potentially involved in compliance issues, which makes it really quite challenging to monitor trends and for people to keep abreast of what the enforcement trends are in each jurisdiction.

Dave Dalton:

Thank you, Zach. And that's a beautiful segue to our next section as we start to wrap up this program. Let's talk about remaining compliant, staying out of trouble, best practices. Let's go to Hiro first. Talk about Japan in terms of compliance programs, best practices–how do you stay on the right side of these issues?

Hiromitsu Miyakawa:

Okay, thank you. Yeah, I think one of the most important things is first the company engages in full and very detailed risk assessments. Sometimes, whenever we receive questions–"We'd like to establish a compliance program for this area, do you have good sample or do you know if other companies are doing what and so on?" But then we always reply, "Okay, but compliance programs should really focus on their risk area, which is different for each company depending on actual business activities." So, for example, if you don't handle personal information, basically you don't need to really establish very detailed compliance program for privacy and personal information issues.

And further, in the area of competition law, if you don't participate in public bid maybe you don't need to really emphasize the risk of bid-rigging, but if you need to distribute products to consumers through wholesalers, retailers, and so on, you really need to understand resale price maintenance issue. For example, sometimes a company tries to make a good appearance, "Hey, we have a really good compliance program for this, this, this, this." But the same question is, "Is your compliance program really effective to avoid a problem?" So the first thing they should do is a really precise, thorough, detailed risk assessment, and they need to establish an effective program for unidentified risk. I think that's really important to have an effective compliance program.

Dave Dalton:

Terrific. All right, we're wrapping this up. Let's go around the horn real quick. Conclusions, final thoughts. We've talked for quite some time, covered a lot of ground. If you had one key takeaway, tell us what that is. Let's start with Simon, then we'll go to Hiro, then Lillian and Zac will wrap us up. So Simon, what's your one key takeaway for today's discussion?

Simon Yu:

Yeah, I think from my experience, I would say that the compliance team is very important, and you need to keep a close eye on the changes in the legal systems. And actually, especially for the multinational companies, I think there's one thing that is very important, because I think recently we got a lot of inquiries about Jones Day's team–whether or not they can establish a team for them around the world to monitor some certain topics. The reason why we were doing this is about marketing compliance issues because they want to have business around the world and they are aware of the differences between different jurisdictions on the marketing compliance issues. So they have a very strong team already, but they think they need to have an expert team to help them around the world to monitor all the status or the changes. So I would say, you can have a very good team internally, but you would need to have an outside counsel to help you to monitor the things around the world–that is the best practice for the compliance issues.

Dave Dalton:

Great advice. Lillian, what's your one key takeaway from today's discussion? What do listeners need to know most?

Lillian He:

So in terms of the key takeaways, I would say understanding the local business and enforcement environment, identify the real risks, and then when there is a conflict of law situation, making efforts to find the middle ground where you can mitigate the risks in multiple jurisdictions. Actually, oftentimes you actually can find it when you're making efforts, even if the middle ground may not be a perfect way, but documenting such efforts are also helpful, especially when you face government investigations, inquiries–then you have an answer.

Dave Dalton:

Well, good. Hiro, wrap us up. Give us one more thought, then we'll go to Zac.

Hiromitsu Miyakawa:

Basically, I'd like to echo what people have said today, it's very, very important to monitor what is going on in all relevant jurisdictions, not only in Japan. What's going on in China, in Taiwan, in Australia and any other countries because now laws, regulations are rapidly changing, we discussed. And also very complicated, very complex. So we really need to understand what's going on in our own jurisdiction and also in other jurisdictions so that we can know what we should do to mitigate risks and so on. Of course, in certain areas of law–again, an example is competition law–maybe five years ago or 10 years ago, people never talked about HR in the context of competition law. But now, for example, in the US, the government actively enforces against wage-fixing cartels, no poach agreements. For example, and also in Europe, ESG-related competiton law issue is very important, even for the purpose of ESG, environment and so on. If collaboration, cooperation among companies exceeded that purpose, that becomes a violation of competition law, for example. So now not only price-fixing, bid-rigging, but many, many issues–labor, ESG, privacy–those are also relevant for competition law, and maybe a similar thing is happening in other legal areas. So, again, it's very important to monitor what is going on in the world.

Dave Dalton:

Keep a whole regional and global perspective, that's for sure. Zac, wrap us up, final thought?

Zachary Sharpe:

Yeah, I have to agree with everything that's just been said. I think that's exactly right. It's really hearing Hiro and Simon and Lillian talk about what's happening in their jurisdictions–I'm really struck by the fact that the clients and the issues that we're dealing with in each of these locations are so interconnected that businesses are really having the same issues in multiple different places, and they really do need a large team in place to monitor the changes in law. In the last few years, we've had one of the most significant examples has been, with respect to sanctions. There's been a lot of sanctions arising out of the Ukraine conflict and really hitting all of the economies and all the economic actors in this part of the world, impacting prices, causing all kinds of supply chain issues. On the back of that, then we had the pandemic, which made it really difficult for people to travel and had a lot of compliance issues trying to navigate this really complex, evolving situation in the region while also hamstrung by the fact that they can't really travel and go see people. Sometimes it's difficult to get information about what intermediaries are doing.

And these really are the challenges in the region because all of these jurisdictions are so interconnected in terms of their businesses and in terms of their economic activity that no matter where you are in the region, you have to learn to grapple with all of these issues, whether it's at the front end, whether it's dealing with them after they've arisen, and that just gives rise to a host of issues. Just as a capstone, talking about all these data regulations, when you're doing an investigation into something completely different, one of the key issues, and Lily and I know and can speak to this at length, is how do we get through all this data? How do we look at it? Can we take it out of the jurisdiction? Do we need to review it in the jurisdiction? And so you get all these issues that arise just on the back of that, that are really difficult for companies to deal with and really challenging. And frankly, if you're practicing in this area, very interesting as well.

Dave Dalton:

I can imagine. This is so complicated, but the four of you have done such a good job, so I want to thank you for your time. I do a lot of these, this one is one of the most informative podcasts we've done in a long time. So Zachary, Simon, Lillian, Hiro, thank you so much and I hope we talk again soon.

Zachary Sharpe:

Thank you.

Hiromitsu Miyakawa:

Thank you very much.

Dave Dalton:

Thank you for your time today and thanks for a great overview of what's going on in the region.

Lillian He:

Thank you.

Dave Dalton:

For complete bios and contact information for Simon, Hiro, Zac and Lillian, visit jonesday.com. Also, check out our insights page. You'll find more podcasts, publications, blogs, videos, and other content I know you'll find interesting. Subscribe to JONES DAY TALKS® wherever you find your podcast programming. JONES DAY TALKS® is produced by Tom Kondilas. As always, we thank you for listening. I'm Dave Dalton. We'll talk to you next time.

Thank you for listening to JONES DAY TALKS®. Comments heard on JONES DAY TALKS® should not be construed as legal advice regarding any specific facts or circumstances. The opinions expressed on JONES DAY TALKS® are those of lawyers appearing on the program and do not necessarily reflect those of the firm. For more information, please visit jonesday.com.

 


Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.