1. Overview

A Compliance Program (CP) generally refers to the techniques and mechanisms that ensure a company complies with the regulations to which it is subject and to which it voluntarily submits. It is the organization (governance, procedures, and processes) set up by a compliance expert for the company to disseminate and enforce the law and ethics by its employees and managers. It is, therefore, a tool for enforcing regulations in the company and managing legal risks.

The main areas in which CPs are usually set up are:

• Fraud and corruption.

• AML and CFT.

• Ethics.

• Taxation.

• Public health and safety of employees.

• Product/service compliance and safety.

• Protection of personal data.

• International transactions.

Some companies, due to their size or business sector (banks, insurance companies, pharmaceutical companies, etc.) are subject to special regulations that require them to implement CPs. Other companies are doing so voluntarily or in the context of commitments made to authorities or as part of their CSR initiatives.

Lawyers wishing to offer a CP to their clients as part of their legal services, may start by answering “why?” businesses have needs in this area, and “how?” lawyers can respond to such needs.

All companies are concerned, to varying degrees. Companies operating internationally are particularly concerned because they are exposed to extraterritorial foreign legislation requiring them to set up CPs. Companies with local operations are also concerned, especially when they act as subcontractors: their contractors are demanding that they apply and implement the same standards.

It is worth noting that a CP does not only encompass the obligations of complying with AML/CFT regulations. As noted previously, a CP is a tool that deals with various areas of the Law. However, according to law 44 dated 24/11/2015 related to Fighting Money Laundering and Terrorist Financing, some categories of businesses have numerous obligations under the terms of this Law and its implementing regulations, including adopting a CP for the concerned entity. These categories of businesses may be sorted as follow:

Category 1:
Banks; Financial institutions; Leasing companies; Institutions that issue payment cards; Institutions that perform money transfers electronically; Exchange institutions, Financial intermediation institutions, Collective investments schemes, Institutions requiring a license by BDL; etc.

Category 2:
Insurance companies; Casinos; Real estate agents; Merchants of valuables (jewelry, precious stones, gold, works of art, antiques); etc.

Category 3:
Accountants; Notaries; Lawyers; etc.

2. Preparation

There are many reasons for the growth of compliance and it is important to understand them in order for a lawyer to better meet the needs of companies in this area. The following are the main ones.

1) Globalization

Globalization has many legal consequences, in particular:

1. The tendency of states to adopt laws of extraterritorial application, so that the rules they enact bind not only the companies which have their headquarters within their jurisdictions but also foreign companies so that they all apply the same rules of the game and therefore eliminating possible distortions of competition.

2. Multinational companies express the need for harmonized rules: they aspire to be able to apply the same (or very similar) rules wherever they operate, in the interests of simplification, efficiency and legal certainty.

2) The rise of ethics and sustainable development

Stakeholders (consumers, employees, shareholders, etc.) demand that companies, wherever they operate, respect a set of common rules and values.

Six major areas are concerned:

• Human rights.

• Employee rights.

• Respect for the environment.

• Fair competition.

• Fight against corruption.

• Protection of personal data

This requirement is reflected in numerous legislative initiatives in the field of Corporate Social Responsibility (CSR). For the most part, these regulations require companies of a certain size to put in place risk prevention standards and to regularly publish information on their initiatives in the abovementioned areas.

New laws were enacted in this regard to respond to the public outrage caused by some sadly famous scandals (ex. the working conditions of IT subcontractors in China and the Rana Plaza accident in Bangladesh in 2013, in which 1135 people who worked as subcontractors in clothing factories were killed). These laws were preceded by the Global Compact, a UN initiative launched in 1999 at the World Economic Forum in Davos, Switzerland, which aims to:

• Act against corruption in all its forms, including extortion and bribery.

• Strengthen corporate social responsibility and initiate reflections on CSR themes.

• Promote good practices by mobilizing companies through voluntary and collective action.

• Disseminate good practices so that stakeholders can benefit from the annual progress made.

• Bring together voluntary companies, UN agencies, workforce stakeholders and civil society around the following actions:
  1) To promote and respect the protection of international human rights law.
  2) To take care not to be complicit in human rights violations.
  3) To respect freedom of association and recognize the right to bargain collectively.
  4) To contribute to the elimination of all forms of forced or compulsory labor.
  5) To contribute to the effective abolition of child labor.
  6) To contribute to the elimination of all discrimination in employment and occupation.
  7) To apply the precautionary approach to environmental issues.
  8) To take initiatives to promote greater responsibility for the environment.
  9) To promote the development and diffusion of environmentally friendly technologies.

Public opinion, NGO action, and new regulations are forcing companies to strengthen their supply chain controls and advertise their efforts in this area. Whether under mandatory regulations or not, this stream of transparency has to be followed because it contributes to the perception and reputation of a company with its customers as well as its current or future employees.

3) Legislative inflation

The complexification of the law, linked particularly to legislative inflation, makes it difficult for companies to understand the rules: the legal text is, in fact, not ready for use or not immediately understandable and needs to be translated into concrete applications for employees and managers. In addition, a synthesis of rules is almost always required by those employees and managers, especially when different branches of law enact rules that are applicable to a given situation and that should be made compatible. Legislative inflation imposes a continuous updating of the legal knowledge of employees and managers on the rules to which the company is subject.

In this context, the need for legal certainty requires that all employees and managers likely to engage the company be alerted to the rules to be applied and their evolution, to what they can do or not do, which means that they must have a level of knowledge that allows them to analyze and qualify common legal situations and, finally, to identify risk situations, requiring them to seek advice.

A CP meets this need through its training and awareness component.

4) Increased cases of prosecution

Companies are less likely to escape the control of the law, because lawsuits against them, in case of failures on their part, are more often not only triggered by the authorities but also by their employees (whistleblowing), their competitors, consumers and their associations (private enforcement, class actions, group actions) and non-governmental organizations (NGOs).

5) Prevention obligations

New legislation is marked by a risk management approach and, as a result, is increasingly putting companies under preventive obligations. These obligations of prevention result in the company’s full liability unless it shows that it has taken all the measures necessary to prevent the risk from occurring or the offense being committed. In the field of fighting corruption, for example, a large number of foreign legislations have adopted this approach:

• The UK Bribery Act requires companies to put in place adequate procedures to prevent corruption.

• Swiss regulations provide that the liability of a company may be incurred because of a lack of organization and measures to prevent the offense of corruption.

• In Spain, the legislator has recently introduced an obligation to prevent corruption at the expense of companies.

• In Germany, managers are subject to administrative sanctions if they have failed to set up an organization in the company they manage to prevent the risk of non-compliance

Therefore, companies must demonstrate that they have put in place an organization (procedures and processes) that will prevent risks and ensure compliance with the rules to which they are subject in their activity. In other words, they must demonstrate that they have implemented CPs.

6) Market requirement

Beyond the expectations of stakeholders, consumers, and employees, companies are forced to implement CPs, under the pressure of their lenders and institutional shareholders. In fact, most major public or private sponsors have set up CPs because they are subject to a regulatory obligation to prevent or to meet the expectations of their customers. These major actors pass on to their subcontractors the obligations stemming from their programs, demanding that they apply the same standards, otherwise they will not be referenced or delisted. In addition, major investors and banks also condition their equity investments or loans to the implementation of CPs, particularly in the areas of corruption and export control. This is particularly true for companies that want to enter the stock market or are financed by investment funds, especially in the United States.

This market requirement is a reaction to several financial scandals (from the 2001 Enron bankruptcy to Volkswagen’s Dieselgate in 2015), as well as to the high penalties imposed in recent years in competition, bribery and export control (BNP Paribas case). This requirement is obviously corroborated by the legislative evolution but has its own dynamic, which is probably more persuasive for companies than the only fear of the sanctions provided by the regulation.

7) The need to mitigate legal risks

Legal risks, which are inherent to any company’s business, are increasing, with technological change and legislative inflation.

For the most part, legal risks stem from litigations, contracts, statutory liabilities (civil, criminal or administrative) and changes in legal obligations.

The need to anticipate and manage legal risks to which the company is exposed is obvious, especially since the risks, when they come true, have exorbitant costs materialized by a paralysis of operations during the management of the crisis generated by the occurrence of the risk, the cost of prosecution and penalties, the impact on business reputation and stakeholder confidence as well as the impact on the market valuation of the company.

The way to prevent, minimize and treat legal risks is to set up a CP with a legal/regulatory compliance component.

3. Implementation

1) Steps to setting up a CP

The stages of preparation, implementation, monitoring, evaluation, and improvement of a CP determine the skills that lawyers must have to assist their clients in this area. The following are the main regularly accepted steps in setting up a CP:

• Identification of the rules to which the company is subject and the penalties it incurs, in case of non-compliance.

• Mapping of risks and exposed business units and/or employees/managers.

• Determining the scope of the program, according to the activity of the company, the particular risks to which it is exposed and the rules applicable to it and to which it wishes to submit.

• Analysis of the current business process and governance.

• Design of the compliance policy in line with the identified risks.

• Identification of people likely to be in charge of compliance within the company
  drafting and implementation of the content of codes of conduct, policies, and procedures.

• Training and awareness of employees and managers on the rules and policies applicable by the company.

• Communication and deployment of the various measures and compliance mechanisms.

• Establishing of control and warning mechanisms, monitoring arrangements (including traceability of actions carried out as part of the CP), crisis management process, sanctions policy, in the event of deviations by employees/managers.

• Monitoring, evaluation, and improvement of the CP.

2) Competence and qualifications

Compliance is transversal in many respects and the implementation of a CP is a complex exercise that requires, among other things, to:

• Implement and combine the rules of different branches of law and the laws of various countries. In fact, a lawyer who offers the establishment of a CP must have, not only a thorough knowledge in the subject matter of the CP but also very good general and international legal knowledge. The lawyer must, where appropriate, acquire the skills of other specialists, possibly from other countries, and transform himself into a conductor of all the skills and knowledge required.

• Have a global and transversal vision of the company: understand the activity, organization, and operations, and be able to anticipate constraints and risks.

• Map the risks facing the company and its operations.

• Have knowledge and experience in management, to be able to design processes and procedures in practice to enforce the rules in the company.

• Have a sense of business practice, in order to translate the rule of law into applications and workable solutions. The lawyer must indeed be concerned that the solutions he proposes are actually practical and applied.

• Train and explain the rules to the employees and managers.

• Be able to conduct audits on the quality of the CP and its efficiency.

• Conduct internal investigations when required by the management of the company of the official authorities.

• Manage crises, for example, when the company is listed on a sanctions list, and steer the company out of it with the least damages.

• Work in a team and interact with various functions and managers of the company.

• Have knowledge of other compliance actors (business intelligence, investigation, third-party providers, management consulting, whistleblowing function, crisis management, communication, training organizations, etc.) and dedicated IT tools and solutions, such as third-party control data, e-learning training, whistleblowing IT solutions, etc.

• Work in one or more foreign languages according to the activity and the markets of the advised companies.

Accompanying companies in setting up CPs cannot be improvised and requires not only a thorough knowledge of the applicable regulations and their changes but also real know-how, techniques, and specific tools.

3) Ethical issues

In providing compliance advisory, a lawyer must constantly keep his ethics in mind. In fact, the implementation of a CP is an exercise that entails high ethical risks, for more than one reason. At least, three of the deontological obligations of the lawyer must be given particular attention.

1) Sufficient competence

The lawyer must generally refrain from advising a client on a subject in which he does not have the necessary skills. As we have seen above, setting up a CP requires extensive and cross-cutting legal knowledge. The lawyer must therefore systematically, during the implementation of a CP, ask legal questions that go beyond his sphere of competence, and seek the advice of his fellow specialists or foreigners. In any case, even if he is well versed in the compliance mechanisms, the lawyer should not set up a CP in a legal field that he does not practice regularly.
In view of the abovementioned legislative inflation in the area of prevention, the lawyer who assists companies in setting up a CP must be required to keep a legal watch not only for case law in its country of practice but also in countries in which its customers operate, to the extent that the concerned legislations are applied extraterritorially.

2) Risk of conflict of interests

As part of the implementation of a CP, the lawyer may be in contact with many parties: the company, its directors, its employees, its shareholders, and others. These situations may lead the lawyer to be aware of sensitive situations regarding conflicts of interest and confidentiality. The rule of thumb for dealing with such situations is that the lawyer must not lose sight of who his client is. When his client is a corporation, it must not become the board of directors of that corporation, and in case of conflict, the interests of the corporation must be put ahead of the interests of its board of directors. When the company is part of a group, the lawyer must determine whether he/she is acting for the parent company or the subsidiary.

3) Internal investigations

Conducting internal investigations requires a certain amount of caution. Thus, when conducting internal investigations, the lawyer must, in particular, inform his counterparts of his status as a practicing attorney at law. If he/she collects the confidences of an employee, he/she may find himself/herself in a situation of conflict of interest, in the event of a subsequent dispute between the company and the concerned employee, and in which case he must not accept to represent any of the conflicting parties.

4. Is a CP necessary for Lebanese businesses?

In the context described above, many elements contribute to encouraging Lebanese companies to adopt a CP that will allow each company to:

• Prevent illegal or unethical behavior.

• Demonstrate that its operations result from reasoned choices.

• Anticipate and manage the risks to which it is exposed, in particular, the risks of sanctions and reputational risks.

• Disseminate and ensure compliance with the standards applicable to it by all of its employees and managers.

• Harmonize its rules and practices.

• Disseminate and enforce the values it relies on.

• Comply with market requirements, customers, suppliers, investors, and other stakeholders and maintain their trust in the company.

That is why the implementation of a CP in Lebanese companies has become a must, both as a tool for legal certainty and as a tool for performance and competitiveness.