The coronavirus pandemic has severely affected business activity and brought public life to a virtual standstill.
What is clear is that companies are currently focusing on developing strategies to emerge from this crisis as unscathed as possible. However, they are also facing immense compliance risks.
It is therefore essential that companies maintain a robust and functioning compliance framework.
General compliance risks
A shortage of staff in compliance departments makes it more difficult to maintain core compliance functions. In addition, home working often means many essential tasks and functions of the corporate compliance department cannot be performed as usual, such as visiting subsidiaries or branch offices for regular or ad-hoc audits. Both of these factors make it difficult to detect non-compliance by staff and create opportunities to cover up ongoing and past misconduct.
There will, of course, be new challenges in conducting internal investigations at this time – both in terms of interviews and data collection. But it is vital that compliance teams adapt, and continue to monitor and follow up on any complaints or allegations that arise.
Finally, as the World Economic Forum recently noted, the shift of more business interactions online also creates opportunities for cyber crime. To prevent further business interruption, companies need to ensure they keep IT systems up to date and remind employees of firm-wide security policies, particularly during prolonged periods of home working.
Supply chain-related risks
With existing supply chains being interrupted, companies might have to urgently find new – and untested – business partners, which may mean accelerating standard checks. But carrying out proper third-party due diligence is more vital than ever given its importance for compliance with economic sanctions, anti-corruption and anti-money-laundering laws, which still apply despite COVID-19.
Bribery and corruption risks are in fact heightened due to increased state involvement in business dealings to help soften the pandemic’s detrimental effects on the economy, while the risk of money laundering increases with the pace of events and the acquisition of new business partners.
What can be done?
First and foremost, management should communicate that it remains strongly committed to compliance and expects proper behaviour at all times. It should also remind employees of heightened compliance risks, and the organisation's whistleblower policies and procedures.
Businesses should also try to intensify the monitoring of and interaction/communication with employees who work in particularly vulnerable corporate departments, like procurement or sales. Moreover, compliance officers should try to use more digitally available information regarding their (potentially new) business partners and carry out third-party checks more frequently.
As mentioned, legal obligations such as having anti-money laundering measures generally remain in place. That said, the German Federal Financial Supervisory Authority (BaFin) recently declared that, for a certain period of time, it will tolerate simplified business partner identification processes (as set out in section 14 of Germany's Money Laundering Act) for granting state promotional loans. This would include, for example, identification via an ID copy.
The declaration by BaFin is aligned with a statement from the president of the Financial Action Task Force (FATF), who referred to the FATF's March 2020 guidance on digital identity and recommended the use of technology whenever possible.
In general, as with other business departments, the compliance function may wish to use the corona situation to establish specific crisis plans. Such plans could include:
- rotating the responsibilities of employees working in the compliance department in order to ensure a larger pool of replacements during a crisis;
- setting out a procedure for maintaining the essentials of third-party checks;
- mapping and prioritising key compliance risks; and
- shortening reporting lines to management to flag urgent compliance violations.