Grant Thornton Forensics Manager Keith Mellott explained that, “as regulators are playing catch-up in the tech sector, they’ve increased levels of regulation across the sector.” This new scrutiny has taken the form of proposed anti-trust legislation and data privacy laws, along with mandated scrutiny of deep fakes and other actions.
This upward trajectory in regulatory enforcement is likely to continue, both in the U.S. and abroad.
An international risk
International mergers and acquisitions can spark scrutiny that triggers action based on the Foreign Corrupt Practices Act (FCPA) and other anti-bribery and anti-corruption (ABAC) regulations. Grant Thornton UK Forensics Director Chris Boddy said, “Some of the largest FCPA and ABAC cases involve tech clients, and are multijurisdictional actions prompted by M&A activity.”
Telecom M&A is especially open to corruption because it is a high-growth, high-opportunity sector that requires approvals, licensing, regulatory clearances and even the purchase of the local state operator. This M&A often takes place within a joint venture structure, sometimes with a minority stakeholder or a local partner, and parties might have limited awareness of each other’s practices. In 2019, the Russian telecom company Mobile TeleSystems PJSC (MTS) paid $100M to resolve SEC charges of violating the FCPA by bribing an official to win business in Uzbekistan. Grant Thornton Forensics Senior Associate Mary Bohrer said, “The bribes were funneled to front companies controlled by the official and were disguised in MTS books as acquisition costs, option payments, purchases of regulatory assets, and charitable donations.”
Five ways to prepare for higher scrutiny
Savvy tech and telecom leaders already know that their organizations need to have key structures and practices in place, with clear definitions about how regulatory terms and responsibilities apply to the organization. Many firms in the industry are accustomed to answering tough questions from private equity investors.
However, with new scrutiny from a growing range of U.S. and international regulations, tech and telecom firms should also consider the following five specific actions:
- Monitor your third parties.
Your monitoring begins with contracts that have robust right-to-audit clauses, followed up with periodic audits. Your organization can be subject to violations by a range of third parties, as demonstrated this year in the Office of Foreign Assets Control settlement with Airbnb Payments.
- Protect and monitor your anonymous whistleblower hotline.
Ensure that your hotline infrastructure is truly anonymous; follow up on all reports diligently and bring in a third party to perform a full investigation when needed. Use technology to perform your investigations and leverage data analytics where you are able.
- Perform risk assessments on activities and relationships.
Use regular risk assessments to identify activities and third-party relationships that present the most compliance risk. Keep updating the scope of these assessments to include new business units and new busines practices. Use data analytics to perform your assessments.
- Take demonstrable action on the results of these assessments.
As a result of your assessments, you might need to update your policies, introduce new internal controls or governance measures, or even mean terminate your relationship with a third party.
- Cooperate with regulators and, whenever possible, self-report violations.
Enforcement agencies are more likely to be lenient if a company committed significant time and resources toward remediation. The key to this formal leniency (or declination to prosecute) is self-reporting, cooperation and appropriate remediation.
Grant Thornton Tech and Telecom industries leader Steve Perkins said, “I applaud the technology industry’s efforts to work with regulators and legislators across a range of issues. We need to generate industry solutions and sensible policies to promote growth and use of technology.” Perkins added that some ongoing needs include innovative technologies like AI, along with cybersecurity, data and privacy, cross-border data flows, energy and sustainability, internet governance, and IoT.
As regulations evolve, tech and telecom firms need to evaluate and update their compliance-related business structures and practices.
Boddy recalled one client that was purchasing a foreign subsidiary and wanted to shield itself from successor liability. “They had a robust compliance program, but they also needed to get an independent forensics audit, document their whistleblower and compliance programs, test and benchmark their alert system, reperform know-your-customer and know-your-vendor processes, and review high-risk payments.” Once this work was done, the company could negotiate the purchase in a way that instilled trust.
Tech and telecom firms might struggle to comprehensively update what’s needed while still ensuring efficiency. As these firms undertake mergers, acquisitions, product expansions or other forms of growth, it’s essential to update their understanding of the current and future regulatory obligations.