By Fombo Lega Nuyebga, Esq., CFIP, BL, LLB

Legal & Compliance

In today's fast-paced and dynamic business environment, how companies operate depends on the management of regulatory risks. Globalization has increased trade and cultural exchange, thereby creating the need for greater governance and compliance. Compliance is a continuous process, and in a challenging regulatory environment there is a never-ending rise in compliance issues.

A robust corporate compliance program is required to guide businesses to do the right thing the right way. The corporate compliance program is set up to steer employees away from corporate misdeeds, communicate with stakeholders and protect senior executives from the risk of potential personal liability, whilst driving an ethical culture for the success of business operations.

While the CEO is engaged in oversight activities, driving a successful corporate compliance program is the responsibility of the Chief Compliance Officer (CCO), who is in charge of creating and maintaining the compliance program. The CCO reports to the Board in real time on identified risks, with open discussion of an action plan to address compliance issues.

Many areas of compliance exist; however, the major areas of compliance in today's business environment include: GDPR (EU General Data Protection Regulation), AML (Anti-Money Laundering), ERM (Enterprise Risk Management), Trade Compliance, DEI (Diversity, Equity and Inclusion), Non-compliance and The Compliance Function.

  1. GDPR – General Data Protection Regulation:

Digitalization has changed the operational reality of the business environment. The use of digital technology and digitized data to change how work is done, create new revenue streams and transform the interaction between a company and its stakeholders is constantly advancing. This technological advancement allows data to be transferred between multiple devices almost instantly. However, it has also increased the chances of security breaches and the facilitation of illegal activities. Though the GDPR applies in the EU, it is a leading regulation setting standards for data protection. Because data is of a sensitive nature, companies seeking to be optimally compliant need the required strategy in place to stay protected, both internally and externally. Security needs to be implemented by design and by default.

The rapidly changing IT industry offers solutions to help in this field. Other disciplines, such as cloud compliance and Artificial Intelligence (AI), are breaking boundaries. These solutions can be costly, and they also come with risks of their own. Cloud compliance is beneficial, but you need to consider other laws which may enable governments or other parties to access personal documents stored in the cloud. AI applications have been presented as providing data privacy and data security measures covering storage and processing. This sector is evolving, and companies must scrutinize the decisions made by AI applications. Methods of overruling algorithmic decisions also have to be created. The sum of it all is that preventive measures are key to avoiding sanctions.

Regarding the human factor, companies sometimes tend to focus more on the data of their customers than on employees' data, because misuse of employees' personal data is understood to constitute a lower risk. Companies seeking to stay compliant have to work on both a privacy policy and a privacy notice. The former is an inward-looking, internal document which describes the employer's internal privacy practices regarding its employees or independent contractors; the latter is outward facing and is provided for the benefit of customers. It is best practice for companies seeking to be optimally compliant to have both frameworks in place and operational.

What should not escape the regulatory oversight of the company is the assessment of its data protection, assessing its vulnerabilities to internal and external threats to its operations. Under the GDPR, companies can no longer plead ignorance; they must have a complete understanding of data collection and processing, understand which data is needed, how much of it, why it is needed, what will be done with such data and the appropriate legal basis for holding and processing such data.

  2. AML (Anti-Money Laundering):

Banks are spending billions on AML compliance. Customer Due Diligence (CDD) or KYC due diligence procedures consume millions to put the necessary barriers to risk in place. The standard of SARs (Suspicious Activity Reports) is very low, as many financial institutions file reports merely to avoid blame later on. This disrupts the work of the authorities in stopping this criminal activity. AML is a major issue because every organization can be one channel among many in the myriad transactions used for money laundering. Money laundering is also identified through predicate offenses such as bribery and corruption of public officials, tax evasion, forgery and fraud, organized evasion of customs provisions and drug-related activities.

Again, we turn to technology to solve a risk which it has helped to make complex. In the face of meticulously organized criminal transactions, and with the help of digitalization, companies need a blend of humans and machines to detect and prevent money laundering. Technology can rapidly identify illegal patterns and flag them for reporting. The new phenomenon of cryptocurrency is making waves, and banking institutions are reluctant to embrace it because it is seen to present greater financial risks. However, regulators are issuing guidance to help ease banks' concerns about the new financial technology. A compliance team with complete resources and computer systems would be able to save the organization from being used as part of a fraudulent network.

IFFs (Illicit Financial Flows) are important issues to flag, alongside the falsification of records, when assessing the reports of any organization. Collaboration is needed between the authorities and financial institutions; a joint effort would go a long way toward supporting the prevention and detection of money laundering and financial crimes. There has been remarkable improvement in the efforts of banks coming together for information-sharing purposes. Financial institutions are also turning to automation of the AML compliance process for efficient onboarding and due diligence procedures, adherence to multiple regimes and different regulations, quick reaction to fraud detection and access to data from disparate systems.

Despite automation and information sharing, the regulatory oversight mandatory in AML compliance requires the compliance officer to know the applicable regimes (depending on the jurisdiction), to have an AML framework and to ensure that it is operational and efficient. It is not only about creating a framework but about ensuring that it is adequately resourced to operate effectively. This involves directors in providing the resources for compliance to operate effectively.

  3. ERM (Enterprise Risk Management):

Formerly, risk management was considered mainly from a financial perspective. Today's reality identifies risks to business operations from a myriad of other considerations: legal and regulatory risks, market-related risks, strategic risks, reputational risks, governance risks, operational risks and performance risks. The probability of these risks (and more) occurring, alongside their real consequences, is the focus of ERM. Certain aspects of ERM may be the same for all companies; however, differences exist according to the particularities of each business sector.

ERM is a new and evolving management discipline which is moving alongside the changes in the corporate and regulatory landscape. It is a plan-based business strategy aiming to identify, assess and prepare for any potential barrier which may interfere with a company's operations and objectives. This plan is made available in a risk management report, communicated to shareholders and potential investors as part of the annual report. An effective ERM process places enhanced focus on key risks and can be the basis for an efficient internal audit plan.

IT tools can also boost organizational risk management processes, assisting senior management in robust risk oversight. They provide an additional incentive for companies to consider further enhancement of the existing risk oversight infrastructure. Boards delegate risk oversight to a committee and expect reports from it. Using IT to enhance this function responds to the expectations for improvements in how senior management and the board oversee risks.

The major barriers to ERM implementation are competing priorities and insufficient resources. In particular, ERM emphasizes a top-down approach to the classification of risks affecting the enterprise's ability to achieve its objectives. There are no defined 'best practices' for ERM. ERM also emphasizes the importance of ethics in enterprise governance, risk and compliance (GRC) systems. Through the compliance function, other risks can be mitigated. Alongside the risk experts in other units of the company, the compliance function brings its support to complement the management of entity-wide risks.

  4. Trade Compliance:

The dynamism in trading practices brought about by globalization has also led to controls on export and import practices, since many companies exchange products (goods, services and technology) across the globe. These controls are also affected by political considerations, and the compliance officer must be aware of political decisions and their consequences for trading. In a sea of economic warfare and geopolitical tension affecting trading partners, trade compliance guides you to a safe harbor. Trade compliance refers to the observance of the laws and regulations governing the exchange of products between trading partners.

Trade compliance is broad, and the key points which companies have to observe are the issues regarding export controls, which concern country screening, the type of goods being exported and the intended end use of the product. There is also the OFAC (Office of Foreign Assets Control) 50% rule concerning blocked entities and blocked persons, usually on lists of entities and persons sanctioned by the US. Screening up to the level of KYCC (Knowing Your Customer's Customer) is a good effort toward avoiding fines for non-compliance. Another issue of particular importance is the classification of goods; though it is demanding to have knowledge of the classifications, such information is available on request from the authorities (classification is generally the same around the world, with a few differences).

Trading practices can be effectively handled, with knowledge of the above key points, through four major screenings: denied party screening, risk country screening, restricted party screening and end-use screening. Adequate information on export licenses and on extra authorization when needed, depending on the type of product, is very valuable, especially when dealing with sanctioned entities. Records must be maintained accurately and in accordance with all applicable regulatory requirements, and they must also be easily retrievable.

Due to multi-jurisdictional trade control regimes, it is challenging for companies to comply with the laws and trade control regimes of multiple countries. It is important that every member of the compliance unit knows when to flag a risk, escalate it or reach out for assistance in any given situation. This can save a company from damaging media reports, civil penalties and criminal charges, denial of export licenses and government audits. The compliance unit supporting the supply-chain and logistics units of a company must be adequately equipped to deliver the efficient service demanded in trade compliance.

  5. DEI (Diversity, Equity & Inclusion):

The question would be: why does this feature as a trend in compliance? The answer is very simple: it is at the heart of driving a compliance culture in a company. There has been a paradigm shift due to globalization, creating workplaces of all genders, with people from different races, religions and backgrounds. Diversity is the construction of a workforce of different backgrounds within an ethical working environment; inclusion refers to the acceptance and respect of those differences in background, building on this multiplicity and converting it into a business advantage. Studies have proven that a diverse workforce enhances performance and drives creativity and innovation.

This workplace culture is not without challenges. Some consider it a drag on company finances, while others lack the perspective to appreciate the unique value it adds to every setting. Certain prejudices have led to the undermining of diversity initiatives, as some consider them an erosion of cultural identity or the granting of unmerited privileges. Challenges also arise in appropriately accommodating this multiplicity of backgrounds in a corporate setting. There is also the aspect of communication (interaction on the job), which may sometimes pose a problem among a diversified workforce.

Solutions exist for whichever challenges we face; development through globalization created this situation, but not without solutions. Diversity and inclusion are not to be seen only as a concept, a slogan or compliance with some law or regulation. All organizations thrive on discipline, and professionalism should be the language of work. The ethical values of integrity and cohesion must be championed every day. Finding the right mix of individuals in a workforce creates an avenue where breakthrough responses to risks are achieved through divergent perspectives and team spirit. This leads to better decision-making, thereby improving client satisfaction with the company's product and improving the employee experience within the workforce. All of these create financial success for the company.

Where the compliance function plays an important role is in the development and implementation of policies to support an inclusive and equitable work environment for all employees. The compliance function also develops programs to support this culture, with a quick response to DEI issues which may cause reputational damage to the company. This yields a positive outcome for the company.

  6. Non-compliance:

Many companies do not commit offences by design; however, a plea of ignorance will not be accepted by the authorities. Lack of intent or inadequate resources will not stand as a defense against legal and regulatory action taken against an organization or its senior management for compliance breaches. All must be guarded against unintentional non-compliance. This requires a team of individuals (compliance specialists and generalists) invested in this function, with expert knowledge of the regulations, enforcement and the regulators. One of the major challenges of globalization is understanding and adhering to regulations in different regulatory environments. This regulatory compliance issue is heightened in multinational organizations, which must adopt an industry-specific, entity-wide approach to compliance.

The GRC (Governance, Risk and Control) compliance function is a strategic response to this issue. It sometimes creates fragmentation in company functions. A proper approach would be the application of GRC convergence through complementary functions, which also aids in risk consolidation. Companies must be aware of the risks which develop with the opportunity of expansion: cultural differences, talent acquisition and employment issues, diligence in contract law (especially PPPs with foreign public officials), taxation issues and customs duties, data protection and cyber risks, and knowledge of the market and competition in the jurisdictions of interest. The company must take calculated risks, weighing the benefits of operations from a legal, operational (type, form and category of institution to create) and financial perspective.

The risks are many, and the Board, together with the compliance function, has the responsibility to ensure the monitoring and management of these risks. The compliance function can effectively manage these issues through robust corporate compliance programs, ensuring the creation of the necessary frameworks, the implementation of policies and proper communication (reporting), while raising awareness through training. These and all the trends above, alongside a myriad of others, are the challenges of the compliance function. However, even in 'big' corporations, the compliance function is sometimes inadequately resourced, both in personnel and in finances.

What we have to drive in our corporations is the understanding that the compliance function does not thrive on fear of penalties for non-compliance, but on the optimization of profit for business operations through its guidance on the right way to do business; that the compliance function is the team needed to save the company's reputation and to guard both employees and directors from unintentional non-compliance; and that it secures the protection of business operations and of company data, which is integral to the company's business. It is a matter of finding the grey area in which to carry out business operations, taking calculated beneficial risks while driving a corporate compliance culture built on ethical considerations, integrity and cohesion.


In closing, as aforementioned, globalization has brought with it challenges to business operations. Opportunities come with risks. Changes and uncertainties (multiple regulations) in the market are adding further pressure on the compliance efforts of organizations, making it more and more challenging simply to maintain the status quo. Companies must move with the trends. Market dynamics are creating an increased level of focus on an organization's compliance functions. The regulatory environment continues to be unpredictable, with swings in compliance and regulatory demands across different areas of the organization that force organizations to keep up. The focus on compliance is growing dramatically, and ethical behavior is receiving more attention than ever before. The compliance function within an organization, supported by proactive senior management, will create a robust corporate compliance culture encouraging growth and the achievement of company goals.

At Dayspring Law Firm, our legal team consists of experts who are ready with the compliance solutions and employee training our clients need to fulfill regulatory requirements. We assist our clients at all levels of the compliance process: drafting compliance frameworks and compliance policies, setting up procedures and controls, compliance outsourcing, compliance training and audit. Our role is to establish strategic compliance solutions in our clients' interests.
