Transcript: Managing an Effective Compliance Program

· Transcripts - CBLP

Welcome to the China business law podcast a show about the practice of lawin China from real in-house and Law Firm professionals on the ground. 

Welcome everybody to another episode of the China business law podcast. I'myour host art dhikr and today we have the pleasure of being joined by Boone Kim Fam who is senior legal counsel for compliance asia-pacific at PVH Corporation PVH is the parent company of Calvin Klein and Tommy Hilfiger. Welcome Kim.

Thank you Art. It's a pleasure to be here on your show today. Yeah. We are we are really lucky to have you and so today we're going to talk a little bit about the in-house role and in compliance and how a multinational company handlescompliance and maybe a lot about China but we can talk about Asia Pacific aswell. First off for the audience. Can you give a little bit more about your
story your career? What brought you to China and things like that? 

Sure. Thank you. So I've been in China now for eight years and the reason why I actuallycame to China it was because of a transfer so I had the opportunity. 

Opportunity it was my first in-house role at the time and I was asked by myDen employer. Would I actually like to move to China to Beijing specifically? Idid I'll be honest. I did jump at the opportunity because I thought it was a good time to actually at my point of my career to actually make a move to the Far East so to speak so I spent two years in Beijing and then I don't move to Shanghai in 2014 and I've been in Shanghai. 

The scenes okay and always in a house for all or were you what you whatstops did you make along the way in China specifically I had always been inhouseholds. Yes. Yeah pre China or BC as they call it before it's China before China. I worked for both the government sector as well as in private practice. Okay, so that government sector in experience by also value of her compliance to write this feeling. 

It is because it's my first my first full-time role was actually with theMalaysian government. So in a way when people in complies, we talk about NotGiving bribes not giving favors not asking for favors. In fact as someone who worked in the government sector. I've actually seen it firsthand how things could go really wrong people coming into your office trying to explain that. Actually you really shouldn't have to work too hard on the particular case. 

Because I've already spoken to the judge. It happened to me personally. Iwas just like two or three months into my it's like my job Star Wars Jedi MindTricks. These are not the droids you're looking for kind of zactly. Yes, but you can see right through that obviously. 

Yeah cool. Let's get into it some of the questions I had for you, you know, so obviously your role now you're dealing a lot with its retail business. What kind of specific compliance issues are you? 

To a retail business like any other retailer so the standard issues whichany retailer would encounter for example store security potential transactionfraud that I believe any other retailer would encounter similar issues as we do and it's not that just in China. It's a region-wide perhaps even a global issue now with the added tangent of the existing covid-19 situation where  a lot of offline sales are pretty much being closed online the other daythe other area which we are seeing as an emerging risk really is data privacyand data protection. So I would say as a retailer during these very trying times from a business perspective. It would be important to actually pay extraattention are your people adequately trained to actually deal with you know taking of customer information. Are they taking only what isnecessary? Right? How are they processing it and securing your this is curingit and all of the other disposing of it securely after they're done with it when product has been delivered and all of that. You don't need it anymore. All of that actually comes into play. So that's interesting because it's because the role of a compliance professional in a company is is is not a it's not always apples. 

two apples that you're comparing between different companies rape somegreen past in the past when I had when I was in house, we had compliance withinthe legal team, but that role was very much focused on kind of fcpa UK bribery act kind of stuff and of course commercial bribery in China and other bribery in general but sounds like the role that you cover is broader than that and then and is that is that a typical scope of work to deal with data privacy for example as well or are is the compliancerole broadening at in within the in-house team to cover more and more areas tosee I can only speak on behalf of my role at PVH because in speaking to other peers the role is actually separate so achieve data privacy officer would not typically as you said deal with issues such as fcpa or any trust commercial bribery and all of that. 

That it's very much a specialized. I think one of the reasons why weactually have this approach is simply because in Asia specifically as we lookat the direction that the authorities are taking from a regulatory perspective. The expectation of data governance is very similar to what companies should have in place for compliance program. So in a way, I guess we are taking a step ahead I suppose in a way if you looked at it where someone who's actually been driving or actually influencing the senior leaders of acompany in relation to what would be the expectations of a robust complianceprogram would then hopefully be able to work in the same way the same ideals asthe data privacy program is being rolled out. I do have a counterpart who sits in Amsterdam and she basically leads the global data privacy program, but we see very strong. 

Strong similarities as you know, the compliance program people are quiteaware in terms of the fcpa 1977 what actually constitutes a bribe is prettymuch solid. It's very clear. It's a concept that is easy to understand data privacy is a growing area for compliance professionals specifically cause youcan tell someone not to bribe. Right and that concept is easy enough to understand. It's what constitutes our but that needs more explanation, whereas from a data protection of data privacy perspective don't collect more than what you need on that point itselfrequires just conceptually having a lot of conversations with the business leads because it's all about Mi getting all the data that I need for my analytical purposes. Do I know what my consumer wants and the fine line and the
balance does need to be had in terms of yes. 

We do want to understand what our consumers want. But at the same time wehave to do the right thing by them right in that we're not all the collecting because that is what is expected certainly in the various various regulatory bodies that we see in Asia Korea being one of the strictest where even if you wanted to transfer someone's data overseas, you've got to get the consent. NoExpress consent no bundled up consent Express consent of the customers. Yeah. 

I remember when we looked at that that that was right in my beginning as anin-house professional and sudden that law came out. I think it was like 2012 or something like that or so you mentioned earlier little bit about trainings and you know, how what kind of trainings do you do for the team to educate them on on the risks out there that they may be facing in their job every day and sometimes it's more about they don't know what they don't know and I think how do you how do you help them recognize the risks of that? 

Compliance wants to flag early on I think this is where the in-house thein-house lawyer can really make a huge difference in terms of identifying whatthe issues could be. So what I've actually done is that I've actually segregated the group's up. 

Mmm. So each different department actually gets specific training and what I had done earlier this year and had it not been for covid I would have actually rolled it out a lot more in the wider scale would was actually tohave it as a workshop style training. I encourage people to come in withquestions IE. 

What are you planning to do now? What issues? Have you encountered along the way have there been any pushback from your vendors? What questions are they asking you? 

And then with all the questions that they have or the conundrums as wespeak we then have this smaller group discussions where I'll say Okay, so thepolicy says this in very clear simple language. 

Based on the scenario that you've just given me do you think that we havean issue right and getting them to actually think and discuss during thesesessions actually actually makes a huge difference to like real real heretical. Yes. It's a realhypothetical. It really affects them on a day-to-day basis. So it achieved two things what I have observed number one is that they don't get into the habit ofactually coming to you in advance like Kim. I'm thinking of doing this. I'm not sure. 

I know we had she's like the example you gave me. Yeah, it's almost like the example that you gave me. What do youthink we should do? Yeah, so as lawyers, unfortunately, we are trained to bereactive. No one involves School actually taught you that you should be thinking ahead right and actually thinking how can we actually alleviate certain risk instead of just solving the problem. We are problem solvers. Yeah, but because in any company unless you're working for financial institution you wouldn'thave an army of people at your command. 

Yeah, so it's really important to actually be ahead of the curve right to actually anticipate what's going to happen and then give the advice upfront the business teams also appreciated a lot better as well. If especially if you can customize it to your particular company and Industry and the real well as real as can be cases that you've seen and I'll share quick story when I was in house and part of my role as compliance. We hireda law firm to come in and give a training and the training was not specific toour industry and the training was still very conceptual high-level talking aboutfcpa and and UK bribery lat and I basically then read it a new training in internally myself just using real cases like that and just having people talk about and the from the team was worth before everyone was checking their phonesthroughout the whole training. Sure people are actually engaged in debatingabout it because they'd seen these real issues before and maybe didn't know
what to do. Right because you have to make it user-friendly. So absolutely I'm a big fan of that. Now what about third parties though? Because especially in a retail business, you know, you might be dealing with distributors or other kinds of agents and those can present a compliance risk as well. So what are the kinds of risks? 

A present and how do you make sure that they are following the complianceprotocol that you set for them? I don't high level. We have a very rigorousonboarding process. So the emphasis really is pretty much on communication and ensuring that at the onboarding stage that they have signed up to our code of conduct compliance policies and all of that. So by the time let's say unfortunately, if something happens we are then in a position tooff-board them. If something which is in violation of our policies were tohappen. If there is zero tolerance for that correct continuous monitoring isalways going to be key. It doesn't mean that at the point of onboarding. They looked fine because they can change as well their organization could change the people who deal with us who manage our accounts could change as well. So ongoing monitoring is also 

Key, how about in a within China now? So since you cover different areas inAsia in Asia pack, do you see any differences in the type of training you do orthe issues that come up between with your team in China and with your team outside of China? 

I think living within China they are specific issues which would strictlyspeaking the China's Pacific because of the laws or because of the cultural connotations, which what might happen in China may not necessarily happen somewhere else, for example, so in terms of combining this into training again coming back to the scenario Based training that would still be relevantbranding of the compliance program is also very important. So China has so much wealth and wisdomin terms of the historical Scholars and what we could draw from them. So thespecific example coming back to my former employer was that we actually use the wise words of powder. Yeah Integrity is the basis of one's life. So that actually resonated very well because we are all working for my multinationals and ethics is just as important ascompliance because compliance without ethics is just following orders. Yeah,and that's not necessarily the corporate culture which we would want to develop or we would necessarily want to achieve. 

It has to come together where an employee at the end of the day actually has the is equipped with the skills and the tools to actually think independently. Is this something which when I wake up tomorrow morning, doI want to see it all over the papers? Right? It's always a good litmus test for someone to think aboutthese things when I do this today, and it appears in the papers tomorrowwould I be comfortable with it if the answer is no don't do it. Yeah, that'sthe and that is that is the I don't say battleground because that's too harsh of a work with that is the front line. I would think of compliance professionals working with people in the field where where 

You know in my experience and again, I don't want to sound like a cultural. 

Snob or something like that, but but I think the culture of multinationalcompanies is they have Global standards, right? They don't have a complianceprogram. That's to Unique for China or to Unique for India or any or any country in the world if Global standards and I think that's actually very attractive to the employees because employees want to be part of a multinational company thathas high standards, right? 

You know, I not get I'm not pooh-poohing Chinese companies that say theyhave lower standards per se but I think I often found in my role that thatemployees do want to do the right thing, you know in the sense and and they so I could totally see how that message of Integrity would resonate be one of the key things which we haven't addressed yet, which is which is I think is kind of the elephant in the room is you can't operate a compliance program in 

A vacuum in other words the people that need to implement the policy andare on the ground that we just talked about somebody needs to set the tone forthem and and often that's the Senior Management of the company. That's doesn't not just the compliance leaders in the company. How do you work with Senior Management to get everyone aligned on the message and the practice of the compliance program at a company? 

I think first and foremost getting ameaningful seat at the table as a compliance lead officer. It doesn't matterwhat your title is. It really matters to what extent are you able to get a seat at the management table? This is key because a lot of decisions are actually made in thesesenior leadership meetings and you want to be part of them providing guidance advice and also giving them enough. 

Enough messages so that they can try and cascaded down to their teams. Sowhat I found to be really helpful is that empowering senior Leaders withcompliance messages. It doesn't have to be anything complicated. It could be two or three sentences like nuggets of compliance messages. Are you doing the right thing today? Are you over collecting customer data? For example, have youask for favors? We should never ask for favors. 

From any of our vendors just because we they are trying to get on our listof vendors or are we ensuring that the records the accounting records areactually accurate. It depends on which which department lead is actually sending out these messages, but from what I have seen a message that comes from a leader a business lead to his team will actually resonate a lot stronger than if it was just a compliance officer beating his or her compliance drum,right and that that it I think is universal. It doesn't matter where you are.Yeah, and it's also valuable to have them be on board because maybe not senior management mid-level management is often the first ones to hear about problems, right? That is good. 

So you need them to be your soldiers out there with you kind of catching problems in the beginning, right? And yeah, we view them as has rather than soldiers so people probably better with people who wouldprobably speak about compliance. Even if they are not even if they are function doesn't necessarily sitwithin compliance because as my former supervisor, very wisely said I have thebiggest team in the whole company. Everybody is team compliance. No one is there is there are no exceptions from the top to the bottom. I live by that rule and I haven't had any situations we have hadstrong pushback from a particular senior leader in all of my roles. So Isuppose I've been quite fortunate in that sense, but it's it's also something which I have worked very hard towards in terms of getting the buy-in and the support very early on mmm in my role in each of the companies that I've actually worked for. I can give one example, which I tried and tested out last year. 

Where we have we have annual trainingsand typically is always being the human resources team partnering with thecorporate compliance team to try and chase after people. Have you done yourcompliance training if you actually completed this, so what I did a bit differently once that I spoke to the country leaders to say, I think it would make a huge difference if you send out a message and if it works we will see the numbers. 

Go up really quickly and it will be atestament to why it is important to have a business leader talk aboutcompliance. So, of course, I think the ending of the story is of course a happy one. We did see numbers go way up more than what we would have seen if it was only on the part of two non-business related departments sounding again beating the compliance drum. Whereas 

Cause if it is a business leader whosaying that I need you to get it done today. Yeah, there's no questions askedthat's it and the story and the story. Yes, the middle managers what you are what youhave actually mentioned earlier art. I think what's really important as well at the middle level management. Not only are they encountering the issues firsthand people are also coming to them asking for guidance firsthand. So in terms of empowering leaders and entering 

that they Cascade the messages down to their teams, who would be the middlemanagement. We are also hoping in a way that this would also cultivate a goodspeaker culture where people are not afraid to actually ask questions. We think something is not quite right here. Yeah. Is it something we should continue to do or should we just put a stop to it to me? Yeah, that's half of the time ifwe are able to resolve the issues through a very robust and effective hotline or where we've actually cultivated a goodspeaker culture. We are then able to implement processes policies andprocedures which can enable us to actually improve where employees do not have confidence in the reporting system. What tends to happen is that end in China?

This is very easy to do because we've got this jealous on Yahoo and everythingthat's out there. 

R for purposes of raising your Grievances and complaints it could veryquickly escalate into something which is difficult to control. Yeah and thecompany for any company with all good intentions. One thing to solve a problem could find themselves spending more effort and time right answering questions of the regulators and we don't know one want any company to be in thatposition. Yeah, sometimes it's not that you're trying to avoid you. 

To hide something it's more about you need to you don't want tounnecessarily open yourself up to a fishing expedition or some kind of ainvestigation that doesn't have any basis but because the situation wasn't understood in the first place. Yeah, I could I would be a big risk. Yeah,absolutely. But now you mentioned the Frontline people and getting through to those middle managers. Now those middle managers all don't sit in the headquarters right or in the region. 

I'll headquarters. They're out in the field. They're probably in your localoffices around China and different offices around Asia pack and you know, thecompliance team is limited and its bandwidth and so forth. How do you try to get them to know who you are get them to remember that you're available to help and get them in, you know, enjoy some of their mind share. 

When issues come up, how do you make your presence felt in the region ifyou're sitting in the headquarters so pre covid when we could travel and thatwould apply I believe for a lot of my peers having Face Time regular meetings quarterly ketchups in the various different locations would be important post covid X where the you know, the old adage saying out of sight out of mind. Yeah,it's really important and I think we are fortunate in this unfortunate situation where VC's videoconferencing facilities are actually available. Mmm. So there's a way toactually connect online even if you can meet people offline. Mmm, so there has to be a certain level of discipline certainly on my part to actually come and sure that there is constant communication ask the questions like for example, when we were going to the peak of the covid-19 in China and of February and then sometime in March itwas it was really important to ensure that you know constant calls were made tothe various teams. 

Hey guys, what are you working on? Do you need my help? What are you thinking? Have you been discussing with vendors? What what are your plans and this conversation has to continue? Yeah. 

Yes, so that that would be how youknow specifically as it relates to the existing situation how as complianceprofessionals? We can continue to ensure that our presence is felt that thethemes understand that okay. The compliance function is still there. Yeah. Yeah, let's make sure that we check in with the compliance officer before we do something because again, prevention is always betterthan cure. We know that absolutely and if you have you know a covid is is obviously these days is is changing the way people work. But also there's it's a challenging economic time as well. And so usually when in challenging Economic Times that you can compliance becomes more important, right so but do you think you'll rely on these kinds of new technologies not new technologies, but using these knowledge is more than you did in the past even after covid subsides. 

I think I think you're right. It can't actually replace actual FaceTime.Yeah, but what it has made me realize that they are some meetings which couldactually be done online. Mmm, and it could be equally effective as the entire social experiment that we've been pushed. Yeah, so actually do during this time period so what it would but it would help it would help unpack what is necessaryand essential travel which would make a difference. 

So training or meetings with key personnel. I think the FaceTime is stillgoing to be important investigations is still going to be important butanything else which where we would normally jump on the plane or a train to get to the location it would make it will make me you know think is it reallynecessary to make that particular trouble I think for businesses for business leads. 

What we have seen and this is again a little bit counterintuitiveinterestingly true to a business person where in China there's always been the by drinking culture lots of dinners and all of that and during this time period you've had to maintain that relationship without actually doing all ofthem. So I haven't heard right now of anyone complaining that they've started losing business because they haven't they haven't actually drank enough by do we write counterparts which 

means that this could be in a way a change a shift in how we are actuallyviewing entertainment. Yeah, I would use it as a catalyst to actually improveperhaps our the existing School higher risk profile and try and weave it into policies. Yeah. Okay. This entire experiment has shown us that it wasn't really necessary and you could still get the work done. So why would you need to havethese expensive? 

Fancy dinners and all of that so it is it is an interesting shift. I thinkfrom this perspective. It will be interesting to see in big companies with thealways had these big T any budgets and kind of ending and I don't yeah, I don't think that's going to go back to the way it was before after covid. Cuz what do you see is changing in the world of compliance, especially out here in Asia Pacific a couple of things. I think first of all, and this is something which I gave a lot of thought as and as I continued to grow and mature in this role, and I actuallyexplained this during a conference last year when I was in London as much aslawyers do not like to hear this essentially as a compliance Council. We dohave one of the hardest sales jobs in the world. Yes. We are selling a concept. We are selling something which people don't think will happen in a crisis people in order to survive. 

They would psychologically try and convince themselves that you know,there's there's this optimism which goes around it's not going to happen to me.It's not going to happen to us. 

So during crisis times it can be difficult to sell this concept becausepeople are desperate and they do want to get their numbers up. Mmm inpeacetime. It is also equally difficult because why fix something if it's not broken yet, so getting it into getting it into our concept as a complianceofficer. I feel that it is a sales job. So you have to think how are you going to get the buy-in how you're going to get your clients customers within your within your organization to actually get thisby in our the other efforts that I'm putting in are they actually generatingthe ROI in business speak don't generating the ROI, which we would like to see our Business Leaders actually speaking the compliance talk. I do feel that when we've reached a stage in an organization where the Business Leaders are talking more about compliance and asking the right questions instead of youcoming to them after an event has happened to say by the way. If we had donethis we could have avoided if we graduate from that passive reactive mode to a proactive business-driven compliance program. I think that would be that would be really the icing on the cake for anyone's career who which is based in compliance. 

Yeah, not to say you'd make yourself. Obsolete if you got tothat point or you because I'm sure you would agree compliances is a continuousprocess, right? It is it is a continuous process and then continuous journey, but with that end goal in mind it really then helps change our mindsets interms of how can I be more effective as well. I think that's a great way to bring in that regard. Talk to a close I think. 

It's been a I said a real treat because to find someone who does this thisrole every day in inside a company. It's it's not so easy to find to findsomeone who talk about their experience. So I appreciate you doing that and I think our audience will as well. So I want to thank you Kim so much for joiningus on China business law podcast, and I'm sure our audience will get a lot of really positive.