LExOpensource: practical solutions for GCs by GCs

It is no secret, this year has been particularly challenging for general counsel the world round. Economic instability coupled with lockdowns and movement restrictions have hampered businesses, slowed trade, impacted production, and disrupted supply chains.

The Legal 500 in partnership with LEx360, is proud to announce “LExOpensource: practical solutions for GCs by GCs”, a series of interactive workshops that will equip general counsel and the teams they manage with the skills to confidently take on challenges within a post-pandemic world.

During times of uncertainty, corporate boards and management teams rely on their legal departments for guidance. GCs are expected to not only be legal advisors but also strategic business partners to the companies they guide. Over six sessions we will focus on the business of law from a thought leadership perspective.

We will evaluate key topics such as:

  • strategic planning
  • financial management
  • vendor management
  • data analysis
  • technology procurement and implementation

No subject is out of bounds as all in attendance will adhere to Chatham House rules. Our first session will cover ‘The right people, doing the right work.’ GCs today bring more to the table than just their legal expertise and knowing how to delegate and manage a team is pivotal to meeting business goals.

If you are a GC or part of a corporate in-house team, you cannot afford not to be part of the discussion. “LExOpensource: practical solutions for GCs by GCs” provides the exclusive opportunity for you to connect with other leading in-house professionals in a safe and interactive environment.

Become part of the discussion, by registering to our workshop here.

Moving the needle on progress

In no uncertain terms, 2020 has truly been a year of reckoning for the US: Donald Trump is vying for a second term in the White House. Tragic killings of black civilians at the hands of white law enforcement provoke widespread outrage and demands to ‘defund the police’. A deadly global pandemic is ruining lives and upending the economy, and the President suggests intravenous disinfectant may be the cure.

As the year’s events exceed even the sharpest satire, and with the country at its most divided in living memory, to the average onlooker it may appear impossible to envision anyone making inroads to promote tolerance, mutual respect, diversity or inclusion. On the contrary, such widespread discontent has compelled individuals and companies alike to double down on their commitment to equality, take pause to examine their attitudes to race, to gender, and to any traditionally ‘othered’ group in society, and ultimately to take bold and meaningful actions to combat injustice.

The legal industry has been no exception to this call for action, as diversity and inclusion has shifted from a mere extra-curricular endeavour to an unquestionable expectation from colleagues, business leaders, and clients alike. As the last few years have seen the juncture of corporate strategy and social justice go mainstream, is corporate America entering a new era of social consciousness that is meaningful beyond profit and loss? And, if so, how are legal departments playing their part and taking action?

In a series of exclusive interviews, the legal thought-leaders spearheading D&I in the US speak to GC about the new initiatives shaking up the industry, the value of a diverse team, and how minority GCs who’ve paved the way are inspiring the diverse talent of today.

“If everyone is moving forward together, then success takes care of itself.” The timeless words of Henry Ford ring as true today as they did a century ago, a timely reminder that progress is a necessarily collective endeavour.
Indeed, collaboration is the modus operandi of Diversity Lab, the undisputed stalwart and main facilitator of D&I initiatives in the US legal field. As its name suggests, Diversity Lab takes a science-based approach to monitoring and enhancing D&I through the use of metrics, behavioural data, and design-thinking. New initiatives are formulated in ‘hackathons’, with the best ideas then piloted in law firms and legal departments across the country. In the US, D&I has not been approached in such an analytic fashion before; it is this cutting-edge strategy, coupled with a culture of teamwork and collective success, that has law firms and in-house departments flocking to work with the group.

Through a roster of joint initiatives and partnerships, Diversity Lab’s programmes cut across conventional competitive boundaries, ensuring that no matter what path aspiring lawyers take, they will be supported, encouraged, and accepted throughout. Drawing on the success of programmes like the Mansfield Rule (now available to in-house departments from last Summer) and the On-Ramp Fellowship, Move The Needle is Diversity Lab’s latest project.

“It’s our pull-all-the levers, let’s-see-if-we-can-really-make-a-change programme,” says Leila Hock, Diversity Lab’s director of legal department partnerships. “The idea for Move The Needle came about when we were all talking about every struggle that a diverse lawyer has, starting from law school up until maybe they’re managing partner – what are all the struggles and feelings they’re going through? We can’t solve this problem by focusing on one part of the career path or pipeline; they really all work together.”
Hoping to drive progress across the career spectrum, five of the country’s top law firms have invested $5 million to fund experimental approaches to D&I over the next five years. MTN’s 28 founding general counsel will also work with these firms, while also piloting these new initiatives within their own legal departments and with external counsel.

“We found five brave, trailblazing firms that were willing to work with us to pull all the levers across different areas, look at their practice groups individually, and see what, from a talent perspective, each group needed to retain and attract diverse lawyers,” explains Hock. “We’re working very closely with them to implement all of our pilots. They’re our ‘lab’ right now to test a lot of our new initiatives, report back and see how they work and make adjustments. Our strong hope is that much of what we implement with them will work and help them achieve their goals, and we’ll then be able to disseminate them more broadly into the legal market.”

Many hands make D&I work

For many of MTN’s founding GCs, the biggest draw is its uniquely experimental nature which fosters innovation in a way that many firms or in-house departments couldn’t – or wouldn’t – do alone, especially when it comes to financing. “One of the things that attracted me to Move The Needle is that it focuses on the relationship between the client – being me, the in-house lawyer – and the law firm. I think that’s a tremendous area of opportunity,” says Laura Quatela, Senior VP and CLO at Lenovo and MTN founding GC. “I’m sure some ideas will work, others will be utter failures, but the law firms, to their everlasting credit, have committed big bucks to fund this experimentation over the next several years. That’s really what was needed, because we have tight budgets, law firms have profitability targets, so I think the funding was necessary and will hopefully help us, in fact, move the needle.”

Hock agrees: “My guess is the talent leads or D&I leads within Move The Needle firms feel like they have a lot more leeway to do their job. Not only do they have the money that they’ve committed, they also have us at Diversity Lab and the entire team helping them achieve their goals, but they also have each other. One of the big pillars of the Move The Needle fund is collaboration in a way that collaboration in the legal industry hasn’t happened before, which is across firms. They’re talking and brainstorming with, technically, their competitors, and I think we’re seeing a lot of growth and learning from that, for sure.”

So, with the knowledgeable support of Diversity Lab, the backing of legal leaders at firms and in-house, and a much-needed cash injection, what has MTN been able to achieve so far? “We’re at the point now where we’re whittling down the ideas to some initiatives that we all want to line up behind,” explains Quatela. “One of the things we’ve talked about doing is a combined law firm/in-house summer programme, where interns or clerks have the opportunity to experience both early in their training. They can start to make the important decisions, like, where do I really want to end up? Which of these backdrops will cater to my own personal objectives?

“Through MTN, I’m personally trying to focus on the ‘off-ramp’. Both law firms and in-house experience this off-ramp of particularly women and underrepresented minorities who, when they get to year five or six, when they could really start to be positioned for leadership, and they leave. Why is that? It happens with such regularity in the legal profession. What are we not doing for these folks? Part of it, I think, is belonging, creating an inclusive culture, but what else is there? How can we incentivise people to stay off the exit ramp? For me, Move The Needle will give us an opportunity to try some things in that regard, that will hopefully make a difference.”

Another way MTN has sought to enhance progression opportunities for diverse attorneys is through piloting a mentoring programme between high-potential associates and GCs. “We’re mentoring them to understand what works well in a pitch, what doesn’t work well, how can we get more engaged on certain matters, inviting them to meet with my direct reports so we can talk about the issues that we face, and whether or not there are opportunities for that person’s firm to get engaged,” explains Rishi Varma, founding GC from HP Enterprise. “It starts creating a connection that results in an engagement, and results in origination credit. That diverse attorney at that law firm is then viewed as somebody who will carry that client forward, and hopefully as they become a partner, a senior partner, a managing partner, they carry that forward. We think about metrics from a diversity perspective, but it’s important to recognise the different obstacles beneath those metrics.”

He who pays the piper calls the tune

As figures from the ACC show that corporate legal departments spent an average of $9.7 million on outside counsel in 2018, the purchasing power that US in-house departments can wield in the name of D&I is significant. Diversity Lab and the Move The Needle GCs have been quick to realise this fact, which is particularly salient when contracting external counsel.

For fellow founding GCs, U.S Bancorp’s Jim Chosy and Hannah Gordon of the San Francisco 49ers, Move The Needle has provided opportunities to open dialogue on D&I with external counsel, ensuring that diversity metrics are front and centre when deciding which firms to contract. “In-house legal departments have big role to play in positively influencing diversity with outside counsel,” says Chosy. “Given our purchasing power, we’re able to drive change and I feel an obligation to do this with our law firms, which we consider an extension of our own in-house function. We do this in several ways, including as I’ve mentioned with the Mansfield Rule, the Move the Needle Fund, and our Spotlight on Talent program. We also request and measure diversity data from our law firms to help drive hiring decisions, and last year presented our first U.S. Bank “Invested in Diversity” award, in recognition of firms’ efforts and success with diversity.”

“Move The Needle is a helpful tool for all of us who would like to ensure that we are acting really responsibly in the way that we seek and select outside counsel,” says Gordon. “We’ve had conversations with existing counsel about the importance of diversity to us, and I think the positive we’re seeing out of that is that outside counsel does listen, and does pay attention to how they staff your cases. I think there’s two things that all of us are looking at when it comes to this issue. One is, what are the overall demographics and statistics of a firm? Then secondly, who is actually the staff on your particular matter? Both of those are important.”

Varma is also acutely aware of GCs’ pivotal role in reading deeper into diversity statistics. “One of the reasons I became a founding member of Move The Needle as a general counsel was, it’s my problem. I’m the one who’s hiring outside counsel, so it’s important to recognise that there are many obstacles to improving that diversity, starting with how people get credit and how people move through the ranks of those law firms. You cannot just look at the numbers at the firm, or the numbers on my matter – you have to look at the quality of the representation you get. If I had a firm working on a matter, and I saw consistently that they had about 10 to 15% of the representation that was diverse, that could be good, or they could have somebody who is diverse at the very top level, but the people doing a significant majority of the work are not as diverse.”

Far from a trite marketing exercise, research from Deloitte confirms that companies who can unlock the collective potential of diverse teams can expect to see innovation increase by around 20%, with risk falling by 30%. Simply hiring a diverse array of people, however, is not enough to achieve these results: while diversity is the bricks that build a team, inclusion is the mortar that bonds teams and ensures members feel a sense of authentic belonging.

Banking on a Brighter Future

On the 30th of November 2017, The Australian Government announced a Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission). Appointed to preside over the public inquiry was High Court Justice, Kenneth Hayne. He was tasked with identifying the underlying causes of financial sector misconduct, and to uncover evidence of systemic issues within corporate practices.

The Commission was precipitated by a series of high profile exposés implicating Australia’s biggest banks in scandals covering fraud, predatory sales practices, FOREX trading impropriety, interest rate rigging and more. The Commission conducted seven rounds of public hearings over 68 days, called more than 130 witnesses, and reviewed over 10,000 public submissions. The findings made front page headlines across the country. Concluding the public inquiry, Commissioner Hayne put forward 76 recommendations directed at government institutions, regulators and industry leaders.

The Commission’s findings heralded sweeping changes within current operational frameworks in the financial advice, life insurance and superannuation sectors. Leading general counsel working across these industries in Australia candidly share their experiences in rebuilding consumer trust, as they work towards transforming regulatory practices across the country.

Cashing in

To understand the damning findings of the Royal Commission it is crucial to reflect back upon the historical development of banks in Australia. Jeff Morris was a financial adviser for Australia’s Commonwealth Bank and more importantly, was a key whistleblower spurring the public enquiry.

‘What I noticed was the mentality of banks; they lost their way, and they lost sight of their history,’ explains Morris.

‘The history of Australian banks is a good and honourable one, and an important contributor to national economic growth. It was in the 90s when things began to change. American sales cultures came in and banks got infected with the remuneration US banks had always paid.’

This shift away from customer-focused services towards bonus schemes led to deceptive conduct. Claims that arose included: charges for services that were not provided; continuing conflicts of interest affecting financial advisors; and an insufficient focus on risk management. In more severe cases, some financial institutions had inadvertently facilitated money laundering, turned a blind eye to terrorism financing, and promoted a culture of greed.

Refusing to stay silent, Morris filed several complaints to ASIC (The Australian Securities Investment Commission) Australia’s financial regulator, outlining acts of misconduct he had witnessed. For years ASIC did little to investigate the claims and in 2013 Morris decided go public. Several media outlets began to report upon allegations of fraud, forgery and management coverups. This ultimately resulted in a parliamentary inquiry and Royal Commission.

Since the Royal Commission was televised, Australians saw the direct impact financial misconduct had on individual’s livelihoods, prosperity, and dignity. The erosion of consumer confidence and trust in the sector was – and to some extent still is – extensive.

‘The thing that was so distinguishing about the Banking Royal Commission, was how it captured the public’s attention because of how it connected through case studies into such deep feelings and experiences within Australian consumers,’ says Grant Jones, General Counsel & Executive Lead, Regulatory Affairs at MLC Life Insurance.

‘It showed how customers felt so vulnerable to large institutions, and it gave voice to this feeling and experience.’

This sentiment was shared by David Cullen, general counsel of AMP, one of Australia’s leading wealth management companies.

‘I think it certainly is a pretty challenged environment after the Royal Commission. There is lots of activity and focus on remediating and rectifying legacy issues, making compliance improvements, and leaning into a much greater regulatory change environment than we have seen in recent years.’

The findings of the Royal Commission and the suggested reform package put forward by Commissionaire Hayne represents the largest and most comprehensive corporate and financial law reform process since the 1900s. The reform package addressed issues of weak regulation, corrupt reward structures and an overall disregard for client interests. From the 76 recommendations made, 54 were directed to Government, 12 to regulators and 10 to industry leaders.

‘Together, these reforms have and will continue to ensure that Australia’s financial systems deliver fairer outcomes for consumers and remains resilient to enormous stresses caused by events like the global financial crisis and now the coronavirus,’ said a spokesman from the Australian Treasury.

Leaning into legal

Since the Royal Commission, the role of in-house counsel has been cast into the spotlight. Professor Michael Adams, head of law at Australia’s University of New England explains the delicate position of corporate counsel.

‘The Royal Commission has really highlighted the role of lawyers within financial services, and in particular the role of various in-house counsel within these entities. I think there has been a lot of soul searching and discussions about whether more could have been done, or if they should have been more vocal in management discussions.’

‘First and foremost, if you are a practicing lawyer, solicitor or barrister – you are an officer of the court and you have duties which are predominately to the court, above and beyond that to your client, even as in-house counsel. So, in theory the delineation is very clear,’ says Professor Adams.

Blowing the whistle

During a time when it would have been easier to turn a blind eye, Jeff Morris chose to do the right thing and blow the whistle. By doing so he would embark on a ten year crusade which would culminate in a Royal Commission.

‘It’s a lot more difficult, to be your own man, chart your own course if you have to stand alone, against everyone else who wants you to do nothing,’ explains Morris.

It all started in 2008 when Morris was working as a financial advisor at Commonwealth Bank – one of Australia’s biggest. He became deeply concerned about the severe losses and emotional distress being experienced by many elderly and vulnerable clients as a result of poor financial advice.

‘What I saw and the thing that actually got to me, was when some elderly people came into my office and physically broke down in distress because they had half a million dollars vaporised from their investments. They couldn’t get a straight answer out of their financial planner or any of the managers in the organisation.

‘There were some other blokes who were having similar experiences to me; we got together and decided this was not going to happen on our watch. This is when I wrote to our corporate regulator ASIC (The Australian Securities Investment Commission). The regulators were absolutely useless.

‘That is why in June 2013, nearly five years later, I went public. I needed to expose not only what the banks were doing, but what the regulator was letting them do while they were sitting there asleep at the wheel.’

Morris’s plight to expose corrupt banking practices resulted in one of the biggest regulatory overhauls for the industry.

‘It is I guess quite fortuitous banks had a tune up and a realignment of attitude. The economic carnage at the moment would be just absolutely appalling. Getting banks back on the path of righteousness probably came in just the nick of time. The way the finance industry and banks respond to coronavirus will be extremely important.’


‘In practice in-house counsel roles are subjected to a range of pressures. The more senior of a lawyer you are, the more likely you are part of the management decision-making process. If you are a general counsel at a financial entity, you are part of the c-suite.

‘You are there to facilitate your organisation to develop new products and get around legal barriers and regulatory hurdles. That is part of your job. However, you do have an obligation to speak out against ethical violations to explain when something is misleading or unreasonable.’

Getting ethical

Navigating commercial obligations, whilst acting as a trusted advisor may sometimes present ethical grey areas for corporate counsel.

‘The Royal Commission constituted a profound point of inflection in the industry where firms were forced to publicly look into a dark mirror and make a decision to fundamentally change,’ says Jones.

‘What the Commission particularly highlighted through its case studies, is how easily unfair decisions which have real adverse impacts on people can become normalised within a large commercial operations.’

‘This was a very confronting realisation for industry because the vast majority of people across financial services get up each morning and go to work, wanting to do help and do some good and to make a contribution to their customers and community. They are horrified at any prospect of hurting customers.’

‘If you are a general counsel at a financial entity, you are part of the c-suite.’

‘So when industry people saw the impact of particular conduct through the lens of impacted customers – it was a very confronting moment – people felt deep shame and were challenged at a level of personal values. It was a real moment.’

Similarly, Elizabeth Weston, former head of investment legal and governance at Cbus Super Fund reflects on the on the Royal Commission and its importance on ethical conduct.

‘For me, it was about primacy of community expectations vs the black letter of the law. As a lawyer, obviously people can sail close to the wind, but just because you can do something does not mean you should do something. So, this was a stark reminder of the importance of community expectations and the obligations to always act in the best interests of members.’

Since the Royal Commission, there has been a renewed focus on ethical conduct within the financial sector.

‘I really think those in the sector occupy a unique position of trust, because they are looking after the financial wellbeing of Australians, which is a responsibility and a pretty heavy one. But it is also a privilege,’ explains Cullen.

Culture corrupted

One of the major criticisms coming out of the Royal Commission was the toxic culture prevalent within financial service industries. In fact, Commissionaire Hayne in his final report outlined harmful cultural practices directly linked with risky, immoral and even illegal activities from financial providers. He wrote:

‘Rewarding misconduct is wrong. Yet incentive bonus and commission schemes through the financial services industry have measured sales and profit, but not compliance with the law and proper standards.’

Therefore, cultural practices play a pivotal role in driving or discouraging misconduct.

‘Quite often, an in-house counsel’s job is going to be telling people unpleasant truths, things they do not want to hear. In a culture where everything is being covered up, in a toxic culture, in-house counsel will frequently be pressured to suppress news and not present senior executives with bad news that they know they do not want to hear,’ says Morris.

Weston agrees: ‘As in-house counsel – especially in financial services – there is always a risk that you will fall captive to business and rubber stamp initiatives. One of the key challenges is the fact that you are sometimes delivering deeply unpopular messages.’

‘As you become more senior, you become resigned to the reality of your function as not merely a trusted counsel but also as an officer of the court. I think at times nobody really wants to hear the squeaky wheel, but it is better they do so, before all the wheels fall off the wagon.’

‘I think for me it is about how to deliver that message in a way that stakeholders are able to identify an alignment of interests. How do we counter that risk and deter it in such a way that they will see where you are coming from and act accordingly?’

Looking to the future post-Royal Commission, the role of in-house counsel is fundamental in influencing healthy cultural practices within the workplace.

‘The role of in-house counsel is more important than ever; certainly in this sector they are busier than ever,’ says Cullen.

‘I am a bit wary of the view that in-house lawyers are the conscience of an organisation because really I think everyone should shoulder that conscience. But we do have a key role in setting and being part of the moral compass of an organisation.

‘I think the other key thing in the Royal Commission was about misconduct. It was asked to look into conduct that may fall below community expectations – even where not strictly contrary to law. Now, that is quite a challenging environment for lawyers to operate in because generally lawyers are most comfortable when dealing with black letter legal obligations. The concept of what is and is not contrary to community expectations will be something lawyers have to consider as part of their advice. It raises the issue of ‘where is the line drawn?’ but increasingly this is another challenge that in-house lawyers will have to grapple with.’

Fairness is another concept that does not necessarily follow the black letter of the law, yet according to Grant Jones, general counsel at MLC Life insurance, it has become a key topic for consideration post-Royal Commission.

‘There are two clear learnings that I took from the Royal Commission that influence how I perform my new role today.

‘Number one is fairness. I believe fairness will be the defining regulatory principle of our time. The second learning is that fairness needs the most protection in every 100 small decisions that are made across a company every day, relative to the fewer and bigger decisions a board will make that have the benefit of lots of perspective and debate.

‘Why is the first important? It is important because it prompts the question, how do you embed fairness in your business processes? Fairness is an idea, it does not have a fixed perimeter and is entirely subjective. With that being the case, how can it be a principle of law that you can design processes and products off the back of? This is the challenge for industry participants and regulators, but it’s a critical issue to solve.’

Governance glow up

As a result of the increased regulatory environment following the royal commission, companies across the financial sector are reassessing their internal corporate governance processes. In particular, one of the most obvious shifts for in-house counsel post-Royal Commission has been the push towards strengthening internal corporate governance framework.

‘In Australia, we have come out of a Royal Commission into Financial Services which has really emphasised the need for robust corporate governance and seen an increased focus by our regulators to take action against white-collar crime. That trend is unlikely to change,’ explains Seshani Bala, group general counsel & corporate assurance at Chartered Accountants ANZ.

‘The approach to interacting with regulators is of fundamental importance.’

‘One of the things I noticed following the Royal Commission was the broadened remit of the General Counsel. I previously led the legal function and my remit was extended to risk and governance. There is definitely a trend towards integrating those functions so you can really drive process synchronisation. Risk can be identified and managed and governance around that risk solidified.’

This shift has also been observed by Cullen: ‘Supporting boards and their increased governance needs has undoubtedly heightened post the Royal Commission. I also think the approach to interacting with regulators is of fundamental importance.’

In-house legal teams across the finance industry are tasked with improving corporate governance frameworks in order to avoid public scrutiny or corporate watchdog fines. Raising the accountability and governance standards across the financial sector is crucial.

‘I was hoping that the Royal Commission would lead to a renaissance for legal function within financial services. Perhaps it did within the retail banking sector, but I am not sure if it did so much in the industry funds sector,’ says Weston.

Focusing on the future

Overall, the Royal Commission and its findings sent shock waves through the financial sector of Australia. Revelations of systemic misconduct and corporate coverups brought to light shameful practices and toxic work cultures.

‘Sometimes it takes a disaster or a near disaster for people to recognise – really truly appreciate – cognitive diversity. As a legal professional you bring a different perspective to bear because of your discipline and because of your training as an officer of the court,’ outlines Weston.

‘I think as lawyers I have always felt that we know about worst case scenarios, we seem to be the people who envision it, we seem to be the people who consider what it would look like on the front page of the paper, rather than waiting until it is on the front page of the paper.’

Although the financial sector in Australia has gone through significant regulatory transformation, acknowledging past mistakes and implementing new frameworks aimed at improving industry practices are the first steps towards rebuilding consumer trust.

Moving the goal posts

Plans to mitigate sources of investigatory risk and respond when an investigation does occur must change according to the risk profile of the business. Between novel technologies, evolving sensibilities and seismic shifts within industry, regulators and investigatory bodies are changing focus regularly. So too are business attitudes toward risk changing.

Generally speaking, when asked how the risk profile of their business has changed over the past five years, 53% of in-house counsel said it had at least somewhat increased. When asked to look ahead at the next five years, 26% felt that the risk profile of their business would significantly increase over the next five years, with 61% feeling that there would be at least a slight increase in their business’ risk profile.

When looking at changing risk profiles, data breaches are a good example: it wasn’t so long ago that the range of companies that rely on the collection and use of data was limited. Now, data has pervaded nearly every aspect of commerce. Retail stores that may historically have collected very little personal data now capture all manner of information at the point of sale for loyalty programmes, not to mention the continued recission of relatively anonymous brick-and-mortar buying in favour of online shopping.

To go back further, increasingly globalised markets and supply chains have largely informed recent interest in modern slavery. Modern slavery regimes set an expectation that companies must not hide behind the strongest link in the compliance chain, instead being held accountable for the weakest link: a company in the United Kingdom may be perfectly above-board in a foreign jurisdiction, but regulators now hold those companies to the standard of UK law for their actions in jurisdictions further up the supply chain, where protections against abuse and exploitation are not as strong.

Reading the room

GC surveyed top in-house counsel from across the world, asking participants to rate their organisation’s current risk levels on a scale of 1 to 5, 1 being the lowest risk, and 5 the highest. The responses were broken up into the following categories:

  • Accounting fraud
  • Antitrust/price-fixing
  • Bribery and corruption
  • Compliance/due diligence
  • Cybersecurity and data privacy
  • Environmental regulatory
  • Money laundering
  • Sanctions evasion
  • Securities/commodities fraud
  • Tax evasion
  • Trade/foreign investment violations

Cybersecurity and data privacy risks were rated as the highest concern by survey respondents, both in terms of the risk they currently pose to businesses and how that risk was expected to change in the next five years. Cybersecurity and data privacy risks were rated at an average of 4.48/5 currently, which ballooned to 4.75 when respondents were asked to look ahead at the next five years.

Compliance and due diligence are also top of GCs’ minds – both when speaking about their organisation’s current level of risk and when looking ahead to how this might change over the next five years – coming in at an average rating of 4.27 with an expected increase of 0.22 to 4.49 in the next five years.


On average, nearly every category is expected to become more risky over the next five years. Bribery and corruption risks polled the biggest jump, increasing by 0.32 points on the survey’s five-point scale.

Risking it online

With cybersecurity and data privacy almost unanimously rated as the most pressing risks for GCs both currently and in the coming years, many of the in-house counsel surveyed and interviewed for this report had much to say on the subject.

‘Cyber threats form one of the biggest security risks of the 21st century,’ said Ritankar Sahu, general counsel and head of compliance for the Maxpower Group, operating throughout Southeast Asia and the Middle East.

‘Most Fortune 500 companies have been victims to some form of cyberattack leading to economic damage ranging from a few thousand to a few billion dollars. Cyber-attacks have increased dramatically in the last few months amidst the pandemic.’

Until relatively recently, it might have made sense to talk about cybersecurity and data privacy in terms of specific sectors, but the adoption of mobile platforms and cloud services – be they for internal operations, customer interactions, or both – has made cybersecurity everybody’s problem. In fact, the sector in which a given survey respondent is working had virtually no impact on their perception of cybersecurity and data privacy as a risk: GCs working for manufacturing companies were just as worried as those working for healthcare providers.

This is something that Seshani Bala, general counsel at Chartered Accountants of Australia and New Zealand, has seen personally.

‘Another big challenge is that we are trying to give customers and members a personalised experience, and to make data-driven decisions as a business,’ says Bala.

‘So, we are collecting more data to focus on that personalised, segmented experience. That increases the potential privacy risks in the event of a data breach. The penalties are very high under GDPR and Australian law. We are now seeing other countries move to a mandatory notification system that is in line with GDPR standards, and this poses greater pressure on organisations to make sure they have robust policies and procedures to quickly comply with those notification requirements.’

‘With the rapid development of online services, the risks associated with data storage and cybersecurity will develop,’ agrees Roman Kuznetsov, legal manager at WILO RUS.

Bala has worked closely with stakeholders in the wider business to make sure data protection policies are both clearly understood and rigorously enforced.

‘Once we have made sense of that, we can then drive processes and controls to reduce risk in that space. We partner very closely with our IT team. I think that has probably been the biggest change I have seen the last 12 to 24 months. I think Legal and IT need to be best of friends in-house, and you really need an integrated approach to effectively manage risk in that space.’

‘Before moving to a digital solution, I think it is really key to understand how each platform stores, secures and moves data. Mapping out that data flow process and understanding the data risks and data journey, as well as how it integrates with other platforms or plug-ins in other locations is important. It’s a given that digital solutions need to comply with applicable privacy laws but legal technology solutions also need to appropriately protect legal privilege, corporate record holding, and in-house destruction and recovery policies.’

Modern working

While the large difference between current risk and expected risk over the next five years is undoubtedly a reflection of an increasingly data-driven world, the effects of the COVID-19 pandemic will certainly also be playing a role. With home working becoming near-ubiquitous over the past few months, the volume of data being transmitted – either from workstation to workstation, colleague to colleague or business to customer (and vice versa) – is at an all-time high. This, too, means that the scope for bad actors to gain access to confidential data is also higher than ever.

‘The effects of the pandemic, and the current situation the world is in, pose several challenges for us in terms of rearranging our fraud agenda,’ says Gustavo Sáchica, chief legal and compliance officer at Allianz in Colombia.

‘In-house legal counsel need to anticipate the possibilities of fraud under pandemic circumstances. At Allianz, we have measured and stressed our risk tests in order to consider as many possibilities as possible.’

‘Due to Covid-19, increased working from home has resulted in a rise of remotely-accessed work platforms and digital ecosystems,’ says Sahu.

‘Enterprises still have lots to do before they can claim that they are breach-proof.’

‘This has made us highly dependent on technology which in turn has exposed us to more sophisticated cyber threats. For MAXpower, this has not been much different. Our fleet of gas engines are spread across remote sites in South Asia, and given applicable travel restrictions, we have had to rely extensively on our cloud based technology platform which lets us track ‘live’ operating performance, profitability and emissions from a centralised asset dashboard. The technology also lets us engage in predictive analytics and gives us valuable fleet-level insights.’

‘From a risk management perspective, I think the industry view is that enterprises still have lots to do before they can claim that they are breach-proof. MAXpower’s exposure is no less than other similarly placed power producers in the market.’

‘We constantly strive to make our systems less vulnerable to digital threats. As general counsel, I recognise that we are not breach-proof and regularly engage in conversations with our operations folks trying to gauge whether we are doing enough.’

For some in-house counsel worried about what the future might hold for their cybersecurity efforts, the risk is already eventuating.

‘We have also seen our mail servers being the victim of ransomware attacks and we have had to strengthen our firewalls,’ explains Sahu. ‘In the months to come, I am certain that companies will allocate more budget and resources to address cybersecurity risks, and I do see a rise in procurement of cybersecurity insurance coverage.’


The interaction between the regulators’ attitudes to risk and the reality on the ground for in-house counsel is complicated. In some instances, regulators are leading the charge by focusing on an area of concern and proactively shoring up the relevant protections, or cracking down on non-compliant entities. On the other hand, regulators may have fallen behind the in-house community in how they approach these areas of concern. In this way, regulators can make a company’s compliance journey both easier and more difficult.

‘Increased oversight by regulators is reshaping the way we approach risk.’

Khaled Shivji, chief legal officer at the UAE’s Moro Hub, highlights this point. ‘In order to reduce the regulatory cost of compliance, we would be grateful to see more proactive guidance from regulators and prosecutors about the kinds of risks they believe are rated by the national and state governments as risks that, if not tackled, will diminish the country’s overall international rankings concerning white-collar crime.’

‘Increased oversight by regulators is reshaping the way we approach risk,’ agrees Armando Cruz, director at KPMG in Mexico.

And as with everything, this dynamic between regulators and the market is being redefined by COVID-19, according to Maria Alvear, general counsel at Chile’s GASVALPO.

‘In my view, the whole landscape will change after COVID-19 crisis lowers its impact. It will probably remain within us for a while and that encourages us to change our old ways of working and doing business, including regulatory risk management.

‘Regulatory risk management has been very challenging during these months, with several regulations being issued due to COVID, so it’s hard to keep up-to-date and perform accordingly. I guess this uncertainty that we are facing will remain; sticking to regulatory compliance will become more important than it is today to avoid a situation where lack of control and uncertainty give space for corruption to enter the business.’

Foreword: Latham & Watkins LLP

For companies and their general counsel – as with the rest of the world, generally – 2020 presented unique challenges. As we move through 2021, organisations of all sizes and across all industries face unprecedented forms of scrutiny, liability, and potential “bet-the-company” penalties for misconduct by US and other international regulators.

In response to the COVID-19 pandemic, governments worldwide have distributed significant amounts of emergency relief funds to help manage the pandemic and mitigate its impact on individuals and businesses. Over the course of the last year, the United States, for example, has passed the largest spending measures ever enacted, providing more than five trillion dollars in aid through multiple stimulus bills and more is being proposed. Those relief funds include oversight mechanisms based upon TARP that seek to combat potential fraud, waste, and abuse on behalf of fund recipients, paving new avenues for regulatory scrutiny.

In June 2020, the US Department of Justice (DOJ) issued updates to its Evaluation of Corporate Compliance Programs as part of its overall framework that prosecutors should consider in conducting corporate investigations. That framework will apply to COVID-related investigations. It also provides insight for GCs of corporations seeking to develop and implement a best-in-class compliance program. Among its recommendations, the guidance encourages companies to leverage technology and engage with compliance data real-time – a clear signal to businesses of the importance of data management and security in building a robust compliance program.

Additionally, although robust white collar enforcement has continued in a number of areas over the past four years, the 2020 US Presidential election will usher in a new administration that will likely adjust its regulatory and enforcement priorities on several fronts. With new leadership, financial regulators – including the DOJ and US Securities and Exchange Commission – are poised to take more aggressive stances to combat alleged corporate wrongdoing.

It is no surprise, therefore, that global general counsel are expressing heightened concern over these new and emerging challenges. To gain more direct insight into these issues, Latham & Watkins is delighted to partner with GC Magazine and The Legal 500 in their inaugural “Under Investigation: A GC Guide to White Collar and Sanctions Trends in 2021” to ask GCs about their top regulatory challenges. The following responses offer a snapshot into the concerns and risks GCs around the world have identified as top-of-mind in this evolving regulatory climate.

Douglas Greenburg
Benjamin Naftalis
Nathan Seltzer

Global Chairs, White Collar Defense & Investigations, Latham & Watkins LLP

Data Analysis Part One: The Ethical Shield

Virtually all respondents to our survey had an opinion on whether ethics and compliance were treated as two different topics within their organisation. There was no overwhelming consensus, however 61% of survey participants said that they are not treated as distinct concepts within their organisations; 35% said that they were.

‘Many companies think that these should be separated, where one should focus on the law and the other on the company culture as a whole,’ explains Armando Cruz, director at KPMG in Mexico.

Regardless of the relationship between the two, some consensus has emerged from the results suggesting that the question of ethics does and should touch all areas of the business – not least of all in avoiding the ire of regulators and investigatory bodies.



90% of in-house counsel consider corporate ethics highly important in avoiding white-collar investigations. Similarly, 87% considered the legal team as ‘highly important’ to the promotion of an ethical business culture within an organisation – 12% consider it ‘moderately important’ – and just 1% of respondents thought that the legal team was less important than that.

The results show a near-universal appreciation for ethics within a business by in-house counsel. This is unsurprising. However, what is surprising is the extent to which that feeling from general counsel does – or doesn’t – manifest within the wider business.

Despite near-universal agreement among in-house counsel that their teams are important to an organisation’s ethical makeup, just 63% felt that they and their teams are appropriately placed to promote an ethical business culture within their organisation.

‘Even though they are managed by same team, they are materially different,’ says Miguel Oyonarte, VP legal and corporate affairs at VTR Comunicaciones SA.



‘Ethics is much bigger in terms of scope and impact on culture. For its successful management, it requires the lead of the CEO and all their direct reports. It is also much more difficult to change – it requires full cultural change.’

Indeed, those who didn’t feel that their team is appropriately placed overwhelmingly pointed to factors external to the legal team as being the biggest reason. 61% cited institutional structure as making legal’s involvement impractical. The next most cited reason was that culture and conduct were the domain of another department (17%).

Digital Laundery

Future finance

Cryptocurrencies and the blockchain technology underpinning them have seen exponential adoption over the past ten years. Perceived failures of the status quo and a desire from innovators for improvement has meant that today, cryptocurrencies are now widely accepted in many corners, from retailers to charities to governments. The underlying technology is finding wide application, being used to reinforce supply chains and preserve evidence.

The explosion of digital assets has been enabled by blockchain technology. A blockchain is a series of mathematical structures, inside which individual transactions are recorded. The record of each transaction – each ‘block’ – is dependent on the block that came before it, and becomes a permanent part of the history of the blockchain. This means that the record cannot be tampered with: once it is added to the blockchain, all subsequent transactions are recorded in relation to that block and all of the blocks that came before it. Following each transaction, the updated blockchain is distributed to each participant. Any attempt to change a record in the blockchain will put it at odds with the version held by every other participant in the blockchain, as well as all of the subsequent transactions that have been recorded.

‘Blockchains are basically networks – a series of computers – that rely on a process system of interconnected computers who validate transactions,’ explains John Roth, chief compliance and ethics officer at Bittrex.com. Bittrex is a US-based cryptocurrency exchange with a large clientele of institutional investors. He is also a former US Department of Homeland Security Inspector General and Department of Justice prosecutor.

‘In plain English, there are computer operators who are ensuring that the networks are healthy and that as you engage in transactions, these are actually valid transactions. Most folks aren’t doing it for free, they’re doing it because they’re incentivised by crypto currency. So, blockchain is more than just value transfer.’

‘Crypto is getting less and less risky because there are more and more providers of services which have been in the business for multiple years which educate the people,’ describes Lars Hodel, Head of Legal and Compliance Bitcoin Suisse AG, which was established in 2013 and is the first Swiss-regulated financial intermediary specialising in crypto-financial services.

‘If you want to buy Bitcoin or get crypto asset exposure today, you don’t need to log into some shady-looking site, you can just Google and find your providers to see that it’s real people. Access to crypto assets is getting easier.’

Dangerous money

Some sceptics of the digital asset revolution point to the difficulty of protecting against criminal misuse: after all, regular currency has financial institutions mediating each transaction and leaves a supposedly identifiable paper trail. The anti-money laundering battle is big enough with traditional forms of currency, so how can digital currencies avoid criminal misuse?

The United Nations Office on Drugs and Crime estimates that US$800bn to $2tn is laundered every year – most of this being in cash. According to the Chainalysis 2019 Crypto Crime Report, US$2.8bn in Bitcoin was laundered by criminal entities in crypto exchanges.

The explosion of digital assets has been enabled by blockchain technology.

‘One of the key benefits from blockchain is user autonomy in that users are able to control how they spend their money without dealing with an intermediary authority like a bank or government,’ says Swadesh Gupta, Director of Legal and Strategy at Wallet Circle, a hyper-local customer engagement platform.

Roth expands: ‘There’s a fallacy out there that somehow these digital currency transactions are secret – actually, nothing could be further from the truth. These are very transparent transactions, you can identify transactions by date, time, amount and blockchain location.’

‘It resolves the trust issues in a transaction, and the transactions on blockchain are totally transparent,’ adds Gilbert Ng, legal counsel at Huobi Group. Huobi Group is a world-leading company in blockchain and digital asset industry with a mission to making breakthroughs in core blockchain technology and the integration of blockchain with other industries. It has over US $1bn trades occurring daily on their cryptocurrency exchange.

Washing dirty cash

Criminals are able to use crypto money laundering to disguise the criminal source of their cash assets employing a combination of different approaches. The most simple method of money laundering banks on the fact that undertakings made with cryptocurrencies are pseudonymous.

‘The reason that criminal activities increasingly involve digital assets is because of the anonymity features of these digital assets,’ says Ng. ‘But, looking at the recent trends, there are actually fewer criminal activities using digital assets for laundering.’

The usual approaches that apply to conventional cash money laundering also apply to crypto-laundering. There are three key phases of (crypto) money laundering: placement, hiding and integration.

Placement is moving the dirty cash from its original source into a legitimate cryptocurrency system.

‘The first crypto placement stage is super important to focus on,’ explains Roth. ‘Any time that there is a bridge between fiat currency and digital currency, you really want to pay attention to it.’

This is done through often loosely regulated crypto exchange platforms and initial coin offerings, right through to the use of cryptocurrency ATMs which have already proliferated throughout bars and grocery stores around the world. The complicity of crypto ATMs in the process highlights one of the reasons these novel digital assets are being used to launder criminal funds. What might initially be thought of as a necessary lowering of the barrier for widespread crypto adoption now represents an easy access point for moving dirty money into the digital financial system.

‘We know that in the placement stage, people transact with crypto ATMs,’ explains Rory Gordon, legal and compliance officer at Coinfloor, the UK’s longest established Bitcoin exchange.

‘We’ve had concerns from the police before because [crypto] ATMs have been particularly popular with drug dealers, seeking to convert large quantities of cash. A popular way to get rid of that cash is through [crypto] ATMs because you can deposit the cash, get the Bitcoin, and from there it’s much easier to make up a backstory as to where you got it all from.’

There are also the more conventional concerns at the placement stage, as Hodel explains:

‘It’s very easy to ask your friends to deposit money for you or ask a stranger if you can use his ID to open an account. These are the things that we see which are the most used cases in money laundering. These are very traditional, non-blockchain, non-crypto attack factors that you’ve had in the traditional banking world for years.’

The ‘layering’ phase

The second stage, hiding or ‘layering,’ conceals the origin of the dirty cash through a sequence of transactions and financial tricks, moving the cash through different accounts, currencies and exchanges to obscure its true origin. Just how effective a would-be launderer can be using digital assets will depend on the asset itself and the infrastructure used to deal with it. Some cryptocurrencies have specific focus on privacy, such as Monero. Others do not.

As Roth describes, all transactions are recorded on the blockchain, which provides a level of transparency which ultimately makes complete privacy difficult. Monero circumvents this. Monero transactions hide the sender by ‘signing’ each transaction with multiple signatures, only one of which is that of the actual sender. The amount being sent and the receiver are similarly private.

‘It depends largely on whether they’re using regulated exchanges. In the EU, US, Canada and Australia, the exchange networks are very heavily regulated and require verification procedures that make customer identification and law enforcement considerably easier. So, if a criminal uses one of those exchanges it’s almost a trivial exercise to be able to expose them. And because digital currency transactions are publicly indelible, all they need to do is cross-exchange once and it can be traced all the way back,’ explains Roth.

Hodel expands further, adding that: ‘Even if you use privacy coins where you can’t trace transactions, you need to explain why you used that coin. Any provider who sees a client using privacy coins on a large scale needs to question their client about why they’re using them. If a provider sees an unusual fund and analyses this on a professional level, then this will be flagged.’

‘When you look at currencies such as Monero, they use ring signature encryption which makes it incredibly difficult for any company to track the source of that asset,’ says Gordon.

‘However, some privacy coins do have keys to reveal the true owner of the assets which must be given over if there’s subpoenas or relevant court orders, but generally privacy coins allow virtual anonymity.’

‘Technically, criminals can stay anonymous under blockchain,’ says Ng.

‘But, practically, no. Most criminals will use crypto exchange platforms or over-the-counter (OTC) agents to convert digital assets into fiat currencies. In such cases, their identities would probably be revealed if proper KYC (know your client) procedures are in place.

‘It’s a fairly easy exercise to see through what’s really happening,’ says Roth.

Some cryptocurrencies have specific focus on privacy, such as Monero.

‘With decentralised exchanges, it depends on what the exchange looks like and how it operates. It may make it more challenging, but no more challenging than tracing traditional money laundering through traditional banks.’

‘But, the risk that exists in cryptocurrency that doesn’t exist in typical currencies, is the idea that you can do a peer to peer transfer of value: I’m a bad person, you’re a bad person and we want to do some sort of financial exchange. We can do so with cryptocurrency without involving a bank or a credit card company because peer-to-peer transfers are with cash. This is a new paradigm for criminals to exchange value without somebody looking over their shoulder.’

The final stage, integration, involves the newly laundered money being returned to the launderer with an apparently legitimate – or at least, unknowable – legacy. If money reaches the integration stage, it becomes much more difficult to trace back to its criminal origins from that point.

Anti-moneylaundering solutions

Considering that blockchain technology administers a public log of each and every transaction – leaving behind a permanent trail – susceptibility to money laundering through cryptocurrencies is somewhat manageable.

‘Even if you are a weak provider or intermediary in the placement phase, who doesn’t take anti-money laundering (AML) seriously, I can still check that in the integration phase at a later stage on the blockchain, which is great because you can’t do that in the traditional banking world,’ says Hodel.

‘It’s wrong to say that cryptocurrencies can facilitate money laundering. Cryptocurrencies can be used for money laundering like any other asset, be that fiat, art or even physical precious metals. In the beginning, technology is usually used by people who want to take advantage of the fact that some technologies are not used very broadly.’

‘It was exactly the same with the internet, people used it to hack things and then today you still have online banking, despite the hacks. With crypto, it’s the same – it was used by people who wanted to try to find a new way across the banking system, to money launder.’

But while cryptocurrency is not the ultimate enabler of laundering that it is sometimes accused of being, stamping out money launderers requires supervision and a commitment to compliance on the part of companies within the ecosystem.

‘What helps is installing an in-house legal and compliance department and then training people – not only on the technicalities, but, also on what AML exactly is. Technical understanding is crucial. You need to know what you’re dealing with. If you take a retail compliance officer, you probably wouldn’t get the compliance challenges that you would expect from a tri finance bank and vice versa,’ adds Hodel.

Gordon echoes this sentiment: ‘Having a compliance and legal department and having the right policies and procedures in place, actually gives you the tools to tackle this. Of course, you need to obtain the necessary documentation on your customers. You need to know who they are but you also need to monitor their activity and have intelligent checkpoints in place.’

Though bad actors will continue endeavours to bypass and manipulate blockchain, money laundering can be prevented with devices that pair consumer data with their respective crypto transaction records. These tools can make it relatively easier for businesses to clamp down on crypto-laundering, stay AML compliant and isolate high-risk clients.

‘With crypto, there’s nothing new under the sun, this is simply a different sort of take on typical value transfer, but the measures for AML are largely the same,’ says Roth.

‘You have to KYC and understand your customer’s business, so you can understand what typical business transactions look like and have alerts generated for transactions or a series of transactions which deviate from the expectation of what that customer is doing. You must have good AML hygiene. It really isn’t all much different than what traditional financial institution programmes look like.’

Clean regulation

Globally, when it comes to cryptocurrency transactions and AML enforcement, the law drastically differs from jurisdiction to jurisdiction: from relatively strict regulations in the likes of UK, the US, and much of Europe to practically non-existent enforcement in many other countries.

‘Money laundering is an international crime and money launderers, just like other criminals, don’t respect international boundaries,’ argues Roth.

‘The ability to coordinate, harmonise and correlate these individuals to laws in a way that levels the playing field, among many different countries, with a uniform set of standards of laws that every country follows is super important. Otherwise, you get a regulatory arbitrage where money launderers will gravitate towards to weakest regulatory scheme.’

‘Like any nascent industry, one needs to be very aware of the risks that surround the crypto industry, especially when dealing with non-regulated entities,’ notes Jonathan Galea, CEO of BCA Solutions and a long-standing crypto-focused lawyer who wrote his 2015 Doctorate of Laws thesis on crypto and AML.

‘In fact, most companies would treat crypto as a high-risk industry. However, one needs to differentiate between the various service providers and stakeholders involved in the industry, versus the actual technology powering crypto as we know it. The latter, namely blockchain technology, has proven to be a far better tool for tracking and tracing movements of money than traditional technologies. This is precisely the reason why one shouldn’t go overboard, or essentially over-regulate, before a sufficient understanding of a new technology and its repercussions is obtained, and then proceed to assess the various stakeholders in a particular industry in order to regulate them properly.’

Arguably, the general lack of consistent global regulation is creating considerable risks in increasing the scope of potential manipulation of cryptocurrencies by criminals – therefore, the effectiveness of such protections against money-laundering is somewhat questionable and perhaps even discourages the broad scale adoption of cryptocurrencies.

‘One of the biggest challenges is that we’re not all speaking a common language across jurisdictions in terms of enforcement,’ adds Liat Shetret, Senior Advisor for Crypto Policy and Regulation at Elliptic, a blockchain analysis provider which specialises in crypto compliance and risk monitoring technology.

‘Without standardisation, the regulatory nuances between nations can be exploited. If there is a loophole, it will be found by bad actors, especially if there’s an assumption they won’t be caught because they assume their activity on the blockchain is anonymous. What many don’t realise is that all cryptocurrency transactions on the blockchain are immutable.’

‘There’s a vast disparity between the EU and the US on the one hand, and what I would call the under regulated countries, on the other hand,’ says Roth.

‘There needs to be more global coordination, and less tolerance for countries that prevent core regulation, so we have the cryptocurrency exchange market which is not completely dominated by these large exchanges who are purportedly registered in the Seychelles, Malta, Hong Kong or Singapore, but are in fact, not regulated at all.’

‘Without standardisation, the regulatory nuances between nations can be exploited.’

However, Gordon argues that the possibility of exploitation by criminals is being eroded:

‘It’s definitely an issue, but it’s being mitigated this year by the 5th EU Anti-Money Laundering Directive – so that’s the reason for the Financial Conduct Authority taking crypto under its wing. We’re seeing a lot more global co-operation with crypto compliance now.’

‘Global regulations are developing and on the right track, but it takes time for regulators to acquire sufficient knowledge of this industry,’ adds Gilbert Ng.

One of the biggest challenges facing in-house legal teams is one of compliance with everchanging AML and crypto regulation through differing jurisdictions.

‘This is one of the risks that we face. We need to vet every country – literally – for what is allowed and what isn’t. It differs even if you’re EU member states. That we do not have a unified approach towards this is something that makes it extremely difficult,’ adds Hodel.

Roth agrees. ‘There’s a variety of legislation that we deal with. One issue we have here in the US, you probably don’t have as an issue in the UK or the EU is here, is that we’re also governed by state law. So, because we’re operating in all 50 States, we are required to be compliant with state law as well as federal law. So the biggest challenge that we have is scanning a variety of different laws that apply to us and ensuring that we are in compliance with that.’

However, Hodel argues that ‘if you’re working in the financial industry, you’re used to having different legal and regulatory frameworks apply to your product. It would be nice to have one law that is applicable to any situation worldwide but this is not how law works. Just because crypto is not part of the financial market regulation yet, we still have the very basic civil and penal codes which, for example, provide punishment for fraud. We have a common understanding of what should be okay and what is not okay, and this doesn’t change when we’re dealing with crypto.’

Crypto disruption

Despite the fact that cryptocurrencies can indeed be used to conduct illicit criminal activity, the principle impact of such currencies on illicit crimes, such as money laundering, when juxtaposed to cash transactions, is little to none. According to The Foundation for Defense of Democracies and Elliptic’s 2019 report, US$829m Bitcoin was spent on the dark web. To put these figures into context, that’s only 0.5% of all Bitcoin transactions, with 2 to 5% of global GDP, or up to US$2tn through the traditional financial institutions.

‘Money laundering is not as big of an issue in the crypto space as it is often reported to be or often perceived. It’s a misconception and it’s actually very easy to counter,’ maintains Gordon.

‘We’re still in the early adopter phase of cryptocurrency,’ says Roth.

‘In the grand scheme of things, it’s just a tiny fraction of the global financial world. But, I think cryptocurrencies will reach a tipping point where it’ll be common for you to have a Visa, Mastercard and a cryptocurrency backed debit card in your wallet to engage in transactions. We think that the next two to five years will be a mainstream adoption of cryptocurrencies in a way that will fundamentally change the volumes of crypto involved, as well as the risks.’

Gordon agrees: ‘In the coming years, we’re going to see mass adoption, with big traditional financial players eventually entering the crypto industry once the regulation comes in. Crypto will be used as a store of value for a lot of unbanked individuals. Last year around 1.7 billion people were without banking globally. The great thing about crypto is that you can easily set up a wallet by yourself on the phone or computer. I think it has enormous potential to transform economies and provide opportunities to people the world over.’

Preparing for the Worst

At a time of increasing regulatory scrutiny in virtually all corners of business, and with the stakes having never been higher, now is the time for companies to get their house in order in terms of their compliance and investigatory response regimes. Our survey of top in-house counsel from across the globe revealed great disparities between organisations, not just in terms of how they plan for a potential investigation or prosecution, but also in terms of how high a priority such an endeavour is, and who within the business is best placed to take ownership of it.

But while most businesses – and certainly nearly every lawyer – would recognise the risk of inadequate preparation in this area, whether this recognition had translated into action is another story. Just 57% of respondents in our White Collar Investigations Survey reported that their organisation had implemented a response plan for regulatory investigations or white collar prosecutions. 39% reported that their organisation has no such plan.

49% of respondents felt that their company had robust and effective investigative protocols in the event of an external investigation; 29% said that they did not believe that they had such protocols and 22% were unsure.

While it might first seem reasonable to assume larger companies are more well-resourced and thus more likely to be in a position to create an investigatory response plan, this does not appear to be the case. In looking at whether respondents’ organisations had implemented a response plan, those from larger companies (with over 100 employees) were less likely to report their organisations as having implemented a response plan, at a rate of just 57%, compared to almost 80% of those from smaller (less than 100 employees) companies.

‘There can often be too many distinct business units that would be involved in an organisation-wide plan. What you end up finding is in those cases, it’s much harder to get a far-reaching plan together as in-house counsel,’ says one legal director in the Australian telecommunications sector.

‘It is very important in our view to avoid a culture where the operating commercial organisation believe that no written guidelines from the top of the organisation means “green light”,’ says Kjell Clement Ludvigsen, general counsel at Norway’s Nortura.

‘It should be very clear to all that they are responsible themselves for what they do, but they should ask for assistance from legal or compliance if they are in doubt.’


Another problem with trying to get a clear view of where businesses are in their white collar investigations risk is that areas of concern will differ from company to company, and sector to sector. Our survey asked respondents to rate their level of preparedness in a variety of key areas on a scale of 1 to 5, with one meaning ‘not prepared at all’ and five ‘very prepared’. On average, respondents reported that their business was most prepared in terms of their financial compliance policies, scoring an average of 3.9. Companies were least prepared in terms of their modern slavery policies, which came in at an average of 3.0.

Those who said that their organisation had implemented a response plan for regulatory investigations or white collar prosecutions reported being more prepared almost across the board than those who did not. In particular, respondents whose organisations had such a plan rated their preparedness, on average, up to a full point higher than those who did not. In particular, both bribery/corruption policy and modern slavery policy preparedness increased by almost a point (0.97 and 0.92, respectively) from companies without a plan compared to those with one.

‘Aramco has zero tolerance in relation to any anti-bribery and corruption activities,’ says Ahmad Ismail, general legal counsel at Saudi Aramco Shell Refinery Company.

‘Therefore, I align my plan backwards from there. At each board meeting, I will align this with my president – I will check if there are changes, or any fine tuning for the plan. We need to be agile yet able to optimise.

‘Particularly now, as we have seen Saudi Aramco has been listed on the stock exchange, that represents a higher level of responsibility, citizenship and corporate compliance for the organisation, including at the subsidiary level.’

Whose problem?

One reason why organisations appear to be behind the curve on investigatory planning is that it isn’t an area that uniquely lends itself to the legal team. Efforts in this area are likely to require active input from all corners of the business, as well as an ambient level of support from the leadership team.

Indeed, when asked who within their organisation was responsible for designing and maintaining the response plan, answers were split. While the legal team was the most commonly cited department, it ultimately accounted for just 35% of the responses – and just as many reported not having a response plan at all. 13% – the second most common response – said it was currently a multi-departmental effort, and 10% said it was the domain of a dedicated crisis management team.

‘Day by day, the executive team is more conscious of the importance and necessity of the identification, mitigation and follow-up of risks,’ explains Diana Daza, legal director at SGS in Colombia.

‘As a legal team, we are highly involved in daily risk management operations in order to prevent these sort of risks.’

Despite a current lack of ubiquity around which departments are given investigation planning responsibilities, there is a sentiment that this is changing. From interviews with participants in this survey, it seemed a common view that over time, the pre-investigatory planning job is landing more and more with the in-house team.

‘Based on conversations that I have had with peers, it has become quite common that legal teams, in particular the leadership team, are involved in assessing the risk of investigations and prosecutions,’ shares Oliver Jarberg, deputy chief legal and compliance officer and director of integrity & anti-doping at FIFA.

‘I personally believe that it is one of the key aspects – in particular at management level – for the legal and compliance function to be involved with. In particular, in-house legal teams should already be involved at an early stage by the business so as to flag critical operations, transactions, and provide advice and support on measures to be implemented to mitigate legal and compliance risks – including the risk of investigation and prosecution.’

Annual reviews

Another reason that uptake and confidence in organisations’ planning for white collar investigations is subdued might be because there needs to be an ongoing commitment to reviewing and modifying the plan in order for it to stay effective: external risks are changing constantly, while the risk profile of a business will likely change as it expands or contracts into or away from new business units.

When it comes to reviewing their planning and preparation processes in the context of investigation and white collar prosecution risks, 38% said that they review their process annually, while another 38% reported only conducting such a review on an as-needed basis – another 19% said that they never review their plans in this area.

‘In-house legal teams should already be involved at an early stage by the business.’

‘We undertake an annual review and it is critical to understand both the changes in the legal landscape as well as regulators’ approach,’ explains Kwong Wen Wan, group chief corporate officer and group general counsel for Mapletree in Singapore.

Ahmad Ismail is both a proactive participant in his organisation’s investigation preparation, and an avid proponent of conducting regular reviews of any plans or policies.

‘The way I align my plan – especially in relation to anti-bribery and corruption and also in relation to legal and compliance – is that I first understand the company legal risk appetite and then align that to the business cycle of the organisation,’ he says.

‘Clearly, all organisations have their own business planning cycles, and within that business plan cycle you decide on the capital expenditure of the organisation, in other words, what type of investments they are making for the year.’

‘That is normally also mapped against the company’s risk map. So based on that, I will determine what the plan would be for the year in relation to legal compliance. I would analyse that risk map, and get clarification from the auditor and the Chief Financial Officer and the controller. I’d then identify what would be the risk appetite for the organisation, and then I’d map the plan for legal compliance for the year.’

For Jaberg, ‘at FIFA, we have a working group composed of representatives of different professional functions within the organisation, including internal audits, finance, legal and compliance, and different business units.

‘They meet on a regular basis to map FIFA’s main risks and devise strategies and plans so as to mitigate the risks identified within this working group.’

‘I think it is important to establish a formalised risk management process to identify the different risks – including that of investigations and prosecutions – as well as ensuring the processes and measures designed to mitigate such risks are defined, evaluated and implemented. As risks evolve over time, I think it is important that they are reassessed and the processes to address such risks are then amended as required, based on the learnings related to each risk identified. So, in fact, this is a very dynamic task which also requires the legal and compliance function to thoroughly understand the business, the processes and operations of the company.’

‘It’s important to be agile and on top of things, and adapt to the changing circumstances as required to protect the interests at stake.’

Renewed interest from regulators

Give the importance of preparedness for regulatory investigations and white collar prosecutions, why do companies of all sizes and sectors report such vastly different levels of planning in this area?

‘It takes time – lots of time – to see real cultural change take hold in a company.’

While the subject may have been on in-house counsel’s radar for many years, many counsel interviewed for this report mentioned a ‘sea change’ in the wake of the global financial crisis, which saw a redoubling of efforts on the part of regulators to rein in inappropriate and illegal conduct, particularly in the financial sector. While a decade is a long time in some respects, in terms of cultural shifts within massive organisations it isn’t very at all, and businesses are still coming to terms with heightened sensitivity on the part of regulators and similar investigatory bodies.

‘It takes time – lots of time – to see real cultural change take hold in a company, or industry,’ says one long-time banking general counsel based in the United Kingdom.

‘There is an increased level of consciousness around white-collar crime which I would say began post-GFC and has continued since then. But unless an organisation has already been stung, it can be difficult to enact change quickly – something I suspect every in-house lawyer will be familiar with. It is on the in-house lawyer to keep their foot on the gas and make sure the company keeps momentum towards compliance.’

Data Analysis Part Two: Seeking Counsel

The use of external counsel, once an investigation or prosecution has been made official, received across-the-board support from participants in this survey. 77% of respondents considered it at least moderately important for external counsel to be involved at that point, with almost half of those considering it highly important. 14% reported feeling that external counsel would not be involved.

‘Especially in smaller departments I have been a part of, having a good lawyer outside your business who knows your business is critical,’ explains one senior legal director in the European aviation industry.

‘Departments are strapped for resources as it is; the overhead of responding to a regulator – or worse, a formal prosecution – is beyond the capabilities of most departments.’

Those counsel who were a part of smaller departments were more likely to expect external counsel to be involved. Respondents in teams of 50 or larger were less likely than any other group to involve external counsel, with 31% reporting no involvement of external counsel at that stage.


When it comes to involving external counsel in anticipation of an investigation (as opposed to when one has formally been announced), approaches differ. Just 8% or respondents reported always involving external counsel at this stage; 33% reported occasionally involved external counsel and 38% reported involving counsel ‘often’. Almost 20% rarely involve external counsel at any point before the formal launching of an investigation or prosecution.

‘We are in almost constant contact with at least one outside lawyer to consult with on any real or potential investigations,’ says one veteran in-house counsel in the North American energy sector.

‘We can’t afford not to. If the first time you are meeting with a lawyer is when the regulator is at your door, a lot of (avoidable) damage has been done.’


While the in-house community has been vocal in pushing for diversity in their partner law firms, a company instructing external counsel on an investigatory or other white collar matter is typically more likely to involve a single practitioner for representation than other types of legal work. Therefore, survey participants were asked how important of a factor diversity and inclusion is when selecting counsel in these situations. The overwhelming majority felt it important, with 40% considering it a ‘highly important’ factor and another 40% considering it ‘moderately important’. Just 5% felt it unimportant.

In choosing external counsel, respondents reported choosing from a variety of sources. On average, in-house counsel were most likely to have found their chosen counsel by direct outreach to single firms – 20% of counsel reported choosing their representation this way. The next most popular source was the use of a company-curated preferred provider panel at 15%.