This article was first published in the November/December 2019 China edition of
Accounting and Business magazine.

As global organisations move into Asia and home-grown companies expand their footprint across the region and beyond, the differences in how regulations are implemented in different jurisdictions can pose a challenge for accounting firms and their clients.

‘Exposure to compliance risks and regulations vary widely between Asian countries and jurisdictions, so it is important to move beyond ”box-ticking” exercises,’ says Singapore-based Andrew Macintosh, a partner with Control Risks Asia Pacific. He says that it is important for businesses to ‘right size’ their preparation and response mechanisms to the different types of compliance and regulatory exposure they face.

First and foremost, Macintosh believes it is important to have in place what he describes as an ‘outside in, inside out’ approach to cover external macro and internal compliance issues. External risks, for instance, can vary from third-party relationships to geo-political and social risks, while internal risk factors can include transactions, record-keeping and policies and procedures.

Share the risk

Macintosh believes that it is vital for an organisation’s risk professionals to have access to, and assistance from, all functions within the business.
‘The responsibility of identifying compliance risks should not be left solely to an organisation’s risk or compliance professionals,’ he says.

It is important that compliance officers work closely with partners in the human resources, legal and marketing functions to build a company-wide picture. At the same time, organisations can strengthen their performance by empowering employees to embrace compliance as an individual as well as an organisational responsibility. Macintosh suggests developing compliance training programmes that include elements that focus on how to respond if decisions have an impact on family members, thus elevating the importance of compliance requirements and probable outcomes.

Hong Kong has long had a reputation for being one of the easiest locations to set up and operate a business, but this can sometimes cause organisations to overlook statutory requirements. Typical examples include neglecting statutory audit and profits tax-filing requirements, leading to the issue of non-compliance penalties.

‘These situations could easily be avoided with the proper level of awareness and monitoring,’ says Edith Lam, a partner at PKF Hong Kong.

To provide effective compliance checks and balances, a well-designed internal control system is a good place to start, says Lam. As a general rule, she says, key internal control procedures should be prioritised and separated. For example, standardised control documents, financial reporting, review and reconciliation as well as authorisation matrices should each be handled as a separate compliance processes.

IT and talent infrastructure

Meanwhile, as businesses continue to digitise their processes and commercial transactions, having the appropriate IT infrastructure and talent with the necessary skill-sets in place is essential to safeguard compliance obligations and to provide protection against cyber threats.

In addition, as businesses in Hong Kong and mainland China transition from paper to digital transactions, there is a need for technological hardware, applications and professionals with the requisite skillsets to manage, maintain and monitor digital footprints. ‘One of the main priorities of going paperless is to ensure that digital footprints are properly maintained to meet compliance requirements,’ Lam says.

With regulators around the globe increasingly scrutinising the source and legitimacy of financial funding, anti-money laundering features prominently on the concerns list of the majority of clients. The handling of data and data privacy is also a high-priority concern for both clients and BDO, says Clement Chan, managing director of assurance at BDO Hong Kong.

‘These are two of the areas we look at first when we bring new clients on board,’ he says, adding that BDO is sensitive regarding the data that comes into the firm’s possession and how it is managed and stored.

A prime example is the data handled during monthly payroll processing for clients and the data that BDO processes during client internal control reviews. ‘For BDO and its clients, it is crucial to pay close attention to the relevant rules and regulations, including the implementation of new regulations,’ says Chan, singling out the European General Data Protection Regulation (GDPR).

With accountants required to be increasingly vigilant to the risks of money-laundering and terrorist financing, accountancy firms based in Singapore need to be aware of Ethics Pronouncement (EP) 200, says Jocelyn Goh, partner, audit and assurance, at BDO Singapore. She explains that, in line with the standards set by the government’s Financial Action Task Force, EP200 requires accounting firms to conduct risk-based client due diligence checks.

With client risk assessments based on business, geographical locations and risk profiles, Goh suggests that professional firms need to evaluate risks on regular basis. For example, when there is a change of control or ownership of the client company; when there is a substantial change made in the type or conduct of business; and when recurring services are being planned and reviewed.

‘Professional services firms need to make sure they have processes in place to apply due diligence checks based on criteria such as customer profile, risk assessments and nature of the business,’Goh says.

While there is an expanding choice of technology software and platforms to assist compliance professionals to conduct business risk assessments, monitoring and compliance checking, tech-solutions are being overlooked by clients, often due to the lack of knowledge of what is available in the market.

‘Unfortunately, many businesses are not capitalising on the robust compliance technology available due to a lack of knowledge,’ says Goh. ‘Some are getting caught in the here and now, rather than investing in the critical technology and talent that will position them to meet longer term goals.’

Gloria So, principal at ShineWing Risk Services, notes that in addition to meeting Hong Kong Securities and Futures Exchange listing rules, businesses are concerned about trade disputes between the US and various countries. For instance, frequent amendments made to the US Office of Foreign Asset Controls sanctions list raise concerns among clients engaged in international trading activities or manufacturing of electronic components.

‘Businesses are worried they may not have the appropriate tools to determine that they are not trading with any sanctioned entities,’ So says.

Compliance readiness

Another compliance concern is the suspicious transaction reporting requirement. Unlike multinational banks, which tend to use technology-led predictive systems to analyse and identify sanctioned entities to flag up suspicious trading patterns or abnormal data, manual checking processes and periodic sample checks are more likely to miss abnormal data.

‘Businesses can only identify any breaches to the ordinance after the transactions are executed and consequently create a high regulatory risk,’ says So.

Eugene Ha, deputy managing partner at Grant Thornton Hong Kong, agrees that businesses are operating in an increasingly complex and demanding regulatory environment.

‘We are seeing more compliance requirements being made from regulators, especially in the area of anti-money laundering policies,’ says Ha. ‘Businesses have to evaluate their own controls and identify the issues and gaps, and then determine the appropriate solutions needed to close the gaps.’

Establishing accountability and responsibility is also vital to maintain effective compliance programmes. To support this, Ha says it is important to involve the IT department to introduce and support the development of new technology infrastructure: for example, money-laundering screening tools. Staff are encouraged to equip themselves with the right skill sets and know-how to handle the impact of any newly introduced technology or changes to in-house technology infrastructure.

A prime example, according to Ha, is the handling of data privacy. Due to the popularity of mobile applications and social media. It has never been easier to collect the personal information. Moreover, GDPR and updates made to the China Cybersecurity Law require companies to enhance their cyber security controls across three areas: people (having a dedicated data privacy officer in place); processes (maintaining well-planned incident handling procedures); and technology (the implementation of data encryption and network monitoring technology).

‘To fill in any missing compliance readiness gaps, additional investment in staff training and support from third party professional services are required,’ says Ha.

Chris Davis, journalist