Companies Registry Disclosure Rule Changes Still Create Opportunities to Update Anti-Bribery and Anti-Corruption and Anti-Fraud Compliance Processes.

I-OnAsia is a premier vendor of Enhanced Due Diligence and FCPA Due Diligence services to major corporations and financial institutions, often working at the instruction of premier law firms’ Capital Markets and White Collar departments.
Every day I-OnAsia is working dozens of FCPA Due Diligence assignments in Hong Kong, where our business is headquartered. One of the key aspects of an FCPA Due Diligence performed for a private company is to check for risks of bribery or corruption. There are many different approaches to an FCPA Due Diligence to check for these risks. Sometimes these approaches differ by screening level. Sometimes these screening levels include verifying information found on a business record in Hong Kong that may be maintained and archived by the Companies Registry.
Today the Companies Registry data includes far more information about the shareholders and directors of companies in Hong Kong than you might find on a similar record available to the public in the State of Delaware or in the United Kingdom. A Companies Registry document today includes the full identity numbers of individual directors and details their home addresses. In the post-GDPR world we now live in, I-OnAsia has seen a global trend of regulators responding to legitimate questions about the potential privacy downsides of their public database disclosures by changing disclosure rules. In line with this trend, the Hong Kong Government has recently proposed some changes to the disclosure rules, which basically redact some portions of individuals’ private information.
Over the past few months there have been some very heated comments made about the rule changes, including suggestions that new approach effectively means that the Hong Kong Government now “encourages corruption, money laundering and fraud“. Such heated accusations don’t seem to take into consideration the continued regional leading work of Hong Kong’s Independent Commission Against Corruption or the Chinese National Government’s strong commitment to anti-corruption or the Hong Kong Press’ continued freedoms to report on corruption cases or the fact that Hong Kong overall remains one of the LEAST CORRUPT places on the planet, as measured by Transparency International.
Market watchers have seen the Hong Kong Government make regular updates to approaches on personal data over the past decades, including in the mid-1990s with the establishment of the Personal Data (Privacy) Ordinance. A key update in 2012 significantly shifted what data companies could hold on their employees and share with third parties. More recently there have been updates to rules covering personal health information.
Considering Potential Impacts of Rule Changes Through Hypothetical Case Examples
* Consider an FCPA Due Diligence background check for a hypothetical North American FMCG company with a robust compliance program. The factory produces goods in the EMEA region. The group that controls the EMEA factory is headquartered in the APAC region. But, the FMCG client is being asked to make payment for the goods through a Hong Kong bank account controlled by a Hong Kong registered company. Before the FMCG client will approve payment, the CEO of the group is asked to authorize an FCPA Due Diligence check and the CEO agrees a check can be performed on the Hong Kong enterprise. As work proceeds on this case there is no public information about the Hong Kong enterprise found in the public media. So, the Hong Kong Companies Registry archive is checked by I-OnAsia researchers seeking more information about the local company. The search finds a Companies Registry filing which shows that the CEO is, in fact ,the sole shareholder of the Hong Kong company. As such, the FMCG is being asked in this hypothetical example to make a payment to a CEO in an offshore account for goods produced by a factory in EMEA. I-OnAsia might flag the transaction as having certain potential fraud, tax avoidance, and money laundering risks, but the new rule changes proposed by the Hong Kong company would have had little impact on the FCPA Due Diligence process for this project.
* Consider an FCPA Due Diligence background check on a hypothetical Hong Kong based Hedge Fund manager. The Hedge Fund manager is seeking to raise US$100 million from an institutional investor in EMEA who has a mature AML process. Prior to agreeing to invest, the institutional investor wishes to verify the background and activities of the Hedge Fund manager. A release is signed by the Hedge Fund manager approving the conduct of a check, which the institutional investor requests includes a verification of personal biographical data disclosed by the Hedge Fund manager on his application. Historically, the residential address of the Hedge Fund manager might be verified by checking the Hong Kong Companies Registry for an address listing, but there was actually never a guarantee that the contract address for the Hedge Fund manager as listed on the Companies Registry record was actually the true place of residence of the Hedge Fund manager. Historically the contact address could have been a place of business for a Hong Kong corporate secretarial company, for example. In this case, we might use best practice and ask in an interview of the Hedge Fund manager for verification and the new rule changes proposed by the Hong Kong company would have little impact.
* Consider a global FCPA Due Diligence background check on a hypothetical foreign national named Mr Patil. As part of the global FCPA Due Diligence background check on Mr. Patil, a search is undertaken to determine if Mr. Patil holds a stake in any businesses, including in the jurisdiction of Hong Kong. Historically and under future rule changes, Mr. Patil’s first and last name could be used as search terms for a search on the Companies Registry and the new rule changes proposed by the Hong Kong company would have limited practical impact, as a partial identifier would be available. However, it is not impossible to imagine a circumstance where two individuals with the same names exist and share similar partial identity numbers. In such a circumstance, it would be possible that a finding of the FCPA Due Diligence search contains what is known as a “false positive” result: basically that a link is made in a database result that does not reflect reality. In this hypothetical case, it would be best practice to add a caveat to the FCPA Due Diligence report which notes a need for additional research to rule out a potential false positive.
Opportunities for FCPA Due Diligence Program Updates
These recent events highlight the importance of staying up-to-date on Hong Kong’s ever changing approaches to privacy, which have occurred throughout the decades.
For companies and their legal advisors, a major consideration today is whether FCPA Due Diligence programs have been updated appropriately. Obviously short-cuts to gaining access to an individual’s private data are “out”, and the use of permissions and releases to support data collection is “in”. Frankly, many of these shortcuts were not practically available in other jurisdictions across Asia already, and there shouldn’t be many changes for companies with global best-in-class FCPA Due Diligence program approaches.
I-OnAsia regularly supports FCPA Due Diligence program developers, including White Collar and Investigations lawyers at major law firms and their clients. I-OnAsia provides insights on release form language and questionnaire questions that work. Our team is knee deep in the weeds of data quality and data availability issues affecting FCPA Due Diligence programs and can answer other questions. We are also very active in the performance of FCPA Due Diligence checks for businesses that are concerned about fraud prevention.