DRIVING COMPLIANCE WITH CONTRACTS
Edidiong Princewhite
Legal Advisor at Alzheimer's Society | Experienced In-house Counsel | GDPR | International Contracts & Transactions | Commercial | SAAS & AI | Intellectual Property
Compliance is the active obedience by entities of orders, rules, requests, standards or laws ("Regulations") applicable to the sector or industry in which they operate, within a country or internationally.
In 2022, a myriad of regulations is binding on many Companies regardless of where such businesses are based or operating from. For instance, the OFAC sanctions prohibit a lot of Companies worldwide from doing business with certain persons, entities or countries.
However, in spite of the many regulations and regulators internationally, it is still difficult to ascertain the compliance level of Companies generally, as it is almost impossible for regulators to know in full whether or not a Company is compliant until a whistle is blown. This is full proof that passing laws alone is not sufficient. Laws must take into consideration a means for implementation and ensuring compliance, and one of the ways to do this is to mandate Contracts. Contracts are an effective tool that regulators can impose to drive and monitor compliance.
This is very evident in Data Privacy Compliance. Certain Contracts and clauses have been mandated for the processing and transfer of data. Not only that, regulators in this space define what is expected at a minimum in these contracts. For instance, a Data Controller must enter into a Data Processing Agreement which also provides that Processors will be audited frequently. Then, on a yearly basis, regulators can demand proof of the existence or occurrence of these Agreements, Audits, etc.
In view of the above, I believe that the standards used in driving compliance with data privacy laws and regulations should be extended to all other areas of compliance. This can be driven by Regulators, who should insist in their Regulations on the entering into of certain contracts, with defined contractual clauses, that can be audited by the Regulators to assess an organization’s compliance level. What this does is that Compliance is largely no longer artificial. Artificial compliance, as we generally see today, is a "tick-the-box" activity. When we tick boxes alone, it is difficult to ascertain whether or not all employees, for instance, have complied with the Gifts, Hospitality and Entertainment Policy of a business.
In my years as a Compliance Officer, I have read in some regulatory-related news how some CEOs sign off compliance statements that are untrue. This is because there is no true documentation or contracts in place to measure compliance at every level.
Regulators must not let Companies individually decide what their Compliance Programs should look like; they should define this and use Contracts as one of their tools towards ensuring organizational compliance internationally.
Founder/CEO at Data Sentry MSP
2 years ago
Contracts are indeed a mechanism for holding organizations to their corporate obligations. The other is the regulator's hammer.