The phone rings. It’s always on the busiest days. It’s probably raining, too. A whistle-blower has reported corruption of public officials in one of your South East Asian business units. A local issue meriting a routine response?

Bribing a customs official is, unfortunately, commonplace within South East Asia. But to treat the region as one homogenous block is to make the first error. More than 8% of the world’s population live in the region. It includes the largest Muslim population in the world, the second-largest Buddhist population, and the third-largest Christian population.

Consider, too, the pluralism of politics across the region. Contrast the King-in-Parliament who reigns in Thailand, to one-party communism in Vietnam. Distinguish stability in Singapore to dramatic political upheaval in adjacent Malaysia. Populist power in the region is most demonstrable in the Philippines under President Duterte.

This variety is also exhibited in corruption perception. After Singapore — ranked 6th (out of 180 nations) on Transparency International’s Corruption Perceptions Index and comparable to the Scandinavian nations of Denmark, Finland, Norway, and Sweden — sits Malaysia, 62nd, still troubled by 1MDB.

Then there’s a void until the bunched, and more corruption-prevalent Indonesia, 96th; Thailand, 96th; Vietnam, 107th; and the Philippines, 111th; which are only slightly better than Bolivia. The best in the region competes with Switzerland; the worst (Myanmar, 130th) battles Sierra Leone.

Actions by corrupt employees within the region merit concern, but the early engagement required must be sensitive to cultural and local nuances.


How do you gather further evidence? Who do you involve in this process of collection and analysis? How do you protect information and documentation? And if you have invoked privilege, will it guide the success of the process?

The data following the whistle-blower report will inform interviews, and the future of the business.

When starting an investigation, contemplation of the collection, transfer, retention, and disclosure of data is required. South East Asia’s data privacy laws are well established domestically in Malaysia, the Philippines, and Singapore, with a data compliance burden to increase with Thailand’s imminent Personal Data Protection Act, Vietnam’s 2019 Cybersecurity Law, and Indonesia’s data protection framework evolving beyond existing data localization requirements.

Compliance with the GDPR (General Data Protection Regulation) has concerned APAC businesses offering goods and services to EU data subjects. But many of the region’s nations contemplated the GDPR long before its inception in May 2018. Data protection authorities in the Philippines, when deploying their first data protection law in 2016, were clearly influenced by the GDPR. See their EU-comparable mandatory 72-hour data breach notification requirement and the legitimate interest grounds for processing personal data.

ASEAN data protection rules remain fragmented, however. Understanding these rules, though, is critical when conducting an investigation. There is a variety of data from multiple custodians, across different languages, to obtain and analyze. Examples include email, documentary, social media, oral, e-data, metadata — and regulators, too, are evolving in how they use this data. The Monetary Authority of Singapore, in late November 2018, indicated a plan for greater adoption of data analytics to fight money laundering and counter-terrorist financing. And this is a global trend.


Further evidence gathering has indicated the bribe to the customs official was to change the destination of a shipment from Cambodia to North Korea.

From a domestic compliance issue in one nation, our scenario will likely now invoke — if not already — the spotlight from U.S. regulators, especially the U.S. Treasury’s Office of Foreign Assets Control. And if the business has a UK or U.S. presence, the long-arm reach of the UK Bribery Act and the U.S. Foreign Corrupt Practices Act. Suddenly, that domestic bribery issue has global ramifications, unclear from that initial call.

A fact pattern of multiple jurisdictions overlapping due to corporate ownership, employees, and business units necessitates understanding domestic and international laws, especially thresholds, self-reporting, and how to manage various regulators. Too often, clients and their advisers become myopic about one international regulator, overlooking intra- and inter-regulators’ conversations across countries.


You’re about to brief the board. They’ve asked if we knew about the possibility of bribes when we bought the business unit in 2016. The due diligence report from the acquisition conducted by corporate counsel had flagged small facilitation payments by third parties, but it was deemed low risk, and left unexplored.

To cultivate a culture of compliance, to minimize misconduct, start from the get-go. Anti-bribery and corruption (ABC) due diligence by experienced specialists at the point of acquisition can give a true asset value of the business. It can identify risk points, guide the transaction’s viability, and inform the bottom-line negotiation. And it can protect against successor liability from (continued) transgressions or proceeds of crimes violations.

Conducting thorough ABC due diligence anywhere, but particularly within Asia-Pacific — the second most-active M&A region in Q3 of 2018 and well positioned entering 2019 — is important. This positions the buyer to establish at the target institutional systems and incentives. These include compliance committees, storytelling, concise training, whistle-blowing lines, and internal audit functions that prevent and identify corporate malfeasance.

2019 requires navigation of diverse data protection frameworks; observation of liability across different domestic, regional, and global standards even outside traditional fraud, bribery and corruption offenses, and prevention of corruption risks by positioning your business’s compliance framework from acquisition. South East Asia is rich in opportunity, but rife with variety.