Avoid the 7 Deadly Sins of Drafting and Implementing Global Conduct Codes
A LexisNexis® Webinar Report
Edited by Susan Winchurch, J.D.
U.S. multinational companies that adopt global codes of conduct in an effort to “do the right thing” may find those good intentions backfiring―with the results including civil or criminal liability―if their codes are driven solely by U.S. laws, protocols and customs.
“Good companies, trying to do the right thing, if they [adopt] an overly U.S.-centric mindset in their quest to be ethical, can actually inadvertently create criminal and civil legal exposure,” warned Cynthia L. Jackson, a partner with Baker & McKenzie LLP, and chair of that firm’s North America Compensation and Employment Law Practice Group. Jackson is a 30-year practitioner and serves on her firm’s Global Employment and North America Corporate Compliance steering committees.
Jackson teamed with Hazel-Ann R. Meyers, senior vice president, assistant general counsel and chief compliance officer for CBS, in an April 10, 2013, Webinar hosted by LexisNexis®, focusing on ways companies can avoid “the seven deadly sins” encountered by multinational companies.
Too often, they said, companies let their codes of conduct be too heavily influenced by U.S. norms, without regard for the legal and cultural environments of the countries in which they operate. The code of conduct, Jackson said, is the “bible” and therefore needs to set standards that are clear, workable and enforceable. If the code runs afoul of local rules, it will be devoid of credibility.
Enforcement agencies around the world, Jackson said, will home in on whether a company has in place proper standards and controls when assessing compliance under regulatory schemes established under Section 301 of the Sarbanes-Oxley Act, the Dodd-Frank Act, Department of Justice Anti-Corruption guidelines, the Organisation for Economic Cooperation and Development (OECD), and the U.K. Bribery Act, to name a few.
The corporate code of conduct plays prominently in the implementation of those controls, but can only work if it is enforceable.
“As a starting point, you need to make sure that document not only fulfills U.S. requirements but also, if you’re in a global environment, you want it to comply with, and certainly not offend, local non-U.S. compliance rules,” Jackson said. “You need to make sure that [the code] has disciplinary teeth, and has credibility with the audience you’re pushing it out to.”
In addition, Jackson said, having in place a properly drafted code of conduct affords a potent defense if employee conduct lands the company in legal hot water. In the U.K., for example, the Bribery Act recognizes an affirmative defense based on a company having in place proper standards and controls. With such a defense potentially available, she called it “almost inexcusable” not to have in place a properly drafted code of conduct.
In addition, Jackson noted, certain laws, such as Section 301 of Sarbanes-Oxley, mandate the establishment of anonymous whistleblower hotlines, a form of data transfer. A company that establishes such a hotline, Jackson cautioned, must ensure that the hotline complies with local data privacy and employment laws. Dodd-Frank, she noted, “upped the ante” for whistleblowing and increased possible incentives, awarding a maximum of 30% of the amount collected.
But stark conflicts may quickly surface between U.S. laws like Sarbanes-Oxley and Dodd-Frank, the speakers said, and other countries’ privacy and employment laws.
The requirement of anonymity for whistleblowers is one striking example. The U.S. favors anonymity, abhors document destruction, and, unique among nations, widely favors “at-will” employment. In contrast, countries in the EU are more concerned with data privacy, fear potentially malicious or anonymous reporting, and favor prompt destruction of outdated documents. In addition, EU countries generally have restrictive employment laws and reject the “at will” concept―so including any reference to at-will employment or the negation of an employment contract in a code of conduct undercuts the code’s enforceability.
The Seven Deadly Sins
Jackson and Meyers identified the following “Deadly” Sins:
1. Including Overly U.S.-Centric Language in a Code of Conduct. Expressing concepts like “employment at will” in a code that is intended to be enforced across borders will not resonate, Jackson said. In particular, common language that may be regarded as “best practice” in the U.S.―the negation of an employment contract―is plainly counterproductive in countries where, in order to be enforceable, the code of conduct must be contractual. Other problems include differing concepts of “cause” for termination and concepts like nepotism and discrimination. In Muslim countries, there may be cultural or even actual legal requirements to discriminate, and in the international business context, local law trumps Title VII of U.S. civil rights law.
2. Illegal―Even Criminal―Hotlines. The hotline, as a data transfer vehicle, must be data privacy compliant. Depending on the country, Jackson said, this may include notices to the employees, registrations, filing requirements and consents.
3. Failure to Limit Subjects of Reporting to the U.S. The instinct to report “any and all” violations of law or the code of conduct may result in an employment law or data privacy violation. “Depending upon your global footprint, this may not only be not appropriate but may be an employment and data privacy violation,” Jackson said.
4. Failure to Translate or, Where Required, Locally Adopt the Code. In some countries, such as France and Belgium, the code is a legal nullity if not translated into the local language. Even where not required, it is advisable to translate the code for three reasons, Jackson said. First, employees should understand the standards to which they’re being held; second, the company wants to defuse the potential “alibi” that the employee didn’t understand the code; and, finally, initiating translation allows the company to control the language nuances. If, in a legal context, the untranslated code must be translated, the company will be forced to cede control of the translation to a judge or administrative agency. In addition, in some countries, such as Russia, India and a number of others, the local entity must “adopt” the code in order to be enforceable.
5. Failure to Roll Out the Code Consistent with Local Employment and Data Privacy Rules. If reporting requirements, data privacy laws, or local employment rules are violated, Jackson said, a company risks rendering the code unenforceable, or worse, a violation of law. Companies need to be sensitive to the myriad local rules imposed not only by governments, but by labor unions and work councils. Some countries, such as France and Belgium, mandate that the code of conduct be incorporated into local work rules.
6. Overzealous Investigations and Monitoring. In its quest to be ethical, Jackson said, a company may launch aggressively into a full-scale U.S.-style investigation of an alleged violation of law or the code. In doing so, she cautioned, companies must proceed carefully or risk violating data privacy laws.
7. Overly Aggressive or Untimely Discipline. Some countries, Jackson said, mandate a relatively short time from the discovery of a violation to the imposition of discipline. Companies must weigh this timeliness requirement against the need to conduct a detailed investigation into alleged wrongdoing, breaches of the code, or violations of law. In some countries, the timeline is as short as two to four weeks, Jackson said.
Companies also should weigh the potential benefits of adopting regionalized codes of conduct against the need for uniformity, Meyers added. “You have to be familiar with the dynamic in your company. It is very important to have discussions with local HR, legal, finance and internal audit to make sure you know what’s going on, on the ground,” she said, noting that CBS, a relatively “decentralized organization,” found it advantageous to have regionalized codes that reflected local nuances.
The “Code Burger”
Both speakers urged companies to keep the code of conduct at a “high level” so that it is manageable, accessible, and comprehensible to all employees. Both cautioned against wholesale incorporation of other documents or links.
“If you choose to do that it is very important to recognize that if you’re incorporating by link to another policy make sure that other policy has passed the same global test and works,” Jackson said. Meyers noted that companies are increasingly including links to their social media policies in codes of conduct.
And in countries that don’t recognize the protections of U.S. laws, such as Title VII, they cautioned, wholesale incorporation by reference of such provisions can obligate the company to give employees protection that they otherwise would not have, and can put the code directly in conflict with local law.
Jackson and Meyers told their audience to envision a “Code Burger.” The “beef” is the code, but it sits on the “data privacy bun” and with “condiments” consisting of notice requirements, acknowledgements of receipt and the like, with the “top bun” of internal regulations completing the dish.
“Many people focus on the beef. They look at the code, and they’re done,” Jackson said.
Companies take this approach to their peril. Jackson told the story of a German subsidiary of a U.S. multinational whose fired German employees committed undisputed violations of the company’s code of conduct. They took their cases to the German courts and ultimately won payments of $1 million each. The U.S. company’s code of conduct failed to pass the requisite tests, and the U.S. company did not consult with the local works council before rolling it out.
1. Companies should steer clear of U.S.-centric language in their codes of conduct. Don’t assume that “best practices” for drafting an employee handbook for a U.S. corporation will translate into an enforceable global code of conduct.
2. To be enforceable, a code of conduct must not only comply with U.S. laws, but must avoid violating foreign data privacy and employment laws. Pay heed to local and regional requirements so that the code has the disciplinary teeth to be enforced.
3. Consider the “Code Burger.” Companies should broaden their focus beyond the code language itself.
4. Avoid over-inclusiveness. Incorporation of protection afforded by U.S. laws, like Title VII, is unnecessary and potentially creates liability where none otherwise would exist.
Editor’s Note: You can still hear the full Webinar on-demand from LexisNexis®. Also, for more on this subject see Tom Hagy’s article in the January 2013 issue of the LexisNexis® In-House Advisory titled: Cracking the Code of Conduct Conundrum: Synchronizing Words and Behaviors.