Geopolitical factors, in particular the strained relationship between China and the U.S., are continuing to have a profound impact on the regulatory landscape in the region, along with emerging trends in fintech, data privacy and ESG.
Here, we consider some of the key regulatory challenges businesses will need to proactively manage in 2022.
1. United States-listed Chinese companies face threat of removal from U.S. stock exchanges
Long-standing tensions between the U.S. and Chinese governments over disclosure requirements for corporate auditing have come to a head. The U.S. Securities and Exchange Commission (SEC) has outlined plans for a new law requiring foreign companies to open their audit papers for inspection or face being de-listed from U.S. stock exchanges within three years of non-compliance. China and Hong Kong are the only jurisdictions which do not permit such inspections. The uncertainties will certainly mean a downside risk for investors and these Chinese companies will be more vulnerable to short-seller attacks.
2. FCPA – a priority for enforcement once again?
As we explained in a recent article on the U.S. regulatory landscape, two keys areas of enforcement focus for the Biden administration are anti-money laundering and anti-corruption. Enforcement agencies have been given extra resources to investigate offences under the Foreign Corrupt Practices Act (FCPA), including bribery and other financial crimes relating to foreign corporates. China has been historically the top country for FCPA enforcement actions and will likely remain the enforcement focus, given U.S. companies’ exposure to this strategically important market.
3. Sanctions and counter-sanctions
These developments come amid a backdrop of increasing U.S. sanctions activities against China and within the context of secondary sanctions. Hundreds of Chinese companies are finding themselves on the U.S. SDN List, CMIC List, and Entity List, among others.
As we discussed in a recent post, China has reciprocated by accelerating the development of its own legal and regulatory framework for anti-foreign sanctions. The Anti-Foreign Sanctions Law, published last year, is a particularly significant development, and China has already implemented counter-sanction measures against a number of foreign entities and individuals (including restricting travel to China and freezing assets).
4. Hong Kong considers regulatory regime for cryptoassets
How to monitor and manage risks relating to the proliferation of cryptoassets is a challenge that is exercising the minds of regulators across Asia. Following the central government’s decision to outlaw virtual currency-related activity in mainland China last year, the Hong Kong Monetary Authority has now launched a consultation paper on cryptoassets and stablecoins, setting out the regulator’s review of how to expand the regulatory framework for cryptoassets and obtaining feedback from market participants.
5. Cyber security and data privacy
Another example is data protection – within the last year China has rolled out new legislation, the Personal Information Protection Law (PIPL) and Data Security Law (DSL). These two pillars of data regulation have dramatically changed the ways in which data should be handled, and also introduce significant penalties for non-compliance.
PIPL aims to protect individuals from the potentially harmful consequence of abuse of their personal data and, taking some inspiration from EU GDPR law, now requires that digital platforms collecting personal data must create independent bodies to monitor its use in areas such as algorithmic content recommendations.
The DSL is more all-encompassing legislation, covering all types of data beyond just personal information. The law, which will affect all Chinese entities involved in any form of mass data collection, requires them to categorise themselves within a five-tier system, the higher of which will bring increasingly robust requirements around software and hardware maintenance, reporting and auditing.
How should businesses respond to the evolving regulatory landscape?
It is critical that organisations stay abreast of the regulatory landscape and ensure that they have the skills and expertise to manage and mitigate regulatory risks and defend the organisation in the event of regulatory intervention.
More broadly, businesses must understand that regulatory risk is a dynamic, constantly moving arena. To take the ongoing political tension between China and the U.S., regulations and sanctions regimes are being updated so frequently that individuals and companies are continually being added to or removed from the countries’ respective entity lists.
The key takeaway is that focusing on managing the risks that exist today is simply not enough. Businesses need to have the organisational structure, resources and capabilities to scan the horizon for new and emerging risks. Equally, there is recognition of the imperative to integrate risk and compliance, looking ahead together in order to prepare for the risks of tomorrow, rather than simply following the rulebook as it is written today.
By the same token, the business environment can change as quickly as the regulatory and risk landscape, and there needs to be a balance struck between business needs and risk management. Businesses must understand that responsibility for risk cannot be siloed to the risk team or one individual. Risk is a business problem.
In some areas, there have been positive signs that attitudes to risk and compliance are changing. For example, businesses are beginning to recognise the need to take positive action on ESG (and be seen to do so), rather than waiting for a knock on the door from regulators to spur a response. A holistic business strategy, integrated with a robust risk agenda, provides the foundation for a sustainable business model and positive corporate culture, and in return a level of brand authenticity that will attract more customers.