Managing third party risk and understanding compliance considerations are key to conducting business across borders.

In this panel discussion with Tiffany McConnell King (Corporate Director and Division Counsel, Global Sustainment and Modernization, Northrop Grumman Corporation) and Kirk Foster (Assistant General Counsel and Director of Compliance and Privacy, HII Mission Technologies), Marilyn Batonga (Partner, Baker McKenzie) and Maurice Bellan (Partner, Baker McKenzie), we uncover the latest trends and analyze enforcement actions related to international government procurement, focusing on risks based on conduct abroad as well as False Claims Act risks. We provide practical tips on:

  • Maintaining a uniform culture and processes at the global, regional and local levels
  • Dealing with uncertainties of foreign legal regimes
  • Implementing key elements of corporate compliance: leadership, risk assessments, standards and controls, training and communications, oversight
  • Properly vetting and managing third parties


The post United States: Practical Tips for International Procurement – Performing Overseas appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled US President signs bills revoking Russian trade status and barring energy imports on 11 April 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: US President signs bills revoking Russian trade status and barring energy imports appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled BIS expands sanctions against Russia and Belarus and adds four countries to global export controls coalition on 12 April 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: BIS expands sanctions against Russia and Belarus and adds four countries to global export controls coalition appeared first on Global Compliance News.


The SEC’s recently released (and long-awaited) proposed rule changes that will require disclosure of climate-related risks (“the Proposed Rule”) are likely to have significant supply chain implications. The Proposed Rule would require listed companies to disclose information on climate-related risks and greenhouse gas (“GHG”) emissions; as explained below, both of these disclosure categories include data related to corporate supply chains, and thus the Proposed Rule would essentially require public companies to obtain and analyze climate risks and climate impact data related to their upstream and downstream suppliers.

Climate-Related Risks Disclosure – the Extended Enterprise (including supply chains)

The Proposed Rule broadly defines “climate-related risks” to encompass both actual and potential negative impacts of climate-related conditions and events on companies’ consolidated financial statements, business operations, and value chains, as a whole.  In turn, “value chains” are defined as both upstream and downstream activities related to company operations.  The Proposed Rule clarifies that under this definition, upstream activities include activities by a party other than the registrant that relate to the initial stages of a registrant’s production of a good or service (e.g., materials sourcing, materials processing, and supplier activities), and downstream activities include activities by a party other than the registrant that relate to processing materials into a finished product and delivering it or providing a service to the end user (e.g., transportation and distribution, processing of sold products, use of sold products, end of life treatment of sold products, and investments).  The SEC explained that it deliberately included value chains within the definition of climate-related risks in order to capture the full extent of registrants’ potential exposure to climate-related risks, which can extend beyond their own operations to those of their suppliers, distributors, and others engaged in upstream or downstream activities.  Therefore, in order to comply with the proposed disclosure requirements, public companies will have to analyze and disclose not only their own climate-related risks, but also the risks stemming from their upstream and downstream suppliers (including impact of so-called “Scope 3” emissions).

Moreover, in addition to disclosing relevant climate-related risks, registrants would be required to describe the actual and potential impacts of the identified risks on their strategy, business model, and outlook. The Proposed Rule specifically notes that this disclosure includes any actual and potential impacts of climate-related risks on “suppliers and other parties in the company’s value chain.” Finally, publicly listed companies would be required to disclose governance-related information about any oversight of climate-related risks by the board of directors. Specifically, companies would be required to disclose:

  • any board members or board committees responsible for the oversight of climate-related risks;
  • whether any member of the board of directors has expertise in climate-related risks, including sufficient detail to fully describe the nature of the expertise;
  • a description of the processes and frequency by which the board or board committee discusses climate-related risks;
  • whether and how the board or board committee considers climate-related risks as part of its business strategy, risk management, and financial oversight such as when reviewing and guiding business strategy and major plans of action, when setting and monitoring implementation of risk management policies and performance objectives, when reviewing and approving annual budgets, and when overseeing major expenditures, acquisitions, and divestitures; and
  • whether and how the board sets climate-related targets or goals and how it oversees progress against those targets or goals.

Similarly, the Proposed Rule would require disclosures about management’s role in assessing and managing any climate-related risks.

GHG Emissions Disclosure – Scope 3 Emissions

The second category of disclosures required under the Proposed Rule is GHG emissions. The SEC noted that GHG emissions information is important to investment decisions, including because GHG emissions data is not only quantifiable and comparable across industries, but also capable of being used to evaluate the progress in meeting net-zero commitments and assessing any associated risks. The GHG emissions disclosures required under the Proposed Rule are based on the concept of scopes, which are themselves based on the concepts of direct and indirect emissions, developed by the GHG Protocol. The GHG Protocol has become the leading accounting and reporting standard for GHG emissions and thus the proposed definitions of Scope 1, Scope 2, and Scope 3 emissions are substantially similar to the corresponding definitions provided by the GHG Protocol.

Any supply chain related emissions disclosures are encompassed by the term “Scope 3 emissions,” which are defined as indirect emissions, not otherwise included in a registrant’s Scope 2 emissions (i.e., emissions  generated from the electricity, steam, heating and cooling consumed by the company), which occur in the upstream and downstream activities of a registrant’s value chain.  These emissions stem from the use of the registrant’s products, transportation of products (for example, to the registrant’s customers), end of life treatment of sold products, investments made by the registrant, as well as the transportation of goods in the registrant’s downstream supply chains and employee business travel and commute.  Recognizing the potential difficulty of calculating Scope 3 emissions, under the Proposed Rule, disclosure of Scope 3 emissions would only be required if those emissions are “material,” i.e., if there is a substantial likelihood that a reasonable investor would consider them important when making an investment or voting decision, or if the registrant has set a GHG emissions reduction target or goal that includes its Scope 3 emissions.  The Proposed Rule also includes a safe harbor for Scope 3 emissions disclosure from certain forms of liability under the Federal securities laws, an exemption for smaller reporting companies from the Scope 3 emissions disclosure provision, and a delayed compliance date for Scope 3 emissions disclosure.

Key Takeaways on Supply Chain Implications

Although the Proposed Rule has not yet been adopted and is almost certain to be challenged in court, companies are well-advised to begin implementing processes and procedures that would allow them access to their climate-risk and impact related supply chain data.  As recognized by the SEC, the investment community is interested in having more visibility into how companies are responding to climate risks, and thus a mandatory set of disclosures in this area appears to be on the horizon.  At the same time, because they are indirect and often several layers removed from the company, assessing supply chain related risks and impacts can be more difficult and thus time-intensive.  Even non-listed companies not directly subject to the Proposed Rule will likely be impacted as listed companies in their value chains require additional reporting and cooperation by their value chain partners to comply with SEC obligations. Therefore, to prepare for upcoming regulatory requirements (and demands by key value chain partners), companies should consider:

  • mapping out their upstream and downstream supply chains to understand relevant tier 1, tier 2, and below suppliers and their role in the company’s value chain;
  • developing a supply chain risk assessment process (in addition to climate risks, it may be useful and efficient to assess social risks also subject to emerging regulation and litigation, including forced and underage labor, human trafficking, and workers’ rights violations);
  • establishing a board of directors committee that would regularly review climate-related supply chain risks and impacts;
  • reviewing the efficacy of current policies, procedures, and other program elements to cover the risk of climate and governance failures both in supply chains and in broader enterprise operations;
  • reviewing their current emission and other climate-related targets to make sure they are achievable; and
  • communicating to their suppliers any climate impact and GHG emission goals and/or expectations.

The post United States: SEC’s Proposed Climate Disclosures: Supply Chain Implications and Key Takeaways appeared first on Global Compliance News.


The first wave of retaliatory tariffs against certain Chinese-origin goods (the so-called Section 301 duties) is set to terminate under the Trade Act of 1974 (“Trade Act”). By statute, the measures terminate after 4 years unless an affected party benefitting from the tariffs submits a request to the United States Trade Representative (“USTR”) that the action be continued within the final 60 days of the 4-year period. Once such a request is submitted, the USTR must conduct a review and determine whether the action should be continued. The first round of the Section 301 retaliatory tariffs on products of China, commonly known as “List 1,” was effective July 6, 2018, which means a request that this action be continued would need to be “submitted” between May 7, 2022 and July 6, 2022 to trigger USTR to conduct its review.

It is likely that the retaliatory tariffs will be maintained, and USTR’s review process may also create new opportunities for companies to submit comments concerning additional exclusions, reduced duty rates, and/or modifications to the list of products subject to the retaliatory duties. This process will also provide meaningful insight into how the Biden Administration intends to navigate the US-China trade relationship going forward.

Relatedly, on March 23, 2022, following review of public comments requested on October 8, 2021, USTR announced its determination to reinstate certain previously granted and extended product exclusions in the China Section 301 investigation. The determination reinstated 352 of the 549 exclusions under consideration. The reinstated product exclusions will apply retroactively from October 12, 2021, and extend through December 31, 2022. The reinstated exclusions are set forth in the Federal Register notice, which can be viewed here.

Companies should review the notice to confirm whether their imported products are covered by a reinstated exclusion and, if so, consider filing for Section 301 duty refunds (through either post summary corrections or protests). These reinstated exclusions cover articles entered for consumption on or after October 12, 2021. If entries of merchandise subject to a reinstated exclusion have already liquidated, a request for a refund must be filed via protest within the 180-day protest period.

If you have any questions, please contact one of our international trade team members.

The post United States: US Section 301 Duty Update: Section 301 Expiration Coming Up & Certain Product Exclusions Reinstated appeared first on Global Compliance News.


In brief

On 8 December 2021, Treasury issued a Notice of Proposed Rulemaking to allow the public to review and comment on proposed regulations (“Proposed Regulations”) to implement the beneficial ownership information reporting provisions of the Corporate Transparency Act (CTA). Passed on 1 January 2021, the CTA imposes on so-called “Reporting Companies” the obligation to report to the Financial Crimes Enforcement Network (FinCEN) information regarding their “Beneficial Owners” and company “Applicants.” This Client Alert reviews the Proposed Regulations and is a companion to our January 2021 Client Alert that provided an overview of the CTA shortly after it was enacted and which can be found here: Client Alert – Updates on Beneficial Ownership Reporting in the United States.

The CTA itself does not sufficiently define various terms essential for its implementation. The Proposed Regulations are intended to provide clarification and guidance on the reporting obligations mandated by the CTA. The Proposed Regulations are essential for another reason as well, since the CTA provides that its beneficial ownership reporting requirements take effect “… on the effective date of the regulations prescribed by the Secretary of the Treasury.”

Below we summarize the Proposed Regulations and draw special attention to FinCEN’s clarification of issues of concern for high net worth individuals.

Click here to download the full alert.

The post United States: Beneficial ownership reporting – Part II appeared first on Global Compliance News.


In brief

An influx of high-profile whistleblowing cases has made headlines in recent years, and claims (and awards) are on the rise. At the same time, more defined and greater protections for whistleblowers are coming into play in the US, UK and European Union. It’s essential that multinational employers be aware of the whistleblower regulations proliferating across the globe and the notable differences between regimes.

In this quick Chat Video, our Labor and Employment lawyers provide an overview of the changing landscape of whistleblower protections in the US, UK and EU. Our global team is regularly advising multinationals on:

  • How to create a “speak up” culture
  • How to build compliant whistleblowing systems (including navigating data privacy protections)
  • Best practices for management training
  • Sensitive cross-border investigations
  • How to draft and implement a global Code of Conduct

Speakers: Joseph Deng, Krissy Katzenstein and Julia Wilson.


The post United States, United Kingdom and European Union: Whistleblower developments for multinational employers (Video Chat) appeared first on Global Compliance News.


By Monique Henderson, Director of Third-Party Risk Management, HITRUST

Every organization has multiple processes scattered throughout every department to manage workflows and make them more repeatable. Inescapably, over time, these processes, procedures, and workflows become antiquated and unwieldy.

For example, years ago, everyone was used to paying highway tolls manually by following the existing process of throwing coins in the bucket. And we were good at it! We allowed extra time in our daily commutes for paying tolls along the way. We had change holders in our cars with quarters, dimes, and nickels, so we did not have to wait in the slower line to change out dollar bills for coins.

We got used to the process. Eventually, someone thought, “there’s got to be a better way to pay tolls!” This thinking led to the innovation of the digital toll tag and open road, overhead toll readers.

We’re All Tired of Inefficient Processes for Sharing and Consuming Information Protection Assurances

For organizations needing to share their data security results, the newer approach to managing tolls offers an example of how technology can transform an existing process: it can add efficiency to managing vendor IT security assurances, much as toll tags and overhead readers did for paying highway tolls. For years, businesses have exchanged reports by emailing PDFs to each other, manually receiving and processing one security and privacy assessment at a time. The existing process to obtain, interpret, and analyze vendor IT security and privacy assessment results is outdated for both assessed entities and their relying parties. It’s highly inefficient and time-consuming, which makes it extremely difficult to effectively monitor and manage vendors.

That’s because companies vetting vendor security risk are typically using an approach similar to the clunky old toll analogy of throwing coins into the bucket—by asking new vendors to answer lengthy, manual questionnaires as they try to navigate past the onboarding booth. Or requiring current vendors to provide annual assurance reports, which equates to relying on the toll attendant to make change and let them pass through. In addition to taking up valuable time from the vendor IT teams, it takes the companies requesting questionnaires and reports countless hours to receive vendor assurances and manually enter data into tracking spreadsheets or TPRM systems. Plus, since all the coins don’t always end up in the bucket, relying parties often must “honk their horns” to get their questions answered in a timely manner.

Under the current system of exchanging PDFs, once assessments are complete and received, then the relying party is forced to manually evaluate the scope and scoring of the security controls deployed by their vendors to determine third-party risk. Next, the organization must upload the report into a vendor risk management system and then repeat the process annually with every vendor—often at different times of the year, with different scopes, and different results. Today, it is difficult to effectively evaluate and manage vendor risk when there is little automation or analytics capabilities to rely upon.

In addition to the resources required to collect and manage the minimal information collected by questionnaires and reports, there’s also a huge opportunity cost. The current time-consuming process often distracts risk managers from focusing on higher value vendor management activities to mitigate risk. Just think of what else those resources could be doing if they received assurance data more efficiently — flowing digitally into a vendor risk management platform rather than in the typical PDF format.

The HITRUST Results Distribution System (RDS) Addresses the Highly Inefficient Process of Obtaining, Interpreting, and Analyzing Third-Party Assessment Results

Finally, The HITRUST Results Distribution System: A Fundamental Change to Managing Assessment Results

Here at HITRUST, we thought, “there must be a better way.” This led to an innovation called the HITRUST Results Distribution System (RDS), which makes it possible for assessed entities to share their HITRUST Assessment results securely and electronically with designated relying parties who can seamlessly view key aspects of the assessment through the RDS portal or by using an API interface with their own TPRM solution.

When I was a Sr. Risk Advisor for a major health plan, I would receive huge PDF reports from the vendors we were trying to evaluate or on-board. It would take at least 1-2 hours per report to find the bare minimum information we needed. I also had to make sure the report was authentic and current. In some cases, the PDFs were copy-protected or password-protected, which meant I had to go back to the vendor to get access to the data and then pore through these lengthy reports to manually find, cut, and paste key information into our GRC tool. We had to do this for hundreds of vendors! The existing process is so tedious and time-consuming that we had to pay to outsource it. It was just too much for our team.

Now that I am at HITRUST, I am passionate about the value the RDS solution can bring to my old team and any organization focused on managing third-party risk. Not only because it drives efficiency, but also because it can:

  • Reduce labor costs and enable risk managers to focus on higher-value activities
  • Allow organizations to better understand, monitor, and track vendor gaps in real-time
  • Allow relying parties to unleash analytics to make better business decisions faster
  • Speed up the process of onboarding new vendors

Buckle Up, the High-Speed Lane Solution is Here!

There is no scenario where large PDFs should be manually distributed to share the important assessment results another organization needs. We are beyond that in the supply chain risk management profession and in the cyber security industry. Much like the efficiencies toll tag authorities implemented in the transportation industry, HITRUST is the only assurance program that can integrate and innovate technologies that improve the user experience in assurance sharing. Once organizations realize that they can get their vendor risk assessments delivered through the HITRUST Results Distribution System, they will wonder how they ever lived through the old process.

Can you imagine going back to the time of toll booths and pocket change?

Me neither!

As a sneak preview, coming from HITRUST in the second half of 2022: Look for additional RDS analytics and reporting capabilities as well as more API interface options.



About the Author

Monique Henderson, Director Third-Party Risk Management, HITRUST

Monique has more than 15 years of expertise in Third-Party Risk Management, Cybersecurity/Continuous Risk Monitoring, and Vendor Contract Negotiation. In past positions, Monique stood up entire GRC programs as well as matured existing TPRM functions. Monique serves as a TPRM consultant to HITRUST clients offering suggestions on how to best leverage HITRUST certifications throughout their vendor populations, as well as counsel on how to mature other TPRM functions. Monique holds a BS degree from North Carolina Wesleyan College.

The post HITRUST Results Distribution System – New Tool for Obtaining, Consuming, and Managing Third-Party Assurance Results appeared first on HITRUST Alliance.


Baker McKenzie’s Sanctions Blog published the alert titled US Issues Full Blocking Sanctions on Sberbank and Alfa-Bank; New and Amended General Licenses; New Investment Ban for Russia on 7 April 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post US Issues Full Blocking Sanctions on Sberbank and Alfa-Bank; New and Amended General Licenses; New Investment Ban for Russia appeared first on Global Compliance News.


Sweeping reforms to the regulation of SPACs announced by the SEC

In brief

On 30 March 2022, the Securities and Exchange Commission (SEC) approved proposed rules relating to special purpose acquisition companies (SPACs) and released an accompanying fact sheet. Work on the final rules will begin following the public comment period, which ends on the later of 31 May 2022 and 30 days following the publication of the proposing release in the Federal Register.

Over the last year, the SEC has signaled that the SPAC market should expect regulatory changes in response to the unprecedented growth in use of SPAC vehicles. Prior to this proposal, guidance from the SEC on the topic has largely focused on disclosure requirements. The proposed rules are notable in that they reach beyond enhanced disclosure and address the following topics:

  • enhanced disclosure requirements, including those related to SPAC sponsors and projections;
  • liability of participants in de-SPAC transactions, including revised registration requirements for de-SPAC transactions, rules expanding when underwriters of SPAC initial public offerings will be deemed underwriters of de-SPAC transactions and the availability of the safe harbor for projections under the Private Securities Litigation Reform Act of 1995; and
  • the status of SPACs under the Investment Company Act of 1940 (“Investment Company Act“).

Click here to access full alert.

The post United States: SEC proposes rules for further disclosure and enhanced investor protections regarding SPACs appeared first on Global Compliance News.