Focus on compliance and governance in the Indian IT-ITeS sector

Traditionally not deemed a ‘regulated’ industry, the Information Technology and IT-enabled Services (IT-ITeS) sector is now among the key ones affected by a changing and stricter regulatory environment. Today, the sector is grappling with tighter laws on immigration, data localization and anti-corruption, as well as on data governance and privacy. In addition to ensuring compliance with new and strengthened governance reforms, IT-ITeS companies need to tackle challenges around data theft, cybercrime and recruitment fraud.

These emerging trends and recent governance legislation are simultaneously creating compliance obligations and business opportunities for IT-ITeS companies in India. Against this backdrop, listed below are some key developments affecting the governance and compliance environment that companies in this sector need to address on priority.

1. Anti-bribery and anti-corruption

India has witnessed increased enforcement actions impacting the compliance landscape with respect to anti-bribery and anti-corruption. The Prevention of Corruption (Amendment) Act (POCA) strengthens existing provisions and expands coverage of offences with some key changes including:

  • The party offering a bribe may now be pursued for POCA violations
  • Commercial organizations are now included in the scope of the Act
  • Commercial organizations will be held responsible for bribes originating from their employees or agents

IT-ITeS companies tend to have multiple government touchpoints in real estate and operations. Accordingly, they must design, implement, and/or revisit existing anti-bribery and anti-corruption programs to identify, evaluate and prioritize high risk areas and to promote compliance with the POCA.

Separately, violations under the US Foreign Corrupt Practices Act (FCPA) can lead to the Securities and Exchange Commission (SEC) indicting corporations and imposing sanctions. These include disgorgement, pre-judgment interest and civil monetary penalties, which can exceed the value of the improper payments made by companies seeking undue business advantage.

Recent incidents

A technology company
  • The company agreed to pay millions of dollars to settle charges that it violated the FCPA, and two of the company’s former executives were charged for their roles in facilitating the payment of millions of dollars in alleged bribes.
A medical technology firm
  • The SEC found that the company’s internal controls were insufficient to detect improper payments (in sales) in several countries
  • SEC found that its subsidiary was unable to maintain accurate books and records
  • The company agreed to settle the charges and pay a penalty

In light of the recent sanctions and settlements, companies are, in addition to conducting customized trainings, increasingly adopting comprehensive multi-modal audit plans proactively for FCPA compliance, demonstrating their commitment to mitigating violations, and periodically reviewing their existing anti-bribery compliance programs to test their effectiveness.

2. Prevention of Sexual Harassment of Women at the Workplace

In July 2018, the Companies Act was amended to mandate disclosure, as part of the Board of Directors’ report, of compliance with the requirement to constitute an Internal Committee (IC) under the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013.

The current environment demands that organizations focus their efforts on aligning their policies and frameworks with the Prevention of Sexual Harassment of Women at the Workplace regulation. Assessing compliance and readiness should include customized training and awareness sessions for the IC, senior management and employees (including web-based learning modules) and an internal awareness campaign on the subject. Organizations should also continue investing in background screening of prospective employees, which can indicate a candidate’s behaviour and personality. A zero-tolerance approach toward inappropriate behaviour will also signal the organization’s commitment to protecting women at the workplace. Conducting fair and impartial investigations whenever an incident is reported is a key determinant of how employees and others view the commitment of the board and top management toward this important initiative.

3. Unpublished Price Sensitive Information

Recently, the Securities and Exchange Board of India (SEBI) amended the Prohibition of Insider Trading Regulations, 2015, which now mandate companies, inter alia, to 1) frame a policy for determining the “Legitimate Purposes” for which unpublished price sensitive information (UPSI) may be shared; 2) set up and maintain a digital database containing the names of the organizations and individuals with whom UPSI is shared; 3) have the board of directors formulate or amend a code of conduct to regulate, monitor and report trading by designated persons and their immediate relatives; and 4) put in place adequate and effective internal controls to ensure compliance with these regulations, including identifying all employees who have access to UPSI and signing confidentiality agreements with, or serving notice to, all such employees and persons.

All IT-ITeS companies that handle their own or other companies’ sensitive data will have to design and implement policies and procedures to safeguard UPSI in line with the requirements of the amended regulations. They should also formulate written policies and procedures for inquiry in case of a leak or suspected leak of UPSI, initiate appropriate inquiries on becoming aware of such a leak, and promptly inform the board of such leaks, inquiries and their results.

4. Data privacy

The proposed Data (Privacy and Protection) Bill 2018 has a data localization clause, which can lead to increased costs for software companies and hinder their ability to transfer and process personal data across jurisdictions. For instance, the Bill requires that certain personal data be processed exclusively on servers or in data centres located in India. This will prove to be a barrier for companies utilizing cloud-based technologies to manage their data.

The draft bill also proposes to make data fiduciaries responsible for implementing policies that embed privacy in all systems, applications and architecture (privacy by design and by default). The resulting changes to companies’ existing IT systems may create new business opportunities for IT-ITeS companies. The bill would affect the way global technology companies invest and operate in India: new programs will need to be put in place, while existing compliance and data privacy programs will require revision. With the advent of artificial intelligence, public concern at the prospect of organizations compromising the security of personal data has reached a new level.

5. Data theft and data breach

Data theft and cyber-attacks have seen a rapid rise in India. Between January and November 2018, over 15,700 Indian websites, including 100 government portals, were hacked, as per data provided by the Minister of State for Electronics and IT. One of the direct consequences of companies’ increasing dependence on data is the rapid rise of cybercrime. Data theft, identity theft, hacking, malware and viruses have become common occurrences and are among the biggest perceived risks for modern-day business. Recently, the courts have demonstrated a new appetite for data security enforcement. Breaking with precedent, in a case regarding the theft of product information and supply chain data by a senior employee, the court directed the accused to disclose what confidential and proprietary information was in their possession.

It is increasingly important for organizations to take steps to protect data that originates in, is shared in, or is stored in India. Unlike in the past, courts and enforcement agencies are now pursuing those who misuse a company’s intellectual property and confidential data. IT-ITeS companies must be prepared to participate in due process whenever an incident is discovered or there is suspicion of misuse or theft of the company’s IP or confidential data.

6. Social media policies

Maintaining brand sustainability can be one of the biggest challenges for any organization. Threats to brand reputation can come in many forms, including the misuse of social media by employees. While some organizations have included relevant clauses in their code of conduct covering damage to the brand, off-duty conduct, political affiliations or contributions, and social media or instant messenger guidelines, among others, there are still many organizations that do not have a dedicated social media policy. Further, the policies instituted by companies may become ineffective over time if regular training and awareness sessions are not conducted for the various stakeholders. For example, it is increasingly important to obtain annual declarations from employees confirming that they have completed training and understand the policies and procedures that apply to them.

A social media incident response plan should be prepared by the company, setting out the appropriate steps to be taken when incidents are reported or unethical matters are discovered. The plan should also assign responsibilities, define committees and timelines, and set the criteria for determining the action to be taken.

Prakash Lohia, Director, Forensic & Integrity Services at EY India also contributed to the above post.