Engineers, Know Your Customer!

There’s quite a bit of value to knowing who your customer is. For one, you’ll better understand what’s important for the business, and you’ll be able to avoid deep pits that could get you (or your customer) into trouble. In my opinion, this kind of research makes sense, even if you’re a software engineer. We’re not trying to match some regulatory requirement, which means we can keep this light.

For many large-scale enterprises, the following approach won’t work, but for many small and medium-scale For companies with limited business dealings, it works quite well. In particular, the same methodology also applies to suppliers.

Some of these things are centered around Germany, some cover international postings. You might need to adapt these to your circumstances.

Research

For starters, we’ll try to map out what kind of business we’re actually dealing with. Somebody asks you: “Would you mind doing some Kubernetes revamp at ACME Inc. in six weeks?” That means, I’ll look into what ACME is actually trying to achieve, product-wise.

If you feel you’re getting too much information into your system, I can assure you that many people have this feeling. My solution is to quit/block janky social media shit (like LinkedIn) and stick to the evening news. It’s worked for a couple of generations, and it might work for you, too.

Wikipedia

Check the Wikipedia page and the discussion page. The Wikipedia page should list a couple of things:

• legal entity type (e.g., GmbH, or such)
• Where are the headquarters, from where is the company controlled
• company history: renaming and past scandals (predecessor companies)
• What do these people actually sell (e.g., paint and solvents) and roughly how their position in the market is

You would be surprised how many people never look up the Wikipedia page of their customer/posting. I really enjoy this because it gives me some context about the companies I work with.

Public Register

The public register is important to assert company ownership (see above) and the current state. If a court has opened insolvency proceedings, the company should be stricken from the register, i.e., the entry will read that the company ceases operations.

You can find the register for Germany here: https://www.handelsregister.de

The register is fairly reliable, but there are quite a few technical hiccups. It’s possible to lock entries, but only temporarily. The register actually has unnamed and unexplained numeric error codes, and these can be explained by referencing this document (obtained via IFSG, German FOIA):

https://fragdenstaat.de/anfrage/errorcodes-des-gemeinsamen-registerportals-der-laender

This register includes commercial and not-for-profit companies and associations. It does not contain foundations, which should be listed in the “transparency register”. This register is not public and last I checked it was incomplete and out of date. It’s probably time to rename it to “instransparency register”. A foundation is the standard way to cloak ownership, i.e., for wealthy families.

The other standard way is to register a company in, e.g., Luxembourg.

In general, the register tells you who is responsible, but the information might be less useful to see the true owners, i.e., if the ownership information is a dead end (like a foundation or a hard-to-find post box in Luxembourg).

Regulator

Most of the time, regulatory requirements are molded into specific company regulations. These company regulations usually follow some ISO scheme, and there are quite a few to choose from.

If you work in IT, you’ll have to deal with a couple of general regulations and laws. Here’s the most general stuff. You should know that these exist and where to find them. Knowing that these exist gives you some context on why you need to jump through some extra hoops.

• Confidentiality of Mail and Telecommunication, which in German is the Fernmelde- und Postgeheimnis. This privileged status of communications is internationally accepted. There’s a page in the German Wikipedia (https://de.wikipedia.org/wiki/Fernmeldegeheimnis) and the ITU has a page here (https://www.itu.int/en/wcit-12/pages/itrs.aspx).
• General Data Protection Regulation, which led to the DS-GVO, which in turn is a more precise version of the Bundesdatenschutzgesetz (BSDG). Again, Wikipedia has you covered: https://de.wikipedia.org/wiki/Datenschutz-Grundverordnung
• Critical Infrastructure Regulation, in Germany, this is covered by the Kritis-VO (https://www.gesetze-im-internet.de/bsi-kritisv/BJNR095800016.html).

Check who the regulator is for your company. Many industries have a dedicated regulator (as part of the public administration). Companies can and often are regulated by multiple regulators. All of the following offices should be neutral politically and base their recommendations on the best current practice.

• data/it regulators, in Germany this role is taken by the Bundesamt fuer Sicherheit in der Informationstechnologie - BSI. They do limited operations (like ordering sinkholing) and provide standards and guidance for government IT operations and the wider public. https://www.bsi.bund.de
• financial services authority, like the German BaFin (https://www.bafin.de); These people directly set IT standards/requirements if you handle financial transactions,
• environmental protection agency, like the Umweltbundesamt (https://www.umweltbundesamt.de/); tracks chemical accidents, release of dangerous substances; they also engage in refining regulations like REACH and ROHS, and tracking population levels of lead, among many other things; their task is to provide consulting to politicians and the wider public
• occupational health and safety, this is mostly tracked by the German Deutsche Gesetzliche Unfallversicherung (https://www.dguv.de), these people set standards regarding exposure to dangerous substances; they moderate the process that results in a recognized occupational health risk.

You’re less likely to come into conflict with the latter two agencies, but that can happen, e.g., if your postings focus around industrial settings.

Whistleblower laws are common around Europe. In Germany, the law in question is the “Hinweisgeberschutzgesetz”. Many companies run their own whistleblower portal that allows you to report violations directly to the management. You can choose whether to use the company’s portal or to send it to the corresponding regulator. (See: https://de.wikipedia.org/wiki/Hinweisgeberschutzgesetz)

General Sources

There are a couple of organizations that provide useful general guidance around assignments with touchpoints in foreign countries. This particular selection I checked, because these organizations are “established” and offer a global footprint.

• Human Rights Watch https://www.hrw.org
• Amnesty International https://amnesty.org
• Transparency International https://transparancy.org

The foreign office has an official list of “travel warnings” and other information around security in different countries, this includes security issues like civil war, civil unrest, and armed conflict.

https://www.auswaertiges-amt.de/de/reiseundsicherheit/10-2-8reisewarnungen

Quite a few small and medium-scale companies have extensive overseas engagements, especially if we go into high-value products. Companies like Cargill, Nestlé, Siemens, or BMW basically cover the globe. Problems with shady regions or engagement in shady activity might show up on Wikipedia; the info here can help to contextualize.

Finally, you can query a newspaper archive. My recommendation is to look into the following:

• Financial Times, https://ft.com
• NY Times, https://nyt.com
• South China Morning Post, https://scmp.com

All of these should be obtainable in a good library.

Backgrounder: How Kickbacks Work (PEP)

You might have had to fill out some forms about your relationship to politically exposed persons in recent years. The regulations in question try to reduce corruption. They specifically target some scenario, like the following fictional case of bribery.

Your wife is a high-ranking member of the government with executive powers. Let’s say, she’s the mayor of a city with 5 million people.

You’re a member of the “Club of the Nouveau Riche,” which is a registered charity.

Now ACME Inc pays 5 million EUR to the Club, which gets transferred to you to pay for your consulting services, or let’s say the Club funnels this money to you in the form of a very nice car.

In exchange for this very nice gift, your wife buys the latest ACME Inc. bubble cannons for the city cops.

The bribery here is clear: ACME funnels the money via a registered charity, and this way they bribe “your wife” to buy their stuff with taxpayer money.

The regulation in question does not mandate that you can’t transfer money to PEPs. It mandates that ACME Inc. and its compliance department make a strong effort to prevent this from happening.

That’s the reason you had to fill out this form. These requirements flow from the FATF.

The Final Countdown

I don’t think this is super involved. You check Wikipedia and poke the register. Then make sure that you know which regulator is applicable, and you’re mostly good, IMO.

I cover some basics in this article. There are quite a few unwritten chapters: Proliferation risks and financial crime, among others. And a lot of ways to dig deeper.

I think this has helped me in the past, even if I worked in an FTE capacity.

Happy hacking.