Effective Execution of Internal Compliance Reviews in China

Introduction – Early Execution Decisions Shape Review Outcomes

The legal and practical considerations for internal compliance reviews conducted in China by corporate headquarters of international companies are non-trivial and can be daunting, both for in-house teams and external counsel. However, the challenges are far from insurmountable, particularly where cross-border assignments are conducted with the support of experienced in-country experts and attention is paid to several common execution pitfalls.

Failure to make the right decisions around data handling, scope of review, and review methodology during the early stages of an internal compliance review may cause issues to arise later, when findings are scrutinized, when external auditors probe any gaps, or when outside authorities get involved. In practice, this frequently requires a shift in mindset away from “exporting data for review” towards “reviewing in situ,” to comply with data laws while conducting an effective review.

It should be noted that all such reviews are conducted within the scope of corporate authority and established compliance, audit, and employment frameworks, and are distinct from any law-enforcement or regulatory authority’s investigation.

Pitfall #1 — Treating Data Handling as a Binary Question

There sometimes is a misperception that “getting information out of China is almost impossible,” which deters counsel from conducting necessary and valuable fact-finding reviews in China. In practice, the view that data issues are intractable is extreme and does not reflect how data compliance frameworks are navigated by many companies. Routine internal reviews are feasible and common, so long as data compliance and data sovereignty requirements are respected. Corporate ethics and compliance programs are expected, and multinational companies maintaining internal controls and whistleblower mechanisms are viewed as reducing systemic risk, not creating it.

Data preservation, data processing, and any cross-border sharing of information are distinct stages, each carrying different legal considerations. A general principle is to keep data review in-country, using onshore data hosting and in-China reviewers. Any data potentially touching state secrets or other sensitive information should be segregated, and People’s Republic of China (PRC) counsel should be enlisted to screen data prior to cross-border transfer. Certain data may need to be withheld from export or redacted to comply with relevant laws and regulations.

Indiscriminate access, review, and data export practices can create compliance exposure even where underlying objectives are legitimate. In practice, many avoidable difficulties arise not from whether data can be accessed at all, but from how early decisions are made around scope, sequencing of the review process, and review location.

Pitfall #2 — Corporate Systems Alone Rarely Tell the Full Story

Another significant challenge when conducting internal reviews in China is the widespread use of the personal messaging tool WeChat to conduct business. As a result, information relevant to internal compliance reviews often does not reside solely within company-controlled systems, and reviews built around email servers, enterprise resource planning (ERP) data, and accounting records frequently fail to reflect how business is actually conducted in practice.

Discussions with distributors, agents, vendors, customers, and colleagues routinely occur through mobile messages, voice notes, and group chats in WeChat, despite efforts through corporate policies to prohibit or prevent this. Failure to gain access to such records, with appropriate consent and consideration given to privacy laws, can impose material limitations on internal reviews which compromise the reliability of their conclusions, particularly when findings are later scrutinized by auditors or other stakeholders.

Careful consideration therefore needs to be given to collection scope, when and how to request chat records, and the appropriate legal safeguards. Where access is not possible, this should be clearly documented, along with the reasons, so that any evidentiary limitations are transparent and defensible if review conclusions are later challenged.

Pitfall #3 — When Interview Missteps Distort Review Outcomes

Information-gathering interviews conducted as part of internal compliance reviews in China require more than technical questioning skills. Cultural calibration, including rapport-building and respectful tone, is important to avoid approaches that could shut down disclosure from interviewees. Caution is also needed to avoid misinterpreting cultural differences and language barriers, such as reserved behavior, indirect communication styles, or hierarchy-driven reticence, which can otherwise be mistaken for evasiveness or lack of cooperation.

Interview planning also matters a great deal, including logistical considerations such as where the interview should take place and who should be present. In practice, interview format, location, and participant composition can materially affect how forthcoming interviewees are. Face-to-face interviews are often more effective, and sometimes necessary, particularly where mobile device collection is anticipated or sensitive topics are being discussed.

When approached thoughtfully, interviews can provide important context and clarification to support internal reviews; when mishandled, they can distort fact patterns, limit cooperation, and reduce the reliability of information obtained. Careful planning, cultural awareness, and consistency with employment and compliance frameworks are therefore essential to ensuring that interview outcomes remain balanced, constructive, and defensible.

Pitfall #4 — Missing Patterns That Only Emerge at Scale

China’s business environment has become highly digitized, transaction-dense, and platform-driven. For instance, routine use of cash has largely been replaced by digital payments. Corporates also generate significant volumes of transactional and activity data across multiple systems and databases.

In this environment, traditional reliance on interviews and sample-based testing is often insufficient. Forensic data analytics applied to internal business data — such as micro-payments, system metadata, and user-activity logs — allow review teams to identify issues through patterns, trends, and anomalies rather than isolated transactions. This approach helps surface connections and risk indicators that may not be apparent through conventional review techniques.

Analytics do not replace professional judgment. They inform it, providing an objective basis to assess whether issues are isolated or systemic and whether explanations align with actual business activity. When used appropriately, analytics also enhance efficiency and support risk-based scoping. For example, they can be used to identify higher-risk areas, employees, customers, third parties, time periods, or regions for deeper review and targeted follow-up.

In practice, internal reviews that rely too heavily on interviews and sample-based testing often miss patterns that only become visible at scale. Without analytics, teams may draw comfort from explanations that are not tested against underlying transaction data. Integrating proportionate analytics helps ensure that review conclusions reflect how the business actually operates, rather than isolated data points or narratives.

Case Examples

| Pitfalls | Practical Examples of Good Practice |
| --- | --- |
| #1 — Treating Data Handling as a Binary Question | Certain documents collected during an internal review in China into allegations of financial statement fraud were required to be produced to a U.S. regulator. The documents were hosted and reviewed within China, with PRC counsel assessing them for state secrets and other sensitive data. Cross-border transfer was undertaken only after appropriate redactions were made and certain documents were withheld. Relevant Chinese regulators were also notified of the data transfer. |
| #2 — Corporate Systems Alone Rarely Tell the Full Story | During an internal review into alleged bid-rigging in connection with a public tender, WeChat records collected during witness interviews provided evidence that team members had colluded with one another and with external parties to ensure that their company won the tender. The chat records included discussions about coordinating with bidders who were expected to lose, as well as incriminating files. |
| #3 — When Interview Missteps Distort Review Outcomes | An interview of a China-based employee was conducted by U.S. external counsel via Teams, with the assistance of a bilingual forensic professional physically present with the interviewee in China. The forensic professional acted as an interpreter and, with the interviewee’s consent, reviewed relevant WeChat records during the interview. It was determined that the interviewee appeared to have intentionally deleted certain chat records prior to the interview and that there were a number of credibility concerns. |
| #4 — Missing Patterns That Only Emerge at Scale | Certain allegations were received against employees at a Chinese affiliate of a multinational life sciences company. During the subsequent internal review, analysis of Internet protocol (IP) address records and other metadata relating to virtual speaker programs identified widespread falsification of meeting attendees in order to fraudulently satisfy compliance requirements. |

Closing Perspective

Internal compliance reviews in China are rarely undermined by a single legal restriction or data rule. In practice, challenges more often arise from early execution decisions that do not fully account for how business is conducted and how information is generated and retained.

Well-designed reviews integrate legal oversight with in-country data review, proportionate access to relevant business communications, culturally attuned employee discussions, and appropriate use of data analytics. In our experience, this integrated, execution-focused approach — grounded in corporate authority, proportionality, and disciplined documentation — supports clearer conclusions and greater resilience under scrutiny from audit, governance, or regulatory stakeholders.

For legal teams, insisting on this execution discipline at the outset is often what determines whether a review contains risk or escalates it unnecessarily.

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice. 
