Legal and compliance risk management: Towards principles of best practice

Roundtable one, 29 April 2008: Challenges of a changing environment


Introduction and Chairman’s opening remarks

On 29 April 2008 a group of academics, practitioners and legal, compliance and risk professionals met at Herbert Smith LLP to debate the definitions of legal and compliance risk, the key challenges and drivers for change in how these risks are managed, and the response of the financial institutions to these challenges.

The discussions were conducted under modified Chatham House rules, with participants agreeing that their comments, duly anonymised, could be reproduced subsequently on an unattributable basis.

Chairman’s opening remarks

The recent credit crunch has highlighted the extent of the risks, as well as the rewards, inherent in the financial services sector. Banks are charged with delivering a quasi social service; the provision of products such as current accounts and mortgages is no longer just a matter of private contract but is heavily regulated in favour of consumers and according to imprecise yet ever expanding concepts of fairness.

Banks trade in legal constructs at the centre of a complex web of law and regulation – the days when such issues were just a matter for shareholders are long gone. If the law governing those constructs does not function as expected, this will impact on the heart of their business models.

Legal risk is thus an all-pervasive threat, yet there has been to date no consensus over what legal risk actually is, and it is increasingly apparent that the managers and owners of legal risk need some precision as to its definition and management.

Executive summary

• There is some variation in the extent to which different financial institutions maintain a distinction between their legal and compliance functions in terms of their organisational structures and definitions.

• There remain concerns at the use of traditional operational risk management techniques for the management of legal and compliance risk and about how best to attribute quantitative value to these risks (although this is common with most operational risks).

• There is also concern that institutions lack clarity as to the expectations of regulators in relation to legal and compliance risk management policies and techniques.

• There appears to be some consensus that, despite the limitations of a “box ticking” exercise, such systematic identification and assessment of legal and compliance risks (when developed and used properly) can be extremely valuable.

Session 1: Defining legal and compliance risk

There is a wide spectrum of definitions of legal and compliance risk. Some seek to use a mixture of soft and hard norms; some focus on the risk of loss arising from non-compliance with such norms; and some focus on the environmental uncertainty created by the institutions that create the law within which the sector operates.

Definitions have acquired more of an operational risk content but it is not clear whether there is any consensus as to how firms operationalise their risk management functions to encompass legal and compliance risk management. This may be influenced in various ways:

• by trends towards structuring expertise in certain ways, with compliance risk sitting within legal risk in some models;

• as a response to scandals or shocks (eg, Siemens’ response to bribery investigations); or

• because responsibility for legal risk is moving away from the legal function towards risk management as this evolves more generally.

Key questions include how firms’ risk management functions relate to their compliance and legal departments; which professionals should be or are involved in the process; how lawyers, accountants and risk management professionals can work together best to manage legal risk; and whether there is any demand for a more holistic system of legal risk/compliance management.

One firm simply defines “legal risk” in terms of financial loss, being a simple concept that is readily understandable by non-lawyers. Others have extensive definitions, but express scepticism about the way they are used.

Some organisations draw stark differences between legal risk and compliance risk. Legal risk issues revolve around legal advice given to an operational section of the business, but it is those in the business, not the lawyers, who remain responsible for the risk – they decide whether to accept or reject legal advice, which is risk based. Compliance, on the other hand, is ultimately owned by the Chief Executive, and is conceived of in terms of enforcing the firm’s established policies and procedures: compliance input is prescriptive rather than advisory.

Others take a different view – that risk ownership depends more on the certainty or uncertainty of the risks. Where it is clear that to act in certain ways will give rise to adverse legal or compliance consequences, then it is for the risk manager to make this plain to the business and, if the message is ignored, to escalate it. In cases of uncertainty, regulatory or otherwise, it would be for the business to make the risk decision. The business should be the first line of defence to such risks, and compliance acts as the “conscience” of the business, rather than as its police. Ideally legal and compliance risk managers would also work closely with internal audit, to achieve a more sophisticated result, although in practice it is difficult for internal audit to strike a balance between the need to maintain independence and a full understanding of the business.

Many feel that the business owns legal and compliance risk but the legal and compliance teams analyse and identify how those risks arise and quantify them - often in ways that the business will not understand - although a more integrated approach would be preferable.

Elsewhere, legal risk ownership is shared between the legal and operational functions, particularly when defined as a risk of financial loss - which is easily understood by non-lawyers. Concerns over the availability of attorney/client privilege often mean that the business’s legal and compliance functions are combined under the supervision of a lawyer to ensure that privilege is preserved – but this is not necessarily seen as a step in an evolutionary process towards a fully integrated team.

In terms of structure, the issues can be usefully illustrated by the following example - most banks and securities firms have a control room from which all potential conflicts and flows of price sensitive information are managed. Regulatory rules do not prescribe how this should be structured, but it is usually located within compliance. What is managed there is both legal and compliance risk but in order to manage it, firms need to rely on operational controls: although organisationally the management of these three types of risk is separated, in practice they cannot be delinked. This may suggest that it is wrong to focus on complex issues of ownership of risk.

Regulatory ideology seems to be moving compliance towards risk management practices, not least because Basel II speaks of legal risk as a subset of operational risk, but this has some drawbacks as a risk management approach as it is quite mathematical and not always appropriate to the measurement of legal risk. Attempts to merge the two functions can run into difficulties: lawyers have historically demonstrated little appetite for spreadsheets, for example. However, there are activities which either class of professional could perform; for example, the analysis of a contract to ensure that the correct dates on which to exercise options are recorded and acted upon.

The overlap between the interests of legal and other operational risk departments has become more apparent most recently in the transition to more principles-based regulation (MPBR). As MPBR imports “softer” concepts of fairness, integrity and the like, all areas must work together more closely even whilst maintaining separate reporting lines and duties for each discipline. However greater integration with operational risk management leads to abstract concepts being isolated and transformed into hard (although not necessarily detailed or prescriptive) rules which can then be made subject to operational risk management. Legal and compliance risk are not necessarily adequately identified or assessed by their inclusion in an organisational operational risk matrix.

Although integrated assurance frameworks can work, front line managers are the first line of defence, and assurance functions tend to exclude legal risk management. This may be because in many cases legal risk is a difficult concept to define, but for measurement, clear definitions are needed. Legal functions tend to be more transactionally focussed and less inclined to measure and monitor risks.

The mere fact that Basel II puts legal risk under the operational risk umbrella does not necessarily mean operational risk techniques should be used.


Conclusions

There are some signs of a trend towards the merger of the management of legal, compliance and other operational risks although this is not a universally observed phenomenon. The effectiveness of internal structures in which different risk types are allocated to certain functions may often depend on the interaction between individuals regardless of the formal structuring of the organisation. To an extent, internal structure will be less relevant if individuals from each function work together in practice - although this is more likely to happen if the respective functions are organisationally aligned. The key regulatory imperative is to ensure that senior management are engaged in the management of all risks. Although it is increasingly difficult to draw clear distinctions between legal and compliance risk, the question remains whether it is appropriate to use operational risk management tools to attempt to manage legal risks. As the discussion above shows, there is a demonstrably wide range of different approaches and cultures in the identification, logging and measuring of legal risk. This makes it difficult to draw conclusions about which structures, skills and tools are optimal for managing legal risk.


Session 2: Key challenges and drivers for change

The Basel II accord includes legal risk in its definition of operational risk; and in this context “legal risk” encompasses compliance risk. It would be interesting to hear how firms have implemented Basel II and the CRD, and how this is playing out in practice. Basel II does not specify what the “advanced approach to the management of legal risk” might look like, and neither the regulator, in-house lawyers nor practitioners have currently produced much thinking on this.

MPBR has a profound impact on our understanding of “compliance risk”. Classic definitions of compliance risk focus on the risk of loss to the institution from breaches of laws or regulations, but these are of limited use in a principles-based environment. MPBR deliberately injects uncertainty as to the applicable standards in order to make firms think for themselves what specific compliance arrangements are needed in order to achieve the regulatory outcomes set by the FSA. This reflects the transfer, from regulator to regulated, of responsibility for assessing the risks that firms’ businesses pose to broader regulatory goals. This is a key feature of MPBR. This means that compliance risk is wider than merely the risk of regulatory breach and attendant sanctions. The FSA’s supervision and enforcement processes can provide some very different expectations as to the way in which firms should manage compliance risk. In respect of initiatives such as Treating Customers Fairly, firms need to be able to evidence that they have gone through a risk-based assessment of how their systems interact with the FSA’s specified outcomes.

The definition of risk focussed on by MPBR is closer to an analysis of risk that the firm poses to its customers, which is a goal external to the firm’s own business objectives. Through MPBR, the FSA has shifted the responsibility for the management of these risks from itself to the regulated community - it appears to be trying to adjust firms’ “moral compass”. It remains to be seen whether the FSA’s strategic shift in policy will be effective (the FSA has arguably also delegated the task of measuring the effectiveness of its principles-based regime to firms themselves) and there may yet be areas which turn more on matters of conscience and ethics than on the threat to the FSA’s regulatory objectives.

It is clear however, that the FSA’s emphasis on senior management responsibility will force senior managers to engage more closely with legal and compliance officers collectively to set their firm’s risk appetite (if indeed it is permissible to have a “compliance risk appetite” of anything other than zero).

The greatest challenge will be at the supervisory interface, which will have to become more open and frank and through which the FSA will have to be prepared to engage with businesses and answer questions regarding the firm’s internal approach to achieving a particular outcome specified by the FSA. The fallout from Northern Rock gives rise to the risk that the behaviour of FSA supervisors may become more conservative in practice which may itself make MPBR unworkable on the ground. Conversely, the fallout from Northern Rock may herald a return to more detailed rules, notably in the area of liquidity risk.

The plethora of informal FSA guidance materials makes it increasingly difficult for compliance officers to gauge the FSA’s regulatory expectations. The FSA will have to be more disciplined about the issuing of new guidance and in particular about indicating where existing guidance is no longer relevant. Even larger firms tend not to have proper processes in place to keep track of the guidance issued by the FSA and the clear risk of “regulatory creep” from a growing body of detailed informal FSA guidance (treated by firms in practice as if it had the force of FSA rules or formal FSA guidance) is still present. The FSA’s focus on the development of policies by firms also gives rise to the risk that those policies will be set at a detailed level, with the result that they may become increasingly prescriptive and require frequent updating.

The FSA, other regulators and lawmakers (both in the UK and elsewhere) need to resist the temptation to “knee jerk” and impose ill thought out rules and laws in response to recent economic shocks (for example, the collapse of Northern Rock, the credit crunch and rogue trader losses).

The risk of a criticism by the regulator of a gap between a firm’s own assessment of an acceptable appetite for compliance risk and that of the FSA may in itself be a new breed of compliance risk. Therefore, through MPBR, is the FSA asking firms to do the impossible?

Setting a firm’s appetite for qualitative not quantitative risks (for example, reputational risk, fraud risk) is not a new technique, but it may be difficult to do the same in relation to the external social evil of failing to advance the FSA’s regulatory objectives. Others suggested that thinking about social outcomes was not necessarily a new issue – firms wrestle with reputational issues all the time. The problem is that a benchmark is being set outside the firm. What is truly different is the need to make the process more systematic, and more transparent. The regulator’s stress on “evidencing” the process tends to force firms to translate soft concepts into more detailed controls that are themselves receptive to the FSA’s apparent expectations.

Some contributors felt it would be difficult if not impossible to measure the risk to a firm’s bottom line of unquantifiable social benchmarks set externally to the firm.

Some questioned the appropriateness of a regulator setting social benchmarks. This is the province of legislators; the regulator’s role is primarily to ensure orderly markets. However, the FSA’s statutory objectives under FSMA do allow the FSA licence to trespass into these areas, but subject to formal restraints such as cost-benefit analyses and consultation – although these are already being by-passed through the production of informal guidance.


Session 3: How are financial institutions responding?

There may be many reasons for identifying and documenting risk. In order of increasing utility, these can include:

• maintaining a record;

• satisfying regulators;

• repairing specific damage once a risk has crystallised;

• repairing the underlying process once a risk has crystallised;

• attributing financial impact to the risk;

• allocating capital and resources to areas of the business; and

• influencing strategy and contributing value.

To achieve the latter goals, risks must be measurable, comparable, consistent and meaningful; the challenge is to design data that will not only help the risk manager attribute a value to particular events or risks, but then to use that data in a predictive way to inform the risk environment in the future. Other than credit risk and market risk data, it may be difficult to identify types of risk management data which can be truly predictive. Operational failures tend to produce little data of predictive value – they tell you about stable doors that have been shut rather than the ones that are left open. This creates a problem because in order to attribute a capital value to data, you must believe the predictive value is there.

Many of the risks which firms are already being required to assess under the Basel II regime are not necessarily quantitative or measurable. Yet in order to allocate capital to those risks firms have to act as if they are. Moreover, in Solvency II, reputational risk is included within the operational risk category. Practitioners struggle with how to value reputational risk even when the methodology is there; the further challenge introduced by MPBR is that the outcomes against which a risk evaluation must take place may be set by wider stakeholder groups than senior management at the firm.

The structuring of firms’ risk management functions may be far less relevant than the quality of the people carrying out the risk management and the scope of the risks which are to be assessed.

One way of grappling with the scope question is to ask whether there are any compliance or legal risks which are not in themselves due to operational failures, namely those involving people, process, systems or assets. If it is accepted that legal and compliance risks are all caused by operational risks, then a new definition of regulatory risk emerges which is the risk of incorrectly articulating the outcome of operational failure to regulators. One methodology for doing so is to approach risk management from an operational perspective rather than a top-down, classic risk management perspective: to “look through the other end of the telescope”. In other words, rather than starting with a list of the legal and regulatory rules to which a firm is subject and identifying what risks they pose, to list out a firm’s operational process controls and then to assess what legal or regulatory problems a failure in any one of those controls would produce. Given that it is this type of risk which is hard to quantify and value and which has given rise to many of the major shocks to the sector in recent times, the need for a consistent method to appraise them is all the greater. Yet the expectation is that irrespective of these difficulties, Basel II, the CRD and Solvency II evidence the general expectation that organisations can articulate and value any type of important risk to which they are subject.

An additional problem is that when firms formulate their business models, they are used to taking extremely long term decisions on how to operate, informed by a series of controls which are designed to consider the risk analysis to support those models. Nevertheless, this approach cannot take account of the fact that the legal and regulatory climate can change around them. For example, the “free-if-in-credit” banking model was developed in the late 1970s, but the OFT was only handed its powers over consumer credit in the last decade. One function of any piece of legal risk management will be to look at predicting forward changes in legislation and regulation – “upstream legal risk management”.

Although the object of all such analysis is to allocate capital against quantifiable risks, there was no consensus as to whether the data available to managers of legal and compliance risk will allow this kind of process to take place. The uncertainty engendered by informal FSA guidance makes this task even more difficult, a trend that will accelerate as a result of MPBR.


Parallel work on the political/regulatory environment can also be useful if it does not become too esoteric – issues such as the composition of the European Commission after the next change of Commissioners could have a significant impact on the legal and regulatory framework - but this still does not enable businesses to make any strides towards validating the predictive nature of the data which is generated from such an exercise.

Further problems include:

• compliance and legal professionals who are used to focussing on details but not necessarily to identifying and quantifying risks

• cultural differences

• parties protecting their position

• the history of an institution in terms of its organisational structure

all of which may hinder a holistic approach to risk management.

One organisation retained a consultant who attempted to reduce every potential risk to a monetary value and then asked the owners of those risks to estimate their “real value” in practice – the relatively high values initially assigned by the businesses in the initial exercise were then significantly reduced to what experience suggested were more realistic figures.

The FSA’s move to a more principles-based approach requires a change in culture. Managers need to ask themselves how they operationalise cultural change. They have been used to compliance taking the lead, and to a tick box process, and look to push responsibility for compliance onto legal and compliance functions. This remains a significant challenge.

In summary, the challenge faced by risk professionals is how to provide a credible and dependable risk assessment input relating to legal and compliance risk in the absence of a truly quantitative framework. The main issues such as what could happen, how likely is it, how bad could it be, and what risk mitigants could be employed, require something of an intuitive, reasoned and/or judgmental approach. To a certain extent, the problem just has to be lived with, and firms will be driven to certain methods or risk matrices. Many compliance inputs are both experience-based and judgmental.

It is also relevant to ask “Whose risk is it anyway?”. Although the business itself may well be the first line of defence against such risks arising, and ultimately responsible for dealing with them, the reality remains that compliance and legal professionals do carry the risk that their judgements may be wrong and it is in that interpretative/advisory context that the ultimate risk of being a compliance or legal professional is to be found. This risk is particularly relevant at present because the FSA wants to see how principles-based requirements are translated into operational policies on the ground – although they are expecting to see input from the board level downwards, this is still at heart the role of the compliance department, which must mitigate between regulatory and business desires.

Siting legal and regulatory risk personnel closer to the business can produce significant returns. Compliance staff who know what the deals and strategy are can be a great risk mitigant.

As a related point, operational risk can be defined as using operational failure as an umbrella term for anything which causes the business to fail. This includes legal and compliance problems, ranging from poor business decisions, to poor documentation or computer issues.

There may be parallels to be drawn here with the evolution of the practice of providing formal legal opinions. At the outset, requests for legal opinions were considered unnecessary - the adviser, with its expertise and financial backing, would obviously not be recommending the transaction if he believed there was an issue. Seeking legal opinions became par for the course, but with caveats and carve-outs starting to proliferate, what began as a box-ticking exercise exposed weaknesses in the underlying law. Netting and settlement opinions in relation to foreign exchange contracts were a notable example in the 1980s. This produced pressure for reform, and eventually led to law reform, and in some cases to a regulatory requirement for legal opinions to be given (for example, to obtain regulatory capital recognition of netting arrangements). What is now perceived as a tedious requirement may prove to have unexpected benefits because it will allow consensus to be developed. If a consensus can be achieved on how best to handle the process, and the priority to be attributed to it, then there may be willingness to make amendments.


The commoditisation of the ISDA master agreement provides a classic example of the value of consensus, particularly around transactional documentation and related legal opinions. This does not mean that one agreement fits all transactions; there is still a need to ensure what they are doing is appropriate to the transaction, and advice. A process is still needed, and the FSA will want to know that there is a proper process.

However, there are other instances where process has not resulted in real regulatory change. Many commentators feel that the value of Sarbanes-Oxley, for example, which arose out of a crystallised risk event, has been swamped by the process itself, and by the activities directed towards evidencing it. The process does not get to the heart of the risk.

Not all firms in London are UK incorporated – the effect of the FSA’s move to MPBR will impact on the operation of branches overseas and in the EU. There is a risk that by elevating risk to a high level systems and controls requirement, the FSA may lose the jurisdiction to look at the way the firm handles these issues as this might fall within the province of the home rather than the host state.

Contacts

Christa Band, Partner, litigation and arbitration, London. T: +44 20 7466 2158, M: +44 7785 [email protected]

David Mayhew, Partner, litigation and arbitration, London. T: +44 20 7466 2846, M: +44 7795 [email protected]

Martyn Hopper, Partner, litigation, London. T: +44 20 7466 2139, M: +44 7050 [email protected]

Patrick Buckingham, Partner, financial services regulatory, London. T: +44 20 7466 [email protected]

London: Herbert Smith LLP, Exchange House, Primrose Street, London EC2A 2HS. T +44 20 7374 8000, F +44 20 7374 0888

Stibbe, Exchange House, Primrose Street, London EC2A 2ST. T +44 20 7466 6300, F +44 20 7466 6311

www.herbertsmith.com, www.gleisslutz.com, www.stibbe.com


Chairman’s concluding remarks

• There is some variation in the extent to which different financial institutions maintain a distinction between their legal, compliance and risk functions in terms of their organisational structures and definitions

• There remain concerns at the use of traditional operational risk management techniques for the management of legal and compliance risk and about how best to attribute quantitative value to these risks (although this is common with most operational risks)

• There is also concern that institutions lack clarity as to the expectations of regulators in relation to legal and compliance risk management policies and techniques

• There appears to be some consensus that, despite the limitations of a “box ticking” exercise, systematic identification and assessment of legal when developed and used properly can be extremely valuable.

The next round table, to be held on 7 July 2008 at Herbert Smith’s offices, plans to consider in more detail the processes actually in use at various financial institutions to quantify and operationalise legal and compliance risk. Participants will be encouraged to contribute and discuss examples of the processes they use, and to consider how their approach is likely to develop or change in the current regulatory environment.

© Herbert Smith LLP and the London School of Economics, 2008

The Law and Financial Markets Project is an academic and practitioner based initiative established by The London School of Economics and Political Science. Based in the LSE’s Law Department, the Project, amongst other things, aims to bridge the gap between lawyers in the commercial world and those in academic institutions. It provides opportunities for UK and overseas lawyers to participate in the study and analysis of how law (including regulation) serves and interacts with financial market activity. The role of law in a highly competitive, international market place is high on the Project’s agenda, as is its role in facilitating investment in developing countries. Areas where the law requires reform or a greater degree of harmonisation or certainty, whether in England, the EU or elsewhere, are also a key feature.

Professor Julia Black, London School of [email protected]

Professor Mike Power, London School of [email protected]

Roger McCormick, London School of [email protected]

www.lafmproject.com


Herbert Smith LLP, Gleiss Lutz and Stibbe are three independent firms which have a formal alliance. 6751/210508
