Asset Management – Compliance & ESG | Balancing security and privacy – how asset managers should approach background checks of individuals

The insider threat in the private sector is increasing, according to the Norwegian national security authorities. This is highlighted in the Vissim case published by NRK on June 3rd, where Russian actors allegedly were involved in the development of secure communication systems for the Norwegian Armed Forces. The risk of foreign intelligence agencies from Russia and other high-risk countries incentivising individuals to infiltrate businesses, disclose sensitive information or engage in sabotage, encourages asset managers and portfolio companies to perform background checks for new hires and key personnel. At the same time, compliance with the Working Environment Act and privacy and discrimination regulations must be secured. In this newsletter, we will provide an overview of relevant laws and how they can be effectively implemented to ensure compliance.

Background – why perform background checks on individuals

Russia, China, North Korea, Iran, and their close allies are considered high-risk countries. Individuals linked to foreign intelligence may leak information, harming a company’s competitiveness and finances, and potentially threatening national security, as the Vissim case may illustrate. These cases are rarely publicised. Some known cases include Telenor, which raised concerns about espionage in 2014 after it was found that employees with foreign backgrounds had access to sensitive infrastructure. In 2017, Vard employees were investigated for allegedly sharing technical information with Russian and Chinese entities. In 2022, a visiting researcher at the University of Tromsø was arrested and charged with espionage against Norway. He claimed to be Brazilian but was later identified as a Russian national.

A background check is a systematic process of reviewing public and other relevant information with the aim of identifying potential links to authoritarian regimes, sanctions violations, politically exposed persons (PEPs) and criminal track records. Asset managers will recognise the same issues and threats from KYC processes carried out pursuant to AML legislation with, for example, fund investors. Asset managers are typically not legally required to carry out background checks separate from ordinary AML/KYC but should nonetheless consider the need for them from a security risk perspective and ensure that their portfolio companies do so. Risks may arise in all phases of the asset manager’s activities, from prior to making new investments and add-ons, during ownership, to preparation for exit. Asset managers must take care to adequately address such risks in order to satisfy the manager’s fiduciary responsibilities towards the investors.

Background checks should be determined by a risk-based approach, considering sector and organisational vulnerabilities. While all sectors face security risks, those in energy, telecommunications, infrastructure, real estate, maritime, dual-use technologies, and their suppliers and other business partners are particularly exposed. Assessments should furthermore focus on individuals’ roles and access to sensitive information, which may include management, HR, production staff, customer service, logistics, finance, legal, IT, and security personnel.

Background checks must comply with applicable law

Labour law and privacy regulations

Background checks of individuals must be carried out within the limits of the law. For new hires, employers (e.g., portfolio companies) have more leeway to conduct background checks as part of the recruitment process, subject to compliance with data protection laws. This may include verifying previous employment, education, identity, and criminal records, within legal limits.

For existing employees, such checks raise two principal issues which can be summarised as follows: The first issue pertains to the extent of an employer’s authority to perform such reviews, alongside the corresponding duty of employees to cooperate with such measures. Background checks may be conducted pursuant to the employer’s managerial prerogative (Nw. arbeidsgivers styringsrett) if there is a legal basis and legitimate reason, and it does not impose a disproportionate burden on the employee. A legitimate reason could be a change in job responsibilities that justifies a new check (e.g., moving to a security-sensitive position). The second principal issue involves the employer’s ability to collect and utilise the data collected through background checks. This is a privacy law issue, primarily regulated by the Norwegian Personal Data Act and the General Data Protection Regulation (GDPR). In practice, companies must navigate and comply with both data protection and employment law regulations in parallel to effectively balance the ability to conduct background checks and the lawful use of the information acquired from these processes.

Generally, background checks of employees can be conducted when there is a clearly defined purpose and the check is proportionate to the risks involved. For instance, performing checks on employees moving to a CEO or HR manager role in a company that will change its business to the development of dual-use products may be justified. In contrast, conducting similar checks on an administrative assistant responsible for general office tasks may not be considered appropriate. It is also essential to document that the information sought through background checks is specifically suitable for identifying or mitigating security risks. For example, information about the CEO’s and HR manager’s health will generally not be relevant in this context, as it does not pertain to the security risk assessment.

The more intrusive the processing of personal data becomes, the more challenging it is to justify the legitimacy of performing the check. Background checks conducted for security purposes often involve collecting potentially sensitive data, such as affiliations with high-risk countries through nationality, citizenship, societal and military background, business interests, financial assets, and family ties and historic incidents. This requires careful consideration and documentation of the legal basis for the information collected in the review.

Security and non-discrimination

The results of background checks, both of new hires and existing employees, must be used in a manner that is fair and non-discriminatory, in compliance with the Norwegian Equality and Anti-Discrimination Act. As an example, discrimination based on ethnicity is generally prohibited. Reviews that identify affiliations with high-risk countries and result in decisions such as not hiring an individual, dismissal, or alterations to their employment conditions may constitute unlawful discrimination unless specific safeguards are implemented.

A decision issued in December 2024 by the Anti-Discrimination Tribunal (Nw.: Diskrimineringsnemnda) offers valuable insights into how to balance conflicting interests in this context. The case concerned a company in the Norwegian power sector that declined to hire a candidate with Russian citizenship for a position subject to stringent security requirements, although outside the framework of the Security Act’s security clearance provisions. The Tribunal concluded that the company’s decision was lawful discrimination, among other reasons because it was based on well-substantiated assessments consistent with national threat evaluations. Well-justified and properly documented risk assessments, together with clear internal procedures, are considered key to avoiding discriminatory practices.

BAHR comments

Conducting background checks on individuals can be a crucial measure for safeguarding sensitive information and protecting assets, for instance by limiting the risk of data breaches or leaks. By thoroughly vetting individuals, especially those in positions of influence or with access to critical systems, as well as key individuals at suppliers, joint venture partners etc., asset managers and portfolio companies can effectively reduce the risk of insider threats. This protects and increases value at exit.

In our experience, a common concern is that the current legal basis for background checks of individuals is unclear and conflicts with other laws. This places asset managers and portfolio companies in a precarious position when performing such checks for security reasons. Norwegian security authorities, including NSM, recommended in 2023 that the legal feasibility of conducting background checks outside the security clearance framework should be explored. This has not yet been followed up.

Until further clarity is provided in laws and guidance material, our recommendation is that asset managers include background checks of individuals in their existing hiring, KYC and screening processes for new investments and add-ons, in line with the recommendations in steps 1-5 below. More importantly, asset managers should include concrete follow-up activities in the active ownership process to ensure that portfolio companies implement the same procedures based on risk.

BAHR has extensive experience with establishing compliance programs, risk assessments and procedures for background checks. Our contacts below will be pleased to assist asset managers in exploring the risks relevant to their firm.
