In-house counsel, compliance officers and the external counsel who support them are trained to be risk averse when it comes to anti-corruption and other types of compliance, and with good reason.
Entries in Risk-Based Compliance (8)
Corrupt payments are made to achieve important objectives -- important enough to risk possible loss of reputation and criminal prosecution. The most common objectives are winning business, maintaining business, and executing transactions faster.
The U.S. Treasury Department's Financial Crimes Enforcement Network sets risk-based compliance obligations of U.S. financial institutions. FinCEN directs counter-measures against the countries with the highest risk and enhanced due diligence against others.
The Federal Deposit Insurance Corporation (FDIC) issued guidance Wednesday encouraging its insured banks to take a risk-based approach in assessing individual customer relationships.
A new survey of general counsels and compliance officers found that 30% of companies in North America, Europe, and Asia stopped doing business with a partner because of corruption risks.
By Scott Moritz
Who are your highest-risk third parties and what are you doing about them? Most FCPA enforcement actions involve payments through agents and other intermediaries. That's why the DOJ and SEC and their overseas counterparts are watching what companies do to identify high-risk third parties, and the standard of care used to manage the relationships.
Global companies -- often with tens of thousands of suppliers and other third parties to keep track of -- can and should use risk-based compliance. Here are some first steps to make it work:
1. Knowing what you don't know.
Typical vendor-information files are thin -- the company's legal name, billing address, tax ID number, and payment instructions. But to evaluate compliance risk, more is needed. Basic information can often be extracted from proprietary databases, such as the names of owners and key executives, standard industry code (SIC), and parent / subsidiary relationships. Going further may require a questionnaire covering any ties with current or former government officials; foreign government ownership; sales commission percentages (if applicable); ultimate customer names; annual sales volumes; and the like.
2. Privacy, please.
EU countries and many others now have laws protecting personal information. Before transmitting any data, consider privacy laws in each potentially relevant jurisdiction. Data should be subjected to some level of formal privacy review, scrubbing, storage, and transmission using encryption.
3. Categorization is key.
A consistent way to categorize third-party relationships, and the relative risk each category represents, is a critical success factor. Labels describing relationships should be functional -- how do they interact with your company? Creating accurate labels requires input from finance, procurement and individual business units. Common relationships include: reseller (sometimes referred to as channel partner), distributor, joint venture partner, agent (or sales agent), freight forwarder, customs broker, lobbyist, law firm, accounting firm, consultant, and so on. Once established, the categories need to be sorted by risk and assigned an appropriate point value as a precursor to final risk scoring.
4. Do some spring cleaning.
Most master-vendor files contain entries that are no longer active, are duplicates, or are other forms of clutter. Remove duplicates. Delete dormant entities -- those inactive for two years or more. Try a first round of replacing high-risk entries with less risky alternatives. And after due diligence investigations, relationships showing unresolvable red flags should be ended as well.
5. Education and accountability.
Radar detectors don't just reveal police locations. Over time, they teach you where police officers are likely to be. A well implemented third-party FCPA compliance program can do the same thing -- over time, it teaches business people to recognize the causes of risk in third-party relationships. Such awareness doesn't come easy. Most often, it's a result of driving accountability by compelling business units to make a case to retain a high-risk third party despite red flags, and forcing them to accept responsibility for any liability that follows.
Scott Moritz is an executive director with Daylight Forensic & Advisory LLC where he leads their FCPA and Investigative Due Diligence practices. He's a former FBI Special Agent with 23 years experience investigating international corruption, transnational crime and money laundering. He can be emailed here.
A couple of months ago, guest-blogger Scott Moritz talked about risk-based compliance. His post, we now see, was prophetic. Why? Because just last week, when Aon settled an enforcement action with the U.K.'s Financial Services Authority, the real star of the show was . . . risk-based compliance.
The FSA's Final Notice described how both U.K.-based Aon Ltd and its U.S. parent, Aon Corporation, have improved the way they'll deal with intermediaries -- the group apparently responsible for Aon's problems in a number of countries. The Aon companies, the Final Notice said, have "designed and implemented a new global anti-corruption programme that includes a policy limiting the use of third parties. Aon Ltd has also implemented robust risk-based procedures that control and restrict the circumstances in which staff may make payments to Overseas Third Parties, particularly in high risk jurisdictions."
Aon's new compliance policy, according to the Final Notice, generally . . .
. . . prohibits the use of third parties whose only service to Aon is to assist in the obtaining and retaining of business solely through client introductions in countries where the risk of corrupt practices is anything other than low. These jurisdictions are defined by reference to an internationally accepted corruption perceptions index. Any use of third parties not prohibited by the policy must be reviewed and approved in accordance with global anti-corruption protocols. . . . In addition, Aon Ltd has implemented an enhanced comprehensive risk-based training regime for its staff.How does risk-based compliance work? Guest-blogger Moritz said the concept is simple: certain customers, vendors, and intermediaries represent a higher compliance risk than others. Geography, nexus to government officials, business type, method of payment, dollar volume -- all are risk indicators. And he said the key to any risk-based approach is the strategic use of information technology -- tracking and sorting the critical elements, including risk-ranking, as well as enhanced due diligence and ongoing monitoring of high-risk parties proportionate to their risk profiles.
The benefits of risk-based compliance are clear. In places where risks are very low, compliance burdens can be reduced. Where risks are anything but low, compliance is stepped up one or more notches, to make sure nothing slips through. As we've often said, when there are more red flags around, the proper response is more compliance, not less. And that's what risk-based compliance is all about.
And one more thing . . .
Take a look at Don Lee's amazing story from the January 12th edition of the LA Times about Avery Dennison's FCPA compliance problems in China. Shanghai bureau chief Lee seems to have gotten everyone to talk on the record. This is one of the best articles we've read in the mainstream press or anywhere else about the Foreign Corrupt Practices Act at ground level.
In response to Halliburton’s proposed acquisition of Expro, the U.S. Department of Justice recently thrust the concept of “a risk-based approach” to the forefront of anti-bribery compliance with Opinion Procedure Release 08-02. A risk-based approach has been a regulatory expectation in anti-money laundering (AML) for years. Now, with Release 08-02, it's moving to the FCPA as well.
The concept is simple: certain customers, vendors, and intermediaries represent a higher compliance risk than others. Geography, nexus to government officials, business type, method of payment, dollar volume -- all are risk indicators. A Kazakhstan-based customs broker owned by the brother of the country’s oil minister, with million-dollar payments directed to an account in Cyprus, represents a high risk of corruption. That's clear. The hard part is making appropriate distinctions and parsing them across a global, decentralized vendor system. It's that aspect that often requires the use of sophisticated technology.
Companies looking to strengthen their FCPA compliance can learn from successful AML programs. In fact, proven AML techniques are already part of some of the more progressive FCPA programs. The key to any risk-based approach? It's the strategic use of information technology, tracking and sorting the critical elements -- including risk-ranking, as well as enhanced due diligence and ongoing monitoring of high-risk parties proportionate to their risk profiles.
To mitigate risk, the first step is knowing where it comes from. That's why the DOJ instructed Halliburton in its Opinion Procedure Release to apply a risk-based approach to due diligence. As the financial institutions have learned, deploying the right technology can be the key to making that happen.