An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. It is mandatory that not only must all red flags be cleared but there also be evidence of the decision-making process to show to a regulator if one comes knocking.

The Justice Department Evaluation of Corporate Compliance Program states under Prong 10 the following, “Real Actions and Consequences Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved?” There is no set formula or guideline for clearing red flags or evaluating due diligence. One approach came from two compliance practitioners at GE Oil & Gas, Flora Francis and Andrew Baird made at the 2014 SCCE Utility and Energy Conference on GE’s third party risk management, where they described the process by which GE reviews the risks around each third party with which it does business.

Some of the factors which GE considers, when evaluating a third party, include the following:

  • Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
  • In-house Capabilities: Do we already have the organization in place to handle these capabilities?
  • Overlap: Do we already have a third party in the region/country that can handle our needs?
  • Volume of Business: How much business will this third party bring to the company?
  • Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have same commitment to compliance?
  • Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
  • Reputation: What is the third party’s reputation in the market?

GE takes this information and then break downs the risks down into low risk and high risk. A low risk received a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were:

  • Country channel where the third party is located in or where it sells into;
  • Experience by the third party with the sales channel;
  • Type of third party involved; agent, reseller, distributor;
  • Commission rate, is it standard v. non-standard;
  • Will any sub-third party relationships be involved;
  • Will the third party sell to government entity or instrumentality;
  • Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
  • Was the third party mandated by customer or the end user;
  • What is the third party’s contract duration;
  • Is the third party involved in more than one project;
  • Does the third party have any historical compliance issues;
  • What is the percent of sales with products or services; and
  • What is GE’s annual revenue with the third party?

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and a Go/NoGo decision whether the company should move forward with a proposed third party.

One approach came from Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc. I found his questions to be very relevant when considering how far down the chain a company must go.

Step 1: How Much is Enough? Here your goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties.

Step 2: How Deep Do We Dig? Here I think the question you should consider is how many tiers down you must go in managing your third parties? Clearly you should manage all direct counter-parties in the sales chain and those considered high-risk in the supply chain. Further, in the sales chain, I think you need to know directly if your business representatives are sub-contracting down your business representation, at least through one tier. On the supply chain, if a high-risk truly is a high-risk for bribery and corruption under your internal evaluation system, you should also consider digging down one tier. 

Step 3: What Do You Need To Know? While with your first-tier relationships you may scope your review depending on your internal risk assessment and attendant risk ranking, your data collection down the chain may not need to be as robust. For counter-parties further down the chain than tier 2, a list of actual and beneficial owners, coupled with commitments to follow relevant anti-corruption legislation is needed. Such commitments should be secured through each tier’s contract with its counter-parties.

Step 4: What Did We Learn? If there is any information from which Red Flags appear, they must be cleared. If additional information is needed or points clarified, now is the time to do it and not wait until later in the process. Here I would rely on Jan Farley’s proscription not to stretch your compliance program too thin. Focus your training, communication and management on your direct counter-parties and communicate to them that your company expects them to manage their relationships with their direct counter-parties, which would include the clearing of any Red Flags that may have appeared.

Step 5: Then What? After you have made your decision you still need to manage the relationship. This will entail continuing compliance communications with your direct counter-parties on an ongoing basis. Preferably your business unit sponsor will do this but as the compliance practitioner, you should also be mindful of checking in from time-to-time with your third parties. As your compliance program matures, you also reach the point where you will need to consider auditing of your third parties from the compliance perspective. Finally, do not forget the three most important things about your FCPA compliance program: “Document, Document and Document” the entire process.

In the area of third parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective. For anything below a tier 2; you may be able to manage your risks through having your direct tier 1 counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so.

Three Key Takeaways

  1. There is no set formula for clearing of red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must Document Document Document your evaluation of any red flags.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

 

Yesterday I considered the need for due diligence in the management of third parties. Today, I want to take a deeper dive and explore the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering, anti-bribery, sanctions lists, coupled with other financial corruption & criminal databases.  These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities.  It is also a very inexpensive first step in compliance from an investigative viewpoint. This basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third party’s key executives and associated parties.  I believe that Level II should also include an in-country data base search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. According to Candice Tal, founder of Infortal, Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions.  Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in country investigation.” Further the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players.  These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such  “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publically.”

Further you may need to engage a foreign law firm, to investigate the third party in its home country to determine the third party’s compliance with its home country’s laws, licensing requirements and regulations. Lastly and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use a Level III to determine if the third party willing to stand up with under the FCPA and are you willing to partner with the third party.

The Risk Advisory Group, created a handy chart of its Level I, II and III approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level Issues Addressed Scope of Investigation
One ·      That the company exists

·      Identities of directors and shareholders

·      Whether such persons are on regulators’ watch lists

·      Signs that such persons are government officials

·      Obvious signs of financial difficulty

·      Signs of involvement in litigation

·      Media reports linking the company to corruption

·      Company registration and status

·      Registered Address

·      Regulators’ watch lists

·      Credit Checks

·      Bankruptcy/Liquidation Proceedings

·      Review accounts and auditors comments

·      Litigation search

·      Negative media search

Two As above with the following additions:

·      Public Profile integrity checks

·      Signs of official investigations and/or sanctions from regulatory authorities

·      Other anti-corruption Red Flags

As above with the following additions:

·      Review and summary of all media and internet references

·      Review and summary of relevant corporate records and litigation filings, including local archives

·      Analysis and cross-referencing of all findings

Three As above with the following additions:

·      But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

 

As above with the following additions:

·      Enquiries via local sources

·      Enquiries via industry experts

·      Enquiries via western agencies such as embassies or trade promotion bodies

·      Enquires via sources close to local regulatory agencies

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence.

Three Key Takeaways

  1. A Level I due diligence should be only used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high risk jurisdiction if there are no red flags to clear.
  3. Level III due diligence is deep dive, boots on the ground investigation.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

 

Most companies fully understand the need to comply with the FCPA requirements around third parties as they represent the greatest risks for an FCPA violation. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. This means they may need to bring resources to bear to comply with the FCPA while continuing operating an ongoing business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigation third parties, but have struggled with how to create an inventory to define the basis of third party risk and thereby perform the requisite due diligence required under the FCPA.

Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. The information that you should have developed in Steps 1 & 2 of the third party management process should provide you with the initial information to determine the level of due diligence you should perform on third parties. This leads Step 3 in the five steps of the third-party management-Due Diligence.

Jay Martin, CCO at BakerHughes often emphasizes that a company needs to evaluate and address its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Principle IV of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle IV is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

Carol Switzer, writing in Compliance Week related that you should initially set up categories for your third parties of high, moderate and low risk. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

A three-step approach was also discussed favorably in Opinion Release 10-02. In this Opinion Release, the DOJ discussed the due diligence that the requesting entity performed. “First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources…Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.”

Three Key Takeaways

  1. You must have enough information to fully identify the owners, ultimate beneficial owners and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs require an appropriate level of due diligence.
  3. The best practice is to use a professional due diligence provider to perform due diligence level 2 and 3.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

 

The next step in the five-step process is the Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. The questionnaire should be mandatory step for any third party that desires to work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk, but run away from doing business with such a party.

In the 2011 UK Ministry of Justice’s (MOJ), discussion of Six Principals of an Adequate Procedures compliance program, they said the following, a Questionnaire, “means that both the business person who desires the relationship and the foreign business representative commit certain designated information in writing prior to beginning the due diligence process.”

One of the key requirements of any successful anti-corruption compliance program is that a company must make an initial assessment of a proposed third party. The size of a company does not matter as small businesses can face quite significant risks and will need more extensive procedures than other businesses facing limited risks. The level of risk that companies face will also vary with the type and nature of the third parties with which it may have business relationships. For example, a company that properly assesses that there is no risk of bribery on the part of one of group of its third parties will require nothing in the way of procedures to prevent bribery in the context of those relationships. By the same token the bribery risks associated with reliance on a third party agent representing a company in negotiations with foreign public officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks.

What should you ask for in your questionnaire? Randy Corey, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc. said in a presentation at Compliance Week 2012, entitled “3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program”, that his company has developed a five-step approach in evaluating and managing their third parties. In Step 3 they ask What Do You Need To Know? Initially, Corley said that the scope of review depends on risk assessment, High Risk, Medium Risk or Low Risk. This risk ranking will determine the level of information collected and due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application which should include requests for information on background and experience, scope of services to be provided, relevant experience, list of actual and beneficial owners, references and compliance expertise.

Below are some of the areas which I think you should inquire into from a proposed third party include the following:

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe what physical facilities that will be used by the third party for your work. Be sure and obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs).
  • UBOs: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
  • FCPA Training and Awareness: Has the proposed third party received FCPA training or certified by a recognizable entity?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

The questionnaire fills several key roles in your overall management of third parties. Obviously, it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as importantly is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Three Key Takeaways

  1. You must have enough information to fully identify the owners, ultimate beneficial owners and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs still require questionnaires.
  3. If a third party refuses to fully respond to your questionnaire, walk away from the proposed relationship.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go towww.opus.com.

 

The Evaluation, in Prong 10, Third Part Management asks, “What was the business rationale for the use of the third party in question?” This question is one of the most basic tools to operationalize your compliance program and should form the basis of your third-party risk management process.

It is common sense that you should have a business rationale to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have that specific third party representing your company. This concept is enshrined in the 2012 FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.”

The Internal Revenue Service (IRS) also considers a business rationale to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of Internal Revenue Service (IRS) criminal investigation, speaking at a presentation, said that the lack of business rationale to be a Red Flag, indeed the IRS views such lack of business rationale as possible indicia of corruption. With the Department of Justice; Securities and Exchange Commission and IRS all noting the importance of a business rationale, it is clear this is something you should use to operationalize your compliance program.

But the business rationale also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business rationale to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include:

  1. Business Sponsor – Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship and puts the onus on each stakeholder to more fully operationalize this portion of your compliance program.
  2. Business Rationale – The Business Sponsor should then articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction?

What should go into your Business Rationale? At the most basic level, you should craft a document, which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts which include the following. You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party because it is Red Flag is a customer or government representative points you towards a specific third party. You should inquire into what services the third party will perform for your company, the length of time and compensation rate for the third party. You will also need an explanation of why this specific third party should be used as opposed to an existing or other third party, is such were considered. All this information should be written down and then signed by the Business Sponsor.

Another way to think about this issue is by considering the competence of foreign business partner to provide services to your organization. Such considerations include a review of the qualifications of the third-party candidate for subject matter expertise, the resources to perform the services for which they are being considered and the third party’s expected activities for your company.  More detailed inquiries include requiring the relevant business unit which desires to obtain the services of any third party to provide you with a business rationale including current opportunities in territory, how the candidate was identified and why no currently existing third party relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive.

Remember, the purpose of the Business Rationale is to document the satisfactoriness of the business case to retain a third party.  The Business Rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. As explained by the Tom Fox Mantra for compliance, this means Document Document Document.

Three Key Takeaways

  1. You should always have a business reason for using a third party which is articulated by the business folks, not compliance.
  2. A Business Sponsor is the key relationship going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
  3. Always remember to Document Document Document.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC Accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.