Even as companies continue to agree to multi-billion-dollar settlements related to the corrupt acts of third parties, managing the risks associated with them nevertheless eludes many compliance departments.
Consider just the latest example: On Jan. 31, European plane maker Airbus reached the largest global foreign bribery resolution to date—a whopping $4 billion in penalties—arising out of a scheme to use third-party business partners to bribe government officials, as well as non-governmental airline executives, in 20 countries around the world to secure sales.
Ericsson provides another cautionary tale: In December 2019, the Swedish telecommunications company reached a $1 billion settlement with U.S. authorities to resolve a long-running investigation over violations of the Foreign Corrupt Practices Act that spanned 17 years and five countries and involved high-level executives.
Ericsson used third-party agents and consultants to bribe government officials and to manage off-the-books slush funds. These agents often were engaged through sham contracts and paid through false invoices, which were improperly accounted for in Ericsson’s books and records.
Endemic corruption schemes like these epitomize why anti-bribery/anti-corruption (ABAC) programs fail time after time when it comes to third-party risk: they often don’t proactively address the core of the problem, which is willful intent. In many high-profile, headline-grabbing corruption cases, like Airbus and Ericsson, the misconduct at issue is often done intentionally, willfully, and deceitfully.
Ericsson is just one example. As the company explained in a regulatory filing, “Certain employees in some markets, some of whom were executives in those markets, acted in bad faith and knowingly failed to implement sufficient controls. They were able to enter into transactions for illegitimate purposes and, together with people under their influence, used sophisticated schemes in order to hide their wrongdoing.”
While certain ABAC policies and procedures—such as third-party training and certifications—look good on paper, it’s all in vain when employees go out of their way to hide the misconduct. Instead, a deeper dive must be performed, as well as ongoing monitoring of third-party relationships, to help identify red flags before an issue becomes a crisis.
Findings from an upcoming ABAC Compliance Week survey, in partnership with Kroll, revealed where such compliance measures are critically lacking. For example, half of respondents reported that fewer than 25 percent of their third parties undergo enhanced due diligence, including those in high-risk jurisdictions. This is concerning because identifying the level of third-party risk through enhanced due diligence—whether through public documents, sanctions-party watch lists, adverse media, country risk scores, or other sources of data—can help narrow the scope of an audit.
Even more concerning, according to the survey findings, is that many respondents don’t feel as though their company’s ABAC compliance program is effective. This was particularly the case among respondents who did not feel they had enough resources. Resources are an essential part of an ABAC program, however, especially if the compliance department has the budget to integrate sophisticated analytic tools into third-party risk management processes to better identify high-risk transactions and engagements. It’s also a good idea to reduce, where possible, the number of third parties with which the company does business.
Assembling the right team to conduct an audit is also essential. That team should include an internal audit expert who can test the adequacy of financial controls against reporting processes and a compliance expert who can properly assess gifts, travel, and entertainment expenses, for example. A forensic accounting expert or someone in legal with investigative skills is also useful. An FCPA audit conducted outside the United States should further include a local accounting team in that country to assess other potential areas that may need to be audited.
Effectively evaluating, onboarding, and monitoring third parties takes time, effort, and the appropriate resources. But with the right team in place, and with the help of sophisticated data analytics, third parties can be an asset in helping the company grow, while giving the compliance department the assurance it needs that transactions are being done in an ethical and compliant manner.