Want to know one of the surest ways to strengthen your organization's anti-corruption capabilities? Start by discovering what you do not understand about the third parties who help you do business abroad.
The prevailing Foreign Corrupt Practices Act and U.K. Bribery Act storylines focus on intensifying enforcement activity, but fail to drive home the fact that third-party agents (suppliers, joint venture partners, service providers, facilitators, and others) are the main characters in the story.
As a recent Bloomberg Law Report indicates, 10 of the 11 corporate FCPA investigations initiated during the first 11 months of 2009 involved payments made by third parties. Not much has changed.
If your company fails to expand its knowledge about the activities of your business partners, the Department of Justice (DoJ) or the U.K. Serious Fraud Office (SFO) may define your “knowledge” for you in stark, legal terms. These results often sound like a cruel twist from a novel: companies find themselves stained with criminal liability, forced to pay hefty fines, and with their reputation in tatters because—unbeknownst to them—a third-party agent bribed an official.
Unfortunately, this isn't fiction. The reality is that success in today's global marketplace hinges on acting upon what you know while continually striving to learn what you should know. Failure to do so is “willful ignorance,” a condition that pervades the failed defenses of numerous regulatory and criminal cases inside and outside the realm of corruption. And yet, taking the necessary steps to avoid a finding of willful ignorance and liability is too often neglected.
Just ask companies that have endured disruptive investigations and costly penalties as a result of their lack of third-party agent knowledge. In 2010, more than a half-dozen oil service companies paid more than $230 million combined related to bribes in Nigeria and elsewhere in a group of cases commonly referred to as “CustomsGate.” Many of these bribes stemmed from a third-party logistics firm the oil services companies used, Switzerland-based freight-forwarder Panalpina.
Panalpina acknowledged that it bypassed customs, paid bribes and submitted fake customer documentation from 2002 through 2007 as part of its “culture of corruption.” The well-known global companies that used Panalpina paid tens of millions of dollars in criminal fines as well as SEC-mandated disgorgements because, in some cases, the court found that they should have known what was being done on their behalf, despite their ignorance of their third-party agent's bribes.
Avoiding CustomsGate situations has grown increasingly difficult as more companies rely on more third parties to operate abroad. The sheer volume of data required to conduct sufficient due diligence on foreign partners can be staggering.
Fortunately, there have never been more tools available to support anti-corruption due diligence. For example, Transparency International's 2011 Bribe Payers Index (http://bpi.transparency.org/results/), released in November, ranks 28 leading international and regional exporting countries by the likelihood of their companies to bribe abroad. Companies from Russia and China are seen as most likely to pay bribes abroad; those from the Netherlands and Switzerland are least likely to bribe; and U.S.-based organizations figure as the 10th least likely to bribe among the 28 countries.
The index is only one tool. Many consulting, legal and software firms have developed information solutions for anti-corruption analytics to transform raw data related to third-party agents into actionable information.
By collecting and analyzing such data, following a rigorous risk assessment and third-party selection process, and establishing ongoing third-party controls and monitoring, compliance and risk managers can tame the due diligence data deluge. By doing so, these managers can also help ensure that their companies continually understand what they should know.
Preventing Corruption Through Third-Party Due Diligence: An OCEG Roundtable
Switzer: Many companies that operate globally have thousands of agents, suppliers, and other partners. You can't do even minimal due diligence on all of them, or can you? How do you determine the level of due diligence for each one?
Walden: Filtering the population of vendors and business partners is a critical step before determining due diligence procedures. We meet with clients to understand their current efforts, specific challenges within their industry, geographic areas of operation, and business strategy. We then build a filtering model that separates the third parties into risk-based categories and proceed with different levels of due diligence: Level 1 is an open source background check; Level 2 adds an “in-country” focus with respect to local court records or business filings; and Level 3 is a deep dive into the company which may include interviews, site visits and financial analysis. Typical risk factors used in the filtering process include type of relationship with the vendor, industry sector, services provided, geographic location, nature of the contract, existence of government links, and response to monitoring controls. By using this approach, only entities considered high and medium risk undergo a deeper level of scrutiny, which results in lower costs and maximized results for the client.
Rost: Another filtering factor is the criticality of the partner to the continued business operations. For example, high risk partners may include those who handle your intellectual property, have access to your IT systems or provide unique products or services to your company. After filtering, the next step is to rigorously screen each business partner commensurate with the risk category to which each is assigned. Where screening raises red flags, a more thorough, detailed assessment is required, focusing not only on the company, its owners and its operating and litigation history but also on management and key decision makers. Include an assessment of their backgrounds, track records, real competencies, potential conflicts of interest and political and criminal links. And don't forget that a lot can happen in six months, so adequate procedures require that higher risk business relationships should be screened at least twice a year and a full rescreening should be applied annually.
Hauserman: Thousands of third parties is certainly considered by most compliance professionals an almost impossible number to be able to research and risk forecast accurately. But there are significant lessons in the reaction of financial institutions over a decade ago, to the then new anti-money laundering regulatory obligations. At its core, be it AML or third-party due diligence, poor information management is the biggest impediment to doing due diligence right. Today, modern information management technology coupled with sophisticated analytics to prioritize third-party risk mitigation activities is available and affordable to solve the problem the right way. But risk is in the eyes of the beholder and the first place a company has to start is to review its own risk tolerances.
Switzer: There is a phenomenal amount of data to be considered in third-party due diligence, and it is constantly changing. How can you collect and keep track of it all and be sure it is fed into your approval system?
Hauserman: This is actually a quite straightforward information management problem that has been solved many times. That is not to say it is easy, but there are plenty of examples for how information can be captured and maintained in a continuously accurate state. Organizations can make third-party due diligence effective by connecting all the systems and people who have the necessary information. For instance, third-party business sponsors should be required to monitor and maintain accurate data for their third parties. Likewise a third-party primary contact should be accountable for maintaining the third-party records. But it takes good information management systems to make all of this possible.
Rost: Many organizations struggle to cope with overwhelming levels of data that need to be screened and rescreened. Some organizations have the resources to hire a large and competent compliance department. For others, the answer is to outsource to experts who can absorb the complexity of the requirements and deliver results at a reasonable cost. Dedicated providers leverage professional research teams located in strategic hotspots around the world and have the capacity to do on-the-ground research in local languages, and physically check paperwork and tangible assets. These teams know what to look for and how to recognize a potential red flag, perhaps the kind of detail that a less experienced, distantly located, compliance staff member would overlook. Even a partial outsourcing of compliance processes can greatly enhance a program and provide peace of mind, while keeping costs low.
OCEG ROUNDTABLE PANELISTS
SVP, Bribery and Corruption Risk,
Management, SAI Global
Thomson Reuters GRC
Fraud Investigation and Dispute Services,
Ernst & Young
Walden: The role of individual owners of data sources, who are responsible for monitoring changes, can't be underestimated. Data management systems are critical, but they are only as good as the information that goes into them, and getting that right takes some human judgment.
Switzer: How do you manage change in partner relationships that may raise concerns (including change in ownership, new suppliers to your supplier, and new customers to your distributor)?
Walden: Given the constant changes of the business world and mounting pressure from regulators, compliance programs need to undergo periodic reviews to make sure they remain current, effective, and reasonable. As new information becomes available, it is important to occasionally re-run past searches at random to verify that the information is accurate and up-to-date. In addition, compliance officers must work with their business partners to stay apprised of any significant development on the vendors' end. Periodic requests for information, random testing, and independent due diligence reviews are also recommended to test the effectiveness of the compliance programs.
Hauserman: First you have to have a mechanism to monitor for such changes. And realize that your information will never cover everything, so start with obviously risky items. These are typically monitored by an external database provider such as World-Check, Dow Jones, or RDC, which track millions of companies and individuals for sanctions and PEP (“politically exposed person”) exposure, criminal conduct, and financial irregularities. Good providers can actually monitor a third party continuously for changes that increase risk and inform you about issues. While this monitoring is for higher risk type changes, these are exactly the ones a regulator would question how you could possibly miss, given the regulatory requirements.
Switzer: Even if an entity passes due diligence, corruption can still occur. How can companies prevent or detect this? And are there established criteria for the frequency and extent of ongoing due diligence?
Walden: Third-party due diligence is a continuing effort that requires collaboration between the company and its business partners. To monitor significant changes on the vendor's end, establish vendor reporting obligations for any changes in activities conducted on the company's behalf, or to the vendor's business model and strategy. This includes any new contracts, entrance in new markets, or the establishment of links to government entities or officials. Companies are also requiring annual certifications and disclosure statements of key vendors or third parties, some of which require a right to audit records clause. And this voluntarily provided information should be complemented with periodic checkpoint reviews and independent due diligence research to verify that the information is reliable, current, and complete.
Rost: Regardless of the strength of controls, those looking to break the rules will continue to exploit any potential weakness in a system that they are familiar with. A reasonably designed and effectively implemented risk based approach will provide an appropriate control structure to manage these risks. Simply asking a partner to fill in a form that includes the question “are you corrupt” is naive in the extreme. In today's environment, it is reasonable to expect that the partner has a robust anti-corruption program. However, not all partners have the resources to construct an adequate compliance response, so it may be necessary to assist in the building of expertise in partner organizations. This can be done through on-site training, e-learning, and by providing professional advice and resources to support the partner compliance processes. Without this institutional support, partners may overestimate risk, thus wasting a lot of time and money during remediation, or even miss the risk altogether, which can be disastrous for all involved in the relationship.
Hauserman: Some would say that the half-life of a successful due diligence that clears a third party for use is measured in minutes. That is the speed of economic activity and information flow. The not so simple fact is that you have to find a proportionate balance for all third parties to earn regulator relief. It doesn't have to be foolproof and stop all bribery; the regulators don't expect that. But they do insist an organization be serious and consistent in applying due diligence around the globe. The regulatory term is “continuous due diligence to the balance of probability”. An organization based on budgets and risk tolerances must define continuous. The one thing that can be assured is that the regulators will define it more precisely if organizations are too lax.