What’s tougher: Organizing the 2016 Olympic Games in Brazil, or navigating today’s regulatory business landscape? Many would argue it’s the latter. While it’s not easy to bring together 28 competitive sports, thousands of athletes or hundreds of thousands of visitors, there are fewer hurdles to overcome (excuse the pun) than safeguarding your business against compliance mishaps. Especially when it comes to anti-bribery/anti-corruption (ABAC).
In this global digital marketplace, the laws governing ABAC mean you must know which third parties you work with—and what they are up to. “Know Your Third Party” and “Know Your Customer” are two sides of the same coin.
There’s a tidal wave of ABAC regulations governing how and with whom your organization transacts. And it’s growing almost by the day. There’s the Foreign Corrupt Practices Act (FCPA), for example, as well as the UK Bribery Act, Canada’s Corruption of Foreign Public Officials Act and the OECD Anti-Bribery Convention. Plus, you need to weave your way through sanctions and export controls.
You can run from this ABAC compliance enforcement, but you can’t hide. The Department of Justice and the Securities and Exchange Commission (SEC) in the U.S. and the Serious Fraud Office in the U.K. (among others) are bringing a record number of prosecutions and enforcement actions to bear on ABAC. Unprecedented resources are being pumped into proactive enforcement, international cooperation, compliance monitors – even sting operations and whistleblower rewards. Who can forget Michael Woodford, the Olympus CEO who blew the whistle on widespread fraud at the Japanese electronics giant?
ABAC enforcement actions are resulting in record fines. Alstom received the largest FCPA-related criminal fine in history: $772 million. HP paid $108 million to settle a bribery case. Commodity trading firm Marubeni pleaded guilty to bribery charges and paid an $88 million fine. Indeed, during 2015, total corporate penalties reached $1.5 billion. Several resolutions have resulted in jail time for executives, monitorships, large external legal bills and debarment.
Many companies still erroneously rely on a “check the box” mentality for third-party due diligence. That won’t wash in the eyes of the SEC. Announcing penalties against a pharmaceutical company, the SEC commented, “[The company]…can’t simply rely on paper-thin assurances by employees, distributors, or customers. They need to look at the surrounding circumstances of any payment to adequately assess whether it could wind up in a government official’s pocket.”
Create a compliance perimeter
So how does your organization achieve effective ABAC compliance for third parties, manage third-party due diligence and protect the corporation? The answer lies in the adoption of a compliance perimeter – a protective technology and diligence zone around your company to guard against compliance mishaps. This perimeter needs to be dynamic, risk-based, systematic and scalable.
Below are four steps you can take toward building such a program for third-party due diligence.
Step 1: Where are you now?
Begin by examining the process used to onboard third parties, including how closely the process is followed, how fully it evaluates risk and how it varies between departments, divisions and countries. Ask yourself: What is needed to generate payment to a third party? Can due diligence be bypassed? What information do we have on third parties already?
A useful way of framing a risk-based/proportionate approach to ABAC mirrors the acceptance and life cycle of a third party: onboarding, identification and verification, screening and risk assessment. Documenting each of these stages demands effort, but is vital to understanding what works, what doesn’t and what gaps need to be filled.
Step 2: Where do you want to be?
Think about the nature of your business. Are you growing in countries with a high incidence of corruption? Do you sell to governments? Do you rely on agents?
Each third party will represent a different level of risk – doing business with an agent in Canada is less risky than with one in China, for example. By evaluating this risk, you can determine appropriate levels of diligence and create a policy that is scalable and removes subjectivity from the decision of what level of diligence is required.
In terms of geography, for instance, Transparency International’s Corruption Perceptions Index is a useful source for gauging geographic levels of corruption. And in case you want to know, Denmark scored highest for safety in the 2014 index, while Somalia scored lowest.
Step 3: How deep is your diligence?
Once a set of criteria for measuring the risk is established, you can map diligence methods and requirements to that risk, progressing from a light-touch automated process for lower-risk third parties to robust local “boots on the ground” investigations for the highest risks.
Acquisitions, for example, require a significant depth of scrutiny, potentially using specialized investigative, legal and accounting firms, interviews with key employees of the target and reviews of books and records.
Step 4: Ongoing monitoring
An ongoing review for changes in third-party status or risk is essential. The third party’s presence on sanctions lists, criminal activity or relationships with government entities should be checked regularly. Changes in ownership or status, or the appointment of a new CEO, should also be detected. And payments to third parties need to be tracked and only authorized within the approved scope.
Drawing it all together
Risk management and ABAC compliance have never been more crucial, yet budgetary pressures have never been greater. By establishing a compliance perimeter around your organization – one that is systematic and scalable – you can achieve third-party due diligence and combat the fallout from malevolent bribery and corruption practices.