Keeping in mind that approximately 97% of FCPA violations involve third party corruption, only a rigorous and meticulous third party due diligence program should be just good enough for companies to shield themselves from criminal and civil liability. Recently I heard that a rather large and fairly well known multi-national firm was having an anti-bribery risk assessment conducted and there was a glaring deficiency discovered. The case most probably also applies to several other companies: Due diligence was limited to watchlist and Politically Exposed Party (PEP) screenings while risk assessments determining which third parties should be reviewed more deeply on a predetermined risk basis were neglected altogether.
As I was reminded at the 2016 FCPA Conference that just concluded on December 2nd: Every company has a different risk profile so there is no blue print for all. But when you look at the US Sentencing Guidelines and the Foreign Corrupt Practices Act (FCPA), it is clear that there is a need for companies to have clear guidelines on how to conduct due diligence for anti-bribery and corruption on low, mid and high-level risk third parties. So while there may be no blue print, it’s clear that to remain compliant with the FCPA, you must know your third party. And that means rolling up your sleeves and gathering information from the third parties and from independent resources. And how deep you dive, depends on the risk. The greater the risk, the more frequent and deep the due diligence should be.
And since this was not the first time I had heard about fortune 1000 companies struggling with employing a firm methodology for managing third party risk; I thought it might be useful to share what we have in place at CPA Global, in relation to the third party due diligence portion of our know your third party program. And the reason I am so emboldened to share our program is not only because our customers rely on it, but also because it has been given labels such as a “gold standard,” and “scientific and sophisticated,” by at least 3 customers, experts in this space, as well as our outside regulatory trade counsel, partner Larry Lasoff, at Kelley Drye, Warren based out of New York. So what I share below is not meant to be gospel or preachy; it’s merely our company Compliance group approach and process to ensure that CPA Global is not engaging in high risk relationships that will have a future negative impact on the company from a regulatory and or reputational standpoint.
At its core, Third Party due diligence is independent investigative work conducted either by using primary and secondary resources remotely or by conducting more investigatory assurance locally. In both cases the goal is to gather vital information that either sheds light on new red flags that require risk assessment or comfort that your third party is reputable.
Let’s start by mapping due diligence in relation to all other key third party risk management activities.
Note that after the initial risk assessment that subsequent activities continue to form an ever-changing profile that may or may not increase or decrease an entity’s risk levels.
At CPA Global we have three levels of due diligence we employ based on risk. I will introduce all three phases but will focus on desktop level II, often a missing component, which can be described as your Ronald Reagan “trust but verify” phase. These level II activities should be conducted at various intervals, depending on risk factors on your third parties in relation to your company’s risk appetite. Although some companies use different delineations for which activities constitute a tier of work, ours is broken down as follows:
- Gather new or revised third party information for purposes of bribery and corruption (among other areas) risk.
- Ensure third parties and their key associated parties are clear from inclusion on global watchlists.
- Determine the level of risk and appropriate actions to take should a third party be included on a watchlist.
- Research-based on risk, beneficial owners, shareholders, and executive management for inclusion in watchlist screening.
- Disseminating Third Party questionnaires and risk scoring based on results (using GAN Integrity) of responses and support provided
- Comparing all third parties to relevant watchlists.
- Identifying high-risk entities for extended screening
- Automated continuous Watchlist screening (Amber Road)
- Manual False-positive identification and clear with reasons codes
- Difficult to resolve potential matches requiring escalated Compliance Officer and likely Level II Due Diligence
- Extended Party (beneficial owners, corp. family, directors, C-level Execs) identification and watchlist screening
Although some companies categorize restricted party or watchlist screening as monitoring, we consider monitoring in context to the business and due diligence to consist of external information gathering to ensure no red flags exist; and when possible from independent resources. Since watchlists are created by both government and non-government organizations that are related to bribery and corruption, drug and human trafficking, money laundering, terrorist activity and other legal violations; any match is essentially based on external research.
Because the matching exercise is automated and use of analyst is necessary to determine if matches are legitimate or not, we consider this to be a basic level of due diligence.
Objective: Ensure third parties do not present a risk of bribery and corruption (FCPA and UK Bribery most notably), other regulatory (i.e. modern slavery), or reputational risk through independent research
How: Engaging in Desktop Due Diligence using open source and subscription services (Lexis Diligence and Avention OneSource) to conduct reasonable independent research and analysis on third parties on the basis of risk.
Level II due diligence, is analyst driven using technology across a wider spectrum. This second level is designed to look wider and dig deeper to gather enough information to provide reasonable assurance that there are no red flags or issues that can or may lead to regulatory or reputational risk for your company. In this instance a formal report is issued to the compliance team and business for review.
Effectively performing this research requires skilled researchers, analysts, or paralegals who will utilize expert search software by firms such as Lexis, Thomson Reuters, Bureau Van Dijk (BvD) or Dow Jones for instance to interrogate a vast global database of free available and subscription based public records. The goal is to conduct thorough but not necessarily exhaustive research for relationship assurance purposes. The beauty in conducting this level of research on an entity is that you are employing available resources to widen your investigative parameters, and the capability of leveraging these activities for non FCPA and UK Bribery purposes; covering data protection, modern slavery, export control and commercial risk detection for instance. This is not to be substituted for enhanced due diligence, when the risk calls for it.
So how much is enough and what should we be looking at?
This is what our Level II research consists of:
- Company Profile: Company name and known trade names are researched. What business the target entity engages in and how it relates to CPA Global. Locations, employee base, and industries, among others, of target, factor in to the over-all risk assessment that is being built.
- Corporate Structure: subsidiaries which may include acquisitions. For instance, several years ago a CPA Global vendor in the domain name space out of Australia was acquired by a US company, thus changing how CPA Global would be able to manage work for its non US customers going forward given the US sanctions difference from the UK and EU. Although not a FCPA issue, it was a sanction compliance matter that was picked up and raised to the business for action.
- Beneficiary Ownership: Often a critical element when looking at smaller private firms in that an undisclosed beneficiary owner could be a money launderer or involved in other corrupt activities. This can require looking at corporate registration in the jurisdictions where the third party conducts business. This can sometimes be performed remotely via desktop, but could depending on which country, require feet on the ground walking into a government office. This is what we classify as a level III Enhanced Due Diligence activity.
- Corporate Registry: Can be a key to the kingdom in a sense that, information required for filing in a jurisdiction may be contradictory to what a third party is telling you. It can also reveal ownership percentages and how corporation is organized. Some countries like China and Singapore are on line, Hong Kong requires online payment and Indian sole proprietorships have no registration requirements.
- Enforcement actions, and Litigation: These clearly let you know whether your target is officially involved in either of these two legal actions; the latter could be criminal but also civil involving claims by the target or against them. We once had a company on a level III on-site audit tell our auditor they had no litigation over the past 3 years, but research determined there had been a settled case. We of course had to include this as an integrity concern on the report.
- Watchlist and PEP screening: Formal results are included in the report for assurance purposes. This screen though will include extended parties identified in steps 1 and 2 above.
- Negative Media and Social Media: Anything formally published in all print publications that have been digitized or web-based reports are screened for any red flags of corruption. Because in some countries the available media is in another language, you may have to use a source to translate. Some services do this for you. Doing this level of research is necessary if there already is a red flag of some sort, the entity is small and the only available media is in the local language. Depending on risk level, 1 to 5 years of media reports is required. This can be the most time-consuming exercise, especially in the UK, EU, and US public companies where there is a wealth of information available. Social Media can be useful but you must consider the source of the information provided. Usually, patterns of negative chatter may be worth noting and can either lead to increased monitoring and more frequent level II reports.
- Location: Corruption Perception Index: This can just as easily be included in the company profile section. We elected to look at location risk in relation to the Corruption Perception Index published by Transparency International separately because it’s a risk not related to the company itself and centered on the location(s) the firm is based or operating in. Although the location element often drives the initial overall risk rating higher; the results of a due diligence report could be used to reassess the overall level going forward.
The finished product is memorialized in a Due Diligence Report, whether it be on a person or any sized company, which demonstrates that a thorough review has been carried out using the best resources to capture available public data that will either give assurance that there are no needs for concern or that raises red flags that require compliance and or business action.
CPA Global Level II Due Diligence reports are designed for easy digestion of facts which begin with an executive summary and risk assessment using the company’s 5x5 risk grid. All reports are reviewed by a supervisor who is a Regulatory Compliance Officer and if the risk is greater than moderate, the Chief Compliance Officer will determine a course of action. A good recent example occurred when a larger customer was being investigated for bribery by the US government. Because this party was a customer, the action I recommended was to remain abreast of news on a weekly basis and inform our sales group to take caution in terms of meals and entertainment making very sure we were conservative and mindful of their policies and recording ours. Had the entity been one of our 700+ agents the response would have been much different and brought to senior or executive management for review.
Speaking of our agents, often because these intermediaries are small to mid-sized Intellectual Property (IP) law firms headquartered or operating in every country you can imagine, including high-risk locations such as Bahrain, Uzbekistan, Nigeria, Zimbabwe, Kuwait, it is often difficult to find much if any information at all on these parties. It’s not unusual outside of the US and EU, to have difficulty at least finding evidence of a private entities’ existence, outside of their own website; and sometimes even that is not in place.
Identifying that the target entity has a web site that has addresses and names of partners and personnel that coincide with the company records is useful, independent data sources are more desirable. At the very least an analyst expects to find business registration, articles of incorporation, profile, ownership information, or local news, or commentary of a target third party outside of the company web site.
If lacking foundational or any information at all; a decision then needs to be made in the absence of any other internal red flags whether to obtain assurance conducting a local visit to the third party’s headquartered or satellite location to gather the foundational information through enhanced due diligence. Thus leading us to level III of the program.
Objective: Ensure third parties do not present a risk of bribery and corruption, other regulatory (i.e. modern slavery), or reputational risk through local research, interview and or on-premises audit
How: Conduct enhanced due diligence consisting of local or onsite validations of third party integrity, reputation, corporate registration, and compliance with anti-bribery requirements.
Although the areas reviewed are essentially the same; Enhanced Due Diligence is the gathering greater primary evidence on the ground locally consisting of:
- Verification of local business registrations
- Obtaining references via related party interviews
- Obtaining information from the Chamber of Commerce
- Obtaining and reviewing local legal records: Identifying local litigation or law enforcement issues
- Searching and reviewing local open-source records
- On-site Audit of the third party
Because CPA Global has other mitigating controls in place with its IP agents, including agents having to take customized anti-bribery training; and participate in annual group and one on one meetings held by our agent management team; we seldom conduct these assignments in the absence of red flags. But when we have, we have been fortunate enough to engage an internal auditor who is skilled and experienced in conducting local research and while on-site to conduct a bribery and corruption audit to ensure integrity in what has been presented to our firm from the point the relationship was developed.
However, as most companies do not have the trained resources available to conduct such specialized investigations, there are a number of outsourcers that conduct Level III Enhanced Due Diligence, including Blue Umbrella, PSA, Kroll, Steele, Thomson Reuters, Trace International, and Red Flag. These firms have relationships in most countries, some with interesting specialized differentiators, that will enable a thorough professional investigation that should provide the necessary assurance required.
Although most of these providers will also provide level II desktop research on entities, it can be pricey ranging from north of $600 depending on a number of variables relating to what type of entity is being researched in what country, and how many beneficiary owners are also being investigated.
Ultimately the goal is to create a defensible record that in the case the regulators, or even angry customers, come knocking on your door accusing your company and compliance team of turning a blind eye to what may prove to be relationships with corrupt parties, you can demonstrate you took due care in taking more than reasonable steps to detect any visible red flags in your third party relationships. And although a portion of the program does sometimes act as a check the box exercise; coupled with the other internal activities companies should undertake (see chart above), your program can prevent bribery or association with corrupt parties. I know we have avoided potential pitfalls in the past, proving bribery is certainly easier to prevent if a risk-based process like this is in place. So certainly level I and II Due Diligence is effective lynchpin activities along with an internal whistleblowing mechanism in ensuring the company is dealing with reputable organizations and not those that may take unilateral risks that will come back to haunt their business associates.
Mark Speck is the Chief Compliance Officer and Head of Audit at CPA Global and globally recognized expert on anti-corruption compliance. He’s a guest contributor to the GAN Compliance Connection Blog. Learn more about Mark and CPA Global at: www.cpaglobal.com.
Developing meaningful stakeholder engagement to successfully manage risk
Integrating third-party data into your third-party risk management (TPRM) program - Integrating with third party systems
Interacting with high-risk parties and government officials in the life sciences and extractive industries sectors