Efforts to stamp out bribery and corruption continue to grab business headlines and send a clear message to multinationals that ensuring compliance with Anti-Bribery and Anti-Corruption (ABAC) regulations is no longer optional – it is a necessity. To illustrate the importance of compliance, in 2013 US regulators imposed an average penalty of $74 million on companies they determined had violated ABAC regulations.
Foreign regulators have also shown a willingness to work with their UK and US counterparts. As an example, Britain’s Serious Fraud Office (SFO), the agency responsible for enforcing the UK Bribery Act, recently announced that it is cooperating with Chinese authorities regarding the SFO’s investigation of GlaxoSmithKline’s payment of bribes in China. As another example, the US Department of Justice (DOJ) routinely enlists the support of overseas regulators.
Given the extraterritorial nature of leading ABAC regulations and the increasingly complex and onerous regulatory environment relating to data privacy, in cases where acts committed outside of a country’s territory may fall under the authority of one or more regulators, companies must take steps to comply with relevant laws, regardless of the country in which they are operating.
“Companies can guard against the consequences of running afoul of regulatory laws by conducting risk-based due diligence of intermediaries”
The Case For Third-Party Due Diligence
“DOJ’s and SEC’s FCPA (Foreign Corrupt Practices Act) enforcement actions demonstrate that third parties, including agents, consultants and distributors, are commonly used to conceal the payment of bribes to foreign officials in international business transactions. Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.” A Resource Guide to the US Foreign Corrupt Practices Act, November 2012
From experience, the US government knows that third parties often play an instrumental role in facilitating corrupt payments. In fact, a cursory review of press releases and news articles relating to ABAC investigations shows that regulators often focus their investigations on third parties.
Companies can guard against the consequences of running afoul of regulatory laws by conducting risk-based due diligence of intermediaries. This involves gathering and analysing data about a number of factors relating to each third party and the corresponding compliance risk they represent. This analysis helps companies quantify the level of risk each third party poses and, therefore, the appropriate level of due diligence to perform.
Qualifying A Due Diligence Firm
Given the specialised nature of third-party due diligence and the number and complexity of regulations governing the vetting process – which includes a patchwork of data privacy laws that few understand – multinationals often turn to a professional services firm for assistance.
While many firms claim to provide third-party due diligence services, few possess the expertise to deliver actionable intelligence that helps companies implement an effective risk-based approach to screening intermediaries.
The first step in the selection process involves developing quantitative and qualitative criteria to evaluate each third-party due diligence provider. Quantitative measures might focus on the provider’s ability to scale their operations in order to meet large volume requests, the cost of services, and the number of clients, etc. Qualitative measures might include the number of languages covered, the types of due diligence offered, the number of investigators, the size of operating footprint, years in business, and industry experience, etc.
The following list of attributes and capabilities provides multinationals with additional criteria to include in their process to screen third-party due diligence providers:
■ Local knowledge and insight: Each market presents unique challenges. Therefore, combating bribery and corruption requires local, in-depth knowledge. For example, in China an assortment of laws applies directly or indirectly to the gathering, storage, and dissemination of personal data. Without local knowledge and the ability to interpret and apply the law to the due diligence process, a professional services firm can easily violate Chinese laws and expose their multinational client to government scrutiny.
■ Global investigative resources: If a company is to withstand regulatory scrutiny, they must deploy a compliance program that is credible and defensible in the eyes of regulators. Regardless of the country in which the third party resides, a multinational’s risk-based approach should allocate the appropriate compliance resources to the intermediaries that present the highest level of compliance risk. From a regulator’s perspective, a robust compliance program involves the application of a rigorous third-party due diligence program that screens and monitors intermediaries for compliance with ABAC regulations in a consistent manner. Engaging a professional services firm with the ability to conduct third-party due diligence around the globe minimises variation in the due diligence process.
■ Experience automating the third-party compliance process: Automating the compliance process helps companies demonstrate a credible and defensible ABAC compliance program. Automation removes manual processes as well as subjectivity while increasing transparency. For multinationals with a large pool of third parties, this is particularly important because variation in the compliance process may create considerable compliance risk and erode the company’s ability to defend their program if regulators ask them to do so. A professional services firm’s role includes interfacing with a multinational’s third-party compliance management solution, which ideally is purpose-built to support the process.
■ Access to a purpose-built third-party compliance solution: Third-party compliance involves four distinct phases: onboarding, management, monitoring, and auditing. A purpose-built compliance solution focuses exclusively on third-party management and includes robust functionality to manage all aspects of the process. Such a platform allows companies to centralise their third-party data, streamline onboarding and renewal, optimise their workflow, and ensure ongoing monitoring of third parties through a robust audit trail. A purpose-built solution may include the functionality to assign a request for due diligence to a professional services firm. Once completed, the platform may also allow the third-party due diligence provider to populate the results within the compliance solution. For the reasons noted above, a dedicated platform supports consistency because it contains workflows to systematically guide the compliance team through each phase of the third-party process. Consequently, retaining a third-party due diligence provider with experience in leveraging a purpose-built solution helps strengthen a company’s ABAC-related compliance efforts.
■ Database providers versus third-party due diligence firms: Some companies simply screen their third parties against regulatory databases. While such an approach plays a role in third-party due diligence for low-risk intermediaries, sole reliance on this method will not meet regulatory expectations. As mentioned previously, regulators repeatedly stress the importance of deploying a risk-based approach to third-party vetting. Using a professional services firm that can provide varied levels of due diligence can help a multinational develop and deploy a truly risk-based due diligence approach.
■ Supporting the business: While a professional services firm can help a multinational attain compliance, they should not impede the business’s ability to operate. As part of their role, the professional services firm should help the compliance function become an accepted part of the company’s processes versus a perceived barrier to the business.
The Importance Of A Trial Run
The final stage of the screening process should include a trial run. During this phase, the multinational requests that two or three professional services firms conduct due diligence on a subset of its third-party population. This is a collaborative effort designed to test each firm’s ability to deliver timely, accurate, and complete analysis.
While third-party due diligence presents multinationals with a host of complex issues, professional services firms that specialise in the vetting of intermediaries can simplify the process and help minimise compliance risk. Not surprisingly, selecting an unqualified or inexperienced third-party due diligence provider increases a multinational’s ABAC compliance risk as well as its exposure to complex and ever-changing data privacy regulations.
In turn, this is why the selection of an appropriately qualified third-party due diligence firm plays such a vital role in a multinational’s efforts to minimise their exposure to eye-popping fines and penalties.
About The Author:
Tony Charles joined STEELE in 2010 to lead the company’s Investigative Analyst Group. In 2012, he was selected to lead the commercial organization at STEELE, a compliance intelligence and advisory firm with engagements in more than 170 countries. Prior to his tenure with STEELE, Mr. Charles held numerous leadership roles during his thirteen years at Procter & Gamble Healthcare and Warner Chilcott Pharmaceuticals.
Mr. Charles regularly advises Chief Compliance Officers and commercial organizations at Fortune 1000 companies on benchmarking analytics and implementation strategies for third party management programs. Providing predictive analytics allows companies to anticipate program outcomes and business needs even before implementing their program. He successfully led a ground breaking Analytics initiative at STEELE to mine regulatory findings and adjudication practices from hundreds of thousands of due diligence reports and more than 130 multinational companies in order to help clients benchmark their third party programs against like companies in their own industry