FCPA COMPLIANCE: THE BENEFITS OF AUTOMATING THIRD-PARTY DUE DILIGENCE

Transcription

1 MED 2 Brand Profile Integrated M Event Offerin Editorial Cale Media Specs FCPA COMPLIANCE: THE BENEFITS OF AUTOMATING THIRD-PARTY DUE DILIGENCE

2 EXECUTIVE SUMMARY In today s global business climate, organizations increasingly rely on overseas third parties to supply critical business processes. Although these relationships offer numerous rewards, they also create a minefield of compliance risks, especially in an era of heightened regulatory enforcement. For example, regulatory agencies are strictly policing the Anti-Bribery and Anti-Corruption (ABAC) laws, including the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and other laws enacted by countries that have adopted the Organization for Economic Cooperation and Development Convention on Bribery. These laws prohibit organizations from paying, whether directly or indirectly through affiliated third parties, bribes to foreign officials for the purpose of obtaining business, retaining business, or directing business to any person. Regulators remain focused on matters in which foreign officials receive improper payments through third-party intermediaries. At the 30th International Conference on the Foreign Corrupt Practices Act in November 2013, the Securities and Exchange Commission s FCPA Unit Chief, Kara Brockmeyer, noted that two-thirds or more of her team s cases have fact patterns involving the use of intermediaries and that several of last year s notable settlements featured such allegations. Organizations that breach these laws are subject to various penalties. Violating the bribery provision of the FCPA can result in criminal fines up to $2 million per violation, exclusion from government contracts, the loss of export licenses, the assignment of an on-site monitor (at a steep cost that can reach $1 million per month), as well as imprisonment and fines for individual officers, directors, employees, and stockholders. Stepped-up enforcement means that organizations must devote reasonable resources to protect themselves against potential claims. The best defense against a violation of the ABAC laws is a strong offense and the foundation of a strong offense is a rigorous compliance program. 2 FCPA COMPLIANCE: THE BENEFITS OF AUTOMATING THIRD-PARTY DUE DILIGENCE

3 THE HALLMARKS OF EFFECTIVE COMPLIANCE In 2012, the DOJ and SEC affirmed in A Resource Guide to the U.S. Foreign Corrupt Practices Act that they would consider an organization s compliance program in assessing penalties under the FCPA. Indeed, in several recent cases, the U.S. government has declined to pursue actions against companies that have had effective compliance programs in place; in others, the existence of an effective program has minimized the penalties the agencies imposed. According to the Resource Guide, the hallmarks of an effective compliance program include the following measures: Setting a strong tone at the top with executives that reinforces a culture of compliance throughout the organization. Implementing clear policies that prohibit bribery and corruption. Assessing risks and focusing attention on the most significant risks. Designating a senior officer who reports directly to the board to lead the compliance program. Conducting regular training on ABAC policies. Policing violations of the program and incentivizing compliance through rewards such as paying bonuses for compliance with internal controls. Extending the program and policies to third parties, who are responsible for an estimated 80 to 90 percent of FCPA violations. Creating an internal confidential reporting mechanism and procedure for investigating allegations. Instituting a program of continuous improvement that includes regular testing and review of the company s controls. Including FCPA risks in the company s due diligence procedures for mergers and acquisitions. As the Resource Guide explains, there is no one-size-fits-all solution for FCPA compliance: off-the-shelf compliance programs are ineffective and ill-conceived, if not customized. Ensuring compliance requires a multifaceted approach that aligns an organization s processes and technology to prevent and detect violations. In other words, an organization should tailor its program based on its risk appetite and profile. The Resource Guide also makes clear statements about third-party due diligence programs, indicating that: performing identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risk. the doj and sec will give meaningful credit to a company that implements in good faith a STEELE COMPLIANCE & INVESTIGATION SERVICES 3

4 comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area. (emphasis added). The Resource Guide goes on to endorse the development of a risk model that prescribes the level of resources and attention a company should apply to its FCPA risk areas: as a company s risk for fcpa violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic audits. the degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. when assessing a company s compliance program, doj and sec take into account whether and to what degree a company analyzes and addresses the particular risks it faces. (emphasis added). The most effective programs include systematic methods that allow organizations to monitor, audit, and report on compliance. Manual processes may suffice if there are a limited number of types and categories of third parties and a relatively simple risk model, but even then, they require significant time, manpower, and resources to implement and will be subject to error and inherently lack a credible audit trail. For companies with significant numbers (hundreds or greater) of third parties of different types and categories representing different inherent fcpa risks (e.g., agents, joint venture partners, distributors, logistics and customs companies, consultants, etc.), automating the compliance process yields more consistent, repeatable, and cost-effective results. automation can also be used to address the requirements of data-protection laws when conducting due diligence on individual principals of third parties by automating the notice and consent required for the processing of personal information during due diligence. 4 FCPA COMPLIANCE: THE BENEFITS OF AUTOMATING THIRD-PARTY DUE DILIGENCE

5 USING TECHNOLOGY TO GATHER BUSINESS INTELLIGENCE FOR SMART, STRATEGIC DECISIONS In the past, compliance professionals collected information about potential third-party threats through labor-intensive, manual processes, such as logging information in Excel spreadsheets. But as businesses expand globally and increase their reliance on third parties, it has become impossible to manually sort through every transaction. Today, the advent of third-party management software has automated the collection of data and the review of thousands of transactions, allowing compliance professionals to focus on their core job responsibility: mitigating enterprise risk. Organizations that employ a robust technology platform can establish a defensible, end-to-end process that captures relevant data throughout the entire due diligence effort. They can also push the key aspects of third-party due diligence and onboarding out to remote business units while maintaining headquarters oversight of the process and the results of due diligence, including the resolution of red flags that are identified. In addition, a robust third-party management software will have multiple language capability so that third parties are able to submit due diligence questionnaires in their native language. Structuring this process through a risk-based approach involves multiple steps: taking an inventory of third-party relationships, gathering additional information about any risks posed by those third parties, assessing those risks and creating risk profiles, conducting the appropriate level of due diligence, monitoring continuously, creating an audit trail, and complying with data-privacy regulations. INVENTORYING THIRD-PARTY RISK Because the vast majority of anti-bribery investigations involve foreign third parties, organizations should thoroughly vet third parties representing FCPA risk, such as agents, joint venture partners, distributors, resellers, consultants, logistics and customs brokers, sales representatives, lawyers, and accountants who have contact with foreign officials. Many organizations do not maintain a central, enterprise-wide repository where they collect information about their third-party relationships. So the first step is to aggregate this information from all IT systems, including accounts payable, point-of-sale data, enterprise resource planning (ERP) systems, customer relationship management (CRM) systems, and the like. Organizations should also set up a process for capturing this information going forward. Using a third-party compliance management solution can provide a single, comprehensive view of the entire population of third-party relationships, which organizations can use to set global standards and workflows for compliance. GATHERING ADDITIONAL INFORMATION, ASSIGNING RISK SCORES, AND WEIGHTING RISK FACTORS Next, organizations need to gather the information necessary to assess the risks associated with these third parties. If an organization does not have access to sufficient information to make this assessment, it may need to disseminate questionnaires that capture data about the third party, such as its country of operation, its industry, the nature of its business with the organization and how the third party is compensated, the length of the business relationship with the organization, the average transaction size and annual volume of business with STEELE COMPLIANCE & INVESTIGATION SERVICES 5

6 the third party, the nature of the third party s contact with or its relationship with the local government, its owners and shareholders, its corporate structure, its tax status, and the like. Organizations should also assess the level of FCPA training and awareness among their third parties. Once third party types and categories are determined, organizations can objectively evaluate the risks represented by the third-party relationship, assign risk scores, and decide the weight to be applied to the third party type and category in the risk model. Key factors that may increase the risk score of a particular type or category of third party will be the closeness of the relationship with the third party, the degree of interdependency between the organization and the third party, the degree of control the organization has over the third party and, generally, the extent to which the relationship resembles a principalagent relationship. Organizations can also assign a weight to this factor of the risk model. Many organizations weight this factor as 40 to 50 percent of the overall risk score, with the geographic location of the third party also receiving a similarly high weighting. Automated solutions simplify the deployment of questionnaires and the collection of data. The solutions can then track receipt of data and follow up as necessary. A robust system will send a notice to third parties to complete a due diligence questionnaire in their native language, provide notice and obtain consent to the processing of personal data on individual principals, and notify the appropriate person when the questionnaire has been completed and is ready for review. technology has lowered the costs of implementing a proactive, sustainable, risk-based abac program far below the potential financial, reputational, and other losses that would result from the legal fees and civil and criminal penalties involved in an investigation. ASSESSING RISKS Once the requisite information is compiled, organizations can use a software solution to customize their risk model, test it, and adjust it as necessary. As new third parties enter the system, the risk model will calculate a weighted risk score, taking into account the third party type and category, corruption risk by geography, and other designated factors. The software can classify the potential threats associated with each third party as high, medium, or low based on the third party s final risk score, taking into account an organization s compliance strategy and risk appetite. Ranges of risk scores (e.g., 0 45 = low risk, = medium risk, and > 85 = high risk) create a tiered due diligence review that can ultimately reduce the costs of compliance and meet the expectations of the DOJ and SEC by applying the greatest resources and highest degree of scrutiny to the highest-risk third parties. 6 FCPA COMPLIANCE: THE BENEFITS OF AUTOMATING THIRD-PARTY DUE DILIGENCE

7 CONDUCTING DUE DILIGENCE Based upon where a given third party s risk score places it in the risk tier, the company can prescribe the proper scope of due diligence: Low: A basic step is to perform a global database check for all third parties, which incorporates a review of all available sanctions, embargo, and government watch lists, as well as a database of politically exposed persons individuals who currently or recently held public positions or who perform important public functions, such as government officials, members of royal families, diplomats, leaders of religious and political organizations, military leaders, and judges. Some organizations also perform basic web searches internally for adverse media reports in English. Medium: A more in-depth review often incorporates an open source investigation, which includes thorough online research to evaluate companies that pose a moderate risk. Here, highly educated and trained multilingual investigators research and analyze data from more than 20,000 online media and millions of publicly available online resources in English and native languages. High: An international team of highly trained investigators who understand the local business and cultural landscape and data-privacy regulations can legally obtain information from on-the-ground sources and in-person vetting. For instance, this review can include an on-site visit to validate the legitimacy of the third party s business operations, criminal background checks, a review of local press, and an analysis of existing or prior regulatory concerns. The company should prioritize third parties in the high-risk category, devoting the greatest time and resources to their evaluation. During the investigation, organizations should watch for certain red flags identified by the SEC and DOJ in the Resource Guide, including the following: Excessive commissions to third-party agents or consultants. Unreasonably large discounts to third-party distributors. Third-party consulting agreements that include only vaguely described services. The third-party consultant is in a different line of business than that for which it has been engaged. The third party is related to or closely associated with the foreign official. The third party became part of the transaction at the express request or insistence of the foreign official. The third party is merely a shell company incorporated in an offshore jurisdiction. The third party requests payments to offshore bank accounts. If they uncover any red flags, organizations must thoughtfully determine the risk in establishing or continuing a business relationship with the third party under review. STEELE COMPLIANCE & INVESTIGATION SERVICES 7

8 ENGAGING IN ONGOING MONITORING OF THIRD-PARTY RELATIONSHIPS After completing due diligence, a technology platform can monitor and facilitate the training of third-party employees on the importance of complying with ABAC laws. For instance, software can track the completion of computer-based learning on ethics and compliance issues, require third parties to indicate their understanding of and adherence to corporate policies, and track third parties confirmation that they will abide by ABAC laws. That way, organizations can report on these representations and warranties for compliance purposes and ensure that all third parties renew them on a periodic basis. This systematization can serve as compelling evidence of a commitment to upholding ABAC laws. CREATING AN AUDIT TRAIL AND COMPLYING WITH DATA-PROTECTION REGULATIONS Automating compliance is necessary for creating reliable, credible documentation that a company took steps to detect and address potential violations. The rationale for every decision must be fully documented and every step of the compliance program should be represented in the system. Third-party management software can also provide a chain of custody for investigative records, including date and time stamps. The most effective software platforms create a secure archive for all due diligence documents, which organizations can mine to create informative reports that can educate their leadership, provide evidence of compliance to regulatory officials, or spotlight unforeseen trends in caseloads and investigative activity. With the increased focus on privacy and data protection, third-party management software can also be used to satisfy data-protection regulators requirements to have in place and maintain industry standard physical, organizational, and technical processes and procedures to protect against any unauthorized access, processing, loss, destruction, alteration, theft, use, or disclosure of personal information. Companies should verify that a third-party management software vendor is Safe Harbor certified for the transfer of personal data from the European Union member states. CONCLUSION As government agencies apply heightened scrutiny to overseas transactions to pinpoint corruption and bribery, organizations must take steps to identify potential violations. Limited budgets make compliance challenging in today s global economy but, fortunately, technology has lowered the costs of implementing a proactive, sustainable, risk-based ABAC program far below the potential financial, reputational, and other losses that would result from the legal fees and civil and criminal penalties involved in an investigation. Using a reliable, Software-as-a-Service (SaaS) third-party management tool that is intuitive and that can be customized to an organization s needs can reduce the more overwhelming aspects of compliance-driven due diligence. With such a tool, a multinational organization can provide access to its business units throughout the world without installing any applications and establish and track budgets for third party due diligence activity. Once organizations complete an initial third-party inventory and risk assessment, strategic implementation flows from case initiation through documentation to the routine auditing of third-party relationships with consistency and quality assurance across the enterprise as well as worldwide business markets. 8 FCPA COMPLIANCE: THE BENEFITS OF AUTOMATING THIRD-PARTY DUE DILIGENCE

9 AUTHOR DENNIS HAIST, GENERAL COUNSEL & COMPLIANCE ADVISOR, STEELE CIS Dennis Haist is general counsel and compliance advisor for STEELE (CIS) and its affiliated companies. He has developed corporate compliance programs and conducted internal investigations in the areas of antitrust, FCPA and false claims. His thought-leadership contributions have been published in leading compliance-industry publications, including the Association of Corporate Counsel s Docket, Society of Corporate Compliance and Ethics, National Law Journal, and Chief Financial Officer Magazine. dhaist@steelecis.com ABOUT STEELE CIS STEELE Compliance and Investigation Services (CIS) is a global business advisory and compliance intelligence firm offering comprehensive third-party due diligence solutions that help organizations comply with regulatory requirements and align with current best practices. With more than 20 years of experience, STEELE CIS provides Fortune 1000 companies and mid-sized businesses with pragmatic solutions including Regulatory Due Diligence, Third-Party Program Advisory Services, Program Management Services, and Compliance Analytics and Benchmarking Services. With engagements in more than 170 countries, STEELE CIS delivers local and regional expertise with on-the-ground resources. For additional information regarding risk-based third-party management, please contact a STEELE CIS third-party compliance expert directly, call , info@steelecis.com, or visit Reprinted with permission from The National Law Journal, All Rights Reserved. STEELE COMPLIANCE & INVESTIGATION SERVICES 9

10 STEELE CIS Inc. Worldwide Headquarters One Sansome Street Suite 3500 San Francisco, CA USA +1 (415) CIS