Managing Third Party Risks in a Global Supply Chain The Companies You Keep William Marshall, Hong Kong Ross Denton, London Jasper Helder, Amsterdam Baker & McKenzie Amsterdam N.V. is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.
2013 Global Supply Chain Survey: How to manage thirdparty risk? 2
Why focus on third-party risk? Historically, companies have rarely been held accountable for the actions of their business partners: The majority performed many of the processes they now outsource; Concerns associated with terrorist funding and human rights were less significant; Governments around the world have been passing and enforcing an ever-expanding list of laws forcing companies to scrutinize and police those acting on their behalves. Third-party relationships are not only a source of cost-savings and greater efficiency, but also a major stress. 3
High-level findings Corruption, product quality and general compliance among the top risks. Insolvency of third parties and data/cyber security also identified as significant areas of risk. Companies are more concerned than ever about the reputations of the vendors with whom they partner. Reputational risk placed above cost when assessing a potential third-party supplier or service provider. 80% of the respondents confirmed that the risks of using third-party suppliers or parties are higher in emerging markets, due to increased concerns with corruption and political and legal instability. Third-party risk is highest in China, followed by India, Africa, Russia, South America and the Middle East. Training identified as the best strategy for reducing third-party risk, followed by having better processes for monitoring their compliance with contractual terms and having better protocols for screening suppliers/partners. Ultimate responsibility for managing third-party risk is increasingly shifting to board room level. 4
High-level findings 5
End-to-end framework to help assess and address third-party risk Vetting & Selecting Structuring & Documenting Education & Training Monitoring & Evaluating Reacting & Remedying 6
Customs 7
Customs Incorrect entries can result in additional duties, penalties and delays Customs brokers File im/export entries (on your behalf) Are your liason with Customs in countries you may not be familiar with Are in a volume business & rely on unilateral T&C Can not verify correctness of data provided Vendors, suppliers: provide you with key data Origin Value 8
Getting Customs Declarations Right Import declarations Responsibility for complete and accurate information Tariff classification, valuation, origin etc. Export declarations required for Export compliance verification VAT refund claims Trade statistical purposes Relationships with, and allocation of responsibility between, importers and Customs brokers Recordkeeping and reporting requirements
Issues raised by Incoterms According to Incoterms, who is responsible for customs declaration On import? On export? Who is responsible for physical shipment of the goods and will file declaration on importer/ exporter s behalf? (e.g. Ex-Works) Who owns the goods at the time of export? For valuation purposes on import, what is included in the price? Customs Value is Price paid or payable (invoice) with certain additions (e.g. transport/ insurance costs to the EU) with certain deductions if shown separately on invoice (e.g. import duties) Who is legally responsible for filing customs declaration? Legal position will override Incoterms (or other contractual provisions)
Dealing with your Customs Broker Outsourcing customs clearance to a broker Direct 3rd party makes customs entry in the name of Co. and on its behalf (Co. liable for customs debt) Indirect representation 3rd party makes entry in its own name (broker is jointly & severally liable with Co. for customs debt) Problems with reliance upon freight forwarders and Customs brokers Recordkeeping Accuracy of information submitted to Customs Providing clear instructions/delegation of responsibilities and accurate data to customer broker is vital
Dealing with your Customs Broker (2) What is your current position? No agreement are services governed by 3rd party s standard terms? Many 3rd parties are freight-forwarders, and use standard terms Standard terms drafted for logistics and freightforwarding not necessarily appropriate for customs work
Customer Nominated Customs Broker What controls can you put in place to check accuracy of declaration, compliance with recordkeeping obligations etc? Contractual protection Most Customs Brokers will apply unilateral standard terms & conditions Review declarations for accuracy and request amendments where required Audit performance?
Information given & received Is the information you receive or give complete? Key risk area: country of origin information Certificates or invoice statements Relevant also for product marking Challenge with changes in supply chain Similar risks equally apply in other areas Classification Valuation What information do you generate yourself, what is obtained from third parties? Do not forget risks re information you provide to your customers Introduce disclaimer?
Export Controls & Sanctions 15
Export Controls & Sanctions Distributors & resellers: Who and where do they sell to? Are you and they aware of export controls/restrictions for your products in their country? Vendors, suppliers, consultants: Do they tell you what the control status of their products is? Is that information correct? Did they obtain the appropriate licenses? Do they put your controlled data in the cloud? 16
Risk Assessment What are you supplying? Who is responsible for export compliance? Who is the exporter? For the purposes of sanctions, who is selling, supplying, transferring the items? Which party is responsible for obtaining a licence? Which is the competent licensing/enforcement authority? Item included on a control list (dual-use, military, sanctions)? Any US content? What will the item be used for? Controlled activity or end-use? Suspicion/red flags? Where are you supplying to (directly or indirectly)? Country subject to sanctions or embargo (or diversion risk)? Which other countries are involved in the supply route? Who are you transacting with? Counterparty or related party subject to sanctions? Method of payment/funds flow? Blocking or freezing of funds?
Who is the exporter? For example: defined in EU Dual-use Regulation: person who holds the contract with the consignee in the third country and has the power for determining the sending of the item person who has the power for determining the sending of the item the contracting party established in the Community. Sanctions product controls apply to the sale, supply, transfer or export of prohibited items thus wider than the issue of exporter for the purposes of export controls Is there a clear understanding between seller, buyer, carrier, customs broker etc? Do all parties have the information they need? Incoterms can not overrule statutory obligation or responsibilities
Key Risks: What is your product and what is it used for? Regulatory: Dual-use controls (which laws apply to items? US origin/technology?) Military controls (including specially designed or modified ) End-use controls (WMD, military, human rights, US AT) Product controls under specific sanctions regimes Supply Chain: Do you know what the intended use is? Does the tech profile of the end user match the item? Commissioning/technical support needed and asked for?
Key Risks: Where are you supplying to? What destination & shipping information has been provided to you? (forwarders addesses, logical shipping routes, FTZ?) Who is responsible for organising shipment? Up to where? What country is the customer/end user based in? What intermediary countries are involved? Does this raise diversion concerns?
Key Risks: Who are you transacting with? Designated Persons/Specially Designated National EU Freeze on funds and economic resources belonging to, owned, held or controlled by DPs EU Prohibitions on making funds or economic resources available, directly or indirectly, to or for the benefit of DPs US prohibitions to transact with SDN DPs/SDNs can include wide range of parties (e.g. entities, banks, individuals) so they can be everywhere in your supply chain Due Diligence: to exclude DP/SDN involvement to prove no reason to suspect DP/SDN involvement
Third Party Screening End-use/end-user restrictions require customer screening Military or weapons proliferation activities Restricted and prohibited end-users Screening of multiple parties customers agents, distributors freight forwarders and other service providers Screening at multiple moments Order intake/customer registration Prior to shipment 22
Anti-Corruption 23
UK Bribery Act 2010 Liability for Third Party s Actions Introduction of new corporate offence as of July 2011: Quasi-strict liability offence of failure to prevent bribery; no intent, knowledge or suspicion required by corporate Offence can be committed by corporate where an associated person bribes another person intending To obtain or retain business for the corporate; or To obtain or retain a business advantage in the conduct of business for the corporate No limitation on meaning of associated person ; may included employees, agents, and distributors Subject to adequate procedures defence
FCPA Liability for Third Party s Actions FCPA covers payments made to any person, while knowing that all or a portion of such money or thing of value will be offered, given, or promised, directly or indirectly to a foreign official A person acts knowingly with regard to conduct/a circumstance/ a result if (a) aware that he is engaging in such conduct, that such circumstance exists, or that such result is substantially certain to occur or (b) has a firm belief that such circumstance exists or that such result is substantially certain to occur Conscious avoidance doctrine: Management officials [can] not take refuge from the [FCPA s] prohibitions by their unwarranted obliviousness to any action (or inaction), language or other signaling device that should reasonably alert them to high probability of an FCPA violation 2013 Baker & McKenzie LLP 25
FCPA Accounting Provisions Books and records Issuers are required to make and keep detailed books, records, and accounts that fairly and accurately reflect transactions and dispositions of assets Note: this extends to majority-owned foreign and domestic entities including joint ventures Internal accounting controls Issuers must devise and maintain internal accounting controls to ensure that financial records and accounts are accurate for external reporting, that access to assets is permitted only in accordance with management instructions, and that the books are audited at reasonable intervals 2013 Baker & McKenzie LLP26
Third Parties Red Flags Excessive commissions to third-party agents or consultants Unreasonably large discounts to third-party distributors Third party consulting agreements that include only vaguely described services The third party consultant is in a different line of business than that for which it has been engaged The third party is related to or closely affiliated with a foreign official The third party became part of the transaction at the request or insistence of a foreign official The third party is merely a shell incorporated in an offshore jurisdiction The third party requests payments to offshore bank accounts 27
Risk Ranking Higher Risk Medium Risk Lower Risk Nature of Relationship Sales (and marketing) agents Introducers, representatives, consultants Lobbyists, government affairs consultants Agents, representatives, consultants that assist in obtaining required governmental, regulatory or other mandated permits or licences JV or other partners that Company formally collaborates with Distributors appointed by Company to make sales in their own name Freight forwarders, customs agents Outsourcing providers, sub-contractors or other suppliers that provide manufacturing or other services (such as IT, communications, security, cleaning, catering, warehousing etc.) Suppliers of goods on standard commercial terms Lawyers, accountants and other providers of professional services (unless operating in a capacity, such as an introducer, described elsewhere in the table)
Third Party Process 29
Delivering an Effective Third Party Process Process must be clearly defined Consider who needs to input, ownership and structure of the process Business Legal / Compliance Finance Ensure consistent application of standards (e.g. third party rejected by one part of the business must not be approved by another part) Defined process for monitoring and reviewing/auditing third party relationships Thorough documentation of process; adequate procedures Effective verification of payments to third parties through back-end financial controls Support through training and periodic evaluation
Risk Based Due Diligence 1. Risk Classification 2. Due Diligence Higher Medium All Third Parties Lower Classification of Third Party Due Diligence lower risk Due Diligence medium risk Due Diligence higher risk 2012 Baker & McKenzie 31
Example Due Diligence Higher Risk Higher - Compliance clauses included in agreement - External questionnaire completed by Third Party - Internal questionnaire provided by responsible company employee - External sources (number of sources and depth/scope of review to be defined) - References Medium Due Diligence Medium Risk - Compliance clauses included in agreement - External questionnaire completed by Third Party (optional) - Internal questionnaire provided by responsible company employee - External sources (number of sources and depth/scope of review to be defined) Lower Due Diligence Lower Risk Compliance clauses included in agreement
Issues for Third Party Screening Necessity Do we need the third party? Qualification Is the third party qualified? Is the third party competent / experienced? Reasonableness of the compensation Is the compensation in line with the services provided? How does the compensation compare to other benchmarks, such as industry practice or our practice in comparable situations? Integrity Who is the third party? What does the third party request?
Third Party Agreements Discussion Points Content of compliance clause: Address: behaviour; compliance with laws; record keeping; audit rights; rights of termination and indemnification Reference to compliance with the Company s Policy or Code of Conduct? When should a compliance clause be included: For all relationships? Short form vs. long form? When is the Company willing to negotiate the content of the compliance clause? What procedure should be followed in respect of variation requests? What if a third party outright rejects the inclusion of an anti-bribery clause? What is the Company s stance regarding an obligation to comply with a third party s policy? What should the standard response be? Is it ever acceptable to contractually commit the Company to adherence to a third party s policy?
Questions? William Marhsall Hong Kong william.marshall@bakermckenzie.com Ross Denton London ross.denton@bakermckenzie.com Jasper Helder Amsterdam jasper.helder@bakermckenzie.com 35