Preventing corruption while protecting personal data
July 2013 | 10QUESTIONS | RISK MANAGEMENT
FW speaks with EY’s Sanjay Bhandari, Miles Ripley and Kevin O’Connor about preventing corruption while protecting personal data.
FW: What has been the impact of new anti-corruption legislation such as the UK Bribery Act, and increased enforcement of the US FCPA, on corporate anti-corruption practices? How are firms faring in today’s anti-corruption landscape?
EY: Since 2001, enforcement of the FCPA has increased significantly. Prior to that, only eight enforcement actions were taken by the SEC. Since 2006, more than eight enforcement actions have been taken annually. That message, coupled with increased regulation around the globe such as the UK Bribery Act, has resulted in the proliferation of anti-bribery and corruption compliance programs at companies both in the Fortune 1000 and also companies that are mid-market and those that are privately held. As an indicator, EY’s 2013 EMEIA Fraud Survey indicates that 57 percent of the over 3,000 entities surveyed have implemented an anti-bribery or anti-corruption policy. Companies with mature anti-bribery programs that have a good understanding of how to manage bribery risk are now seeking advice to make their anti-bribery programs more efficient and sustainable without increasing risk. Companies just beginning to grapple with managing bribery risk should seek to benefit from the lessons learned by others who have gone along this journey.
FW: How important is anti-corruption due diligence at the outset of a business relationship or transaction process?
EY: Due diligence is critical. Once the third party has acted on behalf of an entity, the relationship has been established and the entity accepts potential risk that goes along with that action; therefore, the entity must perform their diligence prior to empowering the third party to act on its behalf. Typically, the prospective third party provides the entity with a significant amount of information, such as ultimate beneficial ownership, state of registration, taxpayer identification numbers, physical address, and so on. Each element of information should be carefully scrutinised for red flags to ensure that the third party is not only capable of providing the relevant service but also is free of any reason for concern. Any indication of prior corruption, regulatory issues, bankruptcy, state ownership or political exposure will warrant serious consideration from the company before proceeding with the proposed relationship.
FW: The use of third parties, such as consultants, agents and distributers, exposes firms to unique corruption and data protection risks. What are some of common risks that arise and what steps can be taken to mitigate them?
EY: The risks of utilising third parties worldwide can be daunting. Geographic risks are inherent to global growth and, depending on where an entity does business, increased risk may follow. Not only is bribery commonplace in some countries around the world, in some places it’s required. Bribery and corruption risks can generally be grouped into three categories. The first is the sales channel or route to market – for example, paying bribes to regulators to obtain trading and product licenses, or paying bribes to customers to win or retain business or sales contracts. The second category is in operations and production – paying bribes to government agencies that regulate manufacturing or production operations, and also applying to construction and other capital projects that require specific licenses and permits. Finally, the third category is the movement of products – paying bribes to customs officials to assist in facilitating the movement of products across border or movement of product within an area that is known for corruption. These risks can be mitigated by thorough due diligence of a third party’s credentials and their reputation via sources in the public domain. Ongoing monitoring of these third parties is key to ensuring risks related to these third parties is minimised.
FW: Would you advise companies to periodically refresh and expand their diligence programs to include third parties? To what extent are companies failing to keep their programs up to date with changing regulations and enforcement activities?
EY: Ongoing monitoring of the third parties is key for compliance with anti-bribery and corruption regulations. Once the population is identified and a risk-based approach used to identify what the entity may perceive as moderate and higher risk third parties, the entity should perform enhanced due diligence to mitigate any elevated risk. Once this baseline vetting has been performed, the third party onboarding process must encompass diligence components to ensure that any new third parties added to the vendor master file are free of any unwanted risk. Revisiting the larger group on a periodic basis ensures that those third parties who have passed the litmus test in previous iterations of the diligence process have not encountered any issues which the entity would consider to be red flags.
FW: Given that a company may be associated with tens of thousands, if not hundreds of thousands, of third party entities and individuals, how important is it to filter this number down to a more manageable population before embarking on enhanced third party due diligence?
EY: Because enhanced due diligence requires skilled resources and is driven by proprietary information, performing such analysis on a large group of third parties can be a very time-consuming and costly endeavour. Adopting a risk-based approach to identify higher risk third parties is key to categorising third parties into more manageable subsets of risk to identify those which will be subjected to enhanced due diligence. In some cases, companies have hundreds of different vendor and customer master files around the world, each containing thousands and thousands of third parties. Data mining for duplicates and inactive third parties will alleviate some of the volume; however, it’s the filtering process of these third parties by risk factors such as vendor activities, geography, annual spend and relationship that allows for more manageable analysis of those third parties deemed moderate and higher risk.
FW: In what ways can due diligence procedures identify aspects of a third party that may threaten or compromise its compliance with anti-corruption laws?
EY: Findings from due diligence may not necessarily compromise a third party’s compliance with anti-corruption laws; however, it can certainly threaten its ability to do business with the company. A high volume of legal matters, adverse media reports and unsavoury associations may attract unwanted attention can be significant deterrents for an entity to retain a third party.
FW: Privacy laws often aim to protect the very information that due diligence process is trying to uncover. What restrictions can firms expect to come up against when attempting to uncover sensitive information?
EY: The practical implications of privacy law differ from country to country. We always work very closely with a company’s in-house or external privacy law attorneys to resolve such challenges. In our experience, these laws typically seek to protect ‘personal data’ and ‘sensitive personal data’. Personal data is generally information that relates to a living person. Sensitive personal data relates to more intimate characteristics of that person, for example: religious affiliation, sexual orientation, disability, medical conditions, and so on. In general, privacy laws restrict the processing and transfer of such data with greater restrictions on sensitive personal data. The general principle is that such data must be processed fairly and there are generally no absolute bars to processing or transfer. Processing is broadly defined to include the copying of such data – for example, when being produced to provide to a prospective purchaser in due diligence. A major problem can be that the concepts of ‘personal data’ and ‘sensitive personal data’ are interpreted differently in each country. For example, some attorneys interpret certain local laws in a way that even the mention of someone's name can constitute personal data. In other countries, the same attorney may take the view that significantly more information would be required to be considered personal data. In our experience, there can often be significantly different views of a jurisdiction’s privacy laws from different attorneys and firms. The area of data privacy is a relatively new field and the interpretation and position a company takes can have a significant impact on the effectiveness of due diligence. The complexity is compounded when there is a need to transfer or review the data outside the local jurisdiction.
FW: Firms conducting anti-corruption due diligence may need to provide notice to individuals whose personal data is collected as part of the process. What details should such notice contain? And what rights do individuals have regarding the access and correction of this information?
EY: The precise requirements for the consent notice and any right to access or correct information vary from country to country. Again, we work closely with local law attorneys to jointly articulate practical solutions to these challenges. In our experience working with them, attorneys generally take the position that such notices should be sufficiently clear and specific to constitute informed consent. As a practical matter, setting out in the consent notice a clear articulation of what will be done with the data, in as much detail as is appropriate, can be helpful. The notice could very carefully articulate the point at which a pair of human eyes will actually review the document to distinguish from the application of automated machine processes which can alleviate some concerns. To the extent that individuals exercise the right to access or correct information, these are taken seriously and need to be handled carefully and sensitively with local management to address specific concerns on an individual basis.
FW: Anti-corruption and data privacy legislation can differ from jurisdiction to jurisdiction. What steps can multinational firms take to ensure they are compliant across each region in which they operate?
EY: Anti-corruption and privacy laws do indeed vary greatly from jurisdiction to jurisdiction. Privacy law, in particular, is a minefield. For example, in the EU, the relevant legislation guiding privacy law is a directive rather than a regulation. A directive has no direct effect in the member states. The effect of this is that the directive creates a minimum standard which each member state has to implement but it may set its own higher standards. This creates many idiosyncratic differences between member states of the EU. Many multinationals have privacy officers and routine data privacy policies dealing with the processing of data in the usual course of business to comply with competing privacy obligations; however, such policies may not cover processing of data outside of business as usual purposes – for example, privacy principles may have to be considered where there is a dispute or transaction that requires data to be processed. For some businesses, disputes and transactions are a routine occupational hazard. Rather than reinventing the privacy compliance process in each new dispute or transaction, some businesses are scenario-planning for reasonably foreseeable events, considering likely locations and sources of data applicable to such scenarios and articulating outline policies for such scenarios, preferred privacy compliance protocols and agreed-upon legal advisors on-call for each jurisdiction. In any event, articulating a written privacy compliance protocol is a sensible step for any transaction where data is processed as this may be used in evidence in any subsequent challenge to the fairness of the processing or transfer of data.
FW: Going forward, do you expect any areas of anti-corruption, or privacy and data protection, to be subject to further legislative or regulatory change? What general form might future developments take?
EY: In the EU, there are substantial proposals to change the guiding EU legislation. A new EU Privacy regulation is being discussed. This contains many proposals and it is likely to take a number of years of discussion before it is implemented. If implemented, one significant advantage is that the regulation would create one set of rules across all EU member states. Even if adopted, it still would not preclude EU members from interpreting these rules in different ways. In its current form, the proposal trends toward the more stringent and restrictive member states – such as Germany – and would raise the bar across the EU. It also contains a number of new proposals such as providing a ‘right to be forgotten’. This has caused a degree of controversy because of the difficulty in implementing such a concept. While the new regulation may be more restrictive, the consistency of rules across the whole EU may present some further advantages. At present, the law is so disparate around the EU that it is very difficult to create technological solutions and the costs of legal advice to comply can be heavy. A truly harmonised law presents an opportunity to create technical solutions to compliance problems and, in the long term, improve effectiveness and reduce the legal costs of compliance.
Sanjay Bhandari is a partner in Ernst & Young LLP’s Fraud Investigation & Dispute Services (FIDS) practice in London. He is a qualified litigation solicitor with over 22 years' experience managing cross-border disputes including many disputes and investigations involving large scale document production. He has advised businesses in a wide variety of sectors and also advises clients on records risk management strategies, an area of increasing concern to businesses dealing with the risks associated with quickly expanding electronic records.Mr. Bhandari can be contacted on +44 (0) 207 951 8370 or by email: email@example.com.
Miles Ripley is a partner in Ernst & Young LLP’s FIDS practice in Chicago. He has more than 15 years of forensic accounting investigation and compliance experience, specializing in fraud, bribery and corruption, business intelligence and multi-jurisdiction asset tracing and recovery investigations. A number of these investigations have been conducted during criminal and insolvency proceedings. In addition, Miles has significant experience in assisting clients with the design, implementation and monitoring of anti-fraud and anti-corruption compliance programs, including conducting business intelligence, risk assessments and anti-corruption monitoring. Mr. Ripley can be contacted on +1 (312) 879 3851 or by email: firstname.lastname@example.org.
Kevin O’Connor is a senior manager in Ernst & Young LLP’s FIDS practice in New York. He has more than 20 years of complex investigative, forensic accounting, internal audit and public accounting experience. He is an expert on anti-corruption, occupational fraud and investigative due diligence. Mr O’Connor performs asset theft, risk management, Foreign Corrupt Practices Act investigations, anti-money laundering and other international assignments. He has led complex fraud and corruption investigations both domestically and abroad on behalf of Fortune 500 companies, global banks and other financial services firms, not-for-profit organizations and healthcare companies. Mr. O’Connor can be contacted on +1 (212) 773 6647 or by email: email@example.com.
© Financier Worldwide