FORUM: Managing third-party fraud and corruption risks
February 2014 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION
Financier Worldwide Magazine
FW moderates a discussion on third-party fraud and corruption risks between Peter S. Spivack at Hogan Lovells, Neil Swift at Peters & Peters Solicitors, and Alexander J. Willscher at Sullivan & Cromwell.
FW: Could you outline the main fraud and corruption risks that can emerge from third party and counterparty relationships?
Spivack: The main risks to emerge from third-party relationships include the bribery of government officials to obtain or retain business; interference with public tenders through conduct such as bid rigging; diversion of business assets and business opportunities; and reputational risk and harm.
Swift: Over the last decade, we have seen a tightening of anti-corruption laws coupled with increased enforcement action, often in multiple jurisdictions. With the introduction of the Bribery Act 2010 in the UK, which came into force in July 2011, one of the greatest risks UK companies now face are the corrupt acts of third parties for which the company could now be held liable regardless of knowledge. This category is broadly drawn and potentially encompasses all third-party relationships, from joint ventures and subsidiaries, to sponsors, intermediaries and local agents. Whilst the Bribery Act has been deliberately fashioned to punish companies for failing to take adequate measures to prevent bribery by third parties, it does allow for a defence that an organisation had ‘adequate procedures’. In the absence of any case law on the interpretation of what would constitute such a defence, a watertight due diligence and compliance program is essential.
Willscher: The most significant risk remains corruption and bribery. The US government has continued its aggressive enforcement of the Foreign Corrupt Practices Act. In doing so, it routinely has pursued an expansive view of the elements of the claims, including jurisdiction, and of principles of vicarious liability-holding companies, which are otherwise in compliance with fraud and corruption laws, to be responsible for the business conduct of related third parties. In addition, regulators in the UK and several others countries have passed strict anti-corruption legislation and intensified their enforcement efforts. Additionally, in the case of financial institutions, regulators in the US and elsewhere have aggressively prosecuted cases stemming from risks presented by banks’ customers and other counterparties. Many of these enforcement actions have involved transactions – processed by banks on behalf of their counterparties – that allegedly were somehow connected to money laundering or violated various sanctions regimes. A final significant risk I see is fraud in connection with the financial statements of joint venture partners.
FW: In your experience, what types of third parties – such as suppliers, agents, intermediaries, advisers, consultants – pose the greatest risks?
Swift: The level of risk posed by a third party will depend on a variety of factors, including, for example, the sector and country in which the company operates. The risks for each business will differ, which is why businesses must start with a risk assessment and take a risk-based approach. If a third party is being used as a conduit for the payment of bribes, a mechanism for the movement of money will exist. There are a variety of methods by which this can be done, such as inflated fees, false invoices for services not actually provided, expenses billed but not incurred or inflated contract prices with kickbacks. It is for this reason that the process of appointing and managing a third party must be underpinned by robust due diligence, risk assessment and monitoring. The type of third party is less significant than what they actually do. In high risk jurisdictions and high risk sectors the payment of large sums to third parties by way of commission carries with it a substantial risk that funds will be used unlawfully.
Willscher: Any and all of those types of third parties have the potential to present significant risk. Most of the cases with which I have been involved have focused on consultants who were retained – at least in part – as a result of their personal connections to local government officials. But even consultants without connections to public sector officials can be a source of significant fraud risk to a company. A common example I have seen are cases in which consulting contracts are awarded to senior executives of a company or their family or friends in order to perform additional services on behalf of the company. In many of these instances, the work that the consultants will perform is vaguely defined and the consultants’ performances under the contracts are not closely monitored. In my experience, even companies that conduct due diligence in connection with their retention of agents and intermediaries do not often closely monitor those entities’ compliance with law following their retention. Oversight of this nature is essential to implementation of a robust program of compliance with anti-bribery legislation.
Spivack: Rather than basing the answer on a categorical approach, I would point to any third party that has a role interacting with customers or government entities; has the discretion or authority to act on the principal’s behalf; engages its own third parties to assist in the transaction; operates in a geography that has a less-developed legislative or enforcement regime; and does not allow the principal – or a delegate – to review its compliance systems and accounting records.
FW: What advice can you offer to companies when it comes to implementing and maintaining robust monitoring systems for third-party risk? To what extent can this be customised for the type of third parties that the company deals with?
Willscher: Avoid adopting a one-size-fits-all compliance program. Regulators expect companies to design their fraud and anti-corruption efforts based on the particular risks posed by their business and the third parties with whom they operate. For example, the US Department of Justice’s recent FCPA settlement agreements have required the offending companies to institute risk-based due diligence and compliance requirements in connection with the retention and oversight of third parties. Likewise, in October 2013, the Office of the Comptroller of the Currency issued specific guidance on managing risks from third party relationships, which emphasised the necessity of having – and implementing effectively – compliance processes that are commensurate with the level of risk presented by their third-party relationships. Other key parts of a robust system for monitoring third-party risk include: proper due diligence; written contracts that outline the rights and responsibilities of all parties; ongoing monitoring; clear responsibilities within the company for overseeing the relationship and risk management process; documentation of the process; and independent reviews or audits of the third-party relationship.
Spivack: Monitoring systems should be customised for the types of third parties that the company deals with. For the most significant third parties, such as those that are interacting with customers or government entities in high risk areas, the monitoring systems should include periodic audits of the third party compliance systems and internal controls at the transaction level. Because third parties may object to such reviews when they handle business for multiple parties, a company can propose a delegate, such as a forensic auditing firm, that can engage in a review without disclosing sensitive business information to the company. Companies should also review compensation arrangements with third parties, such as commissions, to ensure that they are commercially reasonable within the geographic context and in view of the duties performed by the third party. Where such duties are undertaken by the third party, the company should collect and maintain the evidence that the third party fulfilled its contractual duties.
Swift: Unless a company effectively implements and enforces its compliance procedures, its inherent value – to reduce the risks of bribery with the use of adequate procedures, and provide a defence if required – will be lost. In other words a compliance procedure must have teeth. It is essential that all layers of management buy into the implementation and monitoring process, from board level to operational management. Compliance should be a key performance indicator. The systems should include continued monitoring of the performance of the third party, with regular contact, reviews, and visits supported by audits, with up-to-date due diligence, and a continued review of the business need against the potential risks. It will also be necessary for the contractual arrangements to oblige third party cooperation, with an appropriate termination clause in the event of default. Of course there is no reason why the monitoring system should not be flexible: the cornerstone of an effective program is an assessment and appreciation of risk. The issue will be ensuring that any flexibility is exercised properly, with appropriate independent oversight.
FW: In your opinion, do firms pay sufficient attention to due diligence at the outset of a new business relationship? What should third party due diligence cover?
Swift: A key component of reducing a company’s risk is through effective due diligence. It allows a company to assess the technical and professional capabilities of a third party, and discover any concerns or ‘red flags’, before even entering into a contractual relationship. It is also an opportunity to ensure that the third party’s anti-corruption policy is adequate and for it to assess whether it appears the third party will abide by its policy. Failing to take proper due diligence, in deference to other commercial priorities, would be a mistake. The third party should, at a minimum, be required to provide information about its shareholders, directors, any involvement with public officials and its resources and capabilities to perform the required service. If a prospective intermediary refuses to provide information, is offended by such a request, or is unwilling to meet the requirements of the company, then this in itself would constitute a red flag. It is important that due diligence does not simply comprise a box that is ticked at the outset and then put away; it should be continually monitored and reviewed. In doing this, a company is more likely to ensure that the third party behaves in a manner consistent with the company’s own anti-corruption policy, and thereby reduce its own ongoing risk.
Willscher: Most companies recognise that today’s active enforcement culture requires a robust compliance program. Due diligence of third party relationships is expected by regulators and, in my experience, such due diligence is typically the norm. As already indicated, however, what is less common is active oversight of the activities of agents and intermediaries on behalf of a company following their retention. Any due diligence should be tailored to the particular business and the third party involved. Among other things, due diligence should determine the reputation for corruption in the country in which the business activities will take place; determine the integrity of the third party through available sources; identify any connection between the third party and local government officials; evaluate the retention arrangements, including the fee structure, for any incentive for inappropriate conduct; and include ongoing monitoring of the third party to determine, among other things, the propriety and reasonableness of compensation payments and payments made by the third party on the company’s behalf.
FW: What factors should companies consider when assessing the level of due diligence to conduct on a particular third party? What red flags should firms seek to identify during their analysis?
Spivack: There are a number of factors that can and should be considered. Geographic risk should involve an understanding of where the country is ranked on objective indices, such as the Transparency International Corruption Perception Index. Sectoral risk concerns the specific industry or sector involved – for example, there have been numerous anti-bribery issues in the extractive industries. Transaction risk should consider the risks posed by the nature of the transaction at issue, such as whether the third party is representing the company in a public tender, and whether the public tender process provides an opportunity to influence decision-making officials. Business partnership risk is an issue if the company is entering a joint venture or other business partnership, and it is important to know what controls exist over the other party’s actions. Further considerations include the degree of interaction with public officials in the business or transaction; whether the business or transaction requires permission or clearance from a government entity and whether a third party handles that permit or licence for the company; and discretionary authority such as what types of discretionary authority the third party exercises on the company’s behalf, such as whether it conducts marketing activities or customer recruitment on the company’s behalf. Companies should also consider the scale of the contacts, including whether the company is seeking contracts with significant value or whether the business model is reliant on many small sales; how much experience the firm has in the region and the industry, and its knowledge of the local market; and finally, its compliance history.
Willscher: One critical factor is the nature of the business. The level of due diligence required of a third party that will provide IT services is likely to be significantly less robust than that required of a third party that will be soliciting to government contracts. Other factors include the general risk of corruption and fraud in the markets in which the third party operates; the volume of business; whether the third party is operating in an industry where corrupt payments occur more frequently; the extent of the third party’s involvement with public sector employees; whether the third party relies on entertainment or sponsorship to develop business; whether the third party’s role, responsibilities and services, and the means by which they are to be carried out, are clearly defined; and whether the third party is located in a country in which the government owns or controls a majority of businesses. Potential red flags include a third party that is reluctant to provide information or to sign agreements adhering to a company’s anti-bribery policy; has a history of past violations or present investigations; is compensated primarily based on its ability to obtain regulatory approvals; or requests large, upfront payments or indirect or otherwise atypical payment arrangements.
Swift: Third parties serve different purposes and therefore pose different levels of risk. A consultant providing services in a country ranked high on Transparency International’s Corruption Perception Index will draw more attention than a consultant operating in a country lower down the Index. If, however, the latter has connections to public officials he may pose a much higher risk than the former. The level of due diligence will therefore be dictated by the company’s own risk assessment. Likewise, the nature of any red flags will vary. A red flag is simply an indication of increased risk. At the very least, a company should bear in mind risks associated with the country in which the services are to be provided; high risk sectors and industries; failure to cooperate or fully comply with a company’s due diligence process; close relationships with, or recommendations by, government officials or customers; and third parties located outside the country where the services are to be provided and that have no significant business presence there. Firms should also be diligent of third party’s accounts – ‘letter box’ or ‘shell’ companies; opaque ownership structures; requests for commissions to be paid in a third country, to a third party, or in cash or untraceable funds; requests to keep the third party relationship secret; and advance payments.
FW: What unique difficulties and risks face companies doing business with third parties in developing nations? How common is corruption risk in such countries?
Swift: In its latest Human Development Report, the United Nations Development Programme projects that by 2020, “the combined economic output of three leading developing countries alone – Brazil, China and India – will surpass the aggregate production of Canada, France, Germany, Italy, the United Kingdom and the United States”. Traditionally, developing countries have scored worse on anti-corruption indexes, requiring extra vigilance for those operating within them; there are, however, signs that they are beginning to tackle the issue of corruption. Certainly, in the leading three developing nations, anti-corruption is high on the political agenda. On 1 August 2013, Brazil enacted new anti-corruption legislation, which is due to come into force on 28 January 2014. It will introduce a more comprehensive system of corporate and individual liability for acts of corruption against Brazilian and foreign public officials or governmental bodies. In December 2013, India’s parliament approved a landmark anti-corruption bill, which would empower an independent ombudsman to investigate and prosecute cases of corruption by public officials. And, finally, China recently hailed that its crackdown on corruption had led to a 13.3 percent increase in the number of people punished last year. However, the essential requirement of appropriate due diligence remains.
Willscher: Corruption risks can be particularly prevalent in certain emerging markets, where corruption may be a practical business reality in a variety of contexts. Companies accordingly should treat potential transactions in such jurisdictions with additional care. In addition, companies should bear in mind that in some countries, local data privacy, labour laws and other regulations have the potential to limit the company’s ability to conduct sufficient due diligence on third parties.
Spivack: The greatest difficulty that companies face in doing business in any new market is the paucity of public source information that is easily accessible. Each country is different, so it is impossible to generalise about whether corruption risk is higher in a developing nation than a developed nation. Indeed, certain developed nations have a long history of corruption issues. Instead, the risks can be analysed by looking at how developed the country’s legal system is, whether there is a history of anti-corruption enforcement, whether the government operates in an open and transparent manner, and whether there is a concentration of wealth in the hands of a few.
FW: Given the current regulatory environment, what further advice can you offer firms on the most effective methods of managing and monitoring ongoing relationships with third parties?
Willscher: Companies should design their compliance programs around particularised risk posed by specific business. Additionally, they should ensure that the appropriate employees are adequately trained on applicable laws and corporate policies, and are conducting business in accordance with those laws and policies. Likewise, companies that perform a substantial amount of business through third parties should provide training to those third parties about the applicable laws and company policies. Companies should also take appropriate steps to monitor closely the ways in which third parties undertake activities on their behalf. Finally, they should document steps taken to mitigate risk, including through contracts with third parties.
Swift: Sadly, no compliance procedure will ever be bulletproof. Notwithstanding this, a company must send a clear message to its employees and third parties that it operates a zero tolerance policy to bribery, fraud and corruption. The best way in which this can be done is with a clear and explicit compliance program against bribery and corruption, including training, audits and continued monitoring.
Spivack: Third parties are a continuing area of risk for companies, and they will remain so. A well organised and adequately resourced third party life cycle management team is critical to mitigating that risk. Relationships with third parties need to be carefully vetted and reviewed at each stage – formation, performance and termination. Experience shows that a risk-based approach to stratifying and managing third parties can be the most effective management tool.
Peter Spivack is co-leader of the Investigations, White Collar and Fraud Practice Area. His experience in the criminal arena includes antitrust, environmental, Foreign Corrupt Practices Act (FCPA), government contract and healthcare matters. Mr Spivack has worked with numerous companies and organisations in defending grand jury investigations, as well as conducting compliance audits and internal investigations and monitoring and improving compliance programs. He has also handled a wide array of civil matters.
Neil Swift is a partner with significant experience in business crime. He specialises in advising corporate and individual clients in corruption investigations, criminal cartel matters, mutual legal assistance requests, FCA inquiries and tax delinquency. He has advised corporate and individual clients in respect of investigations brought by all major UK law enforcement agencies and has played a key role in advising in respect of investigations conducted by foreign agencies, including the US Department of Justice.
Mr Willscher’s practice focuses on white-collar criminal defence, regulatory enforcement proceedings and internal investigations. He has represented companies and individuals under investigation by the US Department of Justice, the Securities and Exchange Commission, the US Commodity Futures Trading Commission, the US Senate Permanent Subcommittee on Investigations, the US Treasury, and state and local prosecutors’ offices. From 2004 to 2010, Mr Willscher served as an Assistant United States Attorney in the Southern District of New York.
© Financier Worldwide
Peter S. Spivack
Peters & Peters Solicitors
Alexander J. Willscher
Sullivan & Cromwell