FORUM: Third party corruption and fraud
July 2015 | SPECIAL REPORT: WHITE-COLLAR CRIME
Financier Worldwide Magazine
FW moderates a discussion on third party corruption and fraud between John C. Auerbach at EY, Nathan Lankford at Miller & Chevalier Chartered, and Andrew Hayward at Subsea 7.
FW: Could you provide an overview of the main corruption and fraud risks potentially arising from third party and counterparty relationships? What lessons can we learn from recent high profile cases?
Auerbach: The corruption and fraud risks related to third parties are essentially one and the same – they both involve the use of an external intermediary to hide the identity of whoever ultimately receives the third party payment. In a fraud scenario, the risk is usually some form of embezzlement. The third party is controlled by or colluding with someone within the company, and then secretly passes some portion of the funds they receive back to that employee. The corruption scenario is the same, just with a different ultimate recipient: the bribery target. Often the fraud and corruption happens in the same transaction, with the funds divvied up between the bribe taker and the employee involved.
Hayward: Third parties may present a risk of bribery or fraud against you or your organisation. In order to win work, influence a tender specification or pre-qualification criteria or have their work certified or paid, a supplier, consultant or sub-contractor may pay a bribe to your procurement manager or some other manager able to influence the award of a contract. A bribe from such a third party could take many forms, be it cash, extravagant gifts or hospitality, some other benefit such as free use of a holiday villa, a car, or a work placement for a family member of the manager bribed, or some form of kickback, such as a percentage of the excess profit made by the third party circumventing your procurement controls. Alternatively, one of those third parties may submit false or inflated claims for payment – for example, for work not done, costs not incurred, delays or extensions of time that are the third party’s responsibility, or variations that should be within the original contract scope. More serious corruption risks are those for which you or your organisation could be liable, rather than those of which you are the victim. This could include bribery by a third party directly or indirectly on your behalf or from which you benefit.
Lankford: Hidden ownership and potential willingness to engage in misconduct are the main risks in such relationships. FCPA risks arise where a government official may have a concealed interest in the third party, such that payments to the third party could be viewed as a bribe, and where there are signs that a third party may make improper payments to officials on a company’s behalf. Recent FCPA cases show that the types of third parties involved in corruption schemes, and their role in improper payments, vary greatly depending on the unique set of pressure points faced by companies in particular industries and locations. For example, customs brokers may be a primary risk for an oil and gas company that needs to quickly move equipment in and out of Nigeria, whereas lawyers assisting with regulatory approvals may be a primary risk for a retailer seeking zoning approvals for store locations in Mexico. In short, recent cases teach us the lesson that you can’t predict your third party risks without doing some homework.
FW: What types of third parties – be it JV partners, distributors, suppliers, agents, intermediaries, advisers, consultants – pose the greatest risks, in your opinion? How should a firm limit fraud and corruption risks when working with third parties?
Lankford: To quote Romeo and Juliet, “What’s in a name?” We could ask the same question about ‘sales agents’ or other third parties – by any other name, they’d present as much corruption risk. This is to say that it’s best to focus on the substance of the third party relationship – what the third party is actually doing – not labels. The activities that present the greatest risk are interactions with government officials, particularly related to sales, because they involve obvious incentives to pay bribes, and because law enforcement authorities expect companies engaging such third parties to take strong steps to manage these risks. We’ve seen circumstances where ‘sales agents’, ‘distributors’, ‘consultants’, ‘JV partners’ and other types of third parties fall into this category. To limit these risks, companies should understand the actual services to be provided by third parties, and where they involve government interactions or other high-risk activities, companies should carefully vet and monitor those third parties.
Auerbach: A corrupt JV partner is the greatest risk you could face, since there may be widespread, systemic problems on a larger scale than a single vendor would pose. Even with a minority interest, you may be held liable for serious corrupt activity at the JV over which you had limited control and visibility. Distributors are a close second, because their marketing practices in your name may be improper and you are again faced with similar transparency issues. As for individual vendors, the highest risk tends to be posed by service vendors where payments are large and performance is hard to verify – sales agents being the classic example.
Hayward: Third parties that pose the greatest corruption risk fall into two categories. First, agents and any other intermediaries or consultants, in each case if they are remunerated by way of a generous contingency or success fee that significantly exceeds the fair market value for services rendered; and second, joint venture partners who could pay a bribe to win work for the joint venture. The best way to mitigate the risk in the first category is to minimise the use of success fees and to limit the compensation to the fair market value for the necessary services. In the second category, you should seek to ensure, firstly, that the work for which the joint venture bids is awarded pursuant to robust procurement procedures that your partner would struggle to circumvent, and secondly, that you retain full visibility, if not control, of the JV’s pre-qualification and bidding process. A third significant corruption risk is where a partner, or a supplier, consultant or sub-contractor to which you award work of significant value is legally or beneficially owned by, or paying some form of kickback to, a public official or a representative of your client – also known as a ‘relevant person’ – or a personal associate of a relevant person.
FW: How should companies go about assembling a robust third party and counterparty compliance programme which effectively monitors risk? To what extent can this be customised for particular types of third parties?
Hayward: Procedures for assessing and managing third party risks can and should be customised to particular types of risk. There is a lot to say about due diligence and audit rights, but often the most effective protections are, firstly, a process for ascertaining and memorialising the legitimate business justification for the proposed relationship and any corruption ‘red flags’, and secondly, the use of robust procurement procedures – so you do not award work at the suggestion of a relevant person and, as far as possible, only award work pursuant to a competitive tender process designed to secure the best price that you can.
Auerbach: The first step is to establish clear lines of authority and accountability in the process. There are multiple stakeholders in third party risk management (3PRM), compliance, legal, finance, purchasing, but without an empowered coordinating function the program tends to bog down. The second step is to deploy process workflow tools to manage the third party onboarding and monitoring process electronically. This helps to manage the high volume of entities and create consistent procedures and recordkeeping. The last is to create a risk stratification model that routes third parties to different levels of diligence based on their inherent risk, be it geographic location or service type. All of these elements need to work together effectively to make a successful program.
Lankford: As a first step, make sure you have a solid grasp of your existing relationships – the number of third parties you’re dealing with, what they respectively do and how they’re currently managed. Even a basic, informal risk assessment at the outset of designing third party controls is immensely valuable in achieving a program that effectively fits your risks, resources and culture. Risk assessments can also present valuable opportunities to talk with the people who will actually carry out the controls, which can help ensure the necessary buy-in throughout your organisation. After all, effective controls require more than an elegant policy and dedicated oversight from lawyers. Active support from management and business personnel is equally important.
FW: Do companies pay enough attention to due diligence procedures and background checks when initiating new business relationships? Who within an organisation should have the responsibility for assessing the risk levels of each party, identifying red flags and monitoring the relationship going forward? Who should have the final approval of a business relationship – the legal department or operations?
Lankford: We’ve all seen shining examples of effective controls, but looking at companies that struggle in this area can be more instructive. The main problems I’ve seen are companies that approach third party due diligence as a check-the-box exercise, without focusing on the substance of relationships or not knowing how to spot and follow up on red flags, and companies that make good faith efforts but don’t sufficiently document their process and results, and are therefore unable to demonstrate effective controls when law enforcement authorities ask questions. As far as assigning responsibility for third party controls, it is often most effective for the legal and compliance function to work in partnership with other functions, with lawyers providing program oversight, training, and hands-on help with particularly high-risk relationships, and with well-trained local business, finance and procurement personnel, among others, serving as the frontline for spotting red flags and ensuring the controls are properly applied in practice.
Hayward: Many organisations are constantly asking “How much is enough?”, which is the wrong question. You should take the most appropriate, risk-based steps that are designed to assess the risk accurately and manage it most effectively. Many organisations place too much reliance on due diligence and audit rights rather than asking themselves what is really relevant and effective. Some risks are not addressed by due diligence at all. With other risks and in many geographies and sectors, due diligence is important, but the heightened risks and limited availability of reliable information may mean that you have to assume your due diligence is inaccurate, or that your assessment of the third party’s ethics and trustworthiness is misplaced. In these circumstances, if you are not confident that you can still manage the risks, you should not proceed just on the basis of apparently ‘clean’ due diligence. Compliance professionals need to be closely involved in reviewing proposed arrangements with third parties, as well as in the design of clear procedures to manage the third party risks. However, it is very important that compliance remains a management responsibility and is not sub-contracted to compliance.
Auerbach: For the most part, companies tend to do better with the extremes on the risk spectrum. For the low risk entities, a basic background screen is usually adequate. For the high risk ones, such as M&A targets or strategic partners, there is more sustained executive attention. The moderate risk parties require more experienced judgement, tend to be under reviewed and can add up to serious exposure. As for who should have responsibility for assessing risk levels, this tends to fall within the legal or compliance function since they are usually tasked with measuring regulatory risk across the business. That said, all stakeholders, the front line business and the governance functions, need to have input. The best programs tend to encourage the operations side to take an active role, since they are closest to the third parties themselves. The legal or compliance department should ideally have ‘veto power’, final approval authority for those third parties with identified risks.
FW: What specific challenges face companies doing business with third parties in developing economies? How common is the risk of fraud and corruption in these countries?
Auerbach: Regardless of the region, developing economies tend to pose similar challenges: limited background information available on companies and individuals, a less negative view regarding conflicts of interest between vendors and employees, and frequent customer side insistence on nominated third parties as a requirement of winning business.
Hayward: Corruption is a universal vice that can be found in every country, if the incentives and opportunities are there and the governance and scrutiny are not sufficiently strong. For these reasons, it is more prevalent in developing economies, especially those with weak rule of law and public officials who are poorly paid or are part of a government or department that is systemically corrupt from the top down. Third party risks are elevated in countries that require the appointment of local partners or suppliers based other than on objective criteria and merit – even though such local content requirements may exist for very good reasons.
Lankford: Limited choices and limited information are frequent challenges in selecting third parties in developing economies. In such contexts, there are often very few companies that are qualified to provide particular services, and the people who own and run those companies are often part of a small group with access to higher education and financial resources. Unsurprisingly, those groups also tend to include government officials and their families, so companies must take special care to avoid relationships that could be perceived as improper. In addition, in developing economies that don’t have an active or free press, there is often a lack of reliable public information on local companies – including their reputation and affiliations – which can present obstacles for effective due diligence. And anyone familiar with Transparency International’s Corruption Perceptions Index knows that there’s some correlation between developing economies and high levels of corruption.
FW: How do you effectively include country specific regulations as part of the compliance program? What jurisdictions have had new regulations of which companies should be particularly aware?
Lankford: Local content regulations are common in many developing economies. For example, many countries require foreign companies to form partnerships with locally owned entities to participate in certain sectors, and they may require companies to retain certain local third parties to carry out projects to benefit local communities. Companies operating in such countries should have in place a clear strategy for dealing with these ‘forced partnerships’ to ensure that complying with local content regulations does not conflict with the company’s ethical standards or other laws that may apply to the company.
Hayward: Many countries are ramping up anti-corruption enforcement, and new or tighter laws are frequently announced. It is extremely hard to keep track of changes in national laws and regulations, and it is not realistic to keep amending your policies and then reissuing them and training your staff on them. The key is to have policies that set the bar high enough to ensure compliance with the strictest anti-corruption laws and that are expressed in non-legalistic terms, so that you are not attempting to make your staff legal experts. There may be stricter laws than the US FCPA and UK Bribery Act, but policies that are designed to ensure compliance with those laws stand a pretty good chance of complying with other laws. Moreover, if your policies are ethics-based, meaning they do not permit your staff or third parties to behave dishonestly or without integrity just because there may be not a law specifically prohibiting such behaviour, this will increase your chances of complying with new or local laws and regulations.
Auerbach: Country specific requirements are best integrated using either a local legal and compliance function, or local external counsel. They are best placed to monitor and interpret the regulatory requirements in their home market.
FW: In what ways has international focus on anti-corruption programs and coordination between the US and other agencies impacted compliance programs?
Hayward: Obviously, such focus and coordination have significantly increased the risk of corrupt behaviour by companies being detected and of anti-corruption laws being enforced against them. This has increased the importance of effective compliance programmes. At the same time, there is an ever-clearer international consensus about how to design and implement a best practice anti-corruption compliance programme. This consensus can be seen in guidance issued by Transparency International, the OECD, the UN, the International Chamber of Commerce, and by lawmakers and prosecutors in the UK and US, and in the British Anti-Bribery Standard and the anticipated International Standard.
Auerbach: Over the past decade, anti-corruption legislation such as the FCPA has evolved from something seen as more of a US-centric mandate to a fundamental part of any national legal and regulatory regime. The primary difference to compliance programs has been an easier time in communicating the need for compliance to employees in high risk markets, since enforcement authority is in your own backyard instead of a distant foreign government. That said, local enforcement activity doubles the risk and complexity of compliance in high growth markets.
Lankford: We’re starting to speak the same language. As international enforcement has increased, best practices for compliance programs have become more consistent among multinationals. This dynamic is making third party due diligence and monitoring easier, as third parties have become more familiar with the process, and recognise that it is motivated by government and other stakeholder expectations for effective controls – not a lack of trust.
FW: What advice would you give to companies looking to terminate third party and counterparty relationship risks without causing major disruption to their business?
Hayward: A company will suffer far greater disruption if it fails to prevent bribery by third parties on its behalf or for its benefit. It risks significant fines, investigation and remediation costs that may be even higher, potential criminal liability for officers and other individuals concerned, and debarment or disqualification from working in certain sectors or for certain clients.
Lankford: Companies should aim for perfection on the front end, but recognise it won’t be perfect. Building compliance processes on solid support from management and business personnel, and seamlessly incorporating anti-corruption due diligence and monitoring into business processes, will help position third party controls and your compliance function as an ally in running a sound business, rather than a disruption. Recognising that one can’t always achieve perfection, it’s also important to periodically reassess your third party relationships and controls, through audits or other reviews, to identify areas for improvement and continually refine your processes to fit business realities. If you’re dealing with a third party suspected of misconduct, it is of course very important to have secured – at the front end – strong contract provisions such as audit and termination rights, that give you the ability to determine whether misconduct has occurred, and the right to promptly exit without incurring unnecessary financial costs or compliance risks.
Auerbach: Companies need to anticipate that they will have problems with fraud and corruption among third parties. Include clear ethical behaviour clauses in third party contracts and provide ethical training. This approach reduces disputes and litigation when you have to terminate. If feasible from an investigative standpoint, also engage the relevant front line business stakeholders as early as possible in the inquiry, so that they can begin work on a contingency plan prior to the termination.
FW: At a time of increasing regulation, what final piece of advice would you give to companies in terms of identifying the most effective strategy for managing their ongoing relationships with third parties?
Auerbach: The traditional decentralised, inconsistent, paper driven approach to a 3PRM program is not robust enough to confront the heightened regulatory risk. Effective strategies need to commit from the C-suite on down, formalise the 3PRM function with clear lines of authority and responsibility, establish consistent risk rating standards linked to varying levels of diligence, and apply technology tools to help manage the diligence workflow in a consistent manner, and monitor for unusual payment activity.
Lankford: Never underestimate the value of communication. It takes relatively little resources to train your front line business personnel to identify basic third party risks, and talking with your third parties about your commitment to integrity can go far in establishing mutual understanding on compliance expectations. These need not be formal training sessions – even informal discussions conducted by local managers and third party relationship managers can raise awareness and reinforce a culture in which effective controls can flourish. But be sure to keep good records of such communications so you can demonstrate your efforts – in the eyes of some law enforcement authorities, if it’s not documented, it’s not done.
Hayward: Companies should focus more on what is effective, not merely on what they perceive to be defensible in the eyes of the prosecutor or regulator. How much reliance can you place on a right to audit your partner or agent, if the bribe is not likely to be apparent on the face of the books or accounts to which you have access? Why spend $3000 on due diligence if it is not relevant to the risk posed by that third party? More broadly, the single most important piece of advice is clear: culture eats strategy for breakfast, as someone said, and culture, generally, and incentives, specifically, will trump compliance every time. Some sectors have tested to destruction the theory that you can ensure compliance through more and more policies and procedures. Unfortunately, much of the accepted compliance doctrine is based on this false assumption. In fact, effective compliance programmes need to be firmly rooted in the company’s culture. This means they must be based on ethics and values, clear accountabilities, and incentives and rewards that are aligned with the organisation’s stated anti-corruption goals.
John C. Auerbach is a principal in EY’s Fraud Investigation & Dispute Services (FIDS) practice specialising in fraud investigations and risk management. He can be contacted on +1 (212) 773 3181 or by email: firstname.lastname@example.org.
Nate Lankford’s practice focuses on matters involving the Foreign Corrupt Practices Act (FCPA), business and human rights, and other areas of international corporate compliance. He has created compliance programmes for US and international companies and advised on all areas of compliance programme implementation. He has also conducted internal investigations, compliance audits, third party due diligence, and due diligence in the context of mergers and acquisitions. He can be contacted on +1 (202) 626 5978 or by email: email@example.com.
Andrew Hayward is responsible for the global anti-corruption compliance and ethics programme at Subsea 7. From 1999 to 2009, Mr Hayward worked for AstraZeneca PLC, where he became chief counsel, global compliance. From 2009 to 2013 he was head of ethics and compliance at Balfour Beatty plc and worked closely with the independent monitor appointed following the company’s 2008 civil settlement with the UK Serious Fraud Office. He can be contacted on +44 (0)20 8210 5555 or by email: firstname.lastname@example.org.
© Financier Worldwide