FORUM: Third-party corruption and fraud risk management
March 2019 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2019 Issue
FW moderates a discussion on third-party corruption and fraud risk management between Hannah Musgrave at Bell Gully, Anupreet Amole at Brown Rudnick LLP, and Hannah Laming at Peters & Peters Solicitors.
FW: Could you provide an overview of the main corruption and fraud risks potentially arising from third-party and counterparty relationships? What lessons can we learn from recent high profile cases?
Musgrave: I see the main corruption and fraud risks arising when there is insufficient transparency in procedures and processes. This enables third parties and counterparties to take improper steps to influence others and outcomes, and go undetected. Left unchecked, such behaviour can escalate to become frequent and even expected, fostering a culture of bribery and fraud. One recent case in New Zealand is a public official who received undisclosed payments purporting to be for consulting services that were never undertaken. The court found that the payments constituted bribes and sentenced the official to five years’ imprisonment. This could have been avoided, or the extent of the bribery mitigated, if there were appropriate policies and procedures in place. Organisations are highly recommended to assess their corruption risks and put in place anti-bribery and corruption policies to prevent third-party and counterparty corruption.
Laming: It is difficult to provide an overview of the main corruption and fraud risks potentially arising from third-party and counterparty relationships. The risks vary by sector, geographical location, transaction type and other factors. They can relate to a third party or counterparty’s direct involvement in all types of business crime, for example money laundering, tax evasion, bribery and unlawful breaches of sanctions. Recent high-profile cases have shown that, even where comparatively small levels of corruption have been committed by a third party, relative to a company’s legitimate business activities, this can serve to seriously damage a business. For example, in April 2018, it was reported that the London-listed defence contractor, Ultra Electronics, had made a voluntary self-report to the UK’s Serious Fraud Office (SFO), in relation to corruption allegedly committed by the company through a third party in Algeria. The company now faces a criminal investigation, in circumstances where the contracts involved accounted for less than £400,000 in sales out of total revenue of £775m.
Amole: Commercial third parties come in many forms, including sales agents or intermediaries, consultants and advisers. Each commercial relationship will be governed by its own contractual terms of engagement, and each third party will present a range of fraud risks specific to its own provision of services for or on behalf of the contracting entity. Broadly speaking, third parties are often instrumental to fraud and corruption offences, either committed by a company, for example paying bribes through intermediaries, or targeted against a company, for example through false or inflated invoices by the third party, with a kickback paid to a conspirator within the company. In the corruption context, most large bribery prosecutions in the UK and US have turned upon bribes paid through, or planned with the involvement of, commercial intermediaries – agents, consultants and the like. It is difficult to overstate the significance of third parties as a source of corporate risk for companies. In the particular context of UK corporate criminal liability, the risk is now focused on the ‘associated person’ model that underpins each of the Bribery Act 2010 and the Criminal Finances Act 2017. That risk will increase if the UK actually expands that ‘failure to prevent’ model to other forms of financial crime, as has been debated for some time now.
FW: What types of third parties – be it suppliers, agents, intermediaries, advisers or consultants – pose the greatest risks in your opinion? How should a firm limit fraud and corruption risks when working with third parties?
Laming: In the UK currently, given the introduction of ‘failure to prevent’ offences which extend corporate liability where ‘associated persons’ commit bribery or facilitate tax evasion on behalf of the company, I would say that third parties providing services on behalf of an entity pose the greatest risk. This term includes employees, agents and subsidiary companies, and arguably, suppliers on a case-specific basis. The first successful prosecution secured under this provision, against British refurbishment company Skansen Interiors Ltd, involved refurbishment tenders worth £6m facilitated through a corrupt project manager. In that case, the jury was not convinced that Skansen’s controls, for example its ‘ethos’ of acting with honesty, were robust enough procedures to prevent bribery. This case demonstrates that corruption risks are only truly minimised when a company adopts vigorous anti-corruption procedures.
Amole: As the risk profile for each company, and each of its third-party relationships, is different, it is impossible to prescribe which particular type of third party is the most or least risky. Instead, each business must carefully consider its intended relationship and, essentially, be prepared to ask itself some relatively difficult questions around the purpose, nature and necessity of any engagement with the third party, and then conduct appropriate due diligence on that same person. In any event, the formal title of the third party, whether an ‘agent’, ‘adviser’ or ‘consultant’, will be irrelevant to whether its actions create serious corporate criminal risk for its commercial customer. Rather, the nature of the services it provides is essential to the risk exposure it creates for its commercial client. In very broad terms, however, and simply to illustrate the point, it would be reasonable to regard a third-party ‘sales adviser’ or ‘market entry consultant’ as a high-risk entity; that risk could be exacerbated by the jurisdiction and the sector in which it operates. The further removed a third party is from any meaningful oversight and control by the company, the bigger the risk it would present. Conversely, a simple supplier of goods to a company would, without more, present a relatively low risk in this context.
Musgrave: Intermediaries, especially intermediaries engaged as consultants for establishing businesses in foreign countries, pose the greatest risks for bribery or corruption. Companies that wish to establish businesses in foreign markets often require local individuals or organisations to navigate through legal, cultural and language issues. However, these intermediaries, without proper oversight, carry the highest risks of fraud and corruption. Potential red flags indicating risk of corruption include intermediaries who demand an unusually high fee or unusual payment terms, an intermediary located in a country in which corruption and bribery are commonplace, or an intermediary who has close relations with public officials. It is therefore critical to perform proper due diligence before engaging with foreign intermediaries and oversee those intermediaries’ conduct.
FW: How should companies go about assembling a robust third-party and counterparty compliance programme which effectively monitors risk? To what extent can this be customised for particular types of third parties?
Musgrave: Developing an anti-bribery and corruption programme generally involves identifying inherent risks of bribery, fraud or corruption, assessing the likelihood and significance of the risks and developing a programme to respond to those risks. It is important to design fraud detection procedures that a perpetrator may not expect. This may require a sceptical mindset posing questions such as: How might a perpetrator exploit weakness in the system of controls? How could a perpetrator override or circumvent controls? And what could a perpetrator do to conceal the fraud? It is important for third-party and counterparty compliance programmes to be tailored to respond to risks specific to each company. Companies should also learn from the experiences of other companies in similar industries.
Amole: When preparing a compliance programme, the company’s board-level commitment, or ‘tone from the top’, is key both at the outset and throughout implementation. Businesses, especially those in regulated sectors, have to worry about many rules and regulations. So, it can be difficult for employees to understand the particular importance of fraud and corruption risk to the company. An emphatic tone from the top of the company and clear policies and procedures help employees to separate the proverbial wheat from the chaff, or the signal from the noise. Ownership for third-party risk management should be centralised, rather than dispersed among multiple individuals or departments. It should also provide for ongoing risk measurement and monitoring. This is important for determining when, whether and how to renegotiate or terminate relationships with third parties. In practical terms, some companies use a risk management software solution to manage their current and potential relationships. An automated solution enables a company to centralise its data collection, to score relative risks, to view all third parties through a single dashboard, to plan and execute onboarding and to conduct ongoing reputational monitoring.
Laming: At the very outset of a business relationship, a company should carry out effective due diligence for potential bribery and corruption risks. The due diligence programme should be mindful of the company’s business operations and factors relevant to determining risk, for example different customer or transaction types and global location. Due diligence should enable a third party to be categorised in terms of the level of risk it poses. It should also have a clear ‘red flag’ system, to ensure that risk issues are identified appropriately during due diligence. It is imperative that those involved in due diligence, both within business units and in legal, risk and compliance functions, are properly trained in conducting due diligence and identifying potential red flags. While technology can assist in the process, human insight and assessment are often vital. Due diligence can be customised for particular types of third parties and may be helpful. For example, charities and politically exposed persons (PEPs), or their related entities, often require a tailored approach.
FW: Do companies pay enough attention to due diligence procedures and background checks when initiating new business relationships? Who within an organisation should have the responsibility for assessing the risk levels of each party, identifying red flags and monitoring the relationship going forward?
Amole: The old legal principle of caveat emptor comes to mind. That need for caution is doubly important where the intended relationship is one that brings potential criminal risk through the third party’s conduct. So, performing appropriate due diligence before entering a business relationship is crucial. The degree of awareness and good practice does, of course, vary between companies and across industry sectors. The company’s compliance and risk, or legal, departments should issue clear guidelines as to what constitutes a ‘high risk’, a ‘medium risk’ and a ‘low risk’ third-party arrangement. Time spent on first calibrating the appropriate degrees of risk will allow for effective and efficient due diligence processes in practice. It is also important for the company to invest in training its staff to follow clear procedures and identify, act upon and report internally any red flags. The business relationship should be reviewed periodically. Such continued oversight might prove tiresome or taxing for some companies but it is just as essential as the initial background checks. Companies that approach due diligence as an ongoing, and not a one-time onboarding, priority are better placed to mitigate corruption risks.
Laming: It is important for the business to own the risk. Risk and compliance functions perform an important role in devising and managing due diligence and risk assessment processes. They should also have the authority to refuse to allow relationships to progress if they pose too high a risk. However, the business sets the risk appetite. Those individuals who are dealing with the third party on a day-to-day basis should be involved in undertaking due diligence, assessing and articulating business drivers for the relationship, identifying red flags and monitoring the relationship going forward. The business will be driven by commercial imperatives when determining whether they want to deal with a third party. The level of risk posed must be taken into account. If a high-risk third party is likely to generate significant revenue, the business may consider it justified to conduct more extensive, and costly, due diligence to satisfy itself that the risk is manageable. Alternatively, it may introduce additional systems and controls to monitor the relationship.
Musgrave: We are finding that businesses are becoming more vigilant to fraud and corruption risks given the increasingly global business environment, and therefore that due diligence procedures and background checks are becoming increasingly thorough. This is particularly so in New Zealand for businesses captured by the Anti-Money Laundering and Countering Financing of Terrorism (AMLCFT) regime. New Zealand’s regulatory landscape under the AMLCFT regime has recently expanded in scope so that a larger number of businesses are required to conduct comprehensive background checks on clients. Under the AMLCFT regime, the member of the organisation with the direct relationship with the client is responsible for verifying the client’s identity and source of funds being paid by that client. To me, that makes sense. Those who deal directly with the client will have the most intimate knowledge of the client’s affairs and will be better-placed to identify the risks associated with a particular client. On the other hand, there should be some company-wide processes and checks to ensure these procedures are being conducted in a uniform way.
FW: What specific challenges face companies doing business with third parties in developing economies? How common is the risk of fraud and corruption in these countries?
Laming: It is no surprise that developing countries crowd the bottom of various international indices tracking corruption. Many also pose an increased risk of fraud. Businesses entering into third-party relationships in developing economies face a number of challenges. In many of these countries, bribery and facilitation payments may be viewed as part of the ordinary course of business. Companies need to educate their own employees in these jurisdictions, as well as the third parties they deal with, to deliver a clear message that they will not pay bribes. This can be difficult, and there can be a perception that this undermines the company’s ability to do business. Undertaking due diligence on third parties can be challenging in developing countries where accurate information may not be publicly available. The challenges that companies face can be exacerbated by weak law enforcement in the area of business crime, combined with ineffectual regulatory and judicial intervention.
Musgrave: The greatest risk facing companies doing business in developing economies is the lack of the rule of law and the administration of justice in those countries. This, where it is coupled with cultural norms involving bribery and risks associated with poverty, significantly increases the likelihood of bribery and corruption by third parties. Bribery and corruption are most rampant in countries that are not diligent in prosecuting the crime and enforcing the law. Companies need to be particularly vigilant about protecting against fraud and corruption in developing economies with cultural norms that facilitate such conduct. In New Zealand, the law recognises that bribery is commonplace in some countries, and has made a statutory defence to allow companies to pay small benefits to foreign public officials if the sole or primary purpose is to ensure or expedite the performance of a routine government action. Where a payment is made to an official as part of the ordinary courtesies of life, the common law also says that this also does not constitute corruption. In this context, the typical example is the gift of a rugby jersey when a member of parliament opens a new clubhouse for the rugby club. The World Bank publishes annually a Corruption Perceptions Index that sets out the most and least corrupt countries. Before a company decides to do business overseas, it is prudent to carry out the necessary due diligence and understand the extent to which corruption occurs in that country. If a business decides to conduct business in a country despite significant risks of fraud and corruption, it should develop highly-tailored processes and procedures to mitigate that risk.
Amole: Many developing economies suffer from weaker governance environments than other jurisdictions. This raises the perception, at least, that companies operating in those markets will face, or actively engage in, bribery to advance their commercial interests. More specifically, our experience indicates that the particular challenges for companies when using third parties in such markets are structural weaknesses in the rule of law, the role of the state and politically exposed persons (PEPs) in the economy, limited corporate transparency and specific difficulties in conducting due diligence, for example the use of privacy or national security laws to deter, or actively prosecute, private investigators in Russia and China. Many higher risk markets present significant underlying challenges for appropriate risk management, and exacerbate those difficulties by complicating the diligence and monitoring process. Accordingly, companies should carefully assess the particular circumstances and sensitivities of each market, both before and during their contracting with third parties locally.
FW: What advice would you give to companies looking to terminate third-party and counterparty relationship risks without causing major disruption to their business?
Amole: First, the company would, ideally, have proactively reviewed its contracts with third parties to ensure that they contain effective provisions for audit and termination rights. Generally speaking, those clauses should give the company the express right to investigate misconduct and exit the business relationship rapidly. Secondly, there may be issues around money laundering. The company should carefully consider whether the third party’s actions have already ‘tainted’ its related revenue streams, and whether that creates money laundering exposure for the company. Thirdly, the company should assess whether and how to replace the third party. As a practical point, it may not have any other viable routes to market in that particular jurisdiction, and the company should therefore be prepared to consider exiting that market instead of using a third-party intermediary it knows or suspects of criminality.
Musgrave: Plan carefully and allow enough lead time to ensure that there can be a smooth transition from one third party or counterparty to another. If terminating these kinds of business relationships have the potential to cause major disruption, it is likely to be crucial to the business and therefore that a replacement third party or counterparty will be required. Businesses should secure this alternate relationship in advance of terminating the third-party and counterparty relationship and, ideally, allow a period of overlap to minimise disruption to the business. Of course, there will be instances where it is necessary to terminate a third-party or counterparty relationship in short order. In these circumstances or where some business disruption is anticipated in any event, this can be mitigated through communication with clients, suppliers and third parties. If a company is terminating a relationship to address instances of bribery and corruption, I would expect a level of understanding from those clients, suppliers and third parties.
Laming: It is important to ensure that contractual terms with third parties are sufficiently robust to enable termination in the event that the third party is engaging in fraudulent or corrupt practices. They should enable the company to stop any payments due under the contract and to seek damages or remedies for any loss. If misconduct is identified, companies should institute a contingency plan, which allows for the termination of a third-party and counterparty relationship in an effective and timely manner. One of the major issues a company faces is ancillary liability arising from termination with the third party, for example if it is unable to deliver its contractual obligations to another third party, unrelated to the one involved in the misconduct. Wherever possible, contracts should be drafted with these scenarios in mind.
FW: At a time of increasing regulation, what final piece of advice would you give to companies in terms of identifying the most effective strategy for managing their ongoing relationships with third parties?
Musgrave: Stay abreast of domestic and international trends in terms of risk assessment and developing appropriate policies and processes. The developing regulatory landscape will obviously provide some assistance, but practices from other businesses in similar industries will also assist companies to identify the most effective strategy. It is also important to remain alive to the risks of bribery and corruption, which can be accomplished through appropriate risk-identification tools. We are seeing more and more businesses with internal advisers on risk assessment and management, which allows a company to respond to the particular anti-corruption landscape in which it operates.
Laming: Companies should embed risk assessment and monitoring into every area of their business which deals with third parties, have a centralised risk and compliance function which works with the business to help it understand and assess risk, drive risk culture from the top, by involvement in setting the company’s risk appetite and providing effective oversight to ensure that the business knows and understands its own risks, and invest in appropriate resources, both in terms of manpower and technology, automating processes where possible. Third parties are essential to doing business but they can also pose significant risk. Appropriate due diligence and monitoring can help companies manage the risk effectively, and should not be seen as business blockers.
Amole: In many respects, corporate anti-corruption measures can be both simple and effective. The company must assess the particular risks arising from its business sectors, geographic markets, and third-party relationships. The company’s systems and controls should then be carefully calibrated in response to that risk assessment. The tone from the top must be clear and emphatic throughout. There must be a regular review of ongoing relationships with third parties. The company should appoint a risk committee which can support and educate the process and staff. The risk committee should be in charge of approving high-risk engagements and receive regular training on bribery and corruption legislation, as well as access to up-to-date information on high-risk jurisdictions and individual third parties. Key to this all is the initial, and ongoing, risk assessment and clear communication internally and, where appropriate, externally to third-party contractors.
Hannah Musgrave is a senior associate in Bell Gully’s litigation team. Her areas of specialisation include regulatory investigations and prosecution, including white-collar crime. She studied computer crime as part of her Master of Laws at the University of Chicago, and has advised a range of multinational companies on the development of anti-bribery and corruption policies. She can be contacted on +64 9 916 8724 or by email: email@example.com.
Anupreet Amole is a partner in Brown Rudnick’s white-collar crime group. He advises companies and individuals on business crime and corporate compliance issues. He handles sensitive investigations in a range of multijurisdictional matters, focusing upon allegations of bribery and corruption, fraud, tax evasion and money laundering. He has particular experience of advising companies on financial crime compliance and risk management, including due diligence in M&A deals. He is also co-leader of the firm’s cyber security group, advising companies both before and after a data incident. He can be contacted on +44 (0)20 7851 6118 or by email: firstname.lastname@example.org.
Hannah Laming is a partner in the business crime department at Peters & Peters Solicitors. Her expertise includes matters relating to serious fraud, corruption, private prosecutions, internal investigations, FCA enforcement issues, money laundering and economic sanctions. Her clients include global financial institutions, hedge funds and multinational corporate entities as well as executives and individuals. Most of her practice involves international investigations with significant cross-border issues. She can be contacted on +44 (0)20 7822 7752 or by email: email@example.com.
© Financier Worldwide