Tips for a third party anti-corruption due diligence database
May 2014 | PROFESSIONAL INSIGHT | FRAUD & CORRUPTION
Financier Worldwide Magazine
Third party anti-corruption due diligence programs can succeed or fail on the quality of the database that records the raw data and the results.
Recent fines levied by regulators on global firms for poor due diligence systems have either criticised the databases or identified shortcomings in the processes that could have been easily avoided by using an intelligently designed database.
Many companies will by now have adopted third party due diligence policies. A number of decisions by the Financial Conduct Authority in the UK have highlighted that policies will not be regarded as satisfactory unless they are implemented rigorously. Examples of poor implementation that were cited in the decisions included occasional failures to run checks consistently (particularly with respect to directors) and failure to escalate higher risk third parties to senior management. The FCA has stated that due diligence ought to be conducted on third parties for each new customer a third party introduces due to the possible links between the third party and the customer. No doubt all these issues could be overcome through extensive training of the business and compliance staff, but a well-designed and effectively implemented IT solution would make the job simpler and enable efficient reports of non-compliance.
Some tips for developing and implementing a database are outlined below.
First, integrate the due diligence system with the procurement system so that it is impossible for payments to be made to third parties without the compliance processes being first completed. Institute an automatic freeze on payments after a period of time (e.g., a year) for new customers if the due diligence has not been reviewed.
Second, the database should contain separate fields for the country where: (i) the third party is incorporated; (ii) the third party operates; (iii) the customer is located; (iv) the business entity engaging the third party is located; and (v) any other relevant events occur. These are necessary in order to answer the question “Which of our high-risk third parties are connected to [for example] the US, India, or China?” This question can be very important when considering exposure in key regulatory regimes. Some systems may only record some of the above but not others, which would lead to an incomplete picture of a company’s geographical risks.
Third, list each owner and director of third parties in separate fields. This allows you to search whether the owner/director is an owner/director of a third party that you have already blacklisted. You can upload the background search report for each one and prevent payments unless this is done.
Fourth, implement an automated red flag alarm system so that, where a third party raises more than one red flag (e.g., the third party is a customs broker in China), the database requires a senior person to log on and approve the third party.
Fifth, record in separate fields who in the business and in the compliance team has responsibility for the due diligence of a third party. This is in order to monitor individual compliance with your third-party management policy.
Sixth, record in a separate, standalone text box a summary of the reasons for the due diligence decision. This should reflect the mind of the decision maker. Clear rationale will provide an audit trail explaining the decision.
Seventh, ensure that electronic rather than paper forms are the norm. This should apply both to the forms completed by the business person who proposed the third party and to the third party itself. This will make your system more efficient and audit-ready.
Eighth, restrict access to the database. The information is highly confidential and in some cases may be subject to legal privilege (depending on local legal requirements). Privilege could be lost if the wrong person in the business were to access the data.
Ninth, remember that the database is there to record the due diligence and provide information to management. The software should never perform the due diligence itself, for example by analysing the information and suggesting whether the third party should be approved. It is wrong to delegate compliance judgment calls to an automated system. Remember that third-party risk is legal work.
Finally, obtain data protection advice in each relevant jurisdiction. There are often significant differences between countries in how personal data is treated and even what is classified as personal data. Particularly within the EEA, which has particularly strong data protection laws, regulations may restrict or prohibit the movement of data outside the country or region unless the importing country has ‘adequate’ data protection laws in place (note that the US, for example, is not deemed by the EEA to have adequate data protection laws).
Ultimately, a successful compliance program is built on knowledge of the business and appreciation of legal and other risks. For that reason, meaningful business-integrated procedures and educated personnel are keystones to mitigating corruption risk within an organisation. IT solutions are crucial to ensure consistency, preserving institutional knowledge and maintaining an auditable record and they ought to play a key role on a mature compliance framework so long as they are not relied upon as a substitute for keen judgement and intelligent risk assessment.
Jason Hungerford is a senior associate and James Thomas is an associate at Norton Rose Fulbright. Mr Hungerford can be contacted on +44 (0)20 7444 2474 or by email: firstname.lastname@example.org. Mr Thomas can be contacted on +44 (0)20 7444 2470 or by email: email@example.com.
© Financier Worldwide
Jason Hungerford and James Thomas
Norton Rose Fulbright