Integrity in third-party due diligence
August 2018 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
August 2018 Issue
Understanding exactly who you are doing business with is not only good business practice, increasingly it is a legal necessity. Enforcement standards are changing and companies are being held responsible for the actions of their business partners and vendors more so today than ever before. Legislation such as the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the Dodd-Frank Act and others, as well as the role of the Office of the Comptroller of the Currency (OCC) in the US, have increased the focus on third-party governance, pressuring companies to more effectively manage their third-party relationships. In the wake of the financial crisis, there has been a rising tide of regulatory activity, particularly in the financial services sector, which has begun to hold organisations responsible for the actions of their vendors and suppliers.
With the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), as well as the Serious Fraud Office (SFO) in the UK, all paying close attention, it is vital that companies are aware of the actions and motivations of third parties and are able to hold them accountable. Companies must be clear about the partners with which they have working relationships. They must understand their third parties’ reputations, both locally and globally. To achieve this, more companies are auditing their third parties, providing regular training sessions and setting forth the standards they will be required to maintain.
Third parties are a key component of many companies’ operations. They perform countless functions, from providing cloud data storage to sub-contracting construction projects. They can help to mitigate risks, drive down costs and provide gateways into new markets. Companies can be freed to refocus labour and resources on their core operations. As a result, third parties have become critical to many organisations’ success. However, employing any third party creates operational risks for an organisation, particularly in emerging and frontier markets where there is an increased likelihood that companies could encounter legal, ethical and reputational challenges stemming from their use of third parties. Issues including business integrity, product safety, intellectual property, licensing and human rights violations can all jeopardise a company’s reputation and profitability.
In light of these hazards, companies must put measures in place to protect themselves. By understanding the methods and ethics of their third parties, companies may avoid potential regulatory enforcement and reduce reputational risk.
Building a third-party due diligence programme is key. Honesty and integrity are needed to identify and mitigate corruption risks. Due diligence should clarify the identity of the company, its business background and activities, its ownership structure, its existing relationships with other organisations and individuals and the integrity of its owners and senior management, among other considerations.
However, many organisations are leaving themselves exposed to risk, including bribery, corruption and modern-day slavery, by failing to conduct due diligence on their third parties. According to Thomson Reuters’ 2016 Global Third Party Risk Survey, just 62 percent of suppliers, distributors and third parties are being subjected to due diligence, and only 36 percent of companies are fully monitoring ongoing risks. Sixty-one percent of companies do not know the extent to which third parties are outsourcing their work.
As corporate criminal liability can be triggered when a bribe, for example, is paid by or through a third party, companies are also looking into the details of transactions and their related third parties. Agents, consultants and distributors are frequently used to conceal the payment of bribes to foreign officials in international business transactions, according to the DOJ and SEC. In excess of 90 percent of reported FCPA cases involve third-party intermediaries. Holding third and fourth parties to higher standards is a major purpose of due diligence.
Banks and other financial institutions (FIs) tend to have a much higher exposure to third parties than other sectors and, as a result, are leading the way in third-party regulation and monitoring. However, managing the process is still a challenge. Accounting for how third parties use and protect their data and manage sustainable operations, especially for critical services, can pose many problems. As a result, senior managers in the financial services industry are seeking the best strategies, procedures and policies to mitigate risks posed by third parties. According to Deloitte, in 2017, 94 percent of executives who responded to the firm’s third-party governance and risk management survey were not confident in the tools and processes at their disposal to manage third-party risk.
One of the best methods is to perform integrity due diligence on a third party’s compliance programme. The extent of research conducted into a particular firm should be commensurate with the level of risk a potential partnership may represent, be it low, medium or high risk. Integrity due diligence includes identifying critical ‘red flags’ attached to an individual or a company in relation to money laundering, fraud or corruption. Organisations are only now starting to take a holistic and proactive approach to risk, covering all categories of third parties and all areas of risk, including operational, reputational, financial, legal and regulatory. Previously, approaches to third-party risk have been reactive, decentralised and inadequate.
Public record research is an integral part of integrity due diligence. This enables companies to examine a third party and its associates using a wide range of secondary sources, including corporate registries, regulatory filings and media sources, among others. From such data, as well as the third party’s public reputation and commercial interests, companies should be able to establish a risk profile which will inform the decision to enter into a business relationship.
Once a decision has been reached and a relationship established, the ‘onboarding’ process should form a part of a third-party risk management strategy. This is important as managing third-party risk does not stop once the due diligence has ended. Companies must remain engaged and continue to monitor third-party activities. While initial due diligence may expose flaws or troublesome practices present at the time, it cannot guard against or identify any future behaviour. As such, compliance with regulations and legislation must be frequently monitored. Financial and compliance audits are essential. When a third party’s contract approaches renewal, the relationship should be reviewed with fresh due diligence.
It is imperative, however, that companies conduct due diligence in a coordinated manner. Too often, third-party due diligence is done in an ad hoc, piecemeal fashion. Companies may focus too intently on performance management and less on risk management and compliance; as a result, they may fail to identify potential ethical problems, security breaches, bribery, money laundering and regulatory violations, for example.
Technology has a key role to play. It can automate and standardise due diligence, and many tools have been developed to address this demand. Data aggregators, data analytics and process workflow management can relieve some of the administrative burden felt by organisations that have to manage compliance and third-party management on a global scale. But technology is not infallible; the process still requires human oversight within a wider framework.
Regulators and enforcement agencies are increasingly calling for companies to strengthen internal controls, perform audits and investigate both internal and third-party malfeasance to identify ‘red flags’. However, this is often a difficult task. As such, companies must make every effort to improve their due diligence. According to MetricStream’s ‘5 Best Practices to Enhance Third-party Due Diligence’ report, one of the most important steps a company can take is to assimilate and centralise third-party data. “Information including business details, financial status, certifications, contracts, location, associated business units, roles and responsibilities will help with searching third-party agreements, assessment results, background checks and other details. Centralised third-party information improves the accessibility of information globally, as well as details about negotiations and risk mitigation activities,” said the report.
Assimilating data must be conducted within the framework of a third-party management process, however. Having a clear and well-defined process of screening and assessing potential third parties is vital.
One of the most important and evolving areas of third-party risk, particularly in emerging markets, relates to human rights issues. Human rights due diligence is an entirely different proposition from ‘know your client’ due diligence or business partner screening; however, it should not be overlooked.
The UN Guiding Principles on Business and Human Rights set out the components of human rights due diligence for companies. It is imperative that organisations understand these principles, are able to recognise the importance of human rights due diligence and are able to identify and manage any potential human rights violations which may be associated with a business’ operations, supply chain or value chain. This helps businesses become aware of any actual or potential human rights impacts on people associated with their business, and to take appropriate action to prevent and address those impacts. Furthermore, legislation such as the UK Modern Slavery Act means that companies are required to take action. Those with a turnover above £36m must report on steps they are taking to eradicate slavery and human trafficking in their supply chain. Different groups must be considered, including local communities, indigenous people, consumers and others. Until now, not enough has been done to evaluate these groups. Human resources and corporate social responsibility teams, as well as compliance and legal, need to liaise with third parties and ensure that human rights due diligence is adequately performed.
Assessing the trustworthiness and reliability of a third party allows companies to fulfil compliance obligations, as well as satisfy internal risk management requirements. It also helps them mitigate reputational damage. Given the increased regulatory burden on companies today, the financial and reputational cost of being associated with a third party that breaches trade sanctions, commits corruption, takes part in human trafficking, launders money or violates other laws internationally, can be enormous.
Addressing such risks can be complex, but conducting third-party integrity due diligence can make a difference. It can be critical to ensuring the success of a business venture. An integrated approach to integrity due diligence can reveal risks which might otherwise go undetected.
Each company is different and will have different risk profiles and appetites. As such, there is no blueprint for handling third-party risks. Enforcement action and sentencing guidelines surrounding the FCPA, however, make it clear that companies must know who their third parties are and who they do business with. Equally, in an age where customers expect companies to be transparent and compliant, it is no longer possible for organisations to turn a blind eye to the actions of their business partners. Furthermore, third-party due diligence cannot be a box-ticking exercise. Companies must take a holistic view if they are to truly understand the spectrum of risks their third parties present.
© Financier Worldwide
By Richard Summerfield