third party due diligence - case study discussion

Tuesday 7 July 2015

Sam Gibbins, General Manager Asia, GRC Solutions

THIRD PARTY DUE DILIGENCE


TRANSCRIPT


2

Increasing complexity of compliance

EY Asia Pacific Fraud Survey 2015

8 out of 10 respondents say they would be unwilling to work for companies involved in bribery and corruption.

3

Increasing complexity of compliance

AlixPartners Annual Global Anti-Corruption Survey, 2014

Respondents said the biggest obstacles to their companies' anti-corruption efforts and ability to mitigate risk areas were staffing constraints (65 percent); variations in local country regulations covering, for instance, data privacy (65 percent); and pressure to deliver operating results (58 percent).

In another survey, fewer than half (43 percent) of respondents said they regularly conduct due diligence on third-party agents.

4

Increasing complexity of compliance

AlixPartners Annual Global Anti-Corruption Survey, 2014

One in five respondents at European companies said their industries are exposed to significant corruption risk, compared with 40 percent of respondents from U.S. companies.

Twenty-nine percent of European respondents performed due diligence on prospective employment candidates on a regular basis, compared with 63 percent of U.S. respondents, according to the survey.

5

Trends In The Use Of Third Parties

Internal Auditors Research Foundation, Crowe Horwath LLP

6

Trends In The Use Of Third Parties

Internal Auditors Research Foundation, Crowe Horwath LLP

7

Third Party Risk

EY Asia Pacific Fraud Survey 2013

8

Tullow Oil declared force majeure on its offshore exploration block in Guinea following the disclosure that its partner, U.S.-based Hyperdynamics Corporation, is under investigation by the DOJ and SEC for possible violations of the Foreign Corrupt Practices Act.

The investigation is focused on whether its "activities in obtaining and retaining the Concession rights and [its] relationships with charitable organizations potentially violate the FCPA and anti-money laundering statutes," Hyperdynamics said.

Charitable contributions can violate the FCPA if they benefit foreign officials personally and are intended to obtain or retain business or gain an unfair advantage.

Tullow Oil had been planning to start drilling off Guinea together with its partners in the second quarter of 2014. "Tullow has decided that it cannot proceed with activities on the [exploration] license until these issues are resolved."

Petro Global News, 13 March 2014

UK Oil Firm Declares "Corruption Force Majeure" in Guinea Because of FCPA Probe

9

Insurance broker Willis was fined a record £7m by the Financial Services Authority (FSA) for failing to put in place robust anti-bribery systems, after an investigation unearthed suspicious payments in Russia and Egypt.

The fine was for failing sufficiently to monitor £27m of payments to overseas third parties who had helped the company win new business.

The FSA said that Willis failed to take appropriate steps to ensure that payments were not being used for corrupt purposes, despite repeated warnings about potential corruption in the industry.

www.theguardian.com, 21 July 2011

Case study – Insurance broker Willis fined £7m by FSA (2011)

10

The UK's Financial Conduct Authority (FCA) fined Besso Limited £315,000 for its failure to take reasonable care to establish and maintain effective systems designed to prevent and detect bribery and corruption risks.

The company, a general insurance broker, maintained weak controls that "gave rise to an unacceptable risk that payments made by Besso to third parties could be used for corrupt practices, including paying bribes to persons connected with the insured or public officials," the FCA said in its published findings.

Besso issued a statement to clarify that the FCA "has not said that Besso permitted any illicit payments or inducement to any such third party," the Financial Times reported.

FCA Final Notice 2014: Besso Limited, 17 March 2014

Failure to Take Reasonable Care – Besso

11

Besso's breaches occurred between 2005 and 2011. They included the following:

• The company had limited bribery and corruption policies and procedures in place until written ones were created in November 2009.

• The 2009 policies weren't adequate in their content or implementation.

• Besso failed to conduct adequate risk assessments of third parties before entering into business relationships with them.

• It didn't carry out adequate due diligence of third parties to evaluate the risks involved in doing business with them.

• It failed to establish and record an adequate commercial rationale to support payments to third parties.

• It didn't maintain adequate records of the anti-bribery and corruption measures taken on its third-party account files.

FCA Final Notice 2014: Besso Limited, 17 March 2014

Failure to Take Reasonable Care – Besso

12

The U.K.'s Financial Services Authority said that it has fined Aon Ltd £5.25 million ($8.05 million) for failing to recognize and control the risks of overseas payments being used as bribes. The fine is the largest the FSA has levied for financial crimes.

The regulator concluded that Aon had failed to properly assess the risks involved in its dealings with overseas firms and individuals who helped it win business and failed to implement effective controls to mitigate those risks.

www.theguardian.com, 8 January 2009

Case Study - AON

13

Aon Corporation disclosed in November 2007 an internal investigation into possible violations of the Foreign Corrupt Practices Act and non-U.S. anti-corruption laws. Aon said then in its Form 10-Q that it had self-reported the investigation to the Department of Justice, the Securities and Exchange Commission and others, and that it had already agreed with U.S. prosecutors to toll any applicable statute of limitations. The U.S. investigations are still pending.

The FSA's action came three months after the SFO announced a landmark deal under which Balfour Beatty, the construction company, agreed to pay £2.25m over suspected bribery in its work on an £85m project in Egypt.

www.theguardian.com, 8 January 2009

Case Study - AON

14

The SEC charged Parker Drilling Company, a worldwide drilling services and project management firm, with violating the Foreign Corrupt Practices Act (FCPA) by authorizing improper payments to a third-party intermediary retained to assist the company in resolving customs disputes.

In 2004 Parker Drilling authorized payments to a Nigerian agent totaling $1.25 million. The company did so despite former senior executives knowing that the agent intended to use the funds to "entertain" Nigerian officials involved in resolving Parker Drilling's ongoing customs problems.

Following the Nigerian agent's work, the company received an unexplained $3,050,000 reduction of a previously assessed customs fine, and the company was permitted to nationalize and sell its Nigerian rigs.

http://www.sec.gov/litigation/litreleases/2013/lr22672.htm, April 16 2013

Case study – SEC Charges Parker Drilling

15

A new survey of general counsels and compliance officers found that 30% of companies in North America, Europe, and Asia stopped doing business with a partner because of corruption risks.


AlixPartners Annual Global Anti-Corruption Survey, 2014

16

Designing Trustworthy Organizations

MITSloan Management Review

17

Rebuilding Trust

18

Rebuilding Trust

19

The Adequate Procedures Guidance to the UK Bribery Act provides that “general training could be mandatory for new employees or for agents (on a weighted risk basis) as part of an induction process” and adds that “it may be appropriate to require associated persons to undergo training. This will be particularly relevant for high-risk associated persons.

In any event, organisations may wish to encourage associated persons to adopt bribery prevention training”. An “associated person” is defined as an individual or entity that “perform services for or on behalf” of an organization.

Our Responsibilities - Adequate Procedures Guidance to the UK Bribery Act

World Economic Forum, Partnering Against Corruption Initiative (PACI)

20

The US Federal Sentencing Guidelines for Organizations, which apply to criminal violations of federal statutes such as the US Foreign Corrupt Practices Act, mandate that an organization “shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to [“members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents”] by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities”.

Our Responsibilities - US Federal Sentencing Guidelines

World Economic Forum Partnering Against Corruption Initiative (PACI)

21

1. Communicate with your third parties

2. Perform a compliance audit

3. Review your standard contract terms

4. Manage policy dissemination and attestation

5. Provide or source appropriate training

6. Benchmark your program and review regularly

6 Steps for An Effective Third Party Compliance Program

22

Four things third parties should know about due diligence:

1. We are not questioning your integrity

2. We know this is a burden on you

3. Resisting slows things down and may make it seem like you have something to hide

4. There is a business advantage to handling compliance well

Alexandra Wrage - Trace International

www.corpcounsel.com, 7 March 2014

Communicate With Your Third Parties

23

There seems to be significant disagreement over who owns third-party risks. This conflict in itself is a risk.

• To identify compliance risks to an organisation that arise from third-party relationships, and assist in risk ranking.

• To evaluate management’s understanding of how third parties comply with regulations or policies that should be in place.

• Evaluate third-party compliance activities such as policy management and training effectiveness.

• Perform testing for compliance with agreements and regulations or policies.

• Confirm that contract terms and service-level agreements are being met.

• To identify process improvements for third-party interactions.

Compliance Audit

24

Contractor represents and warrants that, in connection with this Agreement or the business resulting therefrom:

(a) It is knowledgeable about Anti-Bribery Laws applicable to the performance of this Agreement and will comply with all such laws; and

(b) Neither it nor a Related Party has made, offered or authorised, or will make, offer or authorise, any payment, gift, promise or other advantage, including a facilitation payment.

Contractor will impose the requirements in this Clause XX on any subcontractor, or other Party from which Goods or Services are procured in connection with the Agreement.

Contract Clauses

25

Company may terminate this Agreement immediately by written notice to Contractor, if Contractor or any of its Related Parties performing work in connection with this Agreement:

(a) No longer meet the requirements of the Company's HSE systems or Contractor fails to observe Company's provisional accreditation requirements where Contractor has previously been wholly or provisionally accredited by Company under the Company's HSE systems;

(b) Commits any or causes Company or any Related Parties to be in breach of applicable Anti-Bribery Laws;

(c) Commits any or causes Company or any Related Parties to be in breach of applicable competition laws;

(d) Commits any or causes Company or any Related Parties to be in breach of applicable Trade Control Laws;

(e) Commits a material breach of applicable laws not mentioned in paragraphs (a), (b), (c) and (d).

Contract Clauses – Not just Bribery & Corruption

26

• To meet regulatory requirements insurance companies must be able to provide documentary evidence that policies and procedures are in place and are adhered to.

• It is used not only as a communications channel to employees and the wider broker network but provides essential information to Senior Management and Auditors that statutory compliance and internal operating procedures, together with best practices, are accurately communicated and understood.

• The compliance manager can clearly see within the administrator's view not only who has accepted but who has truly understood, and can then request a retest where a satisfactory result was not delivered.

Policy Case Study - Allianz

27

Training

28

Risk Mitigation

‘Trying to conduct due diligence on a large number of third parties with whom you are doing business on a regular basis is like trying to change out the engine of a moving car.’

David Holley, Senior Managing Director, Kroll

29

Risk Mitigation

‘How frequently do you train your third parties on anti bribery and corruption?’

2015 Anti-Bribery and Corruption Benchmarking Report, Kroll/Compliance Week

30

Third-Party Risk Management Capability Maturity Model

Internal Auditors Research Foundation, Crowe Horwath LLP

31

Companies “are not taking advantage of the solutions that are out there to the extent that they probably could, and frankly should be expected to, based on potential regulatory scrutiny.”

Robert Huff, Managing Director, Kroll

Final Thoughts

This presentation material is intended to provide a summary of the subject matter covered for training purposes only. It does not purport to be comprehensive or to render legal advice. No reader should act on the basis of any matter contained in this presentation without first obtaining specific professional advice.

Sam Gibbins, General Manager, Asia

[email protected]

+65 6622 5666

+65 9008 5569

www.grcsolutions.com.sg