Third-Party Intermediaries: Managing Global Corruption Risk

Monday, September 24, 2012 - 16:42

The Editor interviews Marc Miller, Partner, KPMG ForensicSM, New York.

Editor: How has the regulatory landscape changed regarding the way governments are viewing bribery and corruption?

Miller: Enforcement of global anticorruption conventions remains at an all-time high, and organizations worldwide continue to face hurdles when addressing compliance and trying to change cultural norms in the markets where they operate. We continue to see proactive enforcement sweeps by the DOJ and the SEC, but that has, to some degree, been countered with more support from the board level, which has transcended down into the C-suite dedicating more attention to this topic.

As a reaction to this surge of FCPA enforcement over the past few years, governments worldwide have increased and enhanced their activities and focus on antibribery and corruption. Although the active enforcement countries continue to be the U.S. and Germany, other big-economy countries are becoming stronger anticorruption players. For instance, China adopted an amendment to its criminal law last year that criminalized paying bribes to non-Chinese government officials and officials of international organizations. In 2010, the UK enacted its Bribery Act, which signaled a new frontier in the war against corruption by, among other things, making it a crime to accept a bribe and by criminalizing purely commercial bribery. There are now 39 countries that have adopted the OECD’s Anti-Bribery Convention.

With this heightened attention to bribery and corruption, companies need to understand the regulatory framework wherever they operate, especially when they consider evolving business initiatives in emerging markets. 

Editor: Regarding antibribery and corruption, what should be the top priorities for companies with a global footprint or those expanding internationally?

Miller: Global companies should prioritize and focus on three key areas. First, they should start by assessing their bribery and corruption risks to ensure they are implementing the most appropriate mitigation strategy. Regulators consistently expect companies to adopt proportionate risk-based procedures, so a broad-based assessment is necessary to align their compliance program with the risks.

Second, as companies reach into new markets, they have to rely on third-party intermediaries, or TPIs. Companies should design a TPI management strategy for on-boarding, managing and auditing TPIs in a globally consistent manner. We have seen a recent trend in enforcement of TPI-related matters, with almost 90 percent of all cases brought under the FCPA involving TPIs. This clearly is a priority of regulators, and it also should be a priority of industry.

And third, a company needs to ensure it has the right technology and resources to incorporate data analytics and manage big data challenges that are inherent in antibribery and corruption compliance. While there still are not widely accepted best practices in this arena, we are definitely seeing common trends in companies of all sizes, such as the continuing emergence of compliance and internal audit departments. Global companies can leverage sophisticated technology options to assess their TPIs, to conduct due diligence on business partners, and to use data analytics to monitor and test business transactions. Using technological solutions can greatly increase the effectiveness of compliance procedures and a company’s ability to manage risks.

Editor: You mentioned that a top priority should be managing TPIs. What exactly is a TPI, and how are they used by global companies?

Miller: TPIs typically include any third party that acts on behalf of a company, whether they are on the supply side or the sell side of the business. The provisions in the FCPA cover virtually any agent of the company, and the UK Bribery Act goes further to include any person associated with the company. For instance, suppliers, distributors, customs brokers, resellers and sales agents are common examples. But some TPIs are not as obvious, such as travel agents, lobbyists, joint venture partners, and even lawyers and accountants.

As a result of expanding global footprints, companies often have to rely on TPIs to penetrate local markets, to navigate local regulations, and to facilitate sales and distribution. Many countries even require by law that foreign companies retain a local TPI to act as an in-country representative. You can see that a company with extensive global operations can easily have hundreds of TPIs. The real challenge that companies are facing is how to assess and mitigate the risks that all of these TPIs can create.

Editor: What are the kinds of risks that TPIs pose to global companies?

Miller: The primary risk is that a company could violate the FCPA and other antibribery and corruption laws based on the corrupt conduct of its TPIs, even if the company does not have actual knowledge of what its TPIs are doing. Liability can attach if a company merely has an awareness that a high probability exists that a TPI might make a corrupt payment. In fact, the UK Bribery Act does not require any level of knowledge about a TPI’s actions, and a company could be held strictly liable if it does not have adequate procedures in place.

Not only is it very difficult to control the actions of third parties, especially in distant geographic locations, there also may be cultural and societal norms in those areas that condone or even encourage corrupt conduct. These risks are even more acute in emerging markets. In fact, a recent antibribery and corruption survey conducted by KPMG reflects that seven out of ten executives believe there are places in the world where business simply cannot be conducted without engaging in bribery or corrupt conduct. Against this backdrop, you can understand why global companies need to be proactive in addressing third-party risks.

Editor: How can companies mitigate risks created by TPIs?

Miller: Managing third-party risks starts before a TPI is retained and, as importantly, continues throughout the life of the business relationship. Conducting risk-based due diligence on a potential TPI can identify red flags before problems arise. At the outset, evaluation of the business purpose as well as answering such questions as “Why can’t we do this ourselves?”, “Why do we need another distributor in this market?”, or “Is the fair market value of what we will pay this TPI reasonable?” are just a few of the internal decision points that should be considered. Self-reported information from the TPI should also be seriously evaluated and challenged via confirmation through corporate intelligence or other sources.

Once you reach the contracting stage, companies should utilize standard contracts that include language that their TPIs will comply with applicable antibribery and corruption laws, audit rights that allow companies to inspect the TPI’s books and records to monitor compliance, and termination rights if the TPI violates anticorruption policies or regulations. Beyond upfront diligence and contracting, there should also be a plan in place to monitor TPI performance and evaluate when audit rights should be invoked. Data analytics can be a very helpful tool in evaluating high-risk activity based on geographic and transaction criteria. Additionally, companies should ensure that their TPIs receive regular training on antibribery and corruption laws, policies and practices.

Finally, it is critical for global companies to continue to monitor TPIs throughout the business relationship and to conduct diligence procedures to make sure that antibribery and corruption policies are being followed. It is not enough for companies to have good policies in place if they do not routinely assess compliance with them, and regulators have indicated that monitoring TPIs is an essential part of an adequate compliance program.

Editor: Given the focus on TPIs, how can companies who do business globally with hundreds or thousands of TPIs effectively manage the risk of corruption?

Miller: Companies with large numbers of TPIs face unique challenges not only in identifying their TPIs, but also in determining which TPIs should undergo varying levels of due diligence. It is critical for these companies to adopt a structured approach to understand the scope of their potential TPI population and to assess the relative risks. There are many ways to do this, but they start by aggregating data from around the business through local representatives and company-wide databases. Sources such as purchase orders, vendor master lists, and disbursement data can be mined to identify third parties who pose corruption risks based on data points like nature of service provided via commodity codes, deduplication of vendors across business units or via parent-subsidiary relationships, location of the third party or where services are provided, the volume of business, the likelihood the TPI will interact with government officials, and the frequency of transactions with the third party.

Then, using client- and industry-specific criteria, these third parties can be ranked in terms of the level of risk they pose. Depending on the risk, a company can design appropriate due diligence procedures for each level. If a company has many TPIs, this approach maximizes compliance resources by allowing them to focus on higher-risk TPIs. If this kind of structured approach is designed and documented properly, it will be repeatable, auditable and defensible.  

In addition to this centralized process, companies with worldwide operations should also make sure that there is responsibility and accountability at the regional level. Local management needs to understand the risks that TPIs can create, and they should have ownership in ensuring that TPIs in their region comply with the company’s antibribery and corruption policies. Proper training of local resources is essential for companies that operate in disparate locations with decentralized management responsibilities.

Editor: Are there any obligations for companies to train their TPIs?

Miller: While there is no language in the FCPA or other laws expressly requiring training, having an antibribery and corruption training program has been, and continues to be, considered one of the hallmarks of a sound compliance program. Among other things, the U.S. Federal Sentencing Guidelines identifies effective training as a key component that could allow companies to mitigate sentences. The overall effectiveness of a compliance program, including training, is one of the factors that regulators review in determining whether or not to charge a company. Further, when regulators prosecute and/or settle bribery and corruption cases with companies, they generally require the companies to implement an effective training program.

Editor: How can technology help companies address the risk of bribery and corruption?

Miller: Technology and specifically data analytics are really changing the game for mitigating bribery and corruption risks. Leveraging the powers of data analytics to analyze large and varied data sets to pinpoint higher-risk transactions proves to be a powerful step for monitoring effectiveness of global antibribery and corruption programs. Routines can be programmed to look for certain corruption-related indicia, such as abnormally high margins through sales channels, unusual expenses and above-market commissions. This step can be designed to run on either a programmed or manual basis and can also monitor performance of TPI activities.

With regard to TPI relationships, technology can assist with making the due diligence process more efficient, uniform, documented and auditable. It can help automate a structured and consistent approach to TPI management, as previously described. Platforms can be designed to electronically gather third-party data from the company’s internal sponsors and systems and also from third parties. They then aggregate and normalize the data and store it in a central repository while also identifying red flags for follow-up and remediation. The process should be tailored for each client and can also be set to interface with LMS and general procurement systems so that vendors are not paid until authorized as an approved TPI.

Corporate intelligence tools also enable the automation of the management, measurement, remediation and reporting of antibribery and corruption risks associated with TPI relationships in accordance with regulations, policies and business decisions. Technology-enabled research tools can be used to provide both financial and integrity due diligence by accessing online public data, including global sanctions and regulatory enforcement lists, corporate records, court filings and media reports. These tools assimilate the data and highlight potential problem areas. This technology should be used on a regular basis to provide updated reports as companies monitor their TPIs.

Editor: To tie this back to where we started, what kinds of information about a company’s antibribery and corruption program will regulators want to see?

Miller: That’s a good question. Regulators may want everything you have on a particular subject. It’s very difficult to predict what a regulator will expect of you: they will not only want to hear about and obtain your compliance policies, but will also want to see evidence of how you have brought your antibribery and corruption program to life.  This may include providing them with internal audit reports together with the data analytics performed to help define the audit scope. It may include evidence of business sponsor justification, TPI due diligence questionnaires and evidence of how red flags were remediated through additional procedures and/or contracting. In the end, companies that have implemented some of the procedures that I discussed can use this to their advantage by showing regulators that they have considered their unique bribery and corruption risks and have taken appropriate steps to prevent, detect and respond to such risks.

Marc Miller specializes in bribery and corruption matters, financial reporting investigations and compliance program assistance services. He also oversees global investigative and forensic support services for multiple KPMG clients in the pharmaceutical, medical device, life sciences and consumer markets industry.

Please email the interviewee at marcmiller@kpmg.com with questions about this interview.