31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Know Your Customer

Do FCPA considerations come into play for customers? How should you think about your obligations under the FCPA for a group not traditionally associated with FCPA liability or even FCPA risk? These questions and perhaps others are raised by the FCPA investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a U.S. company, ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. This investigation demonstrates why businesses need to be more concerned not only with who they do business with but also with how their customers might be doing business. In banking and financial services parlance, you now need to ramp up your organization’s Know Your Customer (KYC) information to continue throughout a seller-purchaser relationship, in the context of the FCPA.

There does not have to be a direct bribe or other corrupt payment made by a U.S. company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. However, as the Fifth Circuit said in US v. Kay, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. While at first blush ProEnergy may appear to be at the edge of potential FCPA liability, if it knew, had reason to know, or should have taken steps to know about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The FinCEN rules on customer due diligence for financial institutions are a good starting point for other commercial entities to base their compliance program for customers around.

Three key takeaways:

  1. Non-banking and non-financial service entities need to consider their KYC obligations in the context of FCPA risk.
  2. FinCEN rules on customer due diligence are a good starting point for the non-financial institution.
  3. Ongoing monitoring should be used and the information incorporated into your customer risk profile going forward.

Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 1: Michael Parker on Risk Mitigation

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, from the Volkov Law Group. In this Part 1, I visit with Michael Parker on the need for risk mitigation to bring a third party into a relationship with your organization.

Parker has worked in the compliance arena for six years, learning from his experience in government and tech. For a compliance program to be successful, executive leadership must also have buy-in from the Board of Directors for oversight. A third-party risk management platform aims to protect the business’s assets and create a single source of truth. Through such a mechanism, third parties can be screened for anti-bribery, anti-corruption, human trafficking, and much more. The Board needs visibility to make decisions and an audit log to show activity and diligence if ever needed. It is critical for all compliance functions to stay up to date with regulations and keep their third-party platform consistently updated.

Key Highlights

  • How can a risk-based approach, coupled with a single source of truth and a robust platform, help protect business assets and comply with changing regulations?
  • What is the German Supply Chain Act, and how can companies ensure compliance related to human trafficking and human slavery?
  • How can companies use visual analytics to gain insights into their risk-based approach and show evidence of due diligence in the face of an audit?

Notable Quotes

  1. “Companies don’t do bad things; people do. And as people do, the regulatory landscape changes and can change quickly. So keeping up with those changes is critical to protecting your assets and mitigating risk.”
  2. “We need to increase our defensibility and audibility if somebody comes knocking; we can show and illustrate that we have done our due diligence to mitigate any risk of doing business with this third party.”
  3. “Companies don’t do bad things; people do.”
  4. “Put a platform in place that is robust lends itself to a number of different benefits.”

 Resources

Michael Parker on LinkedIn

Check out Diligent’s 3rd party products and services here.

Corruption, Crime and Compliance

Joint Compliance Notice on Sanctions Evasion Issued by Justice, Treasury and Commerce Departments

In this insightful solo episode of Crime, Corruption, and Compliance, host Michael Volkov delves into the details of the first-of-its-kind Joint Compliance Note (JCN) regarding the evasion of Russia sanctions and export controls. This noteworthy document has been jointly issued by the United States Justice Department, the Department of Commerce, and the Treasury Department, highlighting its significance in the world of compliance.

Throughout the episode, Michael explores the critical red flag lists, government expectations, and alerts to common high-risk scenarios provided by the JCN, emphasizing the crucial role it plays in guiding organizations through potential compliance challenges. With the U.S. Russia Sanctions and Export Control Program being unprecedented in its scope and complexity, Michael sheds light on the challenges faced by trade compliance officers and the steps organizations can take to mitigate risks.

 

Key ideas you’ll hear in this episode:

  • The JCN is an essential resource for compliance professionals, detailing red flags and tactics used by organizations and individuals to evade applicable sanctions and export controls.
  • The joint issuance of this document by DOJ, OFAC, and BIS highlights the importance placed on organizations to implement and maintain risk-based compliance programs.
  • Third-party intermediaries and transshipment points are often exploited to disguise the involvement of specially designated nationals (SDNs) or parties on the BIS entity list in transactions, obscuring the true identities of end-users.
  • The JCN provides an invaluable list of red flags to watch for if a company suspects that a customer is using a third party to evade sanctions or export controls, with real-world examples for context. Some of the red flags to watch out for include:
      • Use of corporate vehicles, such as shell companies, to obscure ownership, source of funds, or countries involved.
      • A customer’s reluctance to share information about the end use of a product.
      • Use of shell companies for international wire transfers.
      • Declining customary installation, training, or maintenance services.
      • Mismatched IP addresses that do not correspond to a customer’s reported location data.
      • Last-minute changes to shipping instructions contrary to customer history or business practices.
      • Payments coming from a third-party country or business not listed on the end-user statement.
      • Use of personal email accounts instead of company email addresses.
      • Operation of complex and/or international businesses using residential addresses or addresses common to multiple closely held corporate entities.
      • Changes to standard letters of engagement that obscure the ultimate customer.
      • Transactions involving a change in shipments or payments previously scheduled for Russia or Belarus.
      • Transactions involving entities with little or no web presence.
      • Routing purchases through certain transshipment points commonly used to illegally redirect restricted items to Russia or Belarus.
  • In the face of potential violations, companies are encouraged to utilize voluntary disclosure programs maintained by DOJ, OFAC, and BIS.
  • Compliance and trade compliance professionals should review the JCN thoroughly to ensure overall trade compliance and be ready to conduct additional due diligence when confronted with any red flags.

 

KEY QUOTES:

“When multiple red flags come up, organizations are expected to screen the entities and persons involved and then conduct additional risk-based due diligence on customers, intermediaries, and counterparties.” – Michael Volkov

“In other words, not only do you need to screen, but they’re going to require you, and they’re going to second guess you on the issue of whether you should have done additional due diligence. And that’s important.” – Michael Volkov

“When confronted with any of these kinds of situations or any other red flags, remember, it’s key to do follow up due diligence, do more, and document what you do to make sure that you are protected in this situation.” – Michael Volkov

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

FCPA Compliance Report

Kelly Paxton on Maximizing Your Network

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, I am joined by Kelly Paxton, a certified fraud examiner who has worked in the anti-corruption space for years. In our conversation, Kelly talks about the importance of networking and how women are often underestimated in the field. She is a proponent of the Certified Fraud Examiner designation and emphasizes the need to foster a brand for yourself. She also encourages listeners to remember that good people can make bad choices and to take an interest in the stories behind fraud cases. Kelly talks about her passion for defense work and delves into the nuances of different types of offenders. Her wisdom and insight make her an invaluable guest on the podcast.

 Key Highlights

Networking at National Industry Events for Fraud Examiners [00:04:34]

The Importance of Encouraging Women in Fraud Risk Management [00:08:17]

The Benefits of Becoming a Certified Fraud Examiner [00:11:55]

The Consequences of Choosing to Commit Fraud [00:19:51]

Breaking Through Stereotypes: Exploring Unconventional Life Experiences [00:24:04]

The Value of Defense Work [00:27:59]

 Notable Quotes

  1. “At the end of the day, the business owners are the ones who have the assets that are getting stolen.”
  2. “We have this thing called the optimism bias. We don’t think bad things will happen to us. Even more so, we don’t think bad things will happen to us compared to thinking good things will happen to us. We hire people. We know I can trust. So why would they steal?”
  3. “Don’t look at it as a cost center. Give the fraud professionals the ability to keep training in networking.”
  4. “The genius of LinkedIn is you meet the person, you send the invitation, you meet the person, and a couple of years down the road, you’re like that person pops up again. And you go back in your messages and remember, oh, yeah. I saw them there. I connected there.”

 Episode Links

Fraudish

Kelly Paxton on LinkedIn

Connect with Tom Fox on LinkedIn

Daily Compliance News

March 20, 2023 – The Alfred E. Newman Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • UBS to buy Credit Suisse. (FT)
  • Crisis, what crisis? (FT)
  • O’Sullivan linked to Wirecard. (FT)
  • Does mattering matter? (FT)

Blog

Reprioritizing Your Third-Party Risk Management Program-Risk Mitigation

With the ever-changing landscape of regulations and laws, it is becoming increasingly difficult for companies to keep up and remain compliant. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider risk mitigation, and I visit with Michael Parker, Director of Advisory and Consulting Services for Diligent, to discuss how to approach the Board of Directors around the crucial issue of third-party risk management and risk mitigation. Parker has been in the compliance industry for six years and has experience working with the Department of Homeland Security, Apple Computer, and over 300 clients in the compliance and legal space.

Parker dives into how Diligent’s platform helps companies assess risk and comply with laws such as the FCPA, UK Modern Slavery Act, Uyghur Forced Labor Prevention Act and more. Join us in this five-part series to learn how Diligent’s platform can help reduce risk and ensure compliance.

Here are the steps you need to follow to achieve risk mitigation:

  1. Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.
  2. Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.
  3. Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.

Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc., is an essential first step. The process begins by collecting and inputting data into a single source of truth platform such as Diligent’s Third Party Risk Management System. This platform allows for a risk-based approach to screening, in which the compliance professional can assess the risk of doing business with a third party. This assessment includes screening for anti-bribery and anti-corruption, politically exposed persons, state owned entities, watch lists, and embargoes, as well as more recent regulations such as the German Supply Chain Act and the UK Modern Slavery Act. It also provides the ability to document and audit activities, allowing for better visibility and accountability from an internal and external perspective. Finally, the platform is constantly updated to ensure that it is compliant with any new laws or regulations that are implemented.

Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.

The second step in the third-party risk management process is to take a risk-based approach in evaluating the dossier of information. This dossier typically includes the results of the screening process, any due diligence questionnaires, and any additional investigations that have been conducted. All these items should be compiled into a single source of truth and reviewed to ensure that the organization has done its due diligence in assessing the third party.

The risk-based approach should be tailored to the specific organization and its risk profile, as well as the specific third party that it is doing business with. This evaluation should also take into consideration any changes in laws, regulations, and sanctions that may have been recently implemented. The diligence program should also be able to screen for a variety of different risks, such as anti-bribery, anti-corruption, human trafficking, politically exposed persons, state-owned entities, watchlists, and embargoes.

Once the evaluation is complete, the organization should have a clear understanding of the risks associated with doing business with the third party and can make an informed decision as to whether to approve or deny the business relationship. This risk-based approach should be documented for auditability in case of any potential future inquiries or investigations.

Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Documentation is an essential part of risk mitigation and due diligence. It is important to maintain an audit trail of activities, notes, attachments, and actions taken related to third party risk management. This allows companies to easily access information and prove that they have taken the necessary steps to mitigate risk. A platform such as Diligent’s Third Party Risk Manager can be used to keep track of all the necessary documentation. All activities, notes, and attachments can be stored in a single source of truth, which provides visibility and auditability for the board. Additionally, the platform is regularly updated to ensure that it is up to date with the latest regulations and laws. This allows companies to remain compliant and mitigate risk. All these elements come together to form a dossier of information, which can be used to approve or deny business with third parties. Documentation is a key part of any risk management program and is essential for due diligence.

Over this five-part blog post series, I will explore reprioritizing your third-party risk management program. It is essential to properly evaluate third-party risk and to document all activities, notes, and attachments to remain compliant and mitigate risk. With the right platform and approach, companies can keep up with the ever-changing regulations and laws and protect their businesses from potential issues. With dedication and hard work, business owners can stay ahead of the curve in risk management and compliance.

For more information, check out Diligent here.

Listen to Michael Parker on the podcast series here.