Categories
Daily Compliance News

March 21, 2023 – The Cancel Spring Break Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • Miami Beach wants to cancel Spring Break. (WSJ)
  • The $17bn wipe out. (FT)
  • South African corruption investigator murdered. (BBC)
  • Did Venezuela's Oil Minister resign in a corruption probe? (Reuters)
Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Questionnaire and Due Diligence

Are you considering a third-party questionnaire for your organization? With so much debate around what should be asked, and how detailed you should be, it can be hard to know where to start. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the third-party questionnaire, and I am joined by Stephanie Font, director of the Operations Optimization Group at Diligent, to discuss third-party questionnaires and due diligence investigations.

Every compliance professional needs to understand the organization's own risk profile before crafting a due diligence process that fits it. Here are the steps to follow:

  1. Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.
  2. Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.
  3. Documenting: Keeping records of the due diligence investigations to be used in the future.

Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.

The first step in managing third parties is to create a questionnaire that gathers basic information about the third party and identifies which regulations need to be complied with. When creating the questionnaire, it is important to understand the organization's risk model and what it is trying to achieve. The questionnaire should be tailored to the specific risk factors the organization is trying to address, as well as the regulations that need to be complied with. Questions should cover items such as the size of the company, where it does business, and the type of relationship it will have with you. The questionnaire should also ask questions that alert you to potential risk factors, such as whether the third party does business in a heavily sanctioned country. Once the questionnaire is sent and responses are received, the answers inform the next step of the due diligence process. Your third-party risk management system should automate part of this by flagging risk factors and indicating what level of investigation is needed. Lastly, document the process and create an audit trail that can be used for compliance, internal review and similar purposes.

Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.

The second step of third-party due diligence is the investigation itself: looking into the third party based on its questionnaire answers and other risk factors. The best approach is to start from the organization's own risk and what it is trying to accomplish, which allows it to build a risk model and tailor the questionnaire accordingly, with questions about the size of the company, where it does business, and other risk factors that may arise. Once the questionnaire is complete, the next step is to assess the risk factors and determine the appropriate level of investigation. This can range from a baseline screening against sanctions lists and other global databases to an enhanced due diligence investigation with boots on the ground to ask about the company's reputation and verify a manufacturing site. Document the process to create an audit trail for internal stakeholders and regulators, and track it in a third-party risk management system so that every step is completed and recorded.

Documenting: Keeping records of the due diligence investigations to be used in the future.

Documenting is an important step in the due diligence process, as it creates an audit trail of the activities and decisions that were taken. Keep records of every investigation conducted, because those records may later be needed to defend the decisions made. A third-party risk management system allows all the necessary information to be stored in a secure location and can track changes or updates to the investigations over time. The system can also flag potential risks that surface in the investigations and automate the decision about which type of investigation is necessary based on the risk model. Finally, keep all documents related to the due diligence process, such as the questionnaire, investigation reports, and any other relevant material, so that the audit trail is complete and applicable compliance regulations are met.

Third-party due diligence is a crucial part of any compliance program. A thorough questionnaire and a detailed due diligence investigation help organizations mitigate risk and comply with applicable regulations. Documenting the process creates an audit trail that can be relied on in the future. With the right tools and processes in place, organizations of any size can manage third-party risk and build a robust compliance program. With the right information and guidance, you too can create a successful third-party due diligence process for your organization.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Stephanie Font on the podcast series here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Know Your Customer

Do FCPA considerations come into play for customers? How should you think about your obligations under the FCPA for a group not traditionally associated with FCPA liability or even FCPA risk? These questions, and perhaps others, are raised by the FCPA investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a U.S. company, ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. The investigation demonstrates why businesses need to be concerned not only with who they do business with but with how their customers do business. In banking and financial services parlance, your organization now needs to ramp up its Know Your Customer (KYC) information, and keep it current throughout the seller-purchaser relationship, in the context of the FCPA.

There does not have to be a direct bribe or other corrupt payment made by a U.S. company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third parties. As the Fifth Circuit said in US v. Kay, "[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly," [emphasis mine]. At first blush, ProEnergy may appear to be at the edge of potential FCPA liability; but if it knew, had reason to know, or should have taken steps to know about nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The FinCEN rules on customer due diligence for financial institutions are a good starting point for other commercial entities to build their customer compliance program around.

Three key takeaways:

  1. Non-banking and non-financial service entities need to consider their KYC obligations in the context of FCPA risk.
  2. FinCEN rules on customer due diligence are a good starting point for the non-financial institution.
  3. Ongoing monitoring should be used and the information incorporated into your customer risk profile going forward.
Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 1: Michael Parker on Risk Mitigation

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, from the Volkov Law Group. In this Part 1, I visit with Michael Parker on the need for risk mitigation to bring a third party into a relationship with your organization.

Parker has worked in the compliance arena for six years, drawing on his experience in government and tech. For a compliance program to succeed, executive leadership also needs Board of Directors buy-in for oversight. A third-party risk management platform aims to protect the business's assets and create a single source of truth; through it, third parties can be screened for anti-bribery, anti-corruption, human trafficking, and much more. The Board needs visibility to make decisions, and an audit log to show activity and diligence if ever needed. It is critical for every compliance function to stay up to date with regulations and keep its third-party platform consistently updated.

Key Highlights

  • How can a risk-based approach, coupled with a single source of truth and a robust platform, help protect business assets and comply with changing regulations?
  • What is the German Supply Chain Act, and how can companies ensure compliance related to human trafficking and human slavery?
  • How can companies use visual analytics to gain insights into their risk-based approach and show evidence of due diligence in the face of an audit?

Notable Quotes

  1. “Companies don’t do bad things; people do. And as people do, the regulatory landscape changes and can change quickly. So keeping up with those changes is critical to protecting your assets and mitigating risk.”
  2. “We need to increase our defensibility and auditability if somebody comes knocking; we can show and illustrate that we have done our due diligence to mitigate any risk of doing business with this third party.”
  3. “Putting a platform in place that is robust lends itself to a number of different benefits.”

 Resources

Michael Parker on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Corruption, Crime and Compliance

Joint Compliance Notice on Sanctions Evasion Issued by Justice, Treasury and Commerce Departments

In this solo episode of Corruption, Crime and Compliance, host Michael Volkov delves into the details of the first-of-its-kind Joint Compliance Note (JCN) regarding the evasion of Russia sanctions and export controls. The document was jointly issued by the United States Justice Department, the Department of Commerce, and the Treasury Department, which underlines its significance for compliance.

Throughout the episode, Michael explores the critical red flag lists, government expectations, and alerts to common high-risk scenarios provided by the JCN, emphasizing the crucial role it plays in guiding organizations through potential compliance challenges. With the U.S. Russia Sanctions and Export Control Program being unprecedented in its scope and complexity, Michael sheds light on the challenges faced by trade compliance officers and the steps organizations can take to mitigate risks.


Key ideas you’ll hear in this episode:

  • The JCN is an essential resource for compliance professionals, detailing red flags and tactics used by organizations and individuals to evade applicable sanctions and export controls.
  • The joint issuance of this document by DOJ, OFAC, and BIS highlights the importance placed on organizations to implement and maintain risk-based compliance programs.
  • Third-party intermediaries and transshipment points are often exploited to disguise the involvement of specially designated nationals (SDNs) or parties on the BIS entity list in transactions, obscuring the true identities of end-users.
  • The JCN provides an invaluable list of red flags to watch for if a company suspects that a customer is using a third party to evade sanctions or export controls, with real-world examples for context. Some of the red flags to watch out for include:
      • Use of corporate vehicles, such as shell companies, to obscure ownership, source of funds, or countries involved.
      • A customer’s reluctance to share information about the end use of a product.
      • Use of shell companies for international wire transfers.
      • Declining customary installation, training, or maintenance services.
      • Mismatched IP addresses that do not correspond to a customer’s reported location data.
      • Last-minute changes to shipping instructions contrary to customer history or business practices.
      • Payments coming from a third-party country or business not listed on the end-user statement.
      • Use of personal email accounts instead of company email addresses.
      • Operation of complex and/or international businesses using residential addresses or addresses common to multiple closely held corporate entities.
      • Changes to standard letters of engagement that obscure the ultimate customer.
      • Transactions involving a change in shipments or payments previously scheduled for Russia or Belarus.
      • Transactions involving entities with little or no web presence.
      • Routing purchases through certain transshipment points commonly used to illegally redirect restricted items to Russia or Belarus.
  • In the face of potential violations, companies are encouraged to utilize voluntary disclosure programs maintained by DOJ, OFAC, and BIS.
  • Compliance and trade compliance professionals should review the JCN thoroughly to ensure overall trade compliance and be ready to conduct additional due diligence when confronted with any red flags.
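Several of the red flags above are machine-checkable on the data a seller already holds at order time (email domain, order IP, payer country, ship-to country, shipping history, declined services), and the Diligent blog post earlier on this page makes the complementary point that a risk management system should flag such factors and indicate whether baseline screening or enhanced due diligence is warranted. The following Python is an added example, not code from the JCN, Diligent, the Volkov Law Group or this podcast: it encodes those indicators as checks over a transaction record and rolls the result up into an escalation decision. Everything in it is an assumption: the free-mail domain list, the GeoIP table (built over RFC 5737 documentation ranges), the transshipment watch list (ISO 3166 user-assigned codes used as placeholders, since the page does not name the jurisdictions), the record fields, the sample orders and the escalation thresholds.

```python
"""Red-flag scorer for export transactions, built from the JCN indicator list above.

Added example, not code from the JCN, Diligent or the podcast. The domain list,
GeoIP table, transshipment list, record layout and thresholds are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumption: a short list of consumer webmail domains.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "mail.ru"}

# Assumption: the page does not list the transshipment jurisdictions the JCN
# names, so ISO 3166 user-assigned codes stand in for them here.
TRANSSHIPMENT_WATCH = {"XA", "XB"}

# Constructed GeoIP table over RFC 5737 documentation ranges, standing in for
# a real IP-geolocation database.
GEOIP_TABLE = [
    (ip_network("192.0.2.0/24"), "XA"),
    (ip_network("198.51.100.0/24"), "XC"),
    (ip_network("203.0.113.0/24"), "XD"),
]


def geoip_country(ip: str) -> str | None:
    """Return the placeholder country for an IP, or None if unknown or invalid."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    for net, country in GEOIP_TABLE:
        if addr in net:
            return country
    return None


@dataclass
class Transaction:
    customer_email: str
    customer_country: str               # country the customer reported
    order_ip: str                       # source IP of the ordering session
    ship_to_country: str
    payer_country: str
    end_user_statement_countries: set   # countries listed on the end-user statement
    prior_ship_to_countries: set = field(default_factory=set)
    shipping_changed_after_confirmation: bool = False
    declined_install_training_maintenance: bool = False
    counterparty_has_web_presence: bool = True
    uses_residential_address: bool = False


def red_flags(tx: Transaction) -> list[str]:
    """Evaluate the indicators from the JCN list that can be checked from order data."""
    flags: list[str] = []
    domain = tx.customer_email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        flags.append("personal_email")
    ip_country = geoip_country(tx.order_ip)
    if ip_country is not None and ip_country != tx.customer_country:
        flags.append("ip_location_mismatch")
    if tx.payer_country not in tx.end_user_statement_countries:
        flags.append("payment_from_unlisted_country")
    if tx.ship_to_country in TRANSSHIPMENT_WATCH:
        flags.append("transshipment_point")
    if tx.shipping_changed_after_confirmation and tx.ship_to_country not in tx.prior_ship_to_countries:
        flags.append("late_shipping_change")
    if tx.declined_install_training_maintenance:
        flags.append("declined_customary_services")
    if not tx.counterparty_has_web_presence:
        flags.append("no_web_presence")
    if tx.uses_residential_address:
        flags.append("residential_address")
    return flags


def recommended_action(flags: list[str]) -> str:
    """Assumed escalation policy: one flag means screen and resolve it; several
    flags mean hold the shipment and open enhanced due diligence."""
    if not flags:
        return "proceed: baseline screening only"
    if len(flags) == 1:
        return "screen all parties and resolve the flag before shipment"
    return "hold: screen all parties and open enhanced due diligence"


def assess(tx: Transaction) -> dict:
    """Return the fired flags and the action, the record to keep for the audit trail."""
    flags = red_flags(tx)
    return {"flags": flags, "action": recommended_action(flags)}


# Constructed sample orders.
CLEAN_ORDER = Transaction(
    customer_email="procurement@example-industrial.test",
    customer_country="XC",
    order_ip="198.51.100.7",            # geolocates to XC, matching the reported country
    ship_to_country="XC",
    payer_country="XC",
    end_user_statement_countries={"XC"},
    prior_ship_to_countries={"XC"},
)

SUSPICIOUS_ORDER = Transaction(
    customer_email="buyer2023@gmail.com",
    customer_country="XC",
    order_ip="192.0.2.44",              # geolocates to XA, not the reported XC
    ship_to_country="XA",               # on the transshipment watch list
    payer_country="XD",                 # payer not on the end-user statement
    end_user_statement_countries={"XC"},
    prior_ship_to_countries={"XC"},
    shipping_changed_after_confirmation=True,
    declined_install_training_maintenance=True,
)

if __name__ == "__main__":
    for name, tx in (("clean", CLEAN_ORDER), ("suspicious", SUSPICIOUS_ORDER)):
        print(name, assess(tx))
```

The judgment-based indicators on the list (shell companies obscuring ownership, reluctance to discuss end use, altered engagement letters) stay with the analyst; the value of the automated part is that it hands the analyst the exact list of flags that fired on a given order, and that list, with the decision taken, is what gets documented.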


KEY QUOTES:

“When multiple red flags come up, organizations are expected to screen the entities and persons involved and then conduct additional risk-based due diligence on customers, intermediaries, and counterparties.” – Michael Volkov


“In other words, not only do you need to screen, but they’re going to require you, and they’re going to second guess you on the issue of whether you should have done additional due diligence. And that’s important.” – Michael Volkov


“When confronted with any of these kinds of situations or any other red flags, remember, it’s key to do follow up due diligence, do more, and document what you do to make sure that you are protected in this situation.” – Michael Volkov


Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
FCPA Compliance Report

Kelly Paxton on Maximizing Your Network

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, I am joined by Kelly Paxton, a certified fraud examiner who has worked in the anti-corruption space for years. In our conversation, Kelly talks about the importance of networking and how women are often underestimated in the field. She is a proponent of the Certified Fraud Examiner designation and emphasizes the need to foster a brand for yourself. She also encourages listeners to remember that good people can make bad choices and to take an interest in the stories behind fraud cases. Kelly talks about her passion for defense work and delves into the nuances of different types of offenders. Her wisdom and insight make her an invaluable guest on the podcast.

 Key Highlights

Networking at National Industry Events for Fraud Examiners [00:04:34]

The Importance of Encouraging Women in Fraud Risk Management [00:08:17]

The Benefits of Becoming a Certified Fraud Examiner [00:11:55]

The Consequences of Choosing to Commit Fraud [00:19:51]

Breaking Through Stereotypes: Exploring Unconventional Life Experiences [00:24:04]

The Value of Defense Work [00:27:59]

Notable Quotes

1. “At the end of the day, the business owners are the ones who have the assets that are getting stolen.”

2. “We have this thing called the optimism bias. We don’t think bad things will happen to us. Even more so, we don’t think bad things will happen to us compared to thinking good things will happen to us. We hire people we know we can trust. So why would they steal?”

3. “Don’t look at it as a cost center. Give the fraud professionals the ability to keep training and networking.”

4. “The genius of LinkedIn is you meet the person, you send the invitation, you meet the person, and a couple of years down the road, you’re like, that person pops up again. And you go back in your messages and remember, oh, yeah. I saw them there. I connected there.”

 Episode Links

Fraudish

Kelly Paxton on LinkedIn

Connect with Tom Fox on LinkedIn

Categories
Daily Compliance News

March 20, 2023 – The Alfred E. Newman Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • UBS to buy Credit Suisse. (FT)
  • Crisis, what crisis? (FT)
  • O’Sullivan linked to Wirecard. (FT)
  • Does mattering matter? (FT)
Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Risk Mitigation

With the ever-changing landscape of regulations and laws, it is becoming increasingly difficult for companies to keep up and remain compliant. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider risk mitigation, and I visit with Michael Parker, Director of Advisory and Consulting Services for Diligent, to discuss how to approach the Board of Directors on the crucial issue of third-party risk management and risk mitigation. Parker has been in the compliance industry for six years and has experience working with the Department of Homeland Security, Apple Computer, and over 300 clients in the compliance and legal space.

Parker dives into how Diligent’s platform helps companies assess risk and comply with laws such as the FCPA, the UK Modern Slavery Act, the Uyghur Forced Labor Prevention Act and more. Join us in this five-part series to learn how Diligent’s platform can help reduce risk and ensure compliance.

Here are the steps to follow for risk mitigation:

  1. Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.
  2. Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.
  3. Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.

Screening is the essential first step: checking the third party against anti-bribery and anti-corruption data, politically exposed persons lists, state-owned entity lists, watch lists, embargoes, and so on. The process begins by collecting and inputting data into a single-source-of-truth platform such as Diligent’s Third Party Risk Management System. The platform supports a risk-based approach to screening, in which the compliance professional assesses the risk of doing business with a third party. The assessment covers anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, and embargoes, as well as more recent regulations such as the German Supply Chain Act and the UK Modern Slavery Act. It also provides the ability to document and audit activities, giving better visibility and accountability from both an internal and an external perspective. Finally, the platform is continually updated so that screening keeps pace with newly implemented laws and regulations.

Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.

The second step in the third-party risk management process is to take a risk-based approach in evaluating the dossier of information. This dossier typically includes the results of the screening process, any due diligence questionnaires, and any additional investigations that have been conducted. All these items should be compiled into a single source of truth and reviewed to ensure that the organization has done its due diligence in assessing the third party.

The risk-based approach should be tailored to the specific organization and its risk profile, as well as the specific third-party that they are doing business with. This evaluation should also take into consideration any changes in laws, regulations, and sanctions that may have been recently implemented. The diligence program should also be able to screen for a variety of different risks, such as anti-bribery, anti-corruption, human trafficking, politically exposed persons, state-owned entities, watchlists, and embargoes.

Once the evaluation is complete, the organization should have a clear understanding of the risks associated with doing business with the third party and can make an informed decision as to whether to approve or deny the business relationship. This risk-based approach should be documented for auditability in case of any potential future inquiries or investigations.

Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Documentation is an essential part of risk mitigation and due diligence. Maintain an audit trail of activities, notes, attachments, and actions taken in third-party risk management; this lets the company retrieve the information easily and prove that it took the necessary steps to mitigate risk. A platform such as Diligent’s Third Party Risk Manager can hold all of this documentation, storing activities, notes, and attachments in a single source of truth that gives the board visibility and auditability. The platform is regularly updated to keep pace with the latest regulations and laws, which helps companies remain compliant. All of these elements come together to form the dossier of information used to approve or deny business with a third party. Documentation is a key part of any risk management program and is essential for due diligence.

Over this five-part blog post series we will explore reprioritizing your third-party risk management program. It is essential to evaluate third-party risk properly and to document all activities, notes, and attachments in order to remain compliant and mitigate risk. With the right platform and approach, companies can keep up with ever-changing regulations and laws and protect their businesses from potential issues. With dedication and hard work, business owners can stay ahead of the curve in risk management and compliance.

For more information, check out Diligent here.

Listen to Michael Parker on the podcast series here.

Categories
Because That's What Heroes Do

Picard-Season 2, Episodes 7- 8

In this podcast series, two complete MCU fans, Tom Fox, founder of the Compliance Podcast Network, and Megan Dougherty, co-founder of One Stone Creative, indulge in a passion for all things in the Marvel Cinematic Universe by re-watching each movie and then podcasting on every movie in the MCU. However, we will go in a different direction over the next three episodes and review Picard Season 2. In this podcast, we take up episodes 7-8.

Key Highlights

Episode 7-Synopsis [1:16]

Episode 7-Commentary [2:37]

Episode 8-Synopsis [8:13]

Episode 8-Commentary [9:33]

Next time, we will conclude our deep dive into Picard Season 2 by looking at episodes 9-10.

Categories
Sunday Book Review

March 19, 2023 – The Russian Oligarch Edition

In the Sunday Book Review, I consider books that interest the compliance professional, the business executive, or anyone curious. They could be books about business, compliance, history, leadership, current events, or anything else that might interest me. In today’s edition of the Sunday Book Review, we consider some of the top recently released books about Russian oligarchs: