In today’s edition of Daily Compliance News:
Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
The 2020 Update stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.
There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.
Three key takeaways:
- A Level I due diligence should only be used where there is a low risk of corruption.
- A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
- Level III due diligence is a deep-dive, boots-on-the-ground investigation.
Episode 047–Steven Butera

On this episode of The Ethics Experts, Gio welcomes Steve Butera, Director of Compliance, QI, and Privacy at Pathways Health & Community Support, to the show! They discuss the “why” of compliance, the complexity of it, and how to start E&C from the interview process.

In this episode, CSS’s Executive Director Jackie Hallihan sits down with Senior Consultant Adam DiPaolo to read the tea leaves on 2021. The compliance duo discusses changes to the SEC itself, to regulations, rule-making, examination and enforcement trends, and how to prepare for the predictability and unpredictability of compliance in the new year.
A CSS RegTech podcast series on moving from a tactical to strategic approach to regulatory compliance. The global regulatory space is complex and fragmented. Financial firms can address this problem through tactical responses to regulatory deadlines or think more strategically on how to optimize their compliance data, operations and technology. The CSS weekly podcast features regulatory experts, former Chief Compliance Officers, cybersecurity specialists, industry partners and RegTech collaborators to help prepare investment management firms for changes on the regulatory horizon. For more information on CSS, visit: www.cssregtech.com
About Our Guest Speakers:
Jackie Hallihan is the Co-Executive Director of CSS’s Compliance Services team and has over 25 years’ regulatory and risk management experience. She was the founder of National Regulatory Services (NRS) which started the compliance resource business and served as its President for over 20 years. She also founded the National Society of Compliance Professionals (NSCP), a non-profit organization for compliance officers, staff and lawyers serving the compliance industry. It now boasts over 2000 memberships. Jackie has been a leading speaker to compliance professionals, including in-house training programs and various other industry association conferences, and has received numerous industry awards. Jackie also serves as Director, Clerk of the New England Broker Dealer Investment Adviser Association (NEBDIAA), a non-profit organization, incorporated in 1997. The purpose of NEBDIAA is to provide a forum for the professional exchange of information among investment advisers, broker dealers, and persons who provide services to investment advisers and broker dealers, and to direct communication among its members which will improve their ability to serve the needs of their respective clients. The forum will help NEBDIAA’s members meet the increased regulatory demands placed on investment advisers, broker dealers, and persons who provide services to investment advisers and broker dealers.

Adam DiPaolo CISA, CRISC is a Section 13 Reporting Manager, Senior Consultant and Associate General Counsel, designing practical solutions to manage regulatory challenges faced by hedge funds, private equity funds, funds of funds, and other investment advisers. In addition to providing compliance services such as annual compliance program reviews, risk assessments and acquisition due diligence, Adam established Section 13 reporting capabilities and EDGAR filing agent services for CSS’s Ascendant compliance services division. He drafts and maintains corporate filings ranging from Forms ADV and PF to Forms 13F and 13H.
The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.
Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.
Three key takeaways:
- Have a strategic approach to third-party risk management.
- Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
- Managing the relationship is where the real work begins.
As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:
- Business Justification by the Business Sponsor;
- Questionnaire to Third-party;
- Due Diligence on Third-party;
- Compliance Terms and Conditions, including payment terms; and
- Management and Oversight of Third Parties After Contract Signing.
Three key takeaways:
- Use the full five-step process for third-party management.
- Make sure you have business development involvement and buy-in.
- Operationalize all steps going forward by including business unit representatives.
In today’s edition of Sunday Book Review:
- Parting the Waters by Taylor Branch
- Judgment Days by Nick Kotz
- The Speech by Gary Younge
- Killing the Dream by Gerald Posner
EMBARGOED! kicks off 2021 with somber reflections on the riot at the U.S. Capitol before pivoting to (what else?) China to consider the new E.O. targeting AliPay, WeChat Pay, and other Chinese apps, the official arrival of BIS’s MEU List, and the latest guidance from OFAC relating to securities investments in Chinese Military Companies. After that, Brian and Tim check in on the latest developments in a rare North Korea sanctions prosecution in SDNY and then wrap up, in the Lightning Round, by briefly covering a successful court challenge to the ICC-related sanctions program and the passage of expanded Nord Stream 2 sanctions.
Subscribe! * Apple Podcasts * Spotify * Amazon Music * Google Podcasts * Stitcher
Questions? Contact us at podcasts@milchev.com.
EMBARGOED! is not intended and cannot be relied on as legal advice; the content only reflects the thoughts and opinions of its hosts.
EMBARGOED! is intelligent talk about sanctions, export controls, and all things international trade for trade nerds and normal human beings alike, hosted by Miller & Chevalier Members Brian Fleming and Tim O’Toole. Each episode will feature deep thoughts and hot takes about the latest headline-grabbing developments in this area of the law, as well as some below-the-radar items to keep an eye on. Subscribe for new bi-weekly episodes so you don’t miss out!
Timestamps:
0:10 Introduction and Roadmap
4:30 Some Brief Reflections on Treason, Sedition, and Insurrection by POTUS
The Rundown
16:54 New E.O. re: AliPay and Other Chinese Apps
28:47 The Military End User List
39:00 Latest Guidance on CCMC E.O.
51:10 Prosecution of Crypto Bro in SDNY
59:52 Lightning Round
1:00:18 PI in ICC Litigation in SDNY
1:05:57 Expanded Nord Stream 2 Sanctions
1:12:40 Final Thoughts
***Stay sanctions free.***
After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will take effort to address it. As Ben Locwin explained in his BioProcess International article, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:
Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.
William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions, on those employees with the greatest means and motive to commit a violation.
The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audit and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.
Three key takeaways:
- Even after you complete your risk assessment, you must evaluate those risks for your company.
- The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
- Create a risk matrix and rank your risks; then remediate and monitor as appropriate.
