Categories
Blog

AI in Compliance: Part 2, Leveraging AI for Third-Party Risk Management

We continue our week-long look at the use of AI in compliance. Today, we consider third parties. Third-party relationships remain one of the most significant areas of risk for corporate compliance programs. From supply chain partners to distributors and everything in between, third parties act as the face of your organization in many jurisdictions, making their actions, and any misconduct, your problem. To mitigate these risks, companies traditionally relied on periodic due diligence and reactive responses. But in today’s fast-moving and increasingly interconnected world, such approaches fall short.

This is where artificial intelligence (AI) can revolutionize third-party risk management. With AI tools, compliance teams can shift from static, checklist-driven processes to dynamic, continuous monitoring systems. In this post, we’ll explore how AI enhances third-party risk management by screening, monitoring, and evaluating third parties in real time and how it helps meet the DOJ’s 2024 Evaluation of Corporate Compliance Programs (2024 ECCP) expectations for robust, data-driven compliance practices.

The DOJ’s 2024 ECCP places a strong emphasis on using data analytics and continuous monitoring to strengthen compliance programs. These expectations sit alongside its requirements for proactive risk management and data-driven compliance. AI allows compliance teams to manage a large volume of third-party relationships efficiently and effectively. To fully align with DOJ expectations, companies should document their use of AI tools, including how they support risk assessments and monitoring activities. Regular audits of AI systems can ensure they remain effective and compliant with legal standards.

AI: The Compliance Professional’s New Ally

The compliance risks tied to third parties are well-documented: bribery and corruption, reputational damage, and legal and regulatory violations. AI excels at handling exactly the kind of complexity that third-party management entails. It can process vast amounts of data from multiple sources, identify patterns, and provide actionable insights in real time. Let’s break down how AI can be used at each stage of the third-party lifecycle.

  • Initial Screening

Traditional screening processes rely on questionnaires and public database checks—important but limited in scope. AI-powered tools enhance this step in a variety of ways. By aggregating diverse data sources, AI systems can pull information from public records, news outlets, litigation databases, social media platforms, and proprietary sources. Using natural language processing (NLP) algorithms, they can detect hidden risks by analyzing news articles, blogs, or social media posts to uncover potential red flags, such as allegations of fraud, regulatory violations, or ethical misconduct. Finally, with scored risk profiles, AI models assess the likelihood of misconduct based on factors such as geographic risk, industry norms, and historical behavior. This risk scoring allows compliance teams to prioritize their efforts.

  • Onboarding Due Diligence

The onboarding phase is critical for setting the tone of the relationship and understanding the potential risks. AI can assist you in a variety of ways. With automated document review, AI tools can process contracts, certifications, and policies submitted by third parties, flagging inconsistencies or missing information. One area that continues to bedevil due diligence is the identification of beneficial ownership. By cross-referencing corporate records, AI can reveal ultimate beneficial owners, including individuals who might otherwise remain hidden. Machine learning (ML) models trained on historical compliance data can predict the likelihood of future misconduct, and these predictive insights enable proactive risk mitigation strategies. The bottom line is that by ensuring a thorough onboarding process, AI helps organizations comply with DOJ guidance, which emphasizes the importance of understanding third-party relationships.

  • Continuous Monitoring

A one-time due diligence exercise is no longer sufficient. The 2024 ECCP made clear the need for ongoing monitoring to ensure that third-party relationships remain compliant. AI facilitates this mandate by offering real-time alerts: AI-driven systems can monitor news feeds, regulatory databases, and other sources 24/7, sending alerts when a third party is implicated in a legal issue, sanctions violation, or reputational scandal. One of the more challenging areas for compliance professionals has been transaction monitoring. Here, AI can analyze financial transactions involving third parties, flagging anomalies that might indicate fraud or corruption. Finally, in the area of behavioral analytics, AI tools can track changes in a third party’s behavior, such as a sudden increase in high-risk transactions or shifts in geographic focus. These patterns often signal emerging risks. The bottom line is that with continuous monitoring, companies can address potential problems before they escalate into full-blown compliance failures.
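The two behavioral-analytics checks described above (a sudden jump in payments to a third party, and a shift in geographic focus) can be expressed as plain statistics before any AI model is involved. The block below is an added example, not code from the original post or from any vendor it mentions: the commission records are constructed, and the z-score threshold, the minimum history length and the “new country” rule are assumptions a compliance team would tune to its own portfolio.

```python
"""Continuous-monitoring checks over constructed third-party commission records.

Added example (not part of the original post). Each record is
(third_party, month, country, commission_usd); the data is constructed so
that Agent A shows a payment spike and Agent B shows a new geography.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real payments).
PAYMENTS = [
    ("Agent A", "2024-01", "BR", 10_000),
    ("Agent A", "2024-02", "BR", 11_000),
    ("Agent A", "2024-03", "BR", 9_500),
    ("Agent A", "2024-04", "BR", 10_500),
    ("Agent A", "2024-05", "BR", 10_200),
    ("Agent A", "2024-06", "BR", 42_000),   # sudden spike in commissions
    ("Agent B", "2024-01", "MX", 5_000),
    ("Agent B", "2024-02", "MX", 5_200),
    ("Agent B", "2024-03", "MX", 4_800),
    ("Agent B", "2024-04", "MX", 5_100),
    ("Agent B", "2024-05", "MX", 5_000),
    ("Agent B", "2024-06", "AO", 5_300),    # usual amount, never-seen country
    ("Agent C", "2024-01", "DE", 8_000),
    ("Agent C", "2024-02", "DE", 8_100),
    ("Agent C", "2024-03", "DE", 7_900),
    ("Agent C", "2024-04", "DE", 8_050),
    ("Agent C", "2024-05", "DE", 8_000),
    ("Agent C", "2024-06", "DE", 7_950),    # steady: no flags expected
]


def monthly_totals(payments):
    """Sum commissions per (third party, month); return {party: [(month, total), ...]}
    with months in chronological order."""
    totals = defaultdict(lambda: defaultdict(float))
    for party, month, _country, amount in payments:
        totals[party][month] += amount
    return {party: sorted(months.items()) for party, months in totals.items()}


def spike_flags(payments, z_threshold=3.0, min_history=3):
    """Flag third parties whose latest monthly total is a z-score outlier against
    their own earlier months. Threshold and history length are assumptions.
    Returns {party: z_score} for flagged parties only."""
    flagged = {}
    for party, series in monthly_totals(payments).items():
        if len(series) < min_history + 1:
            continue                      # too little history to baseline
        history = [total for _month, total in series[:-1]]
        latest = series[-1][1]
        baseline, spread = mean(history), pstdev(history)
        if spread == 0:
            # Flat history: treat any change at all as a spike (assumption).
            z = float("inf") if latest != baseline else 0.0
        else:
            z = (latest - baseline) / spread
        if z >= z_threshold:
            flagged[party] = round(z, 2)
    return flagged


def geography_shift_flags(payments):
    """Flag third parties paid in a country during their latest month that never
    appeared in any earlier month. Returns {party: [new_countries]}."""
    by_party = defaultdict(list)
    for record in payments:
        by_party[record[0]].append(record)
    flagged = {}
    for party, records in by_party.items():
        months = sorted({r[1] for r in records})
        if len(months) < 2:
            continue
        latest = months[-1]
        earlier_countries = {r[2] for r in records if r[1] != latest}
        new_countries = {r[2] for r in records if r[1] == latest} - earlier_countries
        if new_countries:
            flagged[party] = sorted(new_countries)
    return flagged


def review_queue(payments):
    """Combine both checks into a prioritized list of (party, reasons),
    largest payment spike first, geography-only cases after."""
    spikes = spike_flags(payments)
    geo = geography_shift_flags(payments)
    queue = []
    for party in sorted(set(spikes) | set(geo)):
        reasons = []
        if party in spikes:
            reasons.append(f"commission spike (z={spikes[party]})")
        if party in geo:
            reasons.append(f"new geography {geo[party]}")
        queue.append((party, reasons))
    queue.sort(key=lambda item: -spikes.get(item[0], 0.0))
    return queue


if __name__ == "__main__":
    for party, reasons in review_queue(PAYMENTS):
        print(f"{party}: {'; '.join(reasons)}")
```

The point of baselining each third party against its own history, rather than against a global threshold, is that a $42,000 month is normal for some agents and a red flag for others; the same logic extends directly to the volume of goods sold or commissions per region that the DOJ expects you to watch after contract signing.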

  • Periodic Risk Re-Evaluation

AI ensures that risk assessments are dynamic, reflecting changes in the external environment and the third party’s circumstances. As far back as 2020, the DOJ told compliance professionals that risk assessments should be updated as your organization’s risks change, so a periodic risk re-evaluation directly aligns with the DOJ’s expectations. Key AI capabilities in this area include geopolitical risk analysis, using AI to evaluate the impact of geopolitical events, such as sanctions, trade disputes, or political instability, on third-party relationships. The DOJ has been talking about industry trends for at least 10 years, and AI systems can monitor regulatory developments and industry trends, helping organizations anticipate new compliance risks. Perhaps most exciting are the customizable risk models you can create with AI. These allow compliance teams to adjust risk assessment models based on evolving business needs, ensuring that evaluations remain relevant and actionable.

Overcoming Challenges in AI Implementation

While the benefits of AI are clear, implementing these tools effectively requires careful planning and preparation in several areas. First is your data quality. The old adage of GIGO (Garbage In, Garbage Out) has been replaced by BIBO (Best Input, Best Output). Here, AI is only as effective as the data it analyzes. Organizations must invest in robust data governance practices to ensure accuracy, completeness, and consistency.

Transparency is a key issue for compliance in using AI, and it was directly addressed in the 2024 ECCP. The black-box nature of AI decision-making can be a concern. Compliance teams should work with internal teams and vendors to ensure algorithms are interpretable and results are explainable. AI tools must integrate seamlessly with existing compliance systems to avoid creating silos or inefficiencies. While the US is far behind the rest of the world in data privacy laws, GDPR and others still apply to any internationally facing organization. This means companies must deploy AI responsibly, respecting privacy laws and ensuring that monitoring does not cross ethical boundaries.

The Future of Third-Party Compliance

AI is transforming third-party risk management from a reactive, one-size-fits-all process into a dynamic, data-driven discipline. By leveraging AI tools for screening, onboarding, monitoring, and reassessment, compliance professionals can manage third-party risks with unprecedented precision and agility. However, as with any powerful tool, AI must be used thoughtfully. By focusing on data quality, transparency, and ethical considerations, organizations can harness the full potential of AI while maintaining trust and accountability. At the end of the day, a best practices compliance program is not simply about checking the box; rather, it is about creating a system that evolves with the risks it manages. AI is that system’s next evolution.


Lessons on Managing 3rd Parties from Star Trek: The Omega Glory

Last month, I wrote a blog post on tone at the top, exemplified in the Star Trek Original Series episode Devil in the Dark. Based on the response, there are some passionate Star Trek fans out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance Program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resources Guide, 2nd edition. Today, I continue that two-week series by looking at lessons learned on managing third parties from The Omega Glory episode.

Trust, verification, and alignment with core values are paramount in third-party management. These principles are crucial in today’s complex business environment, where organizations rely on external partners to achieve their objectives. Interestingly, these concepts are vividly illustrated in an unlikely source: the classic Star Trek episode The Omega Glory. This episode provides a fascinating backdrop for exploring the intricacies of third-party management. Today, we dive into the narrative and draw valuable lessons for managing third-party relationships.

In The Omega Glory, Captain James Kirk and his crew encounter a planet named Omega IV, where two factions, the Yangs and the Kohms, are locked in a perpetual conflict. The Yangs parallel the American patriots of the Revolutionary War, while the Kohms resemble the communists. The Enterprise crew discovers that a Starfleet officer, Captain Ron Tracey, has violated the Prime Directive, the Federation’s core principle of non-interference, by intervening in the planet’s internal affairs to gain immortality from the planet’s unique properties. Tracey’s actions cause chaos and disrupt the natural progression of Omega IV’s societies. In the end, Captain Kirk is forced to confront Tracey and restore balance, emphasizing the need for adherence to principles and respect for the natural order.

Lesson 1: The Importance of Adhering to Your Core Values

One of the primary lessons from The Omega Glory is the significance of adhering to core values and principles. In the episode, Captain Tracey abandons the Prime Directive to pursue personal gain, resulting in disastrous consequences. This mirrors real-world scenarios where third-party relationships can be compromised when organizations or individuals prioritize short-term gains over long-term values and ethical standards.

Organizations must ensure their partners share and adhere to the same core values when engaging with third parties. Establishing clear guidelines and ethical standards is essential for maintaining alignment and preventing deviations that could harm the organization’s reputation and objectives. Regular audits and assessments help verify that third parties operate by these values.

Lesson 2: The Necessity of Due Diligence and Verification

Captain Tracey’s actions underscore the importance of due diligence and verification. He assumed that the planet’s properties could provide eternal life without fully understanding the implications of his interference. This assumption led to unintended consequences and endangered his crew and the planet’s inhabitants.

Due diligence is a critical component of third-party management. Organizations must thoroughly assess potential partners to evaluate their capabilities, integrity, and compatibility with organizational goals. Verification processes, such as background checks, financial audits, and compliance assessments, ensure that third parties meet the required standards. Regular monitoring and ongoing evaluations help maintain transparency and accountability in the relationship.

Lesson 3: The Dangers of Unchecked Authority

Most compliance professionals rarely see unchecked power from third parties, yet this episode provides important insight for compliance professionals. Captain Tracey exercises unchecked authority, disregarding Starfleet regulations and the ethical implications of his actions. His uncontrolled power leads to chaos and conflict, highlighting the dangers of allowing individuals or entities to operate without oversight.

Unchecked authority in third-party management can lead to breaches of trust, legal violations, and reputational damage. Organizations must establish clear governance structures and oversight mechanisms to ensure third parties operate within defined boundaries. Implementing robust contractual agreements, performance metrics, and reporting frameworks can help maintain control and mitigate risks associated with third-party relationships.

Lesson 4: The Role of Communication and Collaboration

Throughout the episode, communication breakdowns contribute to misunderstandings and conflicts. Captain Kirk ultimately resolves the situation by facilitating dialogue and collaboration between the Yangs and the Kohms, emphasizing the importance of open communication in resolving disputes and achieving mutual understanding.

Effective communication is a cornerstone of successful third-party management. Organizations should establish open lines of communication with their partners, fostering a collaborative environment that encourages feedback, transparency, and problem-solving. Regular meetings, status updates, and joint planning sessions help align objectives and address potential issues before they escalate. This will also help manage the commercial relationship after the contract is signed.

Lesson 5: The Need for Flexibility and Adaptability

The episode highlights the need for flexibility and adaptability in complex situations. Captain Kirk’s ability to adapt to changing circumstances and devise innovative solutions is crucial in resolving the conflict and restoring balance. Third-party relationships often involve dynamic and evolving challenges. Organizations must remain flexible and adaptable to changing circumstances, such as shifts in market conditions, regulatory requirements, or technological advancements. Developing contingency plans, embracing innovation, and fostering a culture of continuous improvement can help organizations navigate uncertainties and maintain successful third-party relationships.

Third-party relationships also mandate ongoing monitoring from a data analytics perspective. Compliance may need to conduct additional investigation if there are significant changes in the volume of goods sold by a third party or the amount of commissions paid to a particular third-party agent, region, or business unit. Third parties must also understand, and receive a steady diet of communication and training on, the need to do business ethically and in compliance with your company’s values.

The Omega Glory serves as a compelling training vehicle for the complexities and challenges of third-party management. The episode’s themes of adherence to core values, due diligence, oversight, communication, and adaptability provide valuable insights for organizations seeking to optimize their third-party relationships. By learning from Captain Kirk’s experiences on Omega IV, businesses can enhance their third-party management practices, mitigate risks, and achieve sustainable success in an interconnected world.

In conclusion, organizations must prioritize trust, verification, business justification, and alignment with core values in their third-party management strategies. By adhering to these principles and drawing lessons from unconventional sources like Star Trek, businesses can navigate the complexities of modern partnerships and achieve their strategic objectives with integrity and success.

Join us tomorrow as we consider the lessons on ongoing monitoring and continuous improvement of Spectre of the Gun Ultimate.


Compliance Week 2024 Speaker Preview Podcasts – Rodney Campbell on Managing 3rd Parties

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Rodney Campbell discusses his presentation at Compliance Week 2024, “Empowering TPRM Compliance: Transformative Strategies in Third-Party Risk Management.” Some of the issues he will discuss in this podcast and his presentation are:

  • Why managing third parties is a critical element in your TPRM program
  • Leveraging your business unit to help manage third parties
  • New ideas for the compliance program from Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at The Westin Washington, DC, Downtown. The line-up for this year’s event is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, join 500+ compliance, ethics, legal, and audit professionals who gather to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, among many others, to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways to your program from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Week 2024 Preview Podcast series is a production of the Compliance Podcast Network. Compliance Week is the sponsor of this series.


31 Days to a More Effective Compliance Program: Day 21 – Managing Your Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area that the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.


Managing Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

The 2023 ECCP posed the following questions:

Risk-Based and Integrated Processes—How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

Appropriate Controls—How does the company ensure there is an appropriate business rationale for the use of third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Management of Relationships—How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third-party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties? Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

Real Actions and Consequences—Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed? Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date? If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved? Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key is to have a strategic approach to how you structure and manage your third-party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to control risk while optimizing the performance of your third parties.

Amalgamate third parties but have fallbacks. It is incumbent to consolidate your third-party relationships to a smaller number to more fully operationalize your compliance program. This will make the entire third-party lifecycle easier to manage. However, a company must not “over-consolidate” by going down to a single source. You should build a diversified base through “dual-sourcing.” From the compliance perspective, you may want to have a primary and a secondary third party that you work with in a service line or geographic area to retain this redundancy.

Monitor any subcontracted work. This is one area that requires an appropriate level of compliance management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

Legal Protections. This is where your compliance terms and conditions will come into play. Consider a full indemnity if your third-party violates the FCPA and your company is dragged into an investigation because of the third-party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the DOJ or SEC during the pendency of an investigation. Finally, you need a clause that requires your third-party to cooperate in any compliance investigation. This means cooperation with you and your designated investigation team, but it may also mean cooperation with U.S. governmental authorities as well.

Keep track of your third parties’ financial stability. This is one area that is not usually discussed in the compliance arena around third parties, but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third-party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Formalize incentives for third-party performance. One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third-party. If you have a long-term stable relationship with a third-party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third-party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.

By linking compensation to performance, there should be an increase in third-party performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

You should rank third parties based upon a variety of factors including performance, length of relationship, benchmarking metrics and compliance KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.

Auditing third parties. Critical to any best practices compliance program and an important tool in operationalizing your compliance program, this is a key way a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Document review and selection is important for this process, so you should ask for as much electronic information as possible well in advance of your audit. Request the following categories of documents: trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries, and revenue by country and customer.

Regarding potential interviewees, focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

  • Business leadership;
  • Sales/marketing/business development;
  • Operations;
  • Logistics;
  • Corporate functions such as human resources, finance, health, safety and environmental, real estate and legal.

For the interview topics, there are several lines of inquiry. Remember this is an audit interview, not an investigative interview. Avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on include:

  • General policies and procedures;
  • Books and records pertaining to compliance risks;
  • Test knowledge of the FCPA or other anti-corruption laws and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including trade, anti-boycott, anti-money laundering (AML), and anti-trust.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.


31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.


Albemarle FCPA Enforcement Action: Part 5 – Lessons Learned

Over the past several blog posts, I have been exploring the Albemarle FCPA enforcement action. We have explored in some detail the DOJ Non-Prosecution Agreement (NPA) and the SEC Administrative Order (Order). In this final blog post in the series, I want to suss out some lessons for the compliance professional.

Consequence Management

When Kenneth Polite announced the Pilot Program in conjunction with the 2023 Evaluation of Corporate Compliance Programs (ECCP), the focus was largely on clawbacks. However, the relevant section in the ECCP was entitled “Consequence Management,” indicating a broader focus on both incentives to do business ethically and in compliance as well as disincentives. The ECCP asked a series of questions:

  • Has the company considered the impact of its financial rewards and other incentives on compliance?
  • Has the company evaluated whether commercial targets are achievable if the business operates in a compliant and ethical manner?
  • What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization?
  • How does the company incentivize compliance and ethical behavior? What percentage of executive compensation is structured to encourage enduring ethical business objectives?
  • Are the terms of bonus and deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued?
  • Does the company have a policy for recouping compensation that has been paid where there has been misconduct?
  • Have there been specific examples of actions taken (e.g., promotions or awards denied, compensation recouped, or deferred compensation canceled) as a result of compliance and ethics considerations?

The NPA noted that Albemarle engaged in holdbacks, as they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The Company withheld bonuses totaling $763,453 during its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program.

Indeed, Deputy Attorney General Lisa Monaco, in a recent speech, said, “The pilot program also rewards companies that claw back or withhold incentive compensation from executives responsible for misconduct – or attempt to do so in good faith. For every dollar that a company claws back or withholds from an employee who engaged in misconduct – or a supervisor that knew of or turned a blind eye to it – the Department will deduct a dollar from the otherwise applicable penalty that the resolving company would pay.”

She specifically cited the Albemarle FCPA resolution, where “the company received a clawback credit for withholding bonuses of employees who engaged in misconduct. Not only did Albemarle keep the bonuses that would have gone to wrongdoers, but the company also received an offset against its penalty for the same amount. That’s money saved for Albemarle and its shareholders – and a concrete demonstration of the value of clawback programs.”

Remediation During Investigation

The NPA cited several remedial actions by the company that helped Albemarle obtain the superior result in terms of the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle:

  • Strengthened its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operations and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team and restructured compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness; and
  • Engaged in continuous testing, monitoring, and improvement of all aspects of its compliance program, beginning almost immediately following the identification of misconduct.

Two of the factors are relatively new and certainly are noteworthy for the compliance professional. The first is the change in the company’s approach to sales and their sales teams. Obviously, it was corrupt third-party agents that brought the company to such FCPA grief. Many of the quotes in the NPA and Order make it clear that Albemarle executives had an aversion to paying bribes but had greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

Moving to a direct sales force has its own risks, but those risks can certainly be managed with an appropriate risk management strategy, monitoring of that strategy, and continuous improvement. Yet there is another, and more important, business reason to move towards a direct sales business model. Every time you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. With a direct sales business model, your organization has a direct relationship with your customer and, therefore, the ability to develop it further.

The NPA also specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not specifically tied to the lack of a required corporate Monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Internal Controls Over Commission Increases

According to the SEC Order, the Company failed to devise and maintain a sufficient system of internal accounting controls with respect to commission rates and deviations from contracted rates. In other words, even though there were internal controls in place for the setting of third-party agents’ commissions, they could be overridden at will. The Order concluded by noting, “As a result, sales personnel were able to increase agents’ commission rates in multiple countries – including Vietnam, India, China, and UAE – despite certain Albemarle personnel having knowledge of red flags indicating the agents would use a portion of the commission to make bribe payments to obtain contracts, influence tender specifications, or obtain nonpublic information concerning competitors’ bids.”

Every compliance professional should review their company’s controls over agents’ commission rates to make sure the business unit personnel alone cannot raise commission rates. While business units can always make the business case, this enforcement action drives home the message that the compliance function is not ‘one and done’ when an agent is approved but must be monitored throughout the third-party relationship lifecycle. Any requested change to a commission rate must go through the same analysis and approval process as the original approval.

Timely Self-Disclosure

There was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. However, the NPA noted that “the disclosure was not ‘reasonably prompt’ as defined in the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy and the U.S. Sentencing Guidelines.” The NPA reported that Albemarle learned of allegations regarding possible misconduct in Vietnam approximately 16 months before disclosing it to the DOJ. Interestingly, the SEC Order only stated, “Albemarle made an initial self-disclosure to the Commission of potential FCPA violations in Vietnam following its completion of an internal investigation of such conduct and, at the same time, self-reported potential violations it was investigating in India, Indonesia, and China. Albemarle later self-disclosed to the Commission potential violations in other jurisdictions as part of an expanded internal investigation.”

This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” and it means that Albemarle did not meet the standard for voluntary self-disclosure under the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. While the DOJ “gave significant weight” to the Company’s voluntary, even if untimely, disclosure of the misconduct, it is undoubtedly cautionary.

What the DOJ wants is self-disclosure as soon as possible. One only needs to recall the case of Cognizant Technologies, where the company received a complete Declination even though there were allegations of C-Suite involvement in the bribery schemes. This Declination was provided in large part because the company made its self-disclosure only two weeks after the information filtered up to the Board of Directors. While Cognizant Technologies may be the gold standard, it shows that if a company timely self-discloses, it can be considered for a full Declination.

The Albemarle FCPA resolution documents are chock-full of solid information that every compliance professional can use in the future. They are well worth a deep dive. Finally, kudos to Albemarle for obtaining this superior result.


One Month to a More Effective Compliance Program for 3rd Parties – Freight Forwarders

The FCPA world is littered with cases involving freight forwarders, brokers and agents in the shipping and express delivery arena. Both the DOJ and SEC have aggressively pursued third-party business relationships where bribery and corruption have been found. This is particularly true where companies are required to deliver goods into a foreign country through the assistance of a freight forwarder or express delivery service.

If you utilize the services of a third party as a freight forwarder, broker or agent in the shipping and express delivery arena, that company’s actions will go a long way in determining your company’s FCPA liability. You must have a thoughtful process and document that process.

Three key takeaways:

  1. Express delivery services and freight forwarders present unique compliance risks.
  2. There must be a business justification to bring on new express delivery services or freight forwarders in high-risk jurisdictions.
  3. Consider constructing a risk matrix in this area.

One Month to a More Effective Compliance Program for 3rd Parties – Distributor Compensation

One of the issues in any compliance program is the compensation paid to a third party, as FCPA exposure arises when companies pay money, either directly or indirectly, to fund bribe payments. Another area that leads to exposure from third parties is with distributors. In a distributor relationship, the distributor purchases a product, taking the risk of loss and title, at a discount from a manufacturer. The distributor resells at an uplift, and that spread between the purchase price and sales price is the distributor’s income. If a product is purchased at an inflated discounted rate and sold, the difference between the purchase price and resale value could be used for corrupt purposes. Commission payments and excessive distributor discounts can be channeled to pay bribes.

The FCPA Resource Guide, 2nd edition, noted that common red flags associated with third parties include “unreasonably large discounts to third-party distributors.” When companies grant distributors uncommonly steep discounts, bribes can result either: 1) because the company instructs the distributor to use the excess amounts to fund corrupt payments; or 2) because the distributor pays bribes on its own, without the express direction or implicit suggestion from the company, to gain some business advantage.

Three key takeaways:

  1. Creating a well-thought-out process that operationalizes your compliance program around distributor compensation in a manner that documents your decision-making calculus is key.
  2. Require multiple levels of approval for an out-of-range distributor discount.
  3. Tracking distributor discounts globally makes your company more efficient.

One Month to a More Effective Compliance Program for 3rd Parties – Terminating 3rd Parties

At some point, you will be required to terminate a third party, and there will be multiple legal, compliance and business issues to navigate. If you are stuck doing it in the middle of an FCPA or U.K. Bribery Act investigation, there may well be some pressure to do so, and to do so quickly. If you have not thought through this issue and created a process to follow before a crisis occurs, you may well be in for a very tough road. Yet the 2023 ECCP specifically asked that question in the section entitled “Real Actions and Consequences,” when it posed the query: Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key theme in termination is planning. The Office of the Comptroller of the Currency (OCC), in OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.”

Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You need not only a compliance and legal plan in place but a business plan as well. If you do not, the cost, both monetary and in business reputation, can be quite high.

Three key takeaways:

1. Termination of third parties is an oft-neglected part of the third-party risk management process.

2. Make certain you have the contractual right to terminate third parties written into your compliance terms and conditions.

3. Have a strategy in place for termination before a crisis arises.