Tag: Third parties

Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Rodney Campbell on Managing 3rd Parties

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Rodney Campbell discusses his presentation at Compliance Week 2024, “Empowering TPRM Compliance: Transformative Strategies in Third-Party Risk Management.” Some of the issues he will discuss in this podcast and his presentation are:

  • Why managing third parties is a critical element in your TPRM program
  • Leveraging your business unit to help manage third parties
  • New ideas for the compliance program from Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at The Westin Washington, DC, Downtown. The line-up for this year’s event is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, join 500+ compliance, ethics, legal, and audit professionals who gather to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, among many others, to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways to your program from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Week 2024 Preview Podcast series is a production of the Compliance Podcast Network. Compliance Week is the sponsor of this series.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 21 – Managing Your Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area that the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Managing Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

The 2023 ECCP posed the following questions:

Risk-Based and Integrated Processes—How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

Appropriate Controls—How does the company ensure there is an appropriate business rationale for the use of third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Management of Relationships—How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third-party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties? Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

Real Actions and Consequences—Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed? Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date? If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved? Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key is to have a strategic approach to how you structure and manage your third-party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to control risk while optimizing the performance of your third parties.

Amalgamate third parties but have fallbacks. It is incumbent to consolidate your third-party relationships to a smaller number to more fully operationalize your compliance program. This will make the entire third-party lifecycle easier to manage. However, a company must not “over-consolidate” by going down to a single source. You should build a diversified base, with through “dual-sourcing.” From the compliance perspective, you may want to have a primary and secondary third-party that you work with in a service line or geographic area to retain this redundancy.

Monitor any subcontracted work. This is one area that requires an appropriate level of compliance management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

Legal Protections. This is where your compliance terms and conditions will come into play. Consider a full indemnity if your third-party violates the FCPA and your company is dragged into an investigation because of the third-party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the DOJ or SEC during the pendency of an investigation. Finally, you need a clause that requires your third-party to cooperate in any compliance investigation. This means cooperation with you and your designated investigation team, but it may also mean cooperation with U.S. governmental authorities as well.

Keep track of your third parties’ financial stability. This is one area that is not usually discussed in the compliance arena around third parties, but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third-party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Formalize incentives for third-party performance. One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third-party. If you have a long-term stable relationship with a third-party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third-party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.

By linking compensation to performance, there should be an increase in third-party performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

You should rank third parties based upon a variety of factors including performance, length of relationship, benchmarking metrics and compliance KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.

Auditing third parties. Critical to any best practices compliance program and an important tool in operationalizing your compliance program, this is a key way a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Document review and selection is important for this process, you should ask for as much electronic information as possible well in advance of your audit. Request the following categories of documents; trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries and revenue by country and customer.

Regarding potential interviewees, focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

• Business leadership;

• Sales/marketing/business development;

• Operations;

• Logistics;

• Corporate functions such as human resources, finance, health, safety and environmental, real estate and legal

For the interview topics, there are several lines of inquiry. Remember this is an audit interview, not an investigative interview. Avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on include:

• General policies and procedures;

• Books and records pertaining to compliance risks;

• Test knowledge of FCPA or other anti-corruption laws and their understanding of your company’s prohibitions;

• Regulatory challenges they may face;

• Any payments of taxes, fees or fines;

• Government interactions they have on your behalf; and

• Other compliance areas you may be concerned about or that would impact your company, including trade, anti-boycott, anti-money laundering (AML), anti-trust.

Managing your third parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Albemarle FCPA Enforcement Action: Part 5 – Lessons Learned

Over the past several blog posts, I have been exploring the Albemarle FCPA enforcement action.  We have explored in some detail the DOJ Non-Prosecution Agreement (NPA) and the SEC Administrative Order(Order). In this final blog post on the series, I want to suss out some lessons for the compliance professional.

Consequence Management

When Kenneth Polite announced the Pilot Program in conjunction with the 2023 Evaluation of Corporate Compliance Programs (ECCP), the focus was largely on clawbacks. However, the relevant section in the ECCP was entitled “Consequence Management,” indicating a broader focus on both incentives to do business ethically and in compliance as well as disincentives. The ECCP asked a series of questions:

  • Has the company considered the impact of its financial rewards and other incentives on compliance?
  • Has the company evaluated whether commercial targets are achievable if the business operates in a compliant and ethical manner?
  • What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization?
  • How does the company incentivize compliance and ethical behavior? What percentage of executive compensation is structured to encourage enduring ethical business objectives?
  • Are the terms of bonus and deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued?
  • Does the company have a policy for recouping compensation that has been paid where there has been misconduct?
  • Have there been specific examples of actions taken (e.g., promotions or awards denied, compensation recouped, or deferred compensation canceled) as a result of compliance and ethics considerations?

The NPA noted that Albemarle engaged in holdbacks, as they did not pay bonuses to certain employees involved in the conduct or those who had oversight. The NPA stated, “The Company withheld bonuses totaling $763,453 during its internal investigation from employees who engaged in suspected wrongdoing.” The illegal conduct involved those who “(a) had supervisory authority over the employee(s) or business area engaged in the misconduct; and (b) knew of, or were willfully blind to, the misconduct.” The significance of this effort was vital as it qualified Albemarle for an additional fine reduction of a dollar-for-dollar credit of the amount of the withheld bonuses under the Criminal Division’s March 2023 Compensation Incentives and Clawbacks Pilot Program.

Indeed, Deputy Attorney General Lisa Monaco, in a recent speech, said, “The pilot program also rewards companies that claw back or withhold incentive compensation from executives responsible for misconduct – or attempt to do so in good faith. For every dollar that a company claws back or withholds from an employee who engaged in misconduct – or a supervisor that knew of or turned a blind eye to it – the Department will deduct a dollar from the otherwise applicable penalty that the resolving company would pay.”

She specifically cited the Albemarle FCPA resolution, where “the company received a clawback credit for withholding bonuses of employees who engaged in misconduct. Not only did Albemarle keep the bonuses that would have gone to wrongdoers, but the company also received an offset against its penalty for the same amount. That’s money saved for Albemarle and its shareholders – and a concrete demonstration of the value of clawback programs.”

 Remediation During Investigation

The NPA cited several remedial actions by the company that helped Albemarle obtain the superior result in terms of the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out an effective compliance program and had tested it. The NPA provided that Albemarle:

  • Strengthening its anti-corruption compliance program by investing in compliance resources, expanding its compliance function with experienced and qualified personnel, and taking steps to embed compliance and ethical values at all levels of its business organization;
  • Transformed its business model and risk management process to reduce corruption risk in its operation and to embed compliance in the business, including implementing a go-to-market strategy that resulted in eliminating the use of sales agents throughout the Company, terminating hundreds of other third-party sales representatives, such as distributors and resellers, and shifting to a direct sales business model;
  • Provided extensive training to its sales team and restructured compensation and incentives so that compensation is no longer tied to sales amounts;
  • Used data analytics to monitor and measure the compliance program’s effectiveness and
  • We are engaged in continuous testing, monitoring, and improvement of all aspects of its compliance program, beginning almost immediately following the identification of misconduct.

Two of the factors are relatively new and certainly are noteworthy for the compliance professional. The first is the change in the company’s approach to sales and their sales teams. Obviously, it was corrupt third-party agents that brought the company to such FCPA grief. Many of the quotes in the NPA and Order make it clear that Albemarle executives had an aversion to paying bribes but had greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

Moving to a direct sales force does have its risks, which must be managed, but those risks can certainly be managed with an appropriate risk management strategy, monitoring of the strategy, and improvement; those risks can be managed. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Every time you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. By having a direct sales business model, your organization will have a direct relationship with your customer and, therefor, the ability to develop it further.

The NPA also specifically called out the Company’s use of data analytics in two ways. The first was to monitor the Company’s compliance program, and the second was to measure the compliance program’s effectiveness. While this language follows a long line of DOJ pronouncements, starting with the 2020 Update to the Evaluation of Corporate Compliance Programs, about the corporate compliance functions’ access to all company data, this is the first time it has been called out in a settlement agreement in this manner. Moreover, although not specifically tied to the lack of a required corporate Monitor, it would appear that by using data analytics, Albemarle was able to satisfy the DOJ requirement for implementing controls and then effectively testing them throughout the pendency of the DOJ investigation.

Internal Controls Over Commission Increases

According to the SEC Order, the Company failed to devise and maintain a sufficient system of internal accounting controls with respect to commission rates and deviations from contracted rates. In other words, even though there were internal controls in place for the setting of third-party agents’ commissions, they could be overridden at will. The Order concluded by noting, “As a result, sales personnel were able to increase agents’ commission rates in multiple countries – including Vietnam, India, China, and UAE – despite certain Albemarle personnel having knowledge of red flags indicating the agents would use a portion of the commission to make bribe payments to obtain contracts, influence tender specifications, or obtain nonpublic information concerning competitors’ bids.”

Every compliance professional should review their company’s controls over agents’ commission rates to make sure the business unit personnel alone cannot raise commission rates. While business units can always make the business case, this enforcement action drives home the message that the compliance function is not ‘one and done’ when an agent is approved but must be monitored throughout the third-party relationship lifecycle. Any requested change to a commission rate must go through the same analysis and approval process as the original approval.

Timely Self-Disclosure

There was a significant discussion in the NPA around Albemarle’s voluntary self-disclosure to the DOJ. However, NPA noted that “the disclosure was not “reasonably prompt” as defined in the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy and the U.S. Sentencing Guidelines.” The NPA reported that Albemarle learned of allegations regarding possible misconduct in Vietnam approximately 16 months before disclosing it to the DOJ. Interestingly, the SEC Order only stated, “Albemarle made an initial self-disclosure to the Commission of potential FCPA violations in Vietnam following its completion of an internal investigation of such conduct and, at the same time, self-reported potential violations it was investigating in India, Indonesia, and China. Albemarle later self-disclosed to the Commission potential violations in other jurisdictions as part of an expanded internal investigation.”

This meant the self-disclosure “was not within a reasonably prompt time after becoming aware of the misconduct in Vietnam,” and it means that Albemarle did not meet the standard for voluntary self-disclosure under the Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy. While the DOJ “gave significant weight” to the Company’s voluntary, even if untimely, disclosure of the misconduct, it is undoubtedly cautionary.

What the DOJ wants is self-disclosure as soon as possible. One only needs to recall the case of Cognizant Technologies, where the company received a complete Declination where there were allegations of C-Suite involvement in the bribery schemes. This Declination was provided in large part because the company made its self-disclosure only two weeks after the information filtered up to the Board of Directors. While Cognizant Technologies may be the gold standard, it shows that if a company timely self-discloses, it can be considered for a full Declination.

The Albemarle FCPA resolution documents are chocked full of solid information that every compliance professional can use in the future. They are well worth a deep dive—finally, a kudos to Albemarle for obtaining this superior result.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties- Freight Forwarders

The FCPA world is littered with cases involving freight forwarders, brokers and agents in the shipping and express delivery arena. Both the DOJ and SEC have aggressively pursued third-party business relationships where bribery and corruption have been found. This is particularly true where companies are required to deliver goods into a foreign country through the assistance of a freight forwarder or express delivery service.
If you utilize the services of a third-party for as a freight forwarders, brokers and agents in the shipping and express delivery arena, that company’s actions will go a long way in determining your company’s FCPA liability. You must have a thoughtful process and document that process.

Three key takeaways:

  1. Express delivery services and freight forwarders present unique compliance risks.
  2. There must be a business justification to bring on new express delivery services or freight forwarders in high risk jurisdictions.
  3. Consider constructing a risk matrix in this area.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Distributor Compensation

One of the issues in any compliance program is the compensation paid to a third party, as FCPA exposure arises when companies pay money, either directly or indirectly, to fund bribe payments. Another area that leads to exposure from third parties is with distributors. In a distributor relationship, the distributor purchases a product, taking the risk of loss and title, at a discount from a manufacturer. The distributor resells at an uplift, and that spread between the purchase price and sales price is the distributor’s income. If a product is purchased at an inflated discounted rate and sold, the difference between the purchase price and resale value could be used for corrupt purposes. Commission payments and excessive distributor discounts can be channeled to pay bribes.

The FCPA Resource Guide, 2nd edition, noted that common red flags associated with third parties include “unreasonably large discounts to third-party distributors.” When companies grant distributors uncommonly steep discounts, bribes can result either: 1) because the company instructs the distributor to use the excess amounts to fund corrupt payments; or 2) because the distributor pays bribes on its own, without the express direction or implicit suggestion from the company, to gain some business advantage.

Three key takeaways:

  1. Creating a well-thought-out process that operationalizes your compliance program around distributor compensation in a manner that documents your decision-making calculus is key.
  2. Require multiple levels of approval for an out-of-range distributor discount.
  3. Tracking distributor discounts globally make your company more efficient.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Terminating 3rd Parties

At some point, you will be required to terminate a third party and there will be multiple legal, compliance and business issues to navigate through. If you are stuck doing it in the middle of a FCPA or U.K. Bribery Act investigation, there may well be some tension to do so and do so quickly. If you have not thought through this issue and created a process to follow before a crisis occurs, you may well be in for a very tough road. Yet the 2023 ECCP specifically asked that question in the section entitled, Real Actions and Consequences, when it posed the query: Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key theme in termination is planning. The Office of Comptroller of the Currency (OCC), OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.”

Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan as well. If you do not, the cost in both monetary and potential business reputation can be quite high.

 Three key takeaways:

1. Termination of third parties is an oft-neglected part of the third-party risk management process.

2. Make certain you have the contractual right to terminate third parties written into your compliance terms and conditions.

3. Have a strategy in place for termination before a crisis arises.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – ROI for 3rd Party Risk Management

A study by Forrester Research Inc. compared the user experience, which led to a positive ROI for the technology user around third-party risk management. I found the approach and methodology used persuasive and valuable for the compliance professional to consider evaluating such a process in your organization. Some of the key findings readily translate for the compliance practitioner. The first area was in risk assessments of third parties. If you provide a technological platform, you can enhance the speed and efficiency of your risk assessments on an ongoing basis. This decrease in time, both in terms of length and person-hours, will yield an immediate cost saving for your compliance function.

 

Various other factors could increase your ROI, as detailed in the Forrester report, which includes renewal assessments, ongoing monitoring, and increased business efficiencies for both your organization and the third parties, which would all work to increase ROI. Most critically, you would demonstrate the operationalization of your compliance program into the very fabric of your organization.

Three key takeaways:

1. Why is demonstrating ROI on your third-party risk management program important?

2. Determining ROI helps to demonstrate operationalizing your compliance program.

3. Determining third-party management program ROI can help to tear down compliance siloes.

Categories
31 Days to More Effective Compliance Programs

Day 12 of One Month to Better 3rd Party Management – Auditing of Third Parties

Auditing third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third-party relationship after the contract is signed and which the government will expect you to engage in going forward. As stated in the 2020 Update, under the section entitled, Management of Relationships, is the following query: Does the company have audit rights to analyze the books and accounts of third parties and has the company exercised those rights in the past? This means you must not only have audit rights but also exercise them.

 Three key takeaways:

1. Be prepared.

2. It is not an investigative interview but an audit interview.

3. Listen, listen, and listen.