Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-DOJ Metrics on Third Parties

In a 2015 speech before the SIFMA Compliance and Legal Society New York Regional Seminar, former Assistant Attorney General Leslie Caldwell laid out, for the first time, the metrics the DOJ would consider in evaluating a corporate compliance program around third parties. Caldwell began with the following question: “Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?” This inquiry was carried forward into the DOJ’s 2017 Evaluation of Corporate Compliance Programs and all subsequent updates, including the most recent.

Three key takeaways:

1. It all starts with a Relationship Manager.

2. Have company oversight of all third parties.

3. Audit, monitor, and remediate on an ongoing basis.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Evaluation of Due Diligence With Candice Tal

An important part of any compliance practitioner’s job is clearing red flags that appear during due diligence on a proposed third-party relationship. Not only must every red flag be cleared, but there must also be evidence of the decision-making process to show a regulator if one comes knocking. Around third parties, consider the risks you face in both your sales and supply chains. Suppose there is a key player several tiers down the line which builds a key component or delivers a critical service. In that case, you may want to put more management around that relationship from the compliance perspective.

For anything below tier two, you may be able to manage your risks by having your direct tier-one counterparty take the lead in managing those compliance risks. But make sure that expectation is communicated to your direct counterparty, so that if the government comes knocking you can show that you not only contractually obligated your direct counterparty to manage those risks but also provided the tools and training to do so. Finally, you will need to be able to show that your direct counterparty actually did so.

Three key takeaways:

  1. There is no set formula for clearing red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must “Document, Document, and Document” your evaluation of any red flags.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls for Third Parties

In an article titled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the healthcare industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, as follows: “This is a systemic problem, and foreign pharmaceutical companies are in a conundrum. If they want to grow in China, they must give bribes. It’s not a choice because officials in the health ministry, hospital administrators, and doctors demand it.”

It would be reasonable to expect internal controls over gifts to be designed to ensure that every gift satisfies the required criteria, as defined and interpreted in company policies. It should fall to the Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment; the internal controls then follow from the definition or criteria the company sets. Those criteria would include the amount of the spend, adjusted for localized increases in risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider.

Three Key Takeaways:

  1. GSK in China continues to be an example of the lack of internal controls for an effective compliance program.
  2. General areas of review for internal compliance controls.
  3. Third parties are still at the highest risk of corruption-related issues.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
Greetings and Felicitations

Great Structures Week V: The Tacoma Narrows Bridge Failure and Preventing Failure in Your Compliance Program

Welcome to Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but influence our profession. In this special series, I consider how many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this concluding episode 5, I consider the Tacoma Narrows Bridge failure and preventing failure in your compliance program. Highlights include:

  • Why and how did the Tacoma Narrows Bridge fail?
  • What are the key lessons it provides to compliance professionals?
  • Why are 3rd parties still the greatest risk to any compliance program?
  • What steps can you take to manage third parties most effectively?
  • Why is continuous monitoring key to managing risk?

Resources

“Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler from The Teaching Company.

Categories
Compliance and Coronavirus

Brenda Ferraro on Jump Starting Your 3rd Party Risk Management Program


Welcome to the newest addition to the Compliance Podcast Network, Compliance and Coronavirus. As the Voice of Compliance, I wanted to start a podcast which will help to bring both clarity and sanity to the compliance practitioner and compliance profession during this worldwide health and healthcare crisis. In this episode, I am joined by Brenda Ferraro, 3rd Party Risk at Prevalent, Inc. In this time of increased pressure on supply chains, 3rd party risk management has become even more critical. The same is true for 3rd parties on the sales side of the equation. Ferraro discusses the need for quick, efficient and accurate 3rd party risk assessment for business resiliency.
For more information on Prevalent, check out their website by clicking here.  For more information on the Prevalent Jump Start Program, click here.
This podcast is sponsored by SAI Global. To learn how you can protect your business operations and workforce during these uncertain times, visit saiglobal.com/risk for free resources, expert guidance, and industry-leading technology.

Categories
31 Days to More Effective Compliance Programs

Financial health of third-parties


Continuous improvement can take many shapes and forms. One thing that is generally not considered is the financial health of the third party. It turns out such an oversight may have significant ramifications for an accurate picture of a third party. The financial health of third parties is not only a key metric but also a key due diligence tool, one which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.
Continuous improvement through monitoring of ongoing financial health is an area where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the DOJ requirement to more fully operationalize a compliance program. It can also lead to greater operational stability and, with that, the ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.
Three key takeaways:

  1. What is the financial health of your third-parties?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Introduction and Key 2022 Enforcement Actions Involving 3rd Parties

Over the month of April, I will consider the risk management of third parties in an operationalized compliance program. As every compliance practitioner is aware, third parties still present the highest risk under the FCPA. You must assess whether the company has a business rationale for needing the third party in the transaction, and the risks posed by third parties, including their reputations and relationships, if any, with foreign government officials. You should ensure that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Finally, you must engage in ongoing monitoring of the third-party relationships, through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

In this introduction, I visit with Alexander Cotoia, a Regulatory and Compliance Attorney at the Volkov Law Group to consider how recent FCPA enforcement actions point towards the use cases for a robust third-party risk management system. In 2022, the overwhelming majority of FCPA related enforcement actions involved third parties and required organizations to reprioritize third party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines and Oracle which all demonstrated the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third party risk management.

Three key takeaways:

1. How can organizations reprioritize third-party risk management as a core compliance function?

2. What strategies can organizations use to avoid FCPA violations and maximize cooperation credit?

3. How can organizations effectively assess the risks posed by potential business partners?

Check out The Compliance Handbook, 3rd edition here

Categories
FCPA Compliance Report

FCPA Compliance Report – Episode 337 – James Gellert on Assessing 3rd Party Financial Health for Compliance

In this episode, I visit with James Gellert, CEO of RapidRatings, a company that uses a financial dialogue to determine third-party supplier health and viability. Gellert explains what supply chain resilience is and how examining your suppliers’ financial health can lead to a more financially efficient supply chain. We then discuss the company’s third-party risk management tools. We consider how a company might evaluate a potential purchaser, partner, or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function uses the health of a third party as a tool to determine third-party compliance risk. 

For more information on RapidRatings, check out their website by clicking here.

Categories
This Week in FCPA

This Week in FCPA-Episode 56

  • The Kokesh case at the US Supreme Court is significant for SEC enforcement of the FCPA around profit disgorgement. For what it means to the compliance practitioner, see Tom’s piece in the FCPA Compliance & Ethics Blog. For a legal review of the decision, see Miller & Chevalier client alert authored by Saskia Zandieh. Marc Bohn considered the case in the FCPA Blog. Marc and I discuss the case on the FCPA Compliance Report, Episode 332.
  • Trevor McFadden to leave the DOJ for the federal bench. See the article by Matt Kelly in Radical Compliance. Hui Chen’s contract will not be renewed, and her position has been posted for applicants. Apply for the position here. Andrew Weissman leaves as head of the Fraud Section to join the Special Prosecutor’s staff.
  • Former PetroTiger General Counsel Gregory Weismann is banned from SEC practice. See the article in the FCPA Blog.
  • Matthew Stephenson considers what a Wal-Mart settlement might look like. See his article in the Global Anti-Corruption Blog.
  • The federal judge who sentenced Samuel Mebiame, the bag man for Och-Ziff, criticized the DOJ for its lack of prosecution of any individuals from the company. See the article by Sam Rubenfeld in the WSJ Risk and Compliance Report.
  • Jay previews his weekend report.
  • Tom continues to talk about the release of his new book 2016 – The Year in Corporate FCPA Enforcement. For more information and to purchase, click here.
Jay Rosen can be reached:
Mobile (310) 729-6746
Toll Free (866)-201-0903
JRosen@affiliatedmonitors.com
Tom Fox can be reached:
Phone: 832-744-0264
Email: tfox@tfoxlaw.com

Categories
Compliance Into the Weeds

Day 18 of One Month to Operationalizing Your Compliance Program-Through Management of Third Party Relationships

Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?
If you do not manage the relationship, it can all go downhill very quickly and you might find yourself with a potential FCPA violation. The DOJ has now explicitly adopted this approach as a key determination of whether you have operationalized your compliance program. There are several different ways that you should manage your post-contract relationship.
Relationship Manager
There should be a Relationship Manager for every third party with which the company does business through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

• Point of contact with the Third Party for all compliance issues;
• Maintaining periodic contact with the Third Party;
• Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
• Submitting annual reports summarizing services provided by the Third Party;
• Assisting the company’s compliance function with any issues with respect to the Third Party.

The Relationship Manager can be the Business Sponsor who prepared the Business Rationale discussed on Day 17. By using the Business Sponsor as the Relationship Manager, your company will further operationalize compliance by continuing to have the business unit lead the front-line relationship, communications and contact with the third party. As noted compliance commentator Scott Moritz has said, “This puts the onus on each stakeholder.”
Compliance Professional
Just as a company needs a subject matter expert (SME) in anti-bribery compliance to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such a resource. A third party may not be large enough to have its own compliance staff, so any company using third party representatives should provide a dedicated resource to its third parties. This will not create a conflict of interest, nor are there other legal impediments to providing such services. The resource can also include anti-corruption training for the third party, delivered either onsite or remotely. The compliance practitioner should work closely with the Relationship Manager to provide advice, training and communications to the third party.
Third Party Oversight Committee
A Third Party Oversight Committee further operationalizes compliance. It reviews all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group, but the key is to have senior management put a ‘second set of eyes’ on any third party who might represent the company on the sales side. In addition to the basic concept of process validation of your management of third parties, and because third parties are recognized as the highest risk in anti-corruption compliance, this is a way to deliver additional management of that risk.
After the commercial relationship has begun, the Third Party Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and an evaluation of any new or supplemental risk associated with negative information discovered from a review of financial audit reports on the third party. The Third Party Oversight Committee should review any reports of a material breach of contract, including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Third Party Oversight Committee should review all payments requested by the third party to ensure such payments are within company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Third Party Oversight Committee should review any request to provide the third party with any type of non-monetary compensation.
Audit
A key tool in operationalizing the relationship with a third party post-contract is auditing the relationship. You should secure audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline, any audit of a third party should include, at a minimum, a review of the following:

1. the effectiveness of existing compliance programs and codes of conduct;
2. the origin and legitimacy of any funds paid to Company;
3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
4. all disbursements made for or on behalf of Company; and
5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive, you might consider evaluation of some of the following areas:

• Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
• Determine that actual due diligence took place on the third party.
• Review the FCPA compliance training program, both the substance of the program and attendance records.
• Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, a hotline or any other reporting mechanism.
• Does the third party have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
• Review employee expense reports for employees in high-risk positions or high-risk countries.
• Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
• Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer, to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks, and what has been the result of any risks so identified?
• Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
• With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances.

Three Key Takeaways

1. Management of the third party relationship is the key step in determining the effectiveness of your compliance program in this risk area.
2. By using non-compliance functions, such as the Business Sponsor or Relationship Manager, you more fully operationalize your compliance program.
3. Never forget to put a second set of eyes on all third party relationships.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.