Third Party Risk Management & Effective Controls
Michael Volkov, CEO and Founder | The Volkov Group
Copyright NAVEX Global, Inc. All Rights Reserved. | Page 2
About the Presenter
Michael Volkov, CEO and Founder, The Volkov Law Group
Michael Volkov has over 35 years of experience in practicing law. A former federal prosecutor
and veteran white-collar defense attorney, he has expertise in areas of ethics and compliance,
internal investigations and enforcement matters. Michael Volkov has extensive experience
with best practices, government expectations, and industry standards for ethics and
compliance programs.
Aggressive Enforcement Risks – 2019 Record Year
2019: Record Year in FCPA Enforcement
• Largest year in corporate penalties
• Record number of individual prosecutions: 34 (increase over 26 in 2018)
• DOJ dedicated to BIG cases; SEC handles more “routine” cases
• Maturation of FCPA Corporate Enforcement Policy
• SEC books and records risks
• Two top 10 cases: Ericsson ($1 billion) and MTS ($950 million)
The Numbers
• SEC: 12 corporate enforcement actions filed; 7 individual enforcement actions
• DOJ: 7 companies (+2 declinations)
• MTS Telesystems, Fresenius, Walmart, Technip/FMC, Microsoft, Samsung, Ericsson; Cognizant and Quad Graphics Declinations
• DOJ: 34 individual criminal indictments and/or guilty pleas
• Total corporate fines (DOJ and SEC): $2.726 billion
• Corporate monitors: 3 (MTS, Fresenius, Wal-Mart)
Total Corporate Fines: 2008-2019
[Chart: total corporate FCPA fines per year, 2008 to 2019, in millions of dollars (y-axis $0 to $3,000), with a linear trend line over the series]
Top Ten Corporate FCPA Settlements
[Chart: fines in millions of dollars (y-axis 0 to 1000). Companies shown, in the chart's order: Ericsson (2019), Telia (2017), MTS (2019), Siemens (2008), VimpelCom (2016), Alstom (2014), KBR/Halliburton (2009), Teva (2016), Och-Ziff (2016), BAE (2010)]
Third Parties & Bribery
Types of third party intermediaries disclosed in FCPA-related enforcement actions
[Chart: count of all third party intermediaries by type (y-axis 0 to 35): Agent / Consultant / Broker; Shell company; Contractor / Sub-contractor; Lawyer; Other]
Source: Foreign Corrupt Practices Act (FCPA) Clearinghouse – Stanford Law School and Sullivan & Cromwell LLP
“Nearly every single case comes out of third party risk.”
Evan Epstein, Executive director, Rock Center for Corporate Governance, Stanford University
DOJ & OFAC Issue New Compliance Guidance
• The Department of Justice published updated Evaluation of Corporate Compliance Programs in April 2019
• The Department of Treasury’s OFAC published its Framework – robust, prescriptive, and imposes significant new obligations on companies involved in international economy (June 2019)
OFAC Enforcement Highlights
• OFAC enforcement record level of total fines
• $1.28 billion (with a “B”) and 26 enforcement actions (second highest total number of enforcement actions)
• OFAC enforcement stretching well beyond financial institutions
• Increasing threat of individual prosecutions
• Supply chain liability
• Several actions against companies for post-acquisition conduct
Number of OFAC Enforcement Actions
[Chart: number of OFAC enforcement actions per year, 2010 to 2019 (y-axis 0 to 40)]
OFAC Total Fines 2010 to 2019
[Chart: OFAC total fines per year, 2010 to 2019, in millions of dollars (y-axis 0 to 1400)]
The Most Important OFAC Case of 2019
• OFAC liability for supply chain sourcing
• Liability without intent or knowledge
• Requires supply chain risk assessment
ELF Cosmetics: Supply Chain Risks
The Facts
• On January 31, 2019, OFAC announced a $996,080 settlement with e.l.f. Cosmetics, Inc. (“ELF”), a California cosmetics company, for violation of the North Korean Sanctions Regulations.
• ELF violated the North Korea sanctions by importing 156 shipments of false eyelash kits from two suppliers in China that contained materials sourced by these suppliers from North Korea.
• The total value of the illegal shipments was approximately $4.4 million.
• ELF’s violations and failure to act occurred as part of its supply chain risk management.
• ELF failed to discover that approximately 80% of the false eyelash kits supplied by two of ELF’s China-based suppliers contained materials from North Korea.
Lesson Learned
• ELF failed to exercise sufficient supply chain due diligence while sourcing products from a region that poses a high risk of connection to North Korea.
• To remediate, ELF:
1. Implemented supply chain audits that verify the country of origin of goods and services used in ELF products;
2. Adopted new procedures to require suppliers to sign certificates of compliance stating that they will comply with all U.S. export controls and trade sanctions; and
3. Conducted an enhanced supplier audit.
Third Party Risk Management: Classify and Stratify
Determining Risk Profile
• Identify and weigh your risks:
• Is the company’s risk assessment process effective?
• Is the company’s compliance program tailored to the risk assessment?
• Are the risk criteria periodically updated?
• Global companies involved in international business
• Foreign official interactions and bribery
• International sanctions
• Money laundering
• Export licensing and sanctions
• Third party business partners (e.g. vendors, suppliers, intermediaries)
Define Purpose and Scope of Third Party Risk Management
Purpose
• Protect company’s culture from third party conduct
• Allocate resources to minimize risk through consistent, risk-ranking process
• Protect company from reputational harm
• Avoid government investigation and enforcement action
Scope
• Define third parties: agents, distributors, consultants, lobbyists, vendors, suppliers, nominees
• Define risks
• Legal: FCPA, sanctions, AML
• Data & cybersecurity
• Ethical: conflicts of interest
• Reputational: bad actors bring bad conduct and bad publicity
Understanding Risks
• Bribery
• Fraud
• Sanctions
• Cyber and data security
• Money laundering: third party payments
4 Required Steps For Minimizing Risk
1. Information Collection
2. Analysis and Investigation
3. Red Flags & Resolutions
4. Residual Risk Mitigation
Classify Your Third Parties
• Representation
• Agents and sub-agents
• Distributors and sub-distributors
• Customs/immigration
• Regulatory
• Government-owned (any amount)
• Professionals
• Vendors/suppliers
• Nominees
Sub-Agents & Sub-Distributors
• Legal liabilities can extend to actions of sub-agents and sub-distributors
• Technology, pharmaceutical/medical device industries rely on layers of agents and distributors (e.g. channel partners)
• Risk has to be identified, assessed and mitigated
• Risk strategy can be overwhelming
• Risk management can reduce burden
• Sampling techniques to monitor and audit
• Contractual provisions can be used to shift risk
Professionals & Risks
• Lawyers, accountants, business consultants
• High-risk interactions involving regulatory matters (e.g. India), tax authorities (e.g. China), judicial, permitting
• Assign appropriate resources and attention
OFAC Third Party Risks: Distributors & Agents
Distributors, agents and other intermediaries
Robust documentation
Contractual provisions and certifications
End-use assurances and documentation
Proactive auditing
OFAC Supply Chain Risks: The New Frontier
• Supply chain audits (akin to conflict minerals compliance)
• Parties that are not in direct privity
• Liability extends to unknown sourcing from prohibited parties
• Contractual provisions need to “flow down” OFAC compliance
• Geographic and product/service risks have to be evaluated (e.g. close proximity to North Korea, Iran)
Apollo Aviation: Your Distribution Chain
• Apollo Aviation Group paid OFAC $210,600 for violations of the Sudanese Sanctions Program.
• Apollo leased two aircraft engines to Company 1 (UAE), which subleased to a Ukrainian airline, Company 2, which then installed the engines on an aircraft of Sudan Airways, a prohibited entity at the time.
• Apollo liable for Company 2’s activities in distribution chain despite lease containing certification of compliance.
• Lesson learned: companies have to track distribution to ensure non-prohibited party.
Information Collection: Defining Risk by Class
• Representatives (e.g., agents and distributors)
• Vendors or suppliers that:
• Are government-owned or controlled or have foreign government ownership; and/or
• Interact on the company’s behalf with foreign government officials (e.g., customs brokers)
• Professionals that:
• Are government-owned or controlled or have foreign government ownership; and/or
• Interact on the company’s behalf with foreign government officials
• Vendors or suppliers with:
• Transactions above a threshold revenue/contract amount; and
• Locations in a country with CPI of <50
• Vendors or suppliers with:
• Transactions below a threshold revenue/contract amount; and
• Locations in a country with CPI of >50
Stratify Third Parties
• Geographic areas (proxy for risk):
• Corruption Perceptions Index
• OFAC proximity to targeted countries (N. Korea, Iran, Cuba)
• Importance – critical functions
• Opportunities for misconduct:
• Annual spend/revenue
• Length of relationship
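The two slides above ("Defining Risk by Class" and "Stratify Third Parties") describe a rule set rather than code. The following is an added example, not from the presentation, of how those rules can be encoded so that every third party is tiered the same way. The CPI cut-off of 50 and the OFAC-targeted countries come from the slides; the $250,000 spend threshold, the field names and the sample portfolio are assumptions constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed thresholds: the slides name a "threshold revenue/contract amount" and a
# CPI cut-off of 50 but give no dollar figure, so the spend threshold is an assumption.
SPEND_THRESHOLD_USD = 250_000
CPI_THRESHOLD = 50
# Jurisdictions the slides name as OFAC-targeted; proximity is used as a geographic proxy.
OFAC_TARGETED = {"North Korea", "Iran", "Cuba"}


@dataclass
class ThirdParty:
    name: str
    category: str                   # "representative", "vendor", "professional", "nominee"
    country: str
    cpi_score: int                  # Corruption Perceptions Index, 0-100, higher is cleaner
    annual_spend_usd: float
    government_owned: bool = False  # any amount of foreign government ownership
    interacts_with_officials: bool = False  # deals with foreign officials for the company
    ofac_proximity: bool = False    # sources from or operates near a targeted country
    critical_function: bool = False


@dataclass
class Assessment:
    rating: str                     # "red", "yellow" or "green"
    tier: str                       # "enhanced" or "basic" due diligence
    reasons: List[str] = field(default_factory=list)


def classify(tp: ThirdParty) -> Assessment:
    """Apply the class and geography rules from the slides to one third party."""
    reasons: List[str] = []
    near_target = tp.ofac_proximity or tp.country in OFAC_TARGETED
    high_spend = tp.annual_spend_usd >= SPEND_THRESHOLD_USD
    low_cpi = tp.cpi_score < CPI_THRESHOLD

    # Class-based triggers ("Defining Risk by Class")
    if tp.category in ("representative", "nominee"):
        reasons.append(f"{tp.category} acts on the company's behalf")
    if tp.government_owned:
        reasons.append("government ownership (any amount)")
    if tp.interacts_with_officials:
        reasons.append("interacts with foreign government officials")
    # Geographic proxies and opportunity for misconduct ("Stratify Third Parties")
    if low_cpi:
        reasons.append(f"CPI {tp.cpi_score} is below {CPI_THRESHOLD}")
    if near_target:
        reasons.append("proximity to an OFAC-targeted country")
    if high_spend:
        reasons.append(f"annual spend {tp.annual_spend_usd:,.0f} at or above threshold")
    if tp.critical_function:
        reasons.append("performs a critical function")

    # Red: official-facing, government-owned or sanctions-exposed parties, and
    # representatives in low-CPI countries. Yellow: any other trigger. Green: none.
    red = (tp.government_owned or tp.interacts_with_officials or near_target
           or (tp.category in ("representative", "nominee") and low_cpi))
    rating = "red" if red else ("yellow" if reasons else "green")
    # Enhanced due diligence for red parties and for the slide's
    # "above threshold and CPI < 50" vendor bucket; basic otherwise.
    tier = "enhanced" if rating == "red" or (low_cpi and high_spend) else "basic"
    return Assessment(rating, tier, reasons)


def tier_portfolio(parties: List[ThirdParty]) -> Dict[str, Assessment]:
    """Classify a whole third party database; the result is what a
    red/yellow/green register would store."""
    return {tp.name: classify(tp) for tp in parties}


# Constructed sample portfolio (names, countries and scores are invented).
SAMPLE_PARTIES = [
    ThirdParty("Acme Customs Brokers", "vendor", "Country A", 38, 50_000,
               interacts_with_officials=True),
    ThirdParty("Northstar Supplies", "vendor", "Country B", 72, 80_000),
    ThirdParty("Delta Distribution", "representative", "Country C", 45, 300_000),
    ThirdParty("Helios Consulting", "professional", "Country B", 65, 400_000),
]

if __name__ == "__main__":
    for name, a in tier_portfolio(SAMPLE_PARTIES).items():
        print(f"{name:22} {a.rating:6} {a.tier:8} {'; '.join(a.reasons)}")
```

The reasons list is kept on purpose: the DOJ guidance cited earlier asks whether the compliance program is tailored to the risk assessment, and a stored rationale for each tier is what lets an auditor or regulator see that the same rule was applied consistently.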
Cyber and Data Security Third Party Risks
Cyber & Data Security Threats: An Evolving Set of Risks
• Primary threats today:
• Phishing and malware attacks
• Ransomware (growing)
• Denial-of-service attacks against high-profile companies by attacking Internet of Things (IoT) devices (service disruptions to Twitter, Airbnb, Android devices)
• Ransomware attacks circumvent encryption and rely on tried-and-true phishing campaigns
• Point of sale attacks have declined because of advent of chip technology
• Focus on corporate data – financial and personal data
Global Enforcement Risks
• Cybersecurity law is a patchwork of global statutes and regulations; U.S. Congress has failed to act
• Federal patchwork includes:
• The Health Insurance Portability and Accountability Act (“HIPAA”)
• The Fair Credit Reporting Act (“FCRA”) provides consumers with certain privacy rights governing their financial data
• The Gramm-Leach-Bliley Act gives banking customers certain privacy rights relating to banking data
• The FTC’s exercise of authority under Section 5 was recently curtailed in LabMD decision by 11th Circuit
• SEC has imposed cybersecurity disclosure requirements
• Cybersecurity, data privacy and breach notification requirements have fallen to the U.S. States
• The New York Department of Financial Services has imposed comprehensive set of cybersecurity requirements
• EU’s General Data Protection Regulation (“GDPR”)
• The EU’s leadership in this area will have a resounding impact on U.S. global companies that collect EU citizen data
• Other governments are quickly following the EU’s lead, including the United Kingdom, Australia, Japan and South Korea
• Look for aggressive enforcement action this year or next (Significant maximum penalty of 4% of worldwide revenues)
Third Parties and Cyber Risks
• Third parties can be used as back door to circumvent cybersecurity
• IoT risks: expanding network of physical devices, vehicles, home appliances that contain software, sensors and network connectors to transmit and exchange data
• Third parties which deal with global companies may become a target for a cybercriminal
• Businesses connect as many as 3 billion objects to the existing network and are expanding past network devices
• IoT devices are generally unsecured and lack basic protections
• Only one quarter of companies assess, manage and monitor third party cyber risks
• Global companies will have to:
• Conduct due diligence cybersecurity risk analysis
• Impose cybersecurity standards on their third parties, especially small and medium-sized businesses
Legal and Compliance Responsibilities
• Legal and compliance should:
• Develop an information governance framework
• Classify data
• Implement training and awareness
• Coordinate closely with IT
• HR and compliance should develop onboarding procedures for employees, third parties and vendors
• Third party cyber risks should be included in due diligence screening
• Risk ranking process based on access to critical data
Data Breach & Response
• Legal requirements vary across U.S. states and countries
• Countries are gravitating toward EU framework
• GDPR has imposed strict 72 hour and documentation requirements
• GDPR definition of “breach” is broad
• Legal and compliance have to prepare a response protocol and define responsibilities for each actor
Third Party Risk Management Tools
Third Party Risk Management
• Does process for third party due diligence and risk management correspond to enterprise risk associated with the activity?
• Has the process been integrated into procurement and vendor management?
• Appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third party
10 Elements of Third Party Program
• Written policies and procedures
• Business sponsor participation
• Pre-defined tier levels and requirements for due diligence (basic, enhanced)
• Risk ranking process with consistent risk rule application
• Red flag protocol to identify and resolve red flags
• Contractual certification
• Internal review and approval process (must be outside business)
• Advice of counsel and documentation
• Rational assessment of “representational” vendors and suppliers
• Monitoring and auditing program strategies to reflect risk
Automation is Imperative
• Effective risk identification requires gathering and analyzing more and more information
• Gathering information is time consuming!
• Analyzing information is time consuming!
• Automation is an effective strategy to manage information flow
• Intelligent automated systems provide efficient information presentation
Benefits of Automation
• Maintain database with red, yellow and green risk assignments
• Screen thresholds based on class and amount of revenue
• Basic screening and continuous monitoring
• Enhanced investigations
• Investigation and resolution rules
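"Basic screening and continuous monitoring" on the slide above is the piece most often automated. The following is an added example, not from the presentation or from any vendor platform, of the two halves: a normalising name screen against a denied-party list, and a re-screen that fires only when an existing partner's rating gets worse after a list update. The list entries, the third parties and the 0.85 fuzzy-match threshold are assumptions constructed here.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Assumption: a similarity at or above this is treated as an investigation-grade hit.
FUZZY_THRESHOLD = 0.85
# Corporate suffixes dropped before comparison so "Ltd." versus "Limited" cannot hide a match.
SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "corp", "company", "sa", "gmbh", "plc"}
RANK = {"green": 0, "yellow": 1, "red": 2}

Hit = Tuple[str, str, float]  # (rating, best matching list entry, similarity score)


def normalize(name: str) -> str:
    """Fold accents and case, strip dots and apostrophes, turn other punctuation into
    spaces and drop corporate suffixes: 'Café Trading S.A.' -> 'cafe trading'."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = s.replace(".", "").replace("'", "").lower()
    tokens = re.sub(r"[^a-z0-9]+", " ", s).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def screen_name(name: str, denied: List[str]) -> Hit:
    """Red for an exact normalised match, yellow for a fuzzy match at or above
    FUZZY_THRESHOLD (needs analyst review), green otherwise."""
    target = normalize(name)
    best, best_score = "", 0.0
    for entry in denied:
        candidate = normalize(entry)
        if candidate == target:
            return ("red", entry, 1.0)
        score = SequenceMatcher(None, target, candidate).ratio()
        if score > best_score:
            best, best_score = entry, score
    rating = "yellow" if best_score >= FUZZY_THRESHOLD else "green"
    return (rating, best, round(best_score, 2))


def screen_database(third_parties: List[str], denied: List[str]) -> Dict[str, Hit]:
    """Basic screening: one pass over the whole third party database."""
    return {tp: screen_name(tp, denied) for tp in third_parties}


def rescreen_on_update(third_parties: List[str], previous: Dict[str, Hit],
                       denied_updated: List[str]) -> Dict[str, Hit]:
    """Continuous monitoring: after the list changes, re-screen everything and return
    only the third parties whose rating got worse, so a new listing of an existing
    partner surfaces as an alert instead of waiting for the next onboarding."""
    current = screen_database(third_parties, denied_updated)
    return {tp: hit for tp, hit in current.items()
            if RANK[hit[0]] > RANK[previous[tp][0]]}


# Constructed data: neither the third parties nor the list entries are real.
THIRD_PARTIES = ["Blue Harbor Logistics Ltd.", "Café Trading S.A.",
                 "Meridian Customs Brokers LLC"]
DENIED_V1 = ["CAFE TRADING SA", "Blue Harbour Logistics"]
DENIED_V2 = DENIED_V1 + ["Meridian Customs Brokers"]  # a later list update adds a partner

if __name__ == "__main__":
    first = screen_database(THIRD_PARTIES, DENIED_V1)
    for tp, hit in first.items():
        print(f"{tp:30} {hit}")
    print("alerts after list update:", rescreen_on_update(THIRD_PARTIES, first, DENIED_V2))
```

The fuzzy band is what the slide calls "investigation and resolution rules": an exact hit goes straight to red, a near miss is queued for an analyst rather than silently cleared, and the stored previous result is what makes the monitoring step cheap enough to run on every list update.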
Internal Controls: Database Requirements
Three prescriptive requirements for reliance on information technology solutions:
• Selection: Which solutions did you consider and why did you select the specific solution?
• Calibration: What settings did you implement in the screening software and how does this incorporate your risk assessment and profile?
• Routine testing: How often do you test your solution to ensure that your results are accurate and reliable?
Due Diligence Is Deficient (By Definition) If Beneficial Ownership Is Not Identified
• Natural person who legally owns business entity
• FCPA risk – small government official interest creates serious bribery risk
• Shell companies and other sophisticated techniques to hide ownership interests
• Sanctions – Specially Designated National (SDN) ownership of 50% or more
• AML (PEP) and third party payment risks
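The sanctions bullet above refers to the aggregate 50% ownership test: an entity owned 50% or more, in aggregate, directly or indirectly, by one or more blocked persons is itself treated as blocked. The following is an added example, not from the presentation, that applies that test to a layered ownership structure, which is exactly where shell companies hide the interest the slide warns about. The ownership records and the names are constructed.

```python
from typing import Dict, List, Set, Tuple

BLOCKING_THRESHOLD = 50.0  # aggregate ownership at or above this blocks the entity

# Constructed ownership records: (owner, owned entity, percentage held).
OWNERSHIP: List[Tuple[str, str, float]] = [
    ("SDN Person X", "Holding A", 30.0),
    ("SDN Person Y", "Holding A", 25.0),    # X + Y = 55% -> Holding A is blocked
    ("Unrelated Fund", "Holding A", 45.0),
    ("Holding A", "Trading B", 50.0),       # a blocked entity's stake counts in full -> B blocked
    ("Local Partner", "Trading B", 50.0),
    ("SDN Person X", "Services C", 25.0),
    ("SDN Person Z", "Services C", 20.0),   # 45% aggregate -> Services C is not blocked
    ("Public Float", "Services C", 55.0),
    ("Services C", "Supplier D", 100.0),    # C is not blocked, so D is not blocked through it
]
SDN_LIST: Set[str] = {"SDN Person X", "SDN Person Y", "SDN Person Z"}


def blocked_entities(records: List[Tuple[str, str, float]], sdn_list: Set[str],
                     threshold: float = BLOCKING_THRESHOLD) -> Dict[str, float]:
    """Return {entity: aggregate % held by blocked persons} for every entity at or
    above the threshold. Iterates to a fixed point so that ownership through an
    intermediate entity that is itself blocked counts in full (indirect ownership),
    while stakes held through a non-blocked intermediate do not."""
    holders_of: Dict[str, List[Tuple[str, float]]] = {}
    for owner, owned, pct in records:
        holders_of.setdefault(owned, []).append((owner, pct))
    blocked: Dict[str, float] = {}
    changed = True
    while changed:
        changed = False
        for entity, holders in holders_of.items():
            if entity in blocked:
                continue
            aggregate = sum(pct for owner, pct in holders
                            if owner in sdn_list or owner in blocked)
            if aggregate >= threshold:
                blocked[entity] = aggregate
                changed = True
    return blocked


def screen_counterparty(name: str, records: List[Tuple[str, str, float]],
                        sdn_list: Set[str]) -> str:
    """Due diligence verdict for one counterparty, with the aggregate that drove it."""
    if name in sdn_list:
        return "listed directly"
    blocked = blocked_entities(records, sdn_list)
    if name in blocked:
        return f"blocked: {blocked[name]:.0f}% held by blocked persons"
    return "not blocked under the 50% rule"


if __name__ == "__main__":
    for entity in ("Holding A", "Trading B", "Services C", "Supplier D"):
        print(f"{entity:12} {screen_counterparty(entity, OWNERSHIP, SDN_LIST)}")
```

Two caveats belong with this check. The rule is about ownership, not control, so Services C at 45% is "not blocked" yet is still a red flag for the investigation protocol rather than a clean result. And the computation is only as good as the ownership records fed into it, which is the slide's point: due diligence that never identified the beneficial owners has nothing to aggregate.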
Artificial Intelligence & Machine Learning
• New technology for faster and more efficient database searches
• Some due diligence data service providers offer platforms with this capability
• Artificial intelligence = increased computer storage and processing capabilities
• Artificial intelligence = more efficient and faster search
Building & Scaling Your Third Party Program
[Maturity diagram: program stages shown along a maturity axis: business justification, entity validation, risk based screening and approval, monitoring and reporting, automation]
Monitoring Third Parties
• Risk rank third parties annually (even twice a year)
• Respond to open source intelligence of third party involvement in misconduct
• Assign monitoring tools based on relative risk ranking
• Higher risk demands greater ongoing scrutiny
• Change in status, financial controls, and “routine” monitoring
• Document monitoring strategy and obtain advice of counsel
• Tools for monitoring/response:
• Audit, transaction testing, spot checks, invoice verification, unannounced visits/meetings, annual training, more frequent certifications, refreshed due diligence, additional training, compliance reminders
Red Flags: Common Issues for Investigations
• Government ownership (e.g., state-owned enterprises)
• Government official/political party ownership (or closely-affiliated)
• Sanctions, denied parties, watch lists
• Civil/criminal allegations, misconduct and/or convictions
• Regulatory allegations and violations
• Other reputational concerns and “red flags”
Financial Controls
• Breakdown internal approval process for payments to vendors and agents/distributors
• SEC’s focus on invoice-to-payment process
• Compliance coordination and controls for review, authorization and payment process
• Third party contractual obligations to justify invoices with documentation and explanations
• Identify suspicious expenditures
• Flagging relationships or expenses for follow-up review
• Transaction monitoring
• Follow-up audits on relationships and payments
Third Party Training & Certifications
• DOJ and SEC expectations to train third parties
• How much in-person versus online programs
• Risk ranking may guide type and frequency
• Certification compliance programs: distributor/supplier codes and annual certification programs
Commit to Conduct Minimum Number of Annual Audits
• DOJ and SEC are frustrated that companies do not regularly conduct audits of high-risk third parties
• Commit to minimum number of audits
• Conduct variety of “audits” aside from intense financial and compliance audits
Proactive Sampling of Third Party Transactions
• Focus is immaterial transactions
• Search for anomalies in high-risk accounts
• Strategy for sampling is:
• Risk rank financial operations by region, country or product/service
• Identify high-risk accounts in these categories
• Sampling protocol
Transaction Analytics & Sampling Focus
• Apply forensic analytic tools to search for “anomalies” or “suspect” transactions
• Depends on trial balance account labels
• Difficult if transactions outside of ERP system and on spreadsheets
• If ERP system, transaction testing can be conducted remotely
• Adequate documentation
• Duplicate transactions
• Proper justification
• Compliance with controls
• Comparison of vendor data with employees, agents or distributors data
• Emails and surrounding communications if necessary
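The two slides above ("Proactive Sampling of Third Party Transactions" and "Transaction Analytics & Sampling Focus") describe the remote testing that becomes possible once transactions sit in an ERP system. The following is an added example, not from the presentation, that carries the procedure through end to end: rank accounts by risk, sample immaterial lines from the high-risk ones, and run the listed checks (documentation, duplicates, justification, compliance with controls, vendor versus employee master comparison). The ledger extract, the masters, the account risk scores, the $5,000 approval limit and the $10,000 materiality figure are all constructed assumptions.

```python
import random
from collections import defaultdict
from typing import Dict, List

APPROVAL_LIMIT_USD = 5_000.0   # assumption: single-signature approval limit
MATERIALITY_USD = 10_000.0     # assumption: audit materiality; sampling targets lines below it
SAMPLE_SIZE = 3
# Constructed account risk scores (0-1): commissions and consulting booked in a
# low-CPI country rank highest, HQ office spend lowest.
ACCOUNT_RISK = {
    "6210-Commissions-CountryA": 0.9,
    "6310-Consulting-CountryA": 0.8,
    "5100-Office-HQ": 0.1,
}
# Constructed ledger extract; a real ERP export carries many more fields.
TRANSACTIONS = [
    {"id": 1, "account": "6210-Commissions-CountryA", "vendor": "V100", "invoice": "INV-77",
     "amount": 9_800.0, "doc_attached": True, "justification": "Q1 commission per agreement"},
    {"id": 2, "account": "6210-Commissions-CountryA", "vendor": "V100", "invoice": "INV-77",
     "amount": 9_800.0, "doc_attached": True, "justification": "Q1 commission per agreement"},
    {"id": 3, "account": "6310-Consulting-CountryA", "vendor": "V200", "invoice": "INV-12",
     "amount": 4_999.0, "doc_attached": False, "justification": ""},
    {"id": 4, "account": "6310-Consulting-CountryA", "vendor": "V300", "invoice": "INV-5",
     "amount": 1_500.0, "doc_attached": True, "justification": "Regulatory filing support"},
    {"id": 5, "account": "5100-Office-HQ", "vendor": "V400", "invoice": "INV-88",
     "amount": 320.0, "doc_attached": True, "justification": "Office supplies"},
]
VENDOR_MASTER = {"V100": {"bank": "CC-1111"}, "V200": {"bank": "CC-2222"},
                 "V300": {"bank": "CC-3333"}, "V400": {"bank": "CC-4444"}}
EMPLOYEE_MASTER = {"E1": {"bank": "CC-9999"}, "E2": {"bank": "CC-2222"}}  # E2 shares V200's account


def high_risk_accounts(risk_scores: Dict[str, float], cutoff: float = 0.5) -> List[str]:
    """Risk rank the accounts and keep those at or above the cutoff, highest first."""
    ranked = sorted(risk_scores.items(), key=lambda kv: -kv[1])
    return [account for account, score in ranked if score >= cutoff]


def sample_transactions(txns: List[dict], accounts: List[str], seed: int = 7) -> List[dict]:
    """Proactive sampling: draw from immaterial lines in the high-risk accounts. The
    seed makes the draw reproducible for the working papers."""
    pool = [t for t in txns if t["account"] in accounts and t["amount"] < MATERIALITY_USD]
    return random.Random(seed).sample(pool, min(SAMPLE_SIZE, len(pool)))


def run_checks(txns: List[dict], vendors: Dict[str, dict],
               employees: Dict[str, dict]) -> List[dict]:
    """Run the slide's tests over a set of transactions and return one finding per
    failed check, keyed by transaction id."""
    findings: List[dict] = []
    by_key = defaultdict(list)            # duplicate test: same vendor, invoice and amount
    for t in txns:
        by_key[(t["vendor"], t["invoice"], t["amount"])].append(t["id"])
    employee_banks = {e["bank"] for e in employees.values()}
    for t in txns:
        twins = by_key[(t["vendor"], t["invoice"], t["amount"])]
        if len(twins) > 1:
            findings.append({"id": t["id"], "check": "duplicate",
                             "detail": f"same vendor/invoice/amount as ids {twins}"})
        if not t["doc_attached"]:
            findings.append({"id": t["id"], "check": "documentation",
                             "detail": "no supporting document attached"})
        if not t["justification"].strip():
            findings.append({"id": t["id"], "check": "justification",
                             "detail": "empty business justification"})
        if 0.9 * APPROVAL_LIMIT_USD <= t["amount"] < APPROVAL_LIMIT_USD:
            findings.append({"id": t["id"], "check": "controls",
                             "detail": "amount sits just below the approval limit"})
        if vendors[t["vendor"]]["bank"] in employee_banks:
            findings.append({"id": t["id"], "check": "vendor-employee match",
                             "detail": "vendor bank account also appears in employee master"})
    return findings


if __name__ == "__main__":
    accounts = high_risk_accounts(ACCOUNT_RISK)
    sample = sample_transactions(TRANSACTIONS, accounts)
    for f in run_checks(sample, VENDOR_MASTER, EMPLOYEE_MASTER):
        print(f)
```

Every finding here is a reason to pull the emails and surrounding communications the last bullet mentions, not a conclusion: a duplicate invoice can be a posting error and a shared bank account can be a data-entry mistake, but both are exactly the anomalies the slide says to search for in high-risk accounts.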
© 2020 Copyright NAVEX Global, Inc. All Rights Reserved. | Page 50
Thank You!