Recently, I was reading a whitepaper by Kelvin Dickenson, Managing Director of Global Compliance Solutions at Dun & Bradstreet, titled “Anti-Bribery and Corruption Compliance for Third Parties: Is an off the shelf product enough?” As the D&B paper well points out, “the risks of insufficient third-party diligence have never been greater.” I totally agree; however, the question remains: what are the solutions? In this article, I will use the D&B whitepaper as a companion guide in discussing third-party compliance gaps that I have observed in my own international sales experience. Furthermore, I hope that by discussing these real-world perspectives, compliance professionals and practitioners might use these examples in order to review their own compliance models in order to reduce risk and address some of the loopholes I will describe.
As a preface, let me share that the discussion here is about the difficulty that a corporation or audit entity would most likely encounter when trying to investigate, assess and/or vet a third party with corrupt intent, and that such intermediaries will often surround themselves with a “circle of lies” which is difficult to expose. Such third-party suppliers will often use corrupt means during the on-boarding process, especially when confronted with a corporate entity making an honest attempt to execute on due diligence. While I agree with D&B that exposing that risk “is difficult, if not impossible, to achieve by purchasing an off-the-shelf product alone,” I see room for growth in terms of understanding how those intermediaries are attempting to evade and manipulate traditional assessment and vetting protocols.
What do I care? It is not my law
First, we should understand and appreciate that for many third parties, the mentality is “I am not covered” by U.S. or other international anti-bribery acts, so the thinking remains “sure, I will sign anything, as long as I get the agreement.” In other words, it is a “not in my jurisdiction,” or worse, “it is not illegal here” mindset. That is a dangerous situation for all involved; such agents are willing to sign affidavits and representations knowing that they have no intention of complying with the law, and that is not the kind of dynamic that gets exposed during normal questionnaires or self-assessments.
A ring of lies
As the D&B paper states, “companies can’t simply rely on paper-thin assurances by employees, distributors or customers,” when it comes to third-party transactions. Rather, “they need to look at the surrounding circumstances of any payment to adequately assess whether it could wind up in a government official’s pocket.” The challenge to that statement is that when it comes to a corrupt third party, it is difficult to make that assessment, as such entities will attempt to surround themselves with a “ring of lies.” Such deceptions have a number of components that I will describe and that are difficult to pierce from an assessment perspective.
The greatest object in the way of a reliable third-party risk assessment is when the “internal business sponsor,” as labeled by D&B, is in collusion with the third party in order to assist the agent in circumventing standard assessment protocols. Such collusion can take the form of having the internal business sponsor complete the self-assessment (including additional “coaching”), as well as conspiring as to what financial tools are available in order to transfer necessary funds for a corrupt payment. These types of conversations are difficult to track, and in large organizations that manage a multitude of vendors in high- and low-risk regions, the risk is even greater.
When you have an internal business sponsor and a third party surveying financial tools that can be used corruptly, such conversations can include the use of discretionary discounts, marketing allowances, expense reimbursement, the transfers of samples or even the use of “scope of work” and “after-sales agreements” to facilitate corrupt transactions. Such discussions are not always on a “grand” basis but can occur repeatedly, with low financial amounts, to avoid detection. In a discussion I had with a corporate compliance professional, he said “what keeps me awake at night is that while some events that occur day in and day out may seem minor, when they become commonplace and shared among international personnel, it can end up as a significant problem.”
Impact of regime change
As D&B states, “a common gap we often see is that once a third party is vetted, there is no ongoing review for changes in status or risk.” Where I see that gap is that once a third party is vetted, there is often no review process in high-risk areas where a change in regime (government) can have a significant impact on the relationship that the third party has with government officials. Stated more simply, I have seen cases where an agent has no corrupt ties with government contacts, but after a regime change, the opposite takes place. Accordingly, today’s clean third party could be tomorrow’s corrupt agent, dependent on a change in regime and the consequential relationships with public officials.
When talking to Mr. Dickenson, he added that another risk is “if your diligence process ensures that a particular agent is suitable and qualified for a defined scope of transaction, but you don’t systemically aggregate and monitor transactions, then a corrupt associate can get their agent approved under the guise of a limited scope and then funnel much greater funds to them when they are an approved vendor.” Mr. Mike Kenealy, Chief Operating Officer of FCPA Integrity, added that in some countries even the due diligence process is fraught with risk, “as many of the databases normally used in an assessment system are corrupt themselves, and in some countries, it might even be illegal to obtain certain information as part of the standard evaluation protocol.”
My own conclusion is much along the lines of D&B, where they assert that “traditional approaches to managing diligence around third parties, including reliance on off-the-shelf products alone…have not proven sufficient in preventing bribery.” I think when you look at the circle of lies that can often surround a corrupt third party, adding on the mentality of “it is not my law” and the potential collusion with an internal business sponsor, a substantial risk that is difficult to detect can exist under the best of due-diligence intentions.
As D&B states, the on-boarding process presents the greatest opportunity to develop a practice that prevents “diligence to be bypassed.” Thus, a more thorough and narrative examination of the third party, including the history of the particular market sector (in case there was corruption in that sector in the past), and a view of the internal business sponsor relationship, might be a guide to a more robust gate to keep out those who may irreparably harm a company through corruption and bribery. As Mr. Dickenson shared with me in a discussion on third-party risk, “in building anti-corruption programs, proportionate due diligence at on-boarding is the foundation to keeping bribery out, but it will not be effective unless the rest of the program is equally strong.”