Connecting Risk Management & Compliance

Date post: 15-Jul-2020

Third Party Risk Management & Effective Controls

Michael Volkov, CEO and Founder | The Volkov Group

Copyright NAVEX Global, Inc. All Rights Reserved. | Page 2

About the Presenter

Michael Volkov, CEO and Founder, The Volkov Law Group

Michael Volkov has over 35 years of experience in practicing law. A former federal prosecutor and veteran white-collar defense attorney, he has expertise in areas of ethics and compliance, internal investigations and enforcement matters. Michael Volkov has extensive experience with best practices, government expectations, and industry standards for ethics and compliance programs.

Aggressive Enforcement Risks – 2019 Record Year

2019: Record Year in FCPA Enforcement

• Largest year in corporate penalties

• Record number of individual prosecutions: 34 (increase over 26 in 2018)

• DOJ dedicated to BIG cases; SEC handles more “routine” cases

• Maturation of FCPA Corporate Enforcement Policy

• SEC books and records risks

• Two top 10 cases: Ericsson ($1 billion) and MTS ($950 million)

The Numbers

• SEC: 12 corporate enforcement actions filed; 7 individual enforcement actions

• DOJ: 7 companies (+2 declinations)

• MTS Telesystems, Fresenius, Walmart, Technip/FMC, Microsoft, Samsung, Ericsson; Cognizant and Quad Graphics Declinations

• DOJ: 34 individual criminal indictments and/or guilty pleas

• Total corporate fines (DOJ and SEC): $2.726 billion

• Corporate monitors: 3 (MTS, Fresenius, Wal-Mart)

Total Corporate Fines: 2008-2019

[Chart: total corporate fines in millions of dollars per year, 2008 through 2019, with a linear trend line]

Top Ten Corporate FCPA Settlements

[Chart: top ten corporate FCPA settlements, fines in millions of dollars: Ericsson (2019), Telia (2017), MTS (2019), Siemens (2008), VimpelCom (2016), Alstom (2014), KBR/Halliburton (2009), Teva (2016), Och-Ziff (2016), BAE (2010)]

Third Parties & Bribery

[Chart: types of third party intermediaries disclosed in FCPA-related enforcement actions; categories: Agent / Consultant / Broker, Shell company, Contractor / Sub-contractor, Lawyer, Other; axis: number of intermediaries, 0 to 35]

Source: Foreign Corrupt Practices Act (FCPA) Clearinghouse – Stanford Law School and Sullivan & Cromwell LLP

“Nearly every single case comes out of third party risk.”

Evan Epstein, Executive director, Rock Center for Corporate Governance, Stanford University

DOJ & OFAC Issue New Compliance Guidance

• The Department of Justice published updated Evaluation of Corporate Compliance Programs in April 2019

• The Department of Treasury’s OFAC published its Framework – robust, prescriptive, and imposes significant new obligations on companies involved in international economy (June 2019)

OFAC Enforcement Highlights

• OFAC enforcement record level of total fines

• $1.28 billion (with a “B”) and 26 enforcement actions (second highest total number of enforcement actions)

• OFAC enforcement stretching well beyond financial institutions

• Increasing threat of individual prosecutions

• Supply chain liability

• Several actions against companies for post-acquisition conduct

Number of OFAC Enforcement Actions

[Chart: number of OFAC enforcement actions per year, 2010 through 2019]

OFAC Total Fines 2010 to 2019

[Chart: OFAC total fines in millions of dollars per year, 2010 through 2019]

The Most Important OFAC Case of 2019

• OFAC liability for supply chain sourcing

• Liability without intent or knowledge

• Requires supply chain risk assessment

ELF Cosmetics: Supply Chain Risks

The Facts

• On January 31, 2019, OFAC announced a $996,080 settlement with e.l.f. Cosmetics, Inc. (“ELF”), a California cosmetics company, for violation of the North Korean Sanctions Regulations.

• ELF violated the North Korea sanctions by importing 156 shipments of false eyelash kits from two suppliers in China that contained materials sourced by these suppliers from North Korea.

• The total value of the illegal shipments was approximately $4.4 million.

• ELF’s violations and failure to act occurred as part of its supply chain risk management.

• ELF failed to discover that approximately 80% of the false eyelash kits supplied by two of ELF’s China-based suppliers contained materials from North Korea.

Lesson Learned

• ELF failed to exercise sufficient supply chain due diligence while sourcing products from a region that poses a high risk of connection to North Korea.

• To remediate, ELF:

1. Implemented supply chain audits that verify the country of origin of goods and services used in ELF products;

2. Adopted new procedures to require suppliers to sign certificates of compliance stating that they will comply with all U.S. export controls and trade sanctions; and

3. Conducted an enhanced supplier audit.

Third Party Risk Management: Classify and Stratify

Determining Risk Profile

• Identify and weigh your risks:

• Is the company’s risk assessment process effective?

• Is the company’s compliance program tailored to the risk assessment?

• Are the risk criteria periodically updated?

• Global companies involved in international business

• Foreign official interactions and bribery

• International sanctions

• Money laundering

• Export licensing and sanctions

• Third party business partners (e.g. vendors, suppliers, intermediaries)

Define Purpose and Scope of Third Party Risk Management

Purpose

• Protect company’s culture from third party conduct

• Allocate resources to minimize risk through consistent, risk-ranking process

• Protect company from reputational harm

• Avoid government investigation and enforcement action

Scope

• Define third parties: agents, distributors, consultants, lobbyists, vendors, suppliers, nominees

• Define risks

• Legal: FCPA, sanctions, AML

• Data & cybersecurity

• Ethical: conflicts of interest

• Reputational: bad actors bring bad conduct and bad publicity

Understanding Risks

• Bribery

• Fraud

• Sanctions

• Cyber and data security

• Money laundering: third party payments

4 Required Steps For Minimizing Risk

Information Collection

Analysis and Investigation

Red Flags & Resolutions

Residual Risk Mitigation

Classify Your Third Parties

• Representation

• Agents and sub-agents

• Distributors and sub-distributors

• Customs/immigration

• Regulatory

• Government-owned (any amount)

• Professionals

• Vendors/suppliers

• Nominees

Sub-Agents & Sub-Distributors

• Legal liabilities can extend to actions of sub-agents and sub-distributors

• Technology, pharmaceutical/medical device industries rely on layers of agents and distributors (e.g. channel partners)

• Risk has to be identified, assessed and mitigated

• Risk strategy can be overwhelming

• Risk management can reduce burden

• Sampling techniques to monitor and audit

• Contractual provisions can be used to shift risk

Professionals & Risks

• Lawyers, accountants, business consultants

• High-risk interactions involving regulatory matters (e.g. India), tax authorities (e.g. China), judicial, permitting

• Assign appropriate resources and attention

OFAC Third Party Risks: Distributors & Agents

Distributors, agents and other intermediaries

Robust documentation

Contractual provisions and certifications

End-use assurances and documentation

Proactive auditing

OFAC Supply Chain Risks: The New Frontier

• Supply chain audits (akin to conflict minerals compliance)

• Parties that are not in direct privity

• Liability extends to unknown sourcing from prohibited parties

• Contractual provisions need to “flow down” OFAC compliance

• Geographic and product/service risks have to be evaluated (e.g. close proximity to North Korea, Iran)

Apollo Aviation: Your Distribution Chain

• Apollo Aviation Group paid OFAC $210,600 for violations of the Sudanese Sanctions Program.

• Apollo leased two aircraft engines to Company 1 (UAE), which subleased to a Ukrainian airline, Company 2, which then installed the engines on an aircraft of Sudan Airways, a prohibited entity at the time.

• Apollo liable for Company 2’s activities in distribution chain despite lease containing certification of compliance.

• Lesson learned: companies have to track distribution to ensure non-prohibited party.

Information Collection: Defining Risk by Class

• Representatives (e.g., agents and distributors)

• Vendors or suppliers that:

• Are government-owned or controlled or have foreign government ownership; and/or

• Interact on the company’s behalf with foreign government officials (e.g., customs brokers)

• Professionals that:

• Are government-owned or controlled or have foreign government ownership; and/or

• Interact on the company’s behalf with foreign government officials

• Vendors or suppliers with:

• Transactions above a threshold revenue/contract amount; and

• Locations in a country with CPI of <50

• Vendors or suppliers with:

• Transactions below a threshold revenue/contract amount; and

• Locations in a country with CPI of >50

Stratify Third Parties

• Geographic areas (proxy for risk):

• Corruption Perceptions Index

• OFAC proximity to targeted countries (N. Korea, Iran, Cuba)

• Importance – critical functions

• Opportunities for misconduct:

• Annual spend/revenue

• Length of relationship
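The classification and stratification rules on the last two slides (risk by class, CPI below 50, spend thresholds, proximity to OFAC-targeted countries) can be applied consistently in code, which is what the "consistent risk rule application" element later in the deck asks for. The following is an added example, not the presenter's or NAVEX's tooling; the spend threshold, the red/yellow/green tier rules and the portfolio are assumptions, and the due diligence mapping is an assumed one.

```python
from dataclasses import dataclass

SPEND_THRESHOLD_USD = 250_000.0   # assumed revenue/contract threshold
CPI_HIGH_RISK = 50                # deck's cut-off: CPI below 50 is high risk
# Drivers that by themselves call for enhanced due diligence (assumed rule)
ENHANCED_TRIGGERS = {"representative", "government ownership",
                     "official interaction", "sanctions proximity"}


@dataclass(frozen=True)
class ThirdParty:
    name: str
    category: str                           # "representative", "vendor" or "professional"
    country_cpi: int                        # Corruption Perceptions Index score, 0-100
    annual_spend_usd: float
    government_owned: bool = False          # any foreign government ownership or control
    interacts_with_officials: bool = False  # acts for the company before officials
    near_sanctioned_country: bool = False   # proximity to N. Korea, Iran, Cuba
    critical_function: bool = False


def risk_drivers(tp: ThirdParty) -> list[str]:
    """List the deck's risk factors that apply to one third party."""
    drivers = []
    if tp.category == "representative":        # agents and distributors
        drivers.append("representative")
    if tp.government_owned:
        drivers.append("government ownership")
    if tp.interacts_with_officials:            # e.g. customs brokers
        drivers.append("official interaction")
    if tp.near_sanctioned_country:
        drivers.append("sanctions proximity")
    if tp.annual_spend_usd >= SPEND_THRESHOLD_USD:
        drivers.append("spend above threshold")
    if tp.country_cpi < CPI_HIGH_RISK:
        drivers.append("low CPI")
    if tp.critical_function:
        drivers.append("critical function")
    return drivers


def risk_tier(tp: ThirdParty) -> str:
    """Red/yellow/green assignment (assumed rule set, applied the same way to every record).

    red:    an enhanced-diligence trigger, or the deck's vendor class
            'above threshold AND located in a country with CPI < 50'
    yellow: any other single driver (spend, low CPI, critical function)
    green:  no driver
    """
    drivers = set(risk_drivers(tp))
    if drivers & ENHANCED_TRIGGERS:
        return "red"
    if {"spend above threshold", "low CPI"} <= drivers:
        return "red"
    return "yellow" if drivers else "green"


def due_diligence_level(tier: str) -> str:
    """Tier -> pre-defined due diligence requirement (assumed mapping)."""
    return {"red": "enhanced", "yellow": "basic + continuous monitoring",
            "green": "basic"}[tier]


def stratify(parties: list[ThirdParty]) -> dict[str, list[str]]:
    """Group third-party names by tier, most risky first."""
    tiers: dict[str, list[str]] = {"red": [], "yellow": [], "green": []}
    for tp in parties:
        tiers[risk_tier(tp)].append(tp.name)
    return tiers


# Constructed portfolio used for the demonstration
PORTFOLIO = [
    ThirdParty("Acme Customs Brokers", "vendor", 40, 30_000, interacts_with_officials=True),
    ThirdParty("Northline Logistics", "vendor", 72, 900_000),
    ThirdParty("Delta Parts Co", "vendor", 35, 600_000),
    ThirdParty("Office Supplies Ltd", "vendor", 80, 5_000),
    ThirdParty("Regional Distributor SA", "representative", 65, 120_000),
    ThirdParty("Harbor Legal LLP", "professional", 38, 40_000),
]

if __name__ == "__main__":
    for tier, names in stratify(PORTFOLIO).items():
        print(f"{tier:6} -> {due_diligence_level(tier):32} {names}")
```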

Cyber and Data Security Third Party Risks

Cyber & Data Security Threats: An Evolving Set of Risks

• Primary threats today:

• Phishing and malware attacks

• Ransomware (growing)

• Denial-of-service attacks against high-profile companies by attacking Internet of Things (IoT) devices (service disruptions to Twitter, Airbnb, Android devices)

• Ransomware attacks circumvent encryption and rely on tried-and-true phishing campaigns

• Point of sale attacks have declined because of advent of chip technology

• Focus on corporate data – financial and personal data

Global Enforcement Risks

• Cybersecurity law is a patchwork of global statutes and regulations; U.S. Congress has failed to act

• Federal patchwork includes:

• The Health Insurance Portability and Accountability Act (“HIPAA”)

• The Fair Credit Reporting Act (“FCRA”) provides consumers with certain privacy rights governing their financial data

• The Gramm-Leach-Bliley Act gives banking customers certain privacy rights relating to banking data

• The FTC’s exercise of authority under Section 5 was recently curtailed in LabMD decision by 11th Circuit

• SEC has imposed cybersecurity disclosure requirements

• Cybersecurity, data privacy and breach notification requirements have fallen to the U.S. States

• The New York Department of Financial Services has imposed comprehensive set of cybersecurity requirements

• EU’s General Data Protection Regulations (“GDPR”)

• The EU’s leadership in this area will have a resounding impact on U.S. global companies that collect EU citizen data

• Other governments are quickly following the EU’s lead, including the United Kingdom, Australia, Japan and South Korea

• Look for aggressive enforcement action this year or next (Significant maximum penalty of 4% of worldwide revenues)

Third Parties and Cyber Risks

• Third parties can be used as back door to circumvent cybersecurity

• IoT risks: expanding network of physical devices, vehicles, home appliances that contain software, sensors and network connectors to transmit and exchange data

• Third parties which deal with global companies may become a target for a cybercriminal

• Businesses connect as many as 3 billion objects to the existing network and are expanding past network devices

• IoT devices are generally unsecured and lack basic protections

• Only one quarter of companies assess, manage and monitor third party cyber risks

• Global companies will have to:

• Conduct due diligence cybersecurity risk analysis

• Impose cybersecurity standards on their third parties, especially small and medium-sized businesses

Legal and Compliance Responsibilities

• Legal and compliance should:

• Develop an information governance framework

• Classify data

• Implement training and awareness

• Coordinate closely with IT

• HR and compliance should develop onboarding procedures for employees, third parties and vendors

• Third party cyber risks should be included in due diligence screening

• Risk ranking process based on access to critical data

Data Breach & Response

• Legal requirements vary across U.S. states and countries

• Countries are gravitating toward EU framework

• GDPR has imposed strict 72 hour and documentation requirements

• GDPR definition of “breach” is broad

• Legal and compliance have to prepare a response protocol and define responsibilities for each actor

Third Party Risk Management Tools

Third Party Risk Management

• Does process for third party due diligence and risk management correspond to enterprise risk associated with the activity?

• Has the process been integrated into procurement and vendor management?

• Appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third party

10 Elements of Third Party Program

• Written policies and procedures

• Business sponsor participation

• Pre-defined tier levels and requirements for due diligence (basic, enhanced)

• Risk ranking process with consistent risk rule application

• Red flag protocol to identify and resolve red flags

• Contractual certification

• Internal review and approval process (must be outside business)

• Advice of counsel and documentation

• Rational assessment of “representational” vendors and suppliers

• Monitoring and auditing program strategies to reflect risk

Automation is Imperative

• Effective risk identification requires gathering and analyzing more and more information

• Gathering information is time consuming!

• Analyzing information is time consuming!

• Automation is an effective strategy to manage information flow

• Intelligent automated systems provide efficient information presentation

Benefits of Automation

• Maintain database with red, yellow and green risk assignments

• Screen thresholds based on class and amount of revenue

• Basic screening and continuous monitoring

• Enhanced investigations

• Investigation and resolution rules

Internal Controls: Database Requirements

Three prescriptive requirements for reliance on information technology solutions:

• Selection: Which solutions did you consider and why did you select the specific solution?

• Calibration: What settings did you implement in the screening software and how does this incorporate your risk assessment and profile?

• Routine Testing: How often do you test your solution to ensure that your results are accurate and reliable?

Due Diligence Is Deficient (By Definition) If Beneficial Ownership Is Not Identified

• Natural person who legally owns business entity

• FCPA risk – small government official interest creates serious bribery risk

• Shell companies and other sophisticated techniques to hide ownership interests

• Sanctions – Specially Designated National (SDN) ownership of 50% or more

• AML (PEP) and third party payment risks
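The sanctions bullet above (SDN ownership of 50% or more) and the FCPA bullet (any government official interest is a red flag) can be checked mechanically once beneficial ownership has been collected. The example below is added here and is not the presenter's or NAVEX's code; aggregating across several blocked owners and counting indirect ownership through an intermediate entity follow OFAC's published 50 Percent Rule guidance, which goes beyond the single bullet on the slide, and the owners, percentages and official list are constructed.

```python
Ownership = dict[str, dict[str, float]]   # entity -> {owner: percent held}

# Constructed inputs: stand-ins for SDN list hits and for a known government official
SDN_PERSONS = {"SDN Person X", "SDN Person Y"}
GOVERNMENT_OFFICIALS = {"Minister Q"}

OWNERSHIP: Ownership = {
    "Entity A": {"SDN Person X": 25.0, "SDN Person Y": 25.0, "Private Investor": 50.0},
    "Entity B": {"Entity A": 50.0, "Public Float": 50.0},
    "Entity C": {"Entity B": 30.0, "SDN Person X": 10.0, "Minister Q": 5.0, "Founder": 55.0},
}


def blocked_share(entity: str, ownership: Ownership, blocked: set[str]) -> float:
    """Aggregate percentage of an entity held by owners in the blocked set."""
    return sum(pct for owner, pct in ownership.get(entity, {}).items() if owner in blocked)


def resolve_blocked(ownership: Ownership, sdn_persons: set[str]) -> set[str]:
    """Fixed point of the 50% test.

    Once an entity crosses 50% it is itself blocked, and its entire holding in
    other entities then counts as blocked ownership (indirect ownership), so the
    loop repeats until no new entity is added.
    """
    blocked = set(sdn_persons)
    changed = True
    while changed:
        changed = False
        for entity in ownership:
            if entity not in blocked and blocked_share(entity, ownership, blocked) >= 50.0:
                blocked.add(entity)
                changed = True
    return blocked - sdn_persons


def screen(entity: str, ownership: Ownership, sdn_persons: set[str] = SDN_PERSONS,
           officials: set[str] = GOVERNMENT_OFFICIALS) -> dict:
    """Sanctions status plus the FCPA flag for any government official interest."""
    blocked = resolve_blocked(ownership, sdn_persons) | sdn_persons
    share = blocked_share(entity, ownership, blocked)
    if entity in blocked:
        status = "blocked"
    elif share > 0:
        status = "review"   # below 50%, but an SDN interest still warrants counsel review
    else:
        status = "clear"
    official_interest = sum(pct for owner, pct in ownership.get(entity, {}).items()
                            if owner in officials)
    return {"entity": entity, "blocked_share": share, "status": status,
            "fcpa_red_flag": official_interest > 0}   # any size of interest flags


if __name__ == "__main__":
    for name in OWNERSHIP:
        print(screen(name, OWNERSHIP))
```

Entity B shows why the indirect step matters: no SDN person holds B directly, yet Entity A (50% SDN-held) owns half of it.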

Artificial Intelligence & Machine Learning

• New technology for faster and more efficient database searches

• Some due diligence data service providers offer platforms with this capability

• Artificial intelligence = increased computer storage and processing capabilities

• Artificial intelligence = more efficient and faster search

Building & Scaling Your Third Party Program

[Chart: program stages plotted against a maturity axis; stage labels as extracted: Monitoring and reporting, Risk based screening and approval, Entity validation, Business justification; Automation]

Monitoring Third Parties

• Risk rank third parties annually (even twice a year)

• Respond to open source intelligence of third party involvement in misconduct

• Assign monitoring tools based on relative risk ranking

• Higher risk demands greater ongoing scrutiny

• Change in status, financial controls, and “routine” monitoring

• Document monitoring strategy and obtain advice of counsel

• Tools for monitoring/response:

• Audit, transaction testing, spot checks, invoice verification, unannounced visits/meetings, annual training, more frequent certifications, refreshed due diligence, additional training, compliance reminders

Red Flags: Common Issues for Investigations

• Government ownership (e.g., state-owned enterprises)

• Government official/political party ownership (or closely-affiliated)

• Sanctions, denied parties, watch lists

• Civil/criminal allegations, misconduct and/or convictions

• Regulatory allegations and violations

• Other reputational concerns and “red flags”

Financial Controls

SEC’s Focus on Invoice-to-Payment Process

• Breakdown internal approval process for payments to vendors and agents/distributors

• Compliance coordination and controls for review, authorization and payment process

• Third party contractual obligations to justify invoices with documentation and explanations

• Identify suspicious expenditures

• Flagging relationships or expenses for follow up review

• Transaction monitoring

• Follow up audits on relationships and payments

Third Party Training & Certifications

• DOJ and SEC expectations to train third parties

• How much in-person versus online programs

• Risk ranking may guide type and frequency

• Certification compliance programs: distributor/supplier codes and annual certification programs

Commit to Conduct Minimum Number of Annual Audits

• DOJ and SEC are frustrated that companies do not regularly conduct audits of high-risk third parties

• Commit to minimum number of audits

• Conduct variety of “audits” aside from intense financial and compliance audits

Proactive Sampling of Third Party Transactions

• Focus is immaterial transactions

• Search for anomalies in high-risk accounts

• Strategy for sampling is:

• Risk rank financial operations by region, country or product/service

• Identify high-risk accounts in these categories

• Sampling protocol

Transaction Analytics & Sampling Focus

• Apply forensic analytic tools to search for “anomalies” or “suspect” transactions

• Depends on trial balance account labels

• Difficult if transactions outside of ERP system and on spreadsheets

• If ERP system, transaction testing can be conducted remotely

• Adequate documentation

• Duplicate transactions

• Proper justification

• Compliance with controls

• Comparison of vendor data with employees, agents or distributors data

• Emails and surrounding communications if necessary
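The sampling strategy on the previous slide (rank by region, pick high-risk accounts, focus on immaterial transactions) and the tests listed above (documentation, duplicates, comparison of vendor data with employee data) are easy to run remotely against an ERP extract. The code below is an added example, not the presenter's or NAVEX's tooling; the ledger rows, account labels, materiality threshold, high-risk regions and the employee bank list are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

MATERIALITY_USD = 10_000.0      # assumed: 'immaterial' means below this amount
DUPLICATE_WINDOW = timedelta(days=30)
HIGH_RISK_REGIONS = {"APAC", "MEA"}          # assumed output of the regional risk ranking
HIGH_RISK_ACCOUNTS = {"consulting fees", "customs and permits", "gifts and entertainment"}
EMPLOYEE_BANK_ACCOUNTS = {"DE44 0000 1111"}  # constructed payroll bank list


@dataclass(frozen=True)
class Payment:
    id: str
    when: date
    region: str
    account: str      # trial balance account label
    vendor: str
    amount: float
    invoice: str      # empty string = no supporting document on file
    bank: str         # payee bank account


LEDGER = [  # constructed sample extract
    Payment("T1", date(2019, 3, 2), "APAC", "consulting fees", "Harbor Advisory", 4_900.0, "INV-201", "SG12 9999 0001"),
    Payment("T2", date(2019, 3, 9), "APAC", "consulting fees", "Harbor Advisory", 4_900.0, "INV-201", "SG12 9999 0001"),
    Payment("T3", date(2019, 4, 15), "MEA", "customs and permits", "QuickClear Brokers", 2_300.0, "", "AE07 5555 0003"),
    Payment("T4", date(2019, 5, 1), "EU", "office supplies", "Paper Co", 120.0, "INV-77", "DE10 1234 5678"),
    Payment("T5", date(2019, 5, 20), "APAC", "gifts and entertainment", "Lotus Events", 980.0, "INV-310", "DE44 0000 1111"),
    Payment("T6", date(2019, 6, 3), "APAC", "consulting fees", "Harbor Advisory", 45_000.0, "INV-244", "SG12 9999 0001"),
]


def select_sample(ledger: list[Payment]) -> list[Payment]:
    """Sampling protocol: immaterial payments booked to high-risk accounts in high-risk regions."""
    return [p for p in ledger if p.region in HIGH_RISK_REGIONS
            and p.account in HIGH_RISK_ACCOUNTS and p.amount < MATERIALITY_USD]


def find_duplicates(rows: list[Payment]) -> list[tuple[str, str]]:
    """Same vendor and amount paid again within the window (possible double payment)."""
    by_key: dict[tuple[str, float], list[Payment]] = defaultdict(list)
    for p in sorted(rows, key=lambda p: p.when):
        by_key[(p.vendor, p.amount)].append(p)
    pairs = []
    for group in by_key.values():
        for earlier, later in zip(group, group[1:]):
            if later.when - earlier.when <= DUPLICATE_WINDOW:
                pairs.append((earlier.id, later.id))
    return pairs


def missing_documentation(rows: list[Payment]) -> list[str]:
    """Payments with no invoice reference: inadequate documentation."""
    return [p.id for p in rows if not p.invoice.strip()]


def employee_bank_matches(rows: list[Payment],
                          employee_accounts: set[str] = EMPLOYEE_BANK_ACCOUNTS) -> list[str]:
    """Vendor paid to a bank account that also appears in employee master data."""
    return [p.id for p in rows if p.bank in employee_accounts]


def run_analytics(ledger: list[Payment]) -> dict:
    """Apply every test to the sampled population and return the hits per test."""
    sample = select_sample(ledger)
    return {
        "sample": [p.id for p in sample],
        "duplicates": find_duplicates(sample),
        "missing_documentation": missing_documentation(sample),
        "employee_bank_match": employee_bank_matches(sample),
    }


if __name__ == "__main__":
    for test, hits in run_analytics(LEDGER).items():
        print(f"{test:22} {hits}")
```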

© 2020 Copyright NAVEX Global, Inc. All Rights Reserved. | Page 50

Thank You!

