Identifying and assessing thirdparty intermediaries for anti-bribery and corruption risks

Transcription

1 Identifying and assessing thirdparty intermediaries for anti-bribery and corruption risks September 17, 2012 kpmg.com Disclaimer The information contained in this webcast, entitled identifying and assessing third-party intermediaries for anti-bribery and corruption risks, is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 1 1

2 Administrative CPE regulations require online participants take part in online questions You must respond to a minimum of four questions in order to be eligible for CPE credit Polling questions will appear on your media player on top of the slides Do not view the presentation ti on slide show mode polling questions will not appear Send Questions via "Ask a Question" Button Help Desk: or outside the United States at With you today from KPMG Mark Barnes Principal and Global Lead for KPMG s High Growth Markets Center of Excellence Marc Miller Partner and Co-Chair of KPMG s Global Anti-Bribery and Corruption Services Scott Hilsen Director David Hilton Director Marck Aghnatios Director Jilane Khakhar Director 3 2

3 Regulatory framework Transparency International (TI) 2011 world map 5 3

4 Recent case law U.S. vs. Bourke: Business Partner ( Pirate of Prague ) United Industrial Corp.: Agent (retired Egyptian Air Force general) Alcatel-Lucent: Consultant Maxwell Technologies: Chinese Agent InVision Technologies Inc.: Distributor Data Systems & Solutions LLC: Subcontractor 6 Setting the context KPMG 2011 Anti-bribery and Corruption Survey Total respondents: 214 (United States and United Kingdom Top three anti-bribery and anti-corruption risk areas: 1. Auditing third-party compliance 2. Due diligence on foreign agents/third parties 3. Variations with regard to country requirements and local laws (e.g., facilitation payments) Extensive preretention due diligence requirements pertaining to, as well as postretention oversight of, all agents and business partners, including the maintenance of complete due diligence records at the company FCPA Review Opinion Procedure Release No (July 12, 2004) 7 4

5 Setting the context 73 percent of respondents found performing effective due diligence on foreign TPIs challenging or very challenging. KPMG Anti-Bribery and Corruption Survey 2011 How do you define a TPI in your organization? How do you identify which TPIs should be included in due diligence procedures? How do you determine the relative risk of each TPI? How do you determine what level of due diligence to perform on each TPI? How do you implement a comprehensive TPI management process? 8 Polling question #1 What is your organization s biggest challenge regarding third-party intermediaries? A. Identifying the total population of third-party intermediaries B. Determining i which h third-party t intermediaries i should undergo some level l of due diligence C. Assessing the relative risk of each third -party intermediary D. Determining what is the appropriate level of due diligence for each third-party intermediary E. We currently do not assess third-party intermediaries 9 5

6 Polling question #2 During which stage(s) does your organization perform risk assessments on third-party intermediaries in the normal course of business? A. Proactive M&A due diligence B. Retrospectively (e.g., after on-boarding a third party;, a joint venture/business partner) C. Occasionally as required (e.g., when areas of concern or certain risks come to light ) D. Almost never 10 What is a TPI? 6

7 Regulatory definitions any officer, director, employee, or agent 78dd-1 (a) Foreign Corrupt Practices Act The FCPA prohibits corrupt payments through intermediaries. It is unlawful to make a payment to a third party, while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. The term knowing includes conscious disregard and deliberate ignorance. The laypersons guide to the FCPA, U.S. Department of Justice A relevant commercial organisation ( C ) is guilty of an offence under this section if a person ( A ) associated with C bribes another person a person ( A ) is associated with C if (disregarding any bribe under consideration) A is a person who performs services for or on behalf of C. Sections 7(1) and 8(1) Bribery Act Company-based and industry-based scope of potential TPIs Entities we have seen defined as a TPI Purchasing Agents Regulatory Affairs Consultants Lobbyists Travel and Expense Vendors Joint Venture Partners Product Registration Agents Freight Forwarders Customs Agents Resellers Wholesalers Health & Safety Consultants Promotional Consultants Distributors Shippers Sales Agents Brokers Licensees 13 7

8 Better model for third-party management Technology Enablement and Integration TPI Population Identification of Covered TPIs Risk Ranking/ Scoring Due Diligence Review Follow-up 14 Polling question #3 Does your organization have a customized definition of a TPI? A. Yes, the definition is based on our business and operational understanding of the services our vendors provide to us. B. Yes, the definition was provided by external counsel/consultant. C. No, there is no definition but we historically do include certain types of vendor in our due diligence program. D. No, we do not have a customized definition. 15 8

9 Covered TPIs for risk assessment Better model for third-party management Identification Technology Enablement and Integration TPI Population Identification of Covered TPIs Risk Ranking/ Scoring Due Diligence Review Follow-up Obtaining a complete population of third parties Customer Master Aggregation, normalization, and deduplication of data sets: Vendor master files: Consultants, lobbyists, agents, brokers, customs vendors, etc. Broker Files Vendor Master Customer master files: Distributors, resellers, etc. Agent distributor listing: Broker files Distribution records Joint venture agreements Distributor Listing Agent Listing 17 9

10 Better model for third-party management Identification (continued) Technology Enablement and Integration TPI Population Identification of Covered TPIs Risk Ranking/ Scoring Due Diligence Review Follow-up Suppliers Customers Agents Use of data analytics to define population of covered TPIs Application of risk criteria: Vendor service code Vendor industry category Name Expense category Application of Filters and Grouping: Business unit responsibility Geographic Covered TPIs 18 Polling question #4 If your organization has previously attempted to identify its TPIs, what approach did it take? A. Used entire vendor population as a starting point and distilled this down to a list of TPIs B. Identified d each TPI individually id and built up a list of TPIs C. Neither of these approaches 19 10

11 Risk ranking covered TPIs A risk-based approach to integrity due diligence Lower Risk third parties Sanctions/ PEP Screening Volume of Subjects/ Third Parties Astrus reports (Intermediate) In-Depth integrity due diligence Higher Risk third parties Depth of Research 21 11

12 Better model for third-party management Risk ranking Technology Enablement and Integration TPI Population Identification of Covered TPIs Risk Ranking/ Scoring Due Diligence Review Follow-up High Priority /Risk Medium Priority/Risk Low Priority Risk Ranking and/or Scoring Risks are specific to each client and are agreed in advance with management and legal Approach is tailored to client based on responses from management and operations Maximizes compliance resources by focusing on higher risk TPIs Structured, documented and capable of being articulated in compliance program Low Priority/Low Risk 22 Polling question #5 What sources do you rely on to obtain due diligence on your TPIs? A. Internet searches (e.g.,google) B. Sophisticated t desktop research including Internet t and other reputable data sources C. Manual research involving site visits/interviews D. Bit of both A, B, and C E. None of the above 23 12

13 Integrity due diligence for covered TPIs Better model for third-party management Technology Enablement and Integration TPI Population Identification of Covered TPIs Risk Ranking/ Scoring Due Diligence Review Follow-up High Priority /Risk Advanced Enquiries and Investigation Medium Priority/Risk Due Diligence Reports Astrus Low Priority Low Priority/Low Risk Questionnaire-based information request and limited public records verification Structured approach to large number of lower risk TPIs 25 13

14 Astrus Astrus is KPMG s online integrity due diligence tool portal. Astrus reports are standard-scope, fast-turnaround reports based on online public records only. Astrus is aimed at clients who need to screen large numbers of customers or counterparties for integrity/regulatory risks. Cost-efficient first pass as part of a risk-based approach to due diligence Astrus Reports KPMG s Astrus due diligence solution is unit-priced Astrus reports provide risk-indicator reporting based upon client-specific risk tolerances Astrus leverages the collective knowledge of KPMG s Corporate Intelligence network globally to help clients assess reputational, regulatory and jurisdictional risk KPMG s Forensic professionals add value through iterative and local-language research and by applying targeted search strategies depending on the subject The Astrus reports are prepared by trained KPMG professionals. Currently, KPMG can deliver up to 10 reports within 5-7 business days. For larger volumes, KPMG offers agreed upon scheduled deliveries

15 Better model for third-party management Technology Enablement and Integration TPI Population Identification of Covered TPIs Risk Ranking/ Scoring Due Diligence Review Follow-up Review of compliance information can be facilitated by: Simple and clear report Single aggregated report Central Repository for Due Diligence Information and Follow-up System for retaining current and historic due diligence information Disseminated and available to decision makers, compliance, and legal Audit trail of requests, responses, and follow-up The information collected as part of the TPI management process can be used for: Compliance decisions Business decisions Vendor management Exclusion/debarment of certain vendors. 28 Polling question #6 What are your typical time frames to assess your vendors, business partners, (third-party intermediaries)? A. A week to 10 days B. More than two weeks C. Up to a month or longer D. We have no uniform time frame 29 15

16 Technology enablement of TPI management Better model for third-party management Technology Enablement and Integration TPI Population Identification of Covered TPIs Risk Ranking/ Scoring Due Diligence Review Follow-up Due Diligence tools enable the automation of the management, measurement, remediation and reporting of FCPA controls and risks in accordance with regulations, policies, and business decisions: Automate FCPA processes, business rules, and controls Identify and assess TPI risks Manage Red Flag triggers and resolutions Enables end-to-end visibility through real-time reporting and configurable dashboard capabilities Stores centrally TPI questionnaires, Corporate Intelligence Reports, Contracts, Significant Correspondence, etc. Enable role-based actions, notifications, and dashboards Integrate to procurement, training, and third-party databases (D&B, WorldCheck, etc ) Support audit activities based on identified areas of risk Facilitates TPI research on historical data Enables annual or configured periodic Due Diligence renewals 31 16

17 FCPA technology elements Categories of TPI TPI Scope Management Extract global TPI list i.e. ERP or Procurement systems Import and analyze data source (s) Identify Third Party Intermediaries (TPIs) categories in scope for due diligence Identify and extract full population of Third Party Intermediaries (TPIs) in scope Training & Contract Management Capture training data and confirmation of completion Capture contract related information i.e. contract type, contract start and end dates, contract reference code (s) Build business rules for notification of contract expiration or renewal FCPA Technology Elements Risk & Due Diligence Management Initiate Due Diligence process for individual TPIs and conduct qualitative and quantitative analysis: Business Justification, TPI Questionnaire, FMV Assessment Identify red flags and TPI risk rating triggers escalation and additional reviews Determine necessity of corporate intelligence reports. Retain TPI for on-boarding or Not-Retain TPI and capture assessment data. TPI Scope Enterprise Integration Integrate with enterprise systems and applications for downstream or upstream data requirements i.e. ERP or Procurement systems Integrate with third party vendors to capture background check data i.e. WorldCheck, D&B Reporting Management Generate reports to capture TPI status: Retained, Not Retained, In Progress, etc Break-out reports by Region, TPI Category, etc Generate reports for TPIs that are due for renewal Build dashboards to provide real-time data on TPIs, and accommodate various user roles: business sponsors, regional, compliance officer, regional business & compliance 32 TPI due diligence process Sample workflow Business Representative (BR) logins into TPI DD Tool BR Initiates New DD Process TPI completes DD Questionnaire BR completes DD Questionnaire Manage Contract and DD Training 1. TPI Qualification Process The TPI qualification process is tracked and managed within the TPI DD tool. DD Survey may include the following sections: Business justification Selection criteria Annual certification FMV assessments Sub-TPI due diligence Renewal 3 years Government connections Background check Etc. Identifies and Reviews Red Flags Regional Business and Route Red Flags for Final Report Review, Compliance Leader Reviews Corporate Intelligence Risk Approve/Deny TPI Red Flags Assessment On-boarding 2. TPI Profile Review Red Flag ID Red Flag criteria/scoring rules are designated within the TPI DD tool, and are automatically flagged to the Compliance Officer and Regional and Compliance Leaders. 3. TPI Risk Assessment Request is triggered to conduct corporate intelligence gathering (Astrus reports) to validate self-reported info and assist with assessment of red flags. 4. TPI DD Resolution Acceptance or Denial of TPI on-boarding

18 Questions? Today s presenters Mark Barnes mbarnes1@kpmg.com Marc Miller marcmiller@kpmg.com Scott Hilsen shilsen@kpmg.com David Hilton dhilton1@kpmg.com Marck Aghnatios maghnatios@kpmg.com Jilane Khakhar jilanekhakhar@kpmg.com 35 18

19 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. 19