TRANSACTION SCREENING FOR COMPLIANCE RISKS


2014

Background

So you've done your Due Diligence. What are the Next Steps?

Beyond Due Diligence

Escalation
- How are the red flags appropriately escalated?

Evaluating Red Flags
- After further fact gathering, how are you going to analyze the information?
- What risk evaluation are you going to make?

Apply Risk Reducing Steps
- What actions are required to mitigate the risk?

Monitoring and Measuring
- How is this risk going to be monitored over time?
- How is the ongoing risk going to be measured?

Risk Reducing Factors

Contractual Controls
- Rep and warranty from Director(s)
- Additional audit clauses
- Restrictions around MDF's
- Restrictions selling certain named 3Ps
- Requirements to push down compliance to sub-tiers
- Detailed invoices as to what Client is paying 3P to do
- Payment methods stipulated as noncash

Training
- Annual requirement
- e-learning
- Directors/Vendor facing sales
- Evidence that the 3P have trained their employees

Compliance program
- Provide copies of compliance program
- Copies of annual audits of CP
- Draft and implement a CP
- Regular meetings to discuss compliance interviews with senior management
- GTE restrictions

Customer Restrictions
- Special approvals needed for certain customers
- Limits placed on use/selection of subcontractors
- Limits on use of sub-distributors (or approvals required in advance)
- Blacklist certain customers

Employee Restrictions
- Pre-approval for certain employees (e.g. former government employees)
- Requirement for background checks
- Allow audit/produce copies on background checks (senior employees)
- Provide list of employees who do work for Client

Audit
- Requirement to allow vendor to audit books and records on CP
- Reduce all internal audits
- Notify all extended investigations
- Produce all internal audits on request
- Notify on all subpoenas and government requests (related to bribery/corruption/fraud)

Certifications
- Annual certification by company/directors
- Certification of certain activities
- Sign Client CoC or Partner Policy
- Certification not to sell to certain markets

Refresh Due Diligence
- Obtain corporate records/information from the company directly
- Meeting to discuss inconsistencies
- Review of media annually
- Separate investigation/DD on a principal/litigation record/incident
- Repeat DD annually/bi-annually
- Regular questionnaire
- Culture assessment
- Conduct Site Visit

Leading Edge

All this is fine. But how do you manage the actual risks of the transaction?

The Problem
- Too many companies focus on due diligence, then implement controls and (some, albeit limited) monitoring, then walk away
- Most due diligence passes: there is only so much that you can find in a public records search
- They file the documents and the due diligence and hope that the ultimate transaction or the engagement is clean and as proposed

The Objective
- The objective is to get ahead of the curve
- Stop corruption or non-compliant practices before they happen
- Too much is done after the fact and Compliance is cleaning up the practices
- The aim is to get ahead of it and predict when it occurs or is likely to occur

Predictive Analysis
- You want to have a system that predicts when non-compliant events are going to occur
- To have this you need 2 key pieces:
  - Access to Data
  - Knowledge on risks
  [Diagram label: Prediction]

Transaction Monitoring

Ideally, you want to have a model in place that not only looks at due diligence and their overall integrity (and maintains that), but also:
- Considers each transaction
- Validates that the transactions are not tainted with illegality
- Makes sure each transaction is authorized, approved, and in accordance with what you understood was the case when the third party was approved

Examples of Transaction Checks: Channel Partners
- Watch each transaction to know whether it is in compliance
- Special payment mechanisms are not requested
- Discount or margin approvals are understood and approved
- Delivery mechanisms for products that look unfamiliar
- Changes in services scope which change the risk profile
- Acting outside the agreed contract services
- That SOWs, often negotiated by the business, are within scope and compliant, as they often lack proper oversight from finance and legal
- That payments and recovery of expenses are approved and within scope and compliant

Examples of Transactional Checks: Suppliers
- Change in scope of supplier
- Payment mechanisms
- Increase in volume with supplier
- Changes in ordering activity
- Delivery term changes
- Additional payments or changes in payment terms

Example: Grey Market Selling
- Partners that have been approved by the due diligence process engaged in counterfeit or grey market selling
- You need the ability to identify when an order is placed
- What are the characteristics of an order that might lead to grey market?
  - What products are in our experience always at risk of grey market?
  - What size of order do we typically see leads to grey market?
  - Does the involvement of specific countries increase the risk of grey market?
  - Does a type of discount give rise to a grey market risk?
  - What product mix gives rise to a grey market risk?

Example: Grey Market Selling

You want to have a solution that:
- Scans every order that goes through the system and, in real time, runs the algorithm against the orders to flag any that meet the criteria, based on a statistical likelihood of issue
- Those that are identified are, in real time, flagged to someone to assess and review before products are shipped

Example: Corruption
- Partners that have been approved by the due diligence process engaged in corrupt practices
- You need the ability to identify, when an order is placed, what might be a corrupt deal:
  - Larger discount requested
  - Urgent deal
  - Specific customer or location of customer
  - Specific sales rep (or partner) that has had issues previously
  - A deal where a cross reference to a sales rep shows that large entertainment took place previously
  - A deal where a consultant was engaged by the subsidiary around the same time, in the same area, with unclear objectives of delivery

Example: Corruption

You want to have a solution that:
- Actively searches deals in an automated way, looking for the indicia of a corrupt deal
- You need to know what those indicia are for your company
- You need to test them over time and try

How do you do it? Data
- In order to make this all work, you need to invest time in the data access
- Most companies will have a large data mart that is either available to applications, or you can build a replica data mart or access a subset of that data
- You need live access to the data

How do you do it? Application
- You will need a Big Data software application
- IBM's SPSS or other software that will allow you to search across large aspects of data quickly

How do you do it? Knowledge
- You need to know a lot about the historical issues in the company
  - Where have you had issues?
  - Where are issues likely to arise?
- You need to establish where you need to look across the data
- This is by far the hardest challenge and will require support from internal and potentially external experts

How do you do it? Escalation Paths
- You need to establish what to do once you get a hit
- Who looks at the live deal, how, when and what are they looking for
- These are likely to be live deals which are time pressured, so the analysis and freeze on deals need to be carefully managed

How do you do it? Recalibration
- You need to recalibrate the assessment criteria often, based on the number of hits that you get and how many of them are false positives
- Also recalibrate to see new risks that are appearing

Thank you
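An added example, not part of the original slides: a minimal weighted screen over the corruption indicia listed under "Example: Corruption", with the recalibration step from the last slide lowering the weight of any indicium that reviewers mostly cleared. The weights, thresholds, field names and sample deals are constructed assumptions.

```python
# Constructed weights for the corruption indicia named in the slides; a real
# programme would set them from its own historical issues.
WEIGHTS = {"large_discount": 3, "urgent": 1, "risky_location": 2,
           "rep_prior_issues": 3, "prior_entertainment": 2}

def indicia(deal, ctx):
    """Return the set of indicia that fire for one deal (a dict)."""
    checks = {
        "large_discount": deal["discount_pct"] >= ctx["discount_limit_pct"],
        "urgent": deal["urgent"],
        "risky_location": deal["country"] in ctx["risky_countries"],
        "rep_prior_issues": deal["rep"] in ctx["reps_with_issues"],
        "prior_entertainment": deal["rep"] in ctx["reps_with_entertainment"],
    }
    return {name for name, fired in checks.items() if fired}

def screen(deals, ctx, weights, threshold):
    """Map deal id -> sorted indicia for deals scoring at or above threshold."""
    flagged = {}
    for deal in deals:
        hits = indicia(deal, ctx)
        if sum(weights[h] for h in hits) >= threshold:
            flagged[deal["id"]] = sorted(hits)
    return flagged

def recalibrate(weights, reviews, min_reviews=3, floor=0.25):
    """Lower by one the weight of any indicium that reviewers mostly cleared.

    reviews: (indicia_set, confirmed) pairs recorded by the escalation reviewers.
    """
    new = dict(weights)
    for name in weights:
        outcomes = [ok for hits, ok in reviews if name in hits]
        if len(outcomes) >= min_reviews and sum(outcomes) / len(outcomes) < floor:
            new[name] = max(0, weights[name] - 1)
    return new

# Constructed sample data, not taken from the slides.
CTX = {"discount_limit_pct": 30, "risky_countries": {"XX"},
       "reps_with_issues": {"rep-7"}, "reps_with_entertainment": {"rep-7"}}
DEALS = [
    {"id": "D1", "discount_pct": 35, "urgent": True, "country": "XX", "rep": "rep-2"},
    {"id": "D2", "discount_pct": 10, "urgent": True, "country": "YY", "rep": "rep-3"},
    {"id": "D3", "discount_pct": 12, "urgent": False, "country": "YY", "rep": "rep-7"},
]
REVIEWS = [({"urgent", "large_discount"}, False), ({"urgent", "risky_location"}, False),
           ({"urgent", "rep_prior_issues"}, False), ({"rep_prior_issues"}, True)]
```

Calling `screen(DEALS, CTX, WEIGHTS, 5)` returns the deals to hold for review before shipment, and `recalibrate(WEIGHTS, REVIEWS)` returns the adjusted weights for the next run.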