2/13/2013
February 27, 2013
Ryan McConnell, Partner, Morgan, Lewis and Bockius
Eric Morehead, Sr. Compliance Counsel, Corpedia, an NYSE Euronext Company
AVOIDING THIRD PARTY SURPRISES
AGENDA
•Third Party Risks – Why Do We Worry?
•Due Diligence
•Ongoing Monitoring
•Training and Other Third Party Considerations
•Trade Control Pitfalls
•FCPA Auditing Process
WHY IS FOCUS ON THIRD PARTIES SO IMPORTANT?
Willie Sutton Rule for Third Party Risk
Third party relationships are where the risk is at
Third parties present compliance barriers
Lack of control / Including joint ventures and with partners
Different cultures / foreign business environment
Distance and logistics
WHY DO WE WORRY?
Third parties are where the regulatory focus is currently
Over 85% of FCPA cases in the last five years related to third party actions
Third parties expose organizations to environmental, health and safety, labor and human rights, data privacy and a myriad of other risks
Risk‐based due diligence can be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program
WHY DO WE WORRY?
Organizations are held to high legal standards regarding third party acts
Anti‐Bribery provisions: “[K]nowledge is established if a person is aware of a high probability of the existence of [the particular] circumstance, unless the person actually believes that such circumstance does not exist.”
Accounting provisions: strict liability
WHO ARE THIRD PARTIES TO WORRY ABOUT?
•Agents who represent your Company before foreign government officials
• Commercial Sales Representatives (CSRs)
• Legal Domestic Representative
• Sales/Marketing Agents
•Processing Consultants
• Freight forwarders/customs brokers
• Visa processors
• Security providers
•Professional Consultants
• Attorneys / tax firms
WHO ARE THIRD PARTIES TO WORRY ABOUT?
•Joint Venture Partners
•Other agents or representatives who do not represent your Company before foreign government officials – for example:
• distributors and resellers
• suppliers and vendors
• contractors and sub‐contractors
• service providers
• charities and NGOs
• and…
PANALPINA: A REASON TO WORRY
2010 DOJ/SEC investigation
Millions in improper payments to customs officials by Panalpina on behalf of numerous oil and gas companies
Began with 2007 DOJ settlement with Vetco Gray
Panalpina ‐ $81.8 million in fines and penalties
Panalpina’s clients collectively paid nearly $155 million in fines and penalties
Royal Dutch Shell plc
Pride International Inc.
Transocean Corp.
GlobalSantaFe Corp.
Noble Corp.
Tidewater Inc.
2012 FCPA RESOURCE GUIDE
Recognizes that third parties are commonly used to conceal the payment of bribes
Recognizes that the degree of risk‐based due diligence will vary based on industry, country, size and nature of the transaction, as well as historical relationships
2012 FCPA RESOURCE GUIDE
3 guiding principles of “risk‐based due diligence”:
First, companies should understand the qualifications and associations of partnerships, including business reputation and connections with foreign officials
Second, companies should understand the business rationale for including the third party in the transaction
Third, companies should undertake some form of ongoing monitoring of third‐party relationships (i.e. audits)
DUE DILIGENCE
PEER COMPANIES ARE CONDUCTING DUE DILIGENCE ON THIRD‐PARTY AGENTS AND BUSINESS PARTNERS
• Yes: 73%
• No: 23%
• Doesn't apply: 4%
Source: 2011 ACC/Corpedia Survey
OKAY, SO HOW DO WE APPROACH DUE DILIGENCE?
•With a plan
• Bring in stakeholders from the C‐Suite to the BU’s.
• Look at peer organizations
• Establish risk universe – what are the organization’s risks?
• Sort or “tier” third parties based on risk
• Establish your due diligence plan
• Designate team members and their continuing responsibilities
• Don’t forget to include IT – you’ll want to utilize automation for these processes
RESEARCH THE RISK UNIVERSE
•Don’t just round up the usual suspects
•Talk to “boots on the ground”
•Surveys and knowledge assessments are some of the best tools in your toolbox – look at historical trends
•Talk to audit
•Look at hotline/helpline and open door report trends
•Employee disclosure forms / exit interviews
RESEARCH THE RISK UNIVERSE
•Talk to third parties (current and former)
•Review third party files / explore history of those relationships
•Talk to peer organizations
•Review resources (SCCE & Ethisphere)
•Talk to consultants and outside counsel (if you must)
This research will direct your risk assessment process
WHAT IS A RISK ASSESSMENT?
•Basic parameters are determining likelihood of risk coupled with severity
•Severity is economic severity – all of the costs of an event to that organization
•Likelihood is based on both internal and external factors
APPROACHING RISK ASSESSMENT
•“Tiering” or organizing risk based on unique factors
•Some common factors include, but aren’t limited to:
• Region of the world (Transparency International listings – www.transparency.org)
• Type of business
• Volume or dollar value of business
• Critical nature of supply or particular product
• Relationship of third party to government officials
• Third party’s “rap sheet” – does the organization (or its principals) have a history?
A common tiering method is to score based on these factors and then assign review based on score
TIERING THIRD PARTIES FOR DUE DILIGENCE REVIEW
TIERS I II III
Simple questionnaire (non‐authenticated)
Certifications (including COC and specific risks, training)
Cross‐check to relevant databases
Detailed questionnaire
Document request (including financials)
Assessment of third party compliance program (verification)
Review and interview of principals
On‐site visit and audit
Once a score is assigned, then the third parties to be reviewed can be split into tiers based on risk
THIRD PARTY VETTING BY PEER ORGANIZATIONS
• Certification: 55%
• Documentation requests: 52%
• On‐site visits: 49%
• Spot checks: 48%
• Independent third‐party audits: 30%
• Other: 5%
What methods does your organization employ to conduct due diligence on 3rd parties? (Select all that apply)
Source: 2011 ACC/ Corpedia Survey
DUE DILIGENCE METHODS
Certifications
Most common type of due diligence
In most circumstances won’t be seen as effective on its own
Often included in the terms of the contract/agreement with the third party – in other words – it can be boilerplate
DUE DILIGENCE METHODS
Third parties often certify to:
Codes of conduct, or supplier codes of conduct
Specific anti‐bribery or anti‐corruption statements or policies
Often these summary statements or supplier codes are not the same as other organizational policies; organizations should make sure that:
Such statements, policies or certifications are in the appropriate native language
And that they cover the relevant risk topic (such as anti‐corruption) in sufficient detail
Training
Organizations should make sure that any training is sufficient, well documented and delivered in the appropriate language
DUE DILIGENCE METHODS
The questionnaire
Filled out by the third party?
How is it reviewed?
Attachments required?
How is it tracked?
DUE DILIGENCE METHODS
The Questionnaire ‐‐ Some topics to cover include:
List of contacts with government
Prior audits including government audits
Risk topic policy and training
Anti‐corruption
COI
HSE, human rights, export controls
Ownership / principal employee history
Results of any inspections or assessments
Due diligence of their third parties and sub‐contractors
DUE DILIGENCE METHODS
Document requests, including, but not limited to:
Incorporation / ownership documentation
Details about their history and operation
Books – including AP, bank statements and other documents to determine money flows
Past business documentation (order information, past invoices, etc)
DUE DILIGENCE METHODS
Internal review
Searches both public (Google, LinkedIn) and private (Dun & Bradstreet, etc.)
Review of any materials provided by the third party
Accounting records
Compliance program materials (training, policies)
Questionnaire and other responses
Litigation / regulatory history
ADDITIONAL DUE DILIGENCE METHODS
Conduct international watch‐list screening
Conduct interviews with local regulators or industry peers to determine reputation
Conduct a site visit (discreet or not)
Hire a third party to conduct in‐country due diligence
ONGOING MONITORING
HOW DO PEER ORGANIZATIONS MANAGE ONGOING RELATIONSHIPS WITH THIRD PARTIES?
• Encourage 3rd party certifications: 18%
• Encourage 3rd party to maintain a hotline: 25%
• Periodic audits: 45%
• Categorize agents by risk level: 45%
• Provide compliance training: 54%
• Targeted communications to 3rd party: 54%
• Ongoing compliance monitoring: 64%
• Require Code acknowledgement: 66%
• Written Code applicable to 3rd parties: 71%
• Make hotline available to 3rd parties: 81%
• Conduct due diligence in selection process: 84%
• Train employees to spot red flags: 84%
• Explicit contract provisions for compliance: 90%
Source: 2011‐12 Ethisphere EQ Data
THE ONGOING RELATIONSHIP
•Don’t Forget The Tiers
• Base scope and frequency of review on risk tiers
• Adjust for changes – such as ownership/leadership shifts with third parties
•Consider an Automated Solution
• Look into a database if you have hundreds rather than dozens of third parties
•Don’t Be Afraid To Pull The Trigger
• Ask questions
• Enforce audit rights
• Demand to see documentation
•Have a Defined Process – Who Makes the Call to Cut Ties?
TRAINING AND OTHER THIRD PARTY CONSIDERATIONS
TRAINING PRIORITIES DON’T REFLECT RISK
Source: ACC-Corpedia 2012 Compliance Program and Risk Assessment Benchmarking Survey
Compliance Training Provided According to Risk Area
TRAINING
•Build Awareness
•Accessibility
• Language
•Cast a wide net – include:
• Back office
• Audit
• Third Parties
OTHER THIRD PARTY CONSIDERATIONS
•Supplier Code
• Translated?
• How does it compare to COC?
• What risk topics does it cover?
• Does it include oversight language?
•Hotline Available to Third Parties
•Other Compliance Resources
•G&E Tracking and pre‐approval
U.S. SANCTIONS AND EXPORT CONTROLS ISSUES
U.S. economic sanctions forbid:
• Directly engaging in, or
• Facilitating others engaging in
prohibited dealings with sanctioned countries, governments, persons or activities
Deemed Export Risk:
• Facility visitors
• Intra‐company networks
• International training
• International work environments
RECENT CORPORATE U.S. TRADE CRIMINAL PROSECUTIONS
•Banking – Credit Suisse ($536 m) and ABN Amro ($500 m): Deliberately removed material information for customers in Iran, Libya, the Sudan and Cuba, such as customer names, bank names and addresses, from payment messages so that the wire transfers would pass undetected through filters at U.S. financial institutions.
•Oilfield Services – Agar Corporation ($2 m): Facilitated the export of multi-phase flow meters by an affiliate in Venezuela to the Sudan for use in the Melut Basin oilfield. A recent Weatherford 10-Q disclosed that the company had spent over $110 million on investigation costs for FCPA and sanctions investigations involving sales in Iran, Cuba, Sudan, and Syria and had incurred $53 million in costs related to its exit from sanctioned countries.
•Defense Industry – BAE ($400 m): Admitted to making false statements and failing to make required disclosures to the U.S. government, as required by the AECA and ITAR. As part of the licensing scheme, applicants are required to identify to the State Department associated commissions, whether they are legitimate commissions or bribes, paid to anyone who helps secure the sales of defense materials. BAE admitted that, as part of the conspiracy, it knowingly and willfully failed to identify commissions paid to third parties for assistance in soliciting, promoting or otherwise securing sales of defense items.
DEEMED EXPORTS
•Deemed export – release of controlled technology to a foreign person in the U.S. is deemed to be an export to that person’s country or countries of nationality – must get a license before releasing controlled technology
•60% of licenses processed by BIS are for PRC nationals, followed by India (13%), Iran (8%), Russia and Germany (2%) and UK (1%)
•Most applications processed in 36 days
•Voluntary Self‐Disclosures FY2005‐FY2009
• Civil penalty resulting from settlement agreement is an average of 44% of the maximum fine (average over the 7 cases)
• 4 of 7 cases (over half) involved information released to foreign nationals from the People’s Republic of China
• 2 of 7 cases involved information released to Ukrainian foreign nationals
• 2 of 7 cases involved information released to Russian foreign nationals
• 4 of 7 cases (over half) involve companies in the semiconductor industry
Mitigating U.S. Export Control and Sanctions Risk Through Compliance
CHARGING ANALYSIS
EXPORT CONTROLS AND/OR TRADE SANCTIONS IN CODES OF CONDUCT: MAIN JUSTICE STORY
Of 48 oil and gas company Codes of Conduct analyzed, 19 include export controls and/or trade sanctions policies. (approx. 40%)
Of 22 technology company Codes of Conduct analyzed, 14 include export controls and/or trade sanctions policies (approx. 64%)
OIL AND GAS COMPANY EXPORT CONTROLS AND/OR TRADE SANCTIONS DATA
Of the 19 Codes that include export control policies:
• 6 include guidance tailored to the company’s industry/business (e.g., company-specific export compliance risks)
• 3 include an explanation of the basic purpose of export controls (e.g., address importance in the protection of national security and foreign policy interest in the U.S.)
• 6 list possible penalties for violations of export law
• 13 tell employees where to direct their questions and/or where to seek guidance on export compliance
• 2 emphasize the importance of accurate record-keeping and documentation for exports
FCPA AUDIT PROGRAM
FCPA AUDIT PROGRAM
Company’s Internal Operations (Internal Audits)
Outside Operations (Third Party Audits)
Joint Ventures (JVs) (Joint Venture Audits)
FCPA AUDIT PROGRAM – KEY ELEMENTS
•Risk assessment
•Planning
•Interviews
•Transactional testing (Accountants)
•Discuss findings / remediation
•Reporting
•Follow‐up procedures
FCPA AUDIT PROGRAM ‐ RISK ASSESSMENT
•“Risk” based
•The genesis of a Risk Assessment Program
• Self‐initiated
• Settlement / Monitor
How often conducted?
FCPA AUDIT PROGRAM ‐ RISK ASSESSMENT
•Select metrics to prioritize markets
• Revenue/Growth
• Corruption Perceptions Index (CPI)
• Number of DOJ/SEC investigations
• Number of Third Parties
• Others?
•How to weigh various metrics?
FCPA AUDIT PROGRAM – PLANNING
Gain an understanding of local laws on facilitation payments. Even though these may not be allowed under Company policy (except in limited circumstances), they could even be illegal in some countries adding to the seriousness of any violation. A good source would be Trace International;
Gain an understanding of the country economic conditions and standard of living to help conclude on whether customer entertainment expenses are considered ‘extravagant’ relative to the local cost of living (sources: The Big Mac Index (http://www.economist.com/content/big‐mac‐index) and country gross domestic product per capita information);
FCPA AUDIT PROGRAM – PLANNING
Obtain names and other information on key Government officials in the country (e.g. President, Prime Minister, Minister of Petroleum, and any other key officials);
Review of third party agents, especially those who represent the Company before foreign government officials;
Review business activities (revenue) with governmental entities and National Oil Companies; and
Review details of open and closed internal investigations (talk to your friends in audit).
INTERNAL AUDITS – PLANNING
•Who conducts audit?
• In‐House (Legal and Internal Audit)
• Outsiders (Law Firm and Accounting Firm)
•Staffing
•Travel
•Full process audit of location first ‐ analyzing document/approval flow and internal control structure, including FCPA exposure areas such as Cash, Petty Cash, Vendor Set‐up and Maintenance, Vendor Payments, and Payroll
INTERNAL AUDITS – PLANNING
Identify key finance personnel and local operations management
Understand the legal entity structure of the divisions operating within the country and whether there are any JVs
Obtain financial statements for the period under review, including full trial balance and chart of accounts
TRANSACTIONAL TESTING
•Identify certain transactions related to key risk factors for testing purposes. The risk factors in focus include Compliance Sensitive Accounts and the recording of transactions to the general ledger/subledgers:
• Charitable Contributions/Political Donations
• Commissions/Discounts/Rebates/Credit Notes
• Customs expense, including freight forwarders
• Expediting/Extortion/Facilitation payments
• Fines and Penalties (tax, customs, visa)
• Gifts
TRANSACTIONAL TESTING
• Licenses, Permit Fees and regulatory expenses
• Lobbying
• Marketing / Promotion expenses
• Petty Cash
• Security expenses
• Sponsorships
• Third Parties
• Trade Association/Memberships/Training/Seminars/Conferences
• Travel, meals and entertainment of key employees
• Visa/Immigration Assistance
• Review of contracts and invoices for third parties, including processing consultants and professional consultants
INTERVIEWS
•Selection of interviewees
• Representative Sample: Leadership, Sales/Marketing, Operations, Logistics, Human Resources, Finance, HS&E, Real Estate, Legal
• Focus on those who interact with third parties/government
• Optics of interviews
• Phone interviews
•Thoroughly understand the interviewee’s job responsibilities
•Perceptions of corruption within country/industry/company – get lots of local color commentary
•Focus on “high risk” areas of company
INTERVIEWS
•Inquire about issues that arise from books and records review (don’t put chicken before the egg if you can help it)
•Present and future focus: not an internal investigation
•Controls environment is key focus
•Do interviewees take compliance seriously?
•Questions about other compliance areas – trade, antiboycott, anti‐money laundering, data privacy?
FINAL THOUGHTS ON INTERVIEWS
A FRIENDLY EAR CAN BE IMPORTANT
Even honest employees can get caught up in circumstances that involve misconduct
Be aware of pressure from above
Managers
Goals and targets
Be an empathetic sounding board
Reiterate, often, the anti‐retaliation message
Consider culture – speaking up may not be a priority everywhere
REPORTING AND FOLLOW‐UP
•Audit report(s)
• Legal report (Chief Compliance Officer)
• Finance report (Head of Internal Audit)
•Style / aim of report(s)
•Dealing with related investigations and/or sticky issues that arise from audit
•Modes of communication other than reports
•Getting management’s support
• Audit recommendations
• Compliance program in general
•Future oversight
FCPA AUDIT RIGHTS (THIRD PARTIES AND JVS)
Contractual right to examine books and records to ensure compliance with Third Party /JV Agreement and anti‐corruption laws
How hard to push?
Privacy considerations
Attempts to limit circumstances when audit may be conducted
FCPA AUDIT RIGHTS (THIRD PARTIES AND JVS)
Attempts to limit scope of audit
Contractual provision requiring that Third Party or JV / JV Partner maintain books and records in “reasonable detail,” and also adequate internal controls
Remedies for breach for these provisions, including termination
If you have audit rights ‐‐ use them!
THIRD PARTY AUDITS
•Risk Assessment
• Geography
• Nature of Third Party Relationship
• Exposure
•Planning
• Audit rights
• Your company’s business unit
• Communication with third party and pre‐audit requests / questionnaires
• Size and “compliance awareness” of third party
•Communicating findings and recommendations to third party
JOINT VENTURE AUDITS
•Risk Assessment
•Ownership versus management control
• Majority management (>50%) = audit JV partner
• Minority management (50% or less) = audit JV entity
•Is JV partner a state owned enterprise (SOE)?
•Pre‐audit document review
•Assess compliance program, if any
• Code of conduct?
• Anti‐corruption policies, training?
• Board resolutions, minutes?
• Hotline and non‐retaliation policy?
• Influence of parent companies?
• Procedures for internal investigations?
•Special challenges with implementing recommendations
Thank You