Managing Third Party Information & Data
Presented by Michael Volkov | CEO, The Volkov Law Group LLC
Copyright © 2019 NAVEX Global, Inc. All Rights Reserved.
Agenda
• DOJ and OFAC Expectations
• Best Practices Third-Party Risk Management
• Optimizing Information Management
• Defining Risk Procedures Through Data
• Automated Third-Party Risk Management
• Key Takeaways
• Panel Discussion
www.navexglobal.com
DOJ & OFAC Expectations
DOJ & OFAC Issue New Compliance Guidance
• The Department of Justice published its updated Evaluation of Corporate Compliance Programs in April 2019
• The Department of the Treasury's OFAC published its Framework (June 2019): robust, prescriptive, and imposing significant new obligations on companies involved in the international economy
3 New Questions from DOJ
• Is the program well-designed?
• Is the program effectively implemented?
• Does the compliance program actually work in practice?
OFAC Guidelines on Sanctions Risk Assessment
• Risk Assessment must consist of a “holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.”
• Required elements
− Clients and customers
− Products and services
− Supply chain
− Intermediaries and counter-parties
− Transactions
− Locations
− Potential mergers and acquisitions, particularly non-US companies
Best Practices Third-Party Risk Management
Determining Risk Profile
• Identify and weigh your risks:
− Is the company’s risk assessment process effective, is the company’s compliance program tailored to the risk assessment, and are the risk criteria “periodically updated”?
• Global companies involved in international business
− Foreign official interactions and bribery
− International sanctions
− Money laundering
− Export licensing and sanctions
− Third-Party business partners (e.g. vendors, suppliers, intermediaries)
Third Party Risk Management
• Does the process for third-party due diligence and risk management correspond to the enterprise risk associated with the activity?
• Has the process been integrated into procurement and vendor management?
• Appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationship with the third party
Third Party Risk Management (continued)
• Guiding Principles
− First, qualifications and associations of its third-party partners, including its business reputation and relationship, if any, with foreign officials
− Second, business rationale for including the third party in the transaction
  • Contract: services to be performed and invoicing and payment methods
  • Payment terms comparable to market
  • Document actual performance of work
− Third, companies should monitor the third party: can include updating due diligence, exercising audit rights, providing training, and requesting annual compliance certifications
Due Diligence & Independent Research
• Companies have to develop a sanctions risk rating for customers, customer groups, or account relationships
− Due diligence
− Independent research
− Information will guide the timing and scope of future due diligence efforts
• M&A transactions “which, in recent years, appears to have presented numerous challenges with respect to OFAC sanctions”
− Compliance function should also be integrated into the merger, acquisition, and integration process
10 Elements of Third-Party Program
• Written policies and procedures
• Contractual certification
• Business sponsor participation
• Internal review and approval process
• Pre-defined tier levels and requirements for due diligence (basic, enhanced)
• Risk ranking process with consistent risk rule application
• Red flag protocol to identify and resolve red flags (must be outside business)
• Advice of counsel and documentation
• Rational assessment of “representational” vendors and suppliers
• Monitoring and auditing program strategies to reflect risk
Optimizing Information Management
Compliance Vision Beyond DOJ Requirements
• Compliance industry is moving fast
• Technology and innovation
• Data analytics
• Artificial Intelligence
• Machine learning
• Sophisticated strategies for monitoring, testing and auditing
• Replacing reactive – e.g., classic audit retrospective testing
• Proactive monitoring culture, rules compliance, and risk indicators
OFAC Information Management Requirements
Three prescriptive requirements for reliance on information technology solutions:
• Selection: Which solutions did you consider and why did you select the specific solution?
• Calibration: What settings did you implement in the screening software and how does this incorporate your risk assessment and profile?
• Routine Testing: How often do you test your solution to ensure that your results are accurate and reliable?
Defining Risk Procedures Through Data
4 Required Steps For Minimizing Risk
• Information Collection
• Analysis and Investigation
• Red Flags & Resolutions
• Residual Risk Mitigation
Information Collection: Defining Risk by Class
• Representatives (e.g., agents and distributors)
• Vendors or suppliers that
− Are government-owned or controlled or have foreign government ownership; and/or
− Interact on company behalf with foreign government officials (e.g., customs brokers)
• Professionals that
− Are government-owned or controlled or have foreign government ownership; and/or
− Interact on company behalf with foreign government officials
• Vendors or suppliers with
− Transactions above a threshold revenue/contract amount; and
− Located in a country with CPI of <50
• Vendors or suppliers with
− Transactions below a threshold revenue/contract amount; and
− Located in a country with CPI of >50
Information Collection: Additional Risk Factors
• Suspicious or unusual compensation (high commission or fees)
• Individuals or entities with questionable reputation
• Shell companies
• No significant experience relevant to the business or organization
• Individuals who claim to have special relationship with a foreign official
• Family connections to government officials
• Agents recommended by foreign officials
• Objection to anti-bribery contractual provisions
• Requests for political or charitable contributions
• Vague scope of work or description of services
• Existing or former foreign official (or close ties)
Analysis & Investigation: High-Risk
• High-Risk: Level I: Red/Yellow flags need to be investigated and resolved for
− Authorized Agents and Distributors (acting on our behalf)
− Vendors/Suppliers that (1) are government owned or controlled or have foreign government official ownership; and/or (2) interact on our behalf with foreign government officials
− Professionals that (1) are government owned or controlled or have foreign government official ownership; and/or (2) interact on our behalf with foreign government officials
Analysis & Investigation: Medium & Low-Risk
• Medium Risk: Level II: red/yellow flags need to be resolved for
− Vendors/Suppliers (1) above threshold revenue/contract amount; and (2) located in a high or medium risk country (< 70 CPI)
• Low Risk: Level III: red/yellow flags need to be resolved for
− Professionals that do not interact on our behalf with foreign government officials (includes nominees, lawyers, accountants, consultants)
− Vendors/Suppliers below contract amount and not located in high-risk or medium-risk country (70 or above CPI)
Red Flags: Common Issues for Investigations
• Government ownership (e.g., state-owned enterprises)
• Government official/political party ownership (or closely-affiliated)
• Sanctions, Denied Parties, Watch Lists
• Civil/Criminal allegations, misconduct and/or convictions
• Regulatory allegations and violations
• Other reputational concerns and “red flags”
Red Flag Investigations & Resolutions
Investigations
• Independent research
• Internet
• Additional database intelligence or research
• Potential enhanced due diligence report
Resolutions
• Memorandum analyzing specific risk factor
• Explanation of information:
− Does not warrant further inquiry
− Does not raise significant risk that third party will engage in bribery
Resolutions: Principles
• Review EDD and determine whether the risk can be mitigated by:
− Contractual protections
− Specific representations critical to resolution, and/or
− Enhanced audit and oversight
• For reputational concerns: Presumption to proceed unless significant type of misconduct that raises real and substantial reputational risks.
• For civil/criminal allegations, misconduct and/or convictions, and for regulatory violations
− Presumption to proceed unless (1) same entity (not an individual officer, employee); (2) same business line; (3) same country; (4) high-risk misconduct or regulatory violation.
Resolutions: High-Risk
• Resolution Steps for High-Risk: Level I: red/yellow flags
• Issue ACDD Questionnaire & obtain internal Business Justification Statement
• Presumption to order enhanced due diligence (EDD) unless ACDD Questionnaire and Business Justification Statement resolve issues.
Resolutions: High-Risk (continued)
• If, after review of ACDD Questionnaire and updated screening, issue(s) require further documentation and investigation, then order enhanced due diligence (EDD) focused on key risks:
− Government ownership or control (e.g. state-owned enterprises) (even when state-owned interest owns minority share of entity)
− Government official/political party ownership (or closely-affiliated)
− Sanctions, Denied Parties, Watch Lists
− Details of civil/criminal allegations, misconduct and/or convictions
  • Who? [Entity itself or affiliated; individual officer, employee, contractor (if known)?]
  • Business relation (same business operations or different line); Location (same country, region?)
  • Type of misconduct? (fraud, bribery, money laundering, sanctions)
− Regulatory violation (same business operations or different line)
− Other risk and reputational concerns
  • Who? Business Relation? Location? Type of Misconduct (child labor, human trafficking, significant environmental harm)
Resolutions: Medium-Risk
• Resolution Steps for Medium-Risk: Level II: red/yellow flags
• Can the issue be resolved without further investigation?
• If not, then issue and require ACDD Questionnaire. Review again after receiving ACDD Questionnaire and update risk evaluation.
• Resolution principles
• Review information and make a determination whether the risk can be mitigated:
− Contractual protections
− Specific representations critical to resolution; and/or
− Enhanced audit and oversight.
Resolutions: Medium-Risk (continued)
• For civil/criminal allegations of misconduct and/or convictions, and for regulatory violations: Presumption to proceed unless (1) same entity (not an individual officer, employee); (2) same business line; (3) same country; (4) high-risk misconduct or regulatory violation
• For reputational concerns: Presumption to proceed unless significant type of misconduct that raises real and substantial reputational risks
• Document results: see above (a one-page memo or paragraph form added to file)
Resolutions: Low-Risk
• Low-Risk: Level III: red/yellow flags
• Ask the following questions:
− Is the risk associated with the scope of work for which [company] will retain the third party?
− Could the risk manifest itself given the scope of work (e.g., reputational risks)?
• If the answer to either question is yes, evaluate whether the risk can be mitigated by:
− Contractual protections
− Specific representations critical to resolution, and/or
− Enhanced audit and oversight.
• For most third parties, if the answer to these questions is no, permit the contract to proceed.
Red Flag Resolutions: Documentation
Once completed, a short memo or paragraph form should be completed and added to file
• Example: After further investigation and review, [ ] determined that red/yellow flag based on [issue] related to prior misconduct involving [issue] was committed by employee at an affiliated company operating in [country]. Given the tenuous connection of this alleged misconduct to the core services that [the proposed third party] will provide [company], this flag can be resolved without further investigation since such conduct does not indicate a reasonable risk or that the [third party] will engage in misconduct.
Residual Risk Mitigation: Financial Transactions
• Focus is immaterial transactions
• Search for anomalies in high-risk accounts
• Strategy for sampling is:
− Risk rank financial operations by region, country or product/service
− Identify high-risk accounts in these categories
• Sampling protocol
Residual Risk Mitigation: Beneficial Ownership
Customers/Clients
• Lack of due diligence of organization’s ownership and business dealings
• Customers
• Supply chain
• Intermediaries
• Counter-parties
Due Diligence Factors
• Various OFAC enforcement actions involve improper or incomplete due diligence:
− Ownership
− Geographic locations
− Counter-parties
− Transactions
− Knowledge and awareness of OFAC sanctions
Residual Risk Mitigation: Audits & Renewal Policies
• Quarterly audits (sampling as appropriate) to ensure compliance with risk management controls
− Screening
− Investigation
− Research
− Documentation
− Payments to unapproved third parties
• Due Diligence renewals every 2 years for high and medium risk levels, every 3 years for low risk levels
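The tiering rules from the Analysis & Investigation slides (Level I/II/III by class, government ties, contract amount and country CPI) and the renewal cadence above, applied to a handful of constructed third-party records. This is an added example, not the deck's or NAVEX's code: the 100,000 contract threshold, the sample entities and the choice to escalate the vendor combinations the slides do not cover (above threshold in a CPI ≥ 70 country, or below threshold in a CPI < 70 country) to Level II are assumptions, and the CPI cutoff is a parameter because one slide uses 50 and another 70.

```python
from dataclasses import dataclass
from datetime import date

# Third-party classes named on the slides.
REPRESENTATIVE, VENDOR, PROFESSIONAL = "representative", "vendor", "professional"


@dataclass
class ThirdParty:
    name: str
    kind: str                    # REPRESENTATIVE, VENDOR or PROFESSIONAL
    country_cpi: int             # Corruption Perceptions Index score of the country
    contract_amount: float       # annual revenue/contract amount with us
    government_owned: bool = False          # state-owned/controlled or official ownership
    interacts_with_officials: bool = False  # deals with foreign officials on our behalf


def risk_level(tp: ThirdParty, threshold: float, cpi_cutoff: int = 70) -> int:
    """Return 1 (High), 2 (Medium) or 3 (Low) per the deck's tiering rules.

    cpi_cutoff defaults to 70 as on the Level II/III slide; the Information
    Collection slide uses 50, so it is a parameter rather than a constant.
    """
    # Level I: representatives always; any vendor or professional that is
    # government-owned or interacts with foreign officials for us.
    if tp.kind == REPRESENTATIVE or tp.government_owned or tp.interacts_with_officials:
        return 1
    if tp.kind == PROFESSIONAL:
        return 3  # professionals that do not interact with officials are Level III
    above = tp.contract_amount >= threshold
    risky_country = tp.country_cpi < cpi_cutoff
    if above and risky_country:
        return 2  # Level II: above threshold AND high/medium-risk country
    if not above and not risky_country:
        return 3  # Level III: below threshold AND low-risk country
    return 2  # Assumption (not on the slides): mixed cases escalate to Level II


RENEWAL_YEARS = {1: 2, 2: 2, 3: 3}  # renew every 2 years for I/II, 3 years for III


def renewal_due(level: int, last_review: date) -> date:
    """Next due-diligence renewal date for a given tier (sample dates avoid Feb 29)."""
    return last_review.replace(year=last_review.year + RENEWAL_YEARS[level])


# Constructed sample records; names and figures are illustrative only.
SAMPLE = [
    ThirdParty("Agent A", REPRESENTATIVE, 75, 10_000),
    ThirdParty("Customs Broker B", VENDOR, 40, 5_000, interacts_with_officials=True),
    ThirdParty("Supplier C", VENDOR, 35, 250_000),
    ThirdParty("Supplier D", VENDOR, 80, 20_000),
    ThirdParty("Law Firm E", PROFESSIONAL, 60, 90_000),
]


def triage(parties, threshold=100_000, last_review=date(2019, 6, 1)):
    """Map each third party to its (level, renewal due date) for the file."""
    return {p.name: (lvl := risk_level(p, threshold), renewal_due(lvl, last_review))
            for p in parties}
```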
Automated Third-Party Risk Management
An Automated Solution
• Effective risk identification requires gathering and analyzing more and more information
− Gathering information is time consuming!
− Analyzing information is time consuming!
• Automation is an effective strategy to manage information flow
• Intelligent automated systems provide efficient information presentation
Benefits of an Automated Platform
• Maintain database with red, yellow and green risk assignments
• Screen thresholds based on class and amount of revenue
− Basic screening & continuous monitoring
− Enhanced investigations
• Investigation and Resolution Rules
Key Takeaways
Best Practice Information Management
• US government agencies reinforcing requirements for third party risk management
• Data and information drive key risk management processes
• Keep track of all data, records, actions, and outcomes
• Automation of your third-party risk management system is essential
The Volkov Law Group
• Anti-corruption due diligence, compliance, enforcement defense and internal investigations
• The Volkov Law Website: http://volkovlaw.com
• Follow Corruption, Crime & Compliance: http://corruptioncrimecompliance.com
• Subscribe to podcast service
Michael Volkov: Mvolkov@volkovlaw.com, (240) 505-1992
Today’s Panel
MODERATOR: Michael Volkov, CEO, The Volkov Law Group
Stephen Gooding, Director, Product Specialists, NAVEX Global
Chris Bailey, RiskRate® Product Manager, NAVEX Global