It is not uncommon for companies that are intent on protecting their cyber assets to hire or consult with former data hackers. As the saying goes, it takes a thief to catch a thief. Who better to guess what cybercriminals are up to and how they operate than a reformed counterpart?
James Lord is not a criminal. On the contrary, he is a former US Department of Justice federal prosecutor who pursued corporations and individuals that were alleged to have violated America’s Foreign Corrupt Practices Act (FCPA), anti-money laundering regulations, measures against securities fraud and other laws.
Lord retired in 2011 after 23 years of government service, and is now in private practice (he is a shareholder of law firm Glade Voogt Lord & Smith). He is drawing on his experience and expertise at the Department of Justice to advise companies on how to conduct their compliance programs and mitigate the risk of being prosecuted for bribery and other corrupt practices.
His insights give CFOs a roadmap on what to do and what not to do to avoid litigation and fines, such as the US$965 million that Swedish telecom company Telia agreed to pay in September.
Focus on third parties
So what do CFOs need to know? First of all, recognize that you and your organization may be subject to the FCPA even if your company is not a US business, says Lord. The law covers any act in furtherance of a corrupt practice committed by foreign corporations trading securities in the US, as well as by US companies and American nationals, citizens and residents.
Even if the US law does not apply to you, other jurisdictions including the UK, Europe, Hong Kong, Singapore and China are also intensifying their fight against bribery and corruption. “There’s an escalation of enforcement in the anti-corruption area,” says Lord, noting for example that France now has a new law that is stronger than the FCPA in some respects. In China, drug giant GSK was prosecuted in 2014 for bribing local medical practitioners.
At the Department of Justice, Lord managed FCPA investigations and inspected compliance programs in the context of entering a settlement agreement. “More often than not, where they were deficient was in managing third-party risk,” he says, noting that “90% of all FCPA enforcement actions involved scenarios where third parties are paying the bribe, not an employee of the company.”
That means consultants, sales agents, distributors and other third parties that may be using incentives to get business for the company. Admittedly, these third parties could be difficult to monitor because of the geographical distance and their autonomous status as independent players. What if, despite all the company’s efforts, they go rogue and pay bribes, not least because of the handsome commissions they would earn if they win the business?
What the prosecutor looks for
It is possible for a company to escape prosecution even if an agent committed a corrupt act. The key is to prove that executives had done everything by the book. Says Lord: “If a regulator knocks on your door and says: ‘We just had a whistleblower tell us this particular agent had offered to pay a bribe so you can win work in China,’ you can say: ‘We followed all the recommended due diligence steps, so you shouldn’t hold us responsible. Go after the third party instead.’”
From Lord’s experience, regulators are likely to be persuaded to do just that if the company:
Consults watch lists and sanctions lists. Regulators would be more sympathetic if the company can prove it had run the third party’s name through these lists and the search came up negative. Having a risk-based third-party due diligence vetting process in place is one of the ‘adequate procedures’ under the UK’s Bribery Act 2010, says Lord. Showing that the third parties had undergone training on the requirements of the anti-bribery law is another such adequate procedure.
Has a culture that requires compliance with anti-bribery practices. As a prosecutor, Lord interviewed executives and employees in global management positions to gauge the tone at the top. The objective was to ascertain whether it is clear that the C-suite and the board mean what they say. Was the messaging from the boss actually that contracts must be won no matter what?
Lord also looked at email messages. “Most companies that take compliance seriously, their CEO and their CFO send out messages to their workforce telling them that they have a zero tolerance policy when it comes to paying bribes, and they’re getting that message out,” he explains.
Takes whistleblowers seriously. Most countries now have laws that protect whistleblowers, says Lord. As a prosecutor, he examined the company’s whistleblower policy and determined whether the reports and complaints that come through the hotline are ignored or carefully weighed and investigated.
Has adequate internal controls. “One thing regulators focus on is whether you have sufficient internal controls in place to enable you to identify suspicious financial transactions,” says Lord. The mere presence of controls is not enough, however. “Regulators expect companies to be proactive in trying to find red flags and signs of corrupt payments having been made, as opposed to just sitting back and waiting.”
Conducts representative transactional testing. If you have a lot of round-number financial transactions on your books, that could be indicative of payment of bribes, says Lord, because most legitimate transactions have a few cents at the end. This is one example of a red flag. “As a prosecutor, you would be asking the company to demonstrate that they engage in this type of analysis as a process,” says Lord.
Engages in data analytics. A company will get extra points if it can show that it analyzes its data for red flags that could indicate bribery and other acts of corruption. “Regulators expect companies to engage in metrics, to look for trends and patterns,” says Lord. “There are software solutions out there that can make it easier to get that done.”
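The round-number test Lord describes, and the more general expectation that a company runs its ledger through analytics looking for patterns, can be made concrete as a small screening routine. The following is an added example written for this article, not code from the article, from Lord or from any vendor product; the accounts-payable export, vendor names and the 50% threshold are all constructed for illustration, and a company would tune the threshold against its own baseline share of whole-currency payments.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed accounts-payable export (not real data): one vendor whose
# payments are almost all whole-currency amounts beside one whose invoices
# carry the usual odd cents.
SAMPLE_CSV = """date,vendor,amount,memo
2017-03-02,Alpha Logistics,1243.17,freight
2017-03-09,Alpha Logistics,877.42,freight
2017-03-16,Alpha Logistics,5000.00,customs deposit
2017-03-23,Alpha Logistics,2310.09,freight
2017-03-30,Alpha Logistics,918.55,freight
2017-03-03,Beta Consulting,10000.00,consulting fee
2017-03-10,Beta Consulting,25000.00,success fee
2017-03-17,Beta Consulting,5000.00,retainer
2017-03-24,Beta Consulting,1345.60,expenses
2017-03-31,Beta Consulting,15000.00,success fee
"""


def parse_ledger(text):
    """Parse a CSV export into (vendor, amount) pairs; Decimal keeps cents exact."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["vendor"], Decimal(row["amount"])) for row in reader]


def is_round_amount(amount):
    """True when the amount has no cents, i.e. is a whole-currency figure."""
    return amount % 1 == 0


def round_number_share(ledger):
    """Per vendor: (round-number count, total count, share of round numbers)."""
    counts = defaultdict(lambda: [0, 0])
    for vendor, amount in ledger:
        counts[vendor][1] += 1
        if is_round_amount(amount):
            counts[vendor][0] += 1
    return {v: (r, t, r / t) for v, (r, t) in counts.items()}


def flag_vendors(ledger, threshold=0.5, min_txns=5):
    """Vendors whose share of round-number payments reaches the threshold.

    min_txns keeps a vendor with one or two payments from being flagged on
    noise. Both defaults are constructed starting points, not figures from
    the article; a flag is a prompt for review, not a finding.
    """
    stats = round_number_share(ledger)
    return sorted(v for v, (r, t, share) in stats.items()
                  if t >= min_txns and share >= threshold)


if __name__ == "__main__":
    ledger = parse_ledger(SAMPLE_CSV)
    for vendor, (r, t, share) in round_number_share(ledger).items():
        print(f"{vendor}: {r}/{t} round-number payments ({share:.0%})")
    print("review:", flag_vendors(ledger))
```

Run as a script it lists each vendor's share and names the vendor to review. The point of the process, in Lord's framing, is not the heuristic itself but being able to show a regulator that the company runs this kind of test routinely and documents what it did with the hits.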
Help from technology
Lord sees technologies like blockchain, machine learning, artificial intelligence and robotics as potentially helping companies with risk and compliance issues. For now, he is leveraging digital technology to help companies through Dow Jones RiskAverter. This cloud-based tool lets a company’s third parties answer online compliance questionnaires and then feeds the responses to an algorithm that assigns a risk rating to each respondent.
Drawing on his experience as a federal prosecutor, Lord designed 30 questions and assigned weightings to each response. Based on the classification (there are five groups, from very low risk to very high risk), RiskAverter details the recommended due diligence tests that must be done.
The actions range from conducting searches of the news for negative reports on the third party to requiring the third party to demonstrate that it is conducting training on relevant anti-corruption laws to doing boots-on-the-ground interviews.
Lord designed the questions to capture the two broad categories that regulators typically focus on: geographical risk and transactional risk. To gauge country risk, RiskAverter uses Transparency International’s Corruption Perceptions Index as one resource. Thus, a third party that operates in Cambodia may end up categorized as high risk because the 2016 Index gives it a score of only 21 points (out of 100).
A third party in Singapore has a chance of being assigned to the very low risk category because the 2016 Index gives it a score of 84 points. A third party in Hong Kong may end up categorized as low risk because Transparency International gives it a score of 77 points. On the other hand, a third party in China may be graded as high risk because its score is only 40 points.
But geography is not destiny. “You can be in a very high-risk country but if all the transaction risk factors are very low, then you’re not going to be very high risk [in RiskAverter],” says Lord. The transaction risk factors that RiskAverter scores for include:
- the nature of the business (sales agents and customs brokers are a higher risk than distributors and resellers)
- the relationship between the company and the third party (higher risk if the relationship involves only purchase orders and invoices, as opposed to a formal contract)
- how the third party is compensated (the risk is much higher when payment is in cash as opposed to a bank-to-bank transfer)
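To show how geographic and transactional risk combine into a five-band rating that then drives the due diligence steps, here is an added illustrative model written for this article. It is not RiskAverter's algorithm and not Lord's questionnaire: the article names the inputs (the 2016 Corruption Perceptions Index scores, the three transaction factors and the five bands) but not the weightings, so the point values, the 40/60 split between geography and transaction factors, the band cut-offs and the mapping of bands to due diligence steps are all assumptions chosen only to preserve the orderings the article states.

```python
# Corruption Perceptions Index 2016 scores quoted in the article
# (0 = perceived highly corrupt, 100 = very clean).
CPI_2016 = {"Cambodia": 21, "Singapore": 84, "Hong Kong": 77, "China": 40}

# Hypothetical point values for the three transaction factors. Only the
# orderings come from the article: agents and customs brokers above
# distributors and resellers, purchase-orders-only above a formal contract,
# cash above a bank-to-bank transfer.
BUSINESS_TYPE = {"sales agent": 30, "customs broker": 30,
                 "distributor": 10, "reseller": 10}
RELATIONSHIP = {"purchase orders only": 20, "formal contract": 5}
PAYMENT = {"cash": 40, "bank transfer": 5}

# Hypothetical split: transaction factors weigh more than geography so that
# low transaction risk can pull a high-risk country down ("geography is not
# destiny").
GEO_WEIGHT, TXN_WEIGHT = 0.4, 0.6

# Hypothetical band cut-offs on a 0-100 combined score (upper bound, label).
BANDS = [(20, "very low"), (35, "low"), (50, "medium"),
         (70, "high"), (101, "very high")]

# Hypothetical mapping of bands to the due diligence actions the article
# lists, cumulative from basic vetting up to on-the-ground interviews.
DUE_DILIGENCE = {
    "very low": ["watch-list and sanctions-list screening"],
    "low": ["watch-list and sanctions-list screening",
            "adverse news search"],
    "medium": ["watch-list and sanctions-list screening",
               "adverse news search",
               "evidence of anti-corruption training"],
    "high": ["watch-list and sanctions-list screening",
             "adverse news search",
             "evidence of anti-corruption training",
             "in-person interviews"],
    "very high": ["watch-list and sanctions-list screening",
                  "adverse news search",
                  "evidence of anti-corruption training",
                  "in-person interviews",
                  "enhanced review before any engagement"],
}


def country_risk(country):
    """Invert the CPI so that a low-scoring country yields a high risk value."""
    return 100 - CPI_2016[country]


def transaction_risk(business, relationship, payment):
    """Sum the three factor scores; range is 20 (all low) to 90 (all high)."""
    return BUSINESS_TYPE[business] + RELATIONSHIP[relationship] + PAYMENT[payment]


def combined_risk(country, business, relationship, payment):
    """Weighted 0-100 score mixing geographic and transactional risk."""
    return (GEO_WEIGHT * country_risk(country)
            + TXN_WEIGHT * transaction_risk(business, relationship, payment))


def classify(score):
    """Map a combined score to one of the five bands."""
    for upper, label in BANDS:
        if score < upper:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(country, business, relationship, payment):
    """Return (band, recommended due diligence steps) for one third party."""
    band = classify(combined_risk(country, business, relationship, payment))
    return band, DUE_DILIGENCE[band]


if __name__ == "__main__":
    cases = [
        ("Cambodia", "sales agent", "purchase orders only", "cash"),
        ("Cambodia", "distributor", "formal contract", "bank transfer"),
        ("Singapore", "distributor", "formal contract", "bank transfer"),
        ("Hong Kong", "distributor", "formal contract", "bank transfer"),
    ]
    for case in cases:
        band, steps = assess(*case)
        print(f"{case[0]:<10} {case[1]:<12} -> {band}: {'; '.join(steps)}")
```

Under these assumed weights a Cambodian sales agent paid in cash on purchase orders lands in the very high band, while a Cambodian distributor on a formal contract paid by bank transfer drops to medium, which is the article's point that a high-risk country alone does not decide the rating. Singapore and Hong Kong with the same low-risk transaction profile come out very low and low respectively, matching the categories the article describes.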
A US$965-million fine
Typically, says Lord, the algorithm categorizes less than 10% of third parties (sometimes even less than 5%) as very high risk, based on the questionnaire responses. Companies can thus focus their due diligence on a smaller number of third parties, while conducting basic vetting on those categorized in the very low and low risk groups as a matter of course.
Enterprises do not need to use a tool like RiskAverter, of course – it should be manageable for a company with fewer than 20 third parties to conduct due diligence on all of them. What is important is that due diligence tests are done and that these tests are accepted as valid by regulators. The company must also demonstrate that it has anti-bribery systems, procedures and culture in place.
Otherwise, the cost can be massive. Under the FCPA, the penalty is US$250,000 for every instance of bribery, regardless of the amount involved. Telia's US$965 million fine, in connection with FCPA violations in Uzbekistan, is the largest penalty to date. In 2008, German conglomerate Siemens paid US$800 million in fines.
“It’s not just the US that’s behind the enforcement of anti-corruption laws,” says Lord. “There’s coordination and cooperation between international agencies now. If there is a bribe paid by a US company in Hong Kong, it’s very likely that Hong Kong authorities will get involved as well. There’s going to be a joint investigation.”
You have been warned.
About the Author
Cesar Bacani is Editor-in-Chief of CFO Innovation.