Although the initial shock of the Panama Papers and Unaoil scandals may be wearing off, subsequent details of alleged misconduct are prompting companies to change their processes in order to ensure compliance with regulators. On 27 June, Jay Martin, Chief Compliance Officer at Baker Hughes in Houston, and The Red Flag Group's Compliance Ambassador Tom Fox joined Compliance Insider® Managing Editor Stephen Mulrenan on a webinar to discuss the implications of the two scandals on the compliance world. Below is an extract form that discussion.
Stephen Mulrenan: Tom, it appears that certain assumptions were made in connection with the Unaoil scandal. Can you tell us a bit about that?
Tom Fox: There were some initial assumptions made by companies looking at Unaoil that turned out to be really fatal. One was looking at the principality of Monaco as a safe jurisdiction. One thing we have learned over the years is that there is no ‘safe’ jurisdiction. Every country is risk ranked in some manner, but simply determining that risk based on the country ranking is really not sufficient. Another was that Unaoil worked with some of the largest companies in the oil and gas industry, and that this made it ‘safe’ to use. Finally, people assumed that Unaoil was ‘certified’ as being a compliant company.
The risk ranking that Monaco had was quite good. But simply looking at the country ranking alone is turning out to be insufficient. There are many other factors that you need to consider when looking at a ranking, and you have to really consider what that ranking means for your company.
Numerous red flags arose in conjunction with Unaoil. These red flags do not necessarily mean you cannot do business with them or that they should not be a third party. But when a red flag is raised, the critical element in your best practice compliance programme is, ‘Did you evaluate and clear that red flag and is there documentary evidence that you did so?’. This documentary evidence could be as simple as a compliance officer’s notation of their investigation and their resolution of the red flag. Conversely, it could be as detailed as a ‘boots on the ground’, full-blown investigation and evaluation. The important part is that if a red flag is raised, that red flag must be evaluated and cleared. I’m not sure that this was satisfactorily done. But it’s a continued lesson that the compliance practitioner needs to incorporate, reincorporate, put in a feedback loop and put back into their compliance programme going forward.
Emphasising that there are a number of risks in each country, the Transparency International Corruption Perceptions Index, on which Monaco received a ranking as being ‘low risk’, really may not look at the plethora of factors that Unaoil and many other cases have taught us to look at.
The Red Flag Group has identified 23 risk areas. What you need to do for your compliance programme is identify the risks not only for your company but for a specific third party. There’s a wide variety of risks as broad as anti-bribery and anti-corruption, export control, whether you’re subject to the United Kingdom Modern Slavery Act or the new California Transparency in Supply Chains Act, as well as a wide variety of cybersecurity, environmental and governance issues. These things really need to be considered to give you a more robust starting point from where you need to go forward.
Jay Martin: Any time companies are dealing with third parties throughout the world, they must deal with this range of risks. It indicates that all of these risk areas come about after you’ve done what we would call ‘preliminary due diligence’. As important as preliminary due diligence is, sometimes companies may have a tendency to say, ‘Well, they passed due diligence so they’re good to go.’ To me, that’s like doing a background check on a potential employee, bringing that employee into your company, and then saying that you never have to monitor or worry about that employee again because you’ve already done a background check on them.
So one of the things that these scandals show or emphasise is that it takes a holistic approach to the management of these risks to properly protect your company, and while preliminary due diligence is important, it is only the first step in a multi-step process.
TF: ‘Industry approval’ often provides a false sense of security. In many instances, if one leader or company in an industry ‘approves’ a third party, that is given a fair to inordinate amount of weight for other companies – particularly where you know the company that’s approved the third party agent and you have confidence in the robustness of their compliance programme. Once that industry seal of approval is given, it carries more weight than it should for other companies. Yet there are reasons why you shouldn’t really accept an industry seal of approval on face value, and Jay has articulated some additional reasons for this.
JM: One of the most important aspects of a good due diligence system is ownership and accountability by people at your own company. So at the outset of setting up your due diligence structure, you have to determine who owns that process. For example, with the person who is doing the business justification, are you going to have the concept that we have at Baker Hughes where every third party agent has to have what we call a ‘business sponsor’? This is analogous to what some people might call an account manager or the way in which we might manage law firms or accounting firms that are doing work for us. So I think it’s very important to have established that accountability and ownership and the only way you can do that, in my opinion, is by making sure your organisation has a very proactive approach to each agent.
While it may give you some comfort to know that one or more companies that you respect or know something about have already taken a look at that agent, each situation is unique in terms of the actual services being provided by the agent, the way in which the agent is being compensated, and the jurisdictions in which the agent is operating.
Even with respect to your own company, the nature of the relationship with that agent could change over time. For example, at the outset of the relationship, that agent may be acting as a third party sales agent working on commission, but they may also be acting as a processing consultant helping you clear customs for your products. But then, six months or so into that relationship, they may no longer be acting as a processing consultant but instead operating as a sales agent on commission. Or, at the outset they may be intimately involved in bringing in new business or helping you formulate bids, but then over time you might build up your own sales force so that agent is no longer having as direct a role in the actual business development as they originally did. So all of these things can change over time just because of the way business works.
SM: In terms of assumptions made around Monaco, to what extent is there a growing focus on the part of compliance and business teams to regard the country of registration of a proposed third party as the initial cull mechanism to determine whether to proceed with due diligence or dispense with it entirely?
TF: Well I think that’s only one enquiry. You have to look at country of domicile, country of origin, and country of corporate formation. But you also have to look at where the services would be delivered, where your company will interact with the proposed third party, and how they will interact with the third party. And there may be relationships in other countries that you need to evaluate as well.
JM: There are multiple factors in any good risk assessment that I’ve seen, including those done by monitors and the government itself, where they will tend to put a large but not exclusive emphasis on where exactly the services are being performed. That’s because you are interacting with government officials, or the agent is acting on your behalf, in what many would consider a very high-risk jurisdiction. Every time that agent is acting on your behalf in a representative capacity with a government official or agency, there’s at least the potential for improper activity or mischief there, and that’s one of the most difficult risks for anybody to manage. Whether you’re a small or large company, I think we all recognise that some jurisdictions are much more difficult and dangerous to operate in than others. And people should take that into account in terms of how they attempt to manage the risk.
TF: So one of the key takeaways from Unaoil is that you have to look at your own risk tolerance and what the third party is doing for you. Focus on the risks to you. The overarching lesson learned from Unaoil is that even if a certification is received, or others in the industry are using that third party, or it is domiciled in a country that may have a low perception of corruption, those are all simply data points. You may need to drill down for more specific and detailed due diligence, certainly in the context of what you’re doing.
To listen to the full discussion on how the Panama Papers and Unaoil scandals have changed the way we do business.