Companies have a number of choices when deciding how to quantify and deal with the compliance risks related to their partners. For higher-risk partners, active due diligence exercises can be completed either internally or by using an external supplier. This exercise can be tailored to the types of risks expected, but will take time and will have associated costs (whether internal or external costs).
For entities or people who are lower risk, however, companies have two choices: they can do nothing (as there is no cost-effective tool to manage the perceived risk), or they can find a database ‘screening’ solution that provides immediate results at very little cost.
What information does a compliance-screening database provide?
A database should be able to provide a company with information to help determine if:
- a third party is an entity or person that the company cannot work with at all (e.g. there is an economic sanction against that partner)
- a third party is an entity or person that the company cannot work with in the way it needs to (e.g. there are specific risk factors which require monitoring and mitigation)
- there is publicly-available information about the third party that the company should be aware of which forces greater consideration of whether to engage (or continue to engage) them.
Based on this knowledge, better decisions can be made regarding whether to perform more due diligence or to put controls in place when working with the partner.
The matching process
Using a database for compliance screening starts with a process to compare a list of partners and potential partners with names in a database.
The ease of performing this process depends greatly on the quality and depth of the information on both lists. The quality of the partner list is often based on the quality and extent of the information stored in a system (such as a resource-planning, customer-relationship or sales-management system) and how easy it is to extract and manipulate that information. On the other hand, the quality of the data in the database is entirely dependent on the volume and completeness of the research performed by the vendor.
If the partner list quality is poor (e.g. if the names are misspelt or key information is missing) the matching process will always be difficult. In circumstances where there is time to do so (i.e. when the screening process is not extremely time sensitive) it is worth putting effort into improving this list, rather than purchasing a more complete screening list. Getting better data from within the organisation might involve locating the master source of the data, or the source which is the most likely to be accurate (often records linked to payments are the most accurate, because the banking system requires exact details).
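The matching step described above, as an added example that is not from the original article: a small Python screener that normalises names from a constructed partner list (legal-form suffixes, punctuation and case are typical sources of false non-matches) before comparing them with a constructed screening list, treating exact normalised matches as hits and routing near matches to human review rather than silently clearing them. All names and list labels are hypothetical.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed screening list (hypothetical entries, not real sanctions or PEP data).
SCREENING_LIST = [
    {"name": "Acme Trading Ltd", "list": "sanctions"},
    {"name": "Jonathan Q. Example", "list": "PEP"},
    {"name": "Globex Holdings Inc", "list": "adverse-media"},
]

# Constructed partner list as extracted from an ERP/CRM, with typical quality issues.
PARTNER_LIST = [
    "ACME TRADING LIMITED",   # different case and legal-form suffix
    "Jonathon Example",       # misspelt given name, missing middle initial
    "Globex Holdngs, Inc.",   # dropped letter, punctuation
    "Initech Corporation",    # not on any list
]

SUFFIXES = {"ltd", "limited", "inc", "incorporated", "corp", "corporation",
            "llc", "plc", "sa", "sam", "co", "company"}

def normalise(name: str) -> str:
    """Fold accents and case, strip punctuation, drop legal-form suffixes and
    single-letter initials so 'ACME TRADING LIMITED' equals 'Acme Trading Ltd'."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES and len(t) > 1)

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def screen(partners, screening_list, review_threshold=0.80):
    """Return (partner, list, score, outcome) per partner. Equal normalised names
    are a 'match'; fuzzy hits above the threshold go to 'review' for a human;
    everything else is 'clear'."""
    results = []
    for partner in partners:
        best = max(screening_list, key=lambda e: similarity(partner, e["name"]))
        score = round(similarity(partner, best["name"]), 2)
        if normalise(partner) == normalise(best["name"]):
            outcome = "match"
        elif score >= review_threshold:
            outcome = "review"
        else:
            outcome = "clear"
        results.append((partner, best["list"] if outcome != "clear" else None, score, outcome))
    return results

if __name__ == "__main__":
    for row in screen(PARTNER_LIST, SCREENING_LIST):
        print(row)
```

The review threshold is deliberately conservative; in practice the false-positive rate it produces is tuned against the volume a compliance team can actually review.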
Which risks are you managing?
Before deciding which lists are needed it is important to carefully consider the risks that you are trying to address. The information needed to actually manage those risks can vary widely.
Sanctions can be defined in many ways, but are generally directives imposed by national governments to achieve public policy aims. They come in a variety of types, the choice of which depends on the aim of the country imposing the sanctions. Examples of types of sanctions include those:
- targeting assets (such as freezes or restrictions on sale)
- targeting business relationships or managing the sale of certain goods
- controlling the export of certain technologies from a country, especially those which can have a military function (whether the primary function or not)
- stopping certain individuals from travelling.
Depending on your business, it may be that your compliance programme needs to consider some, but not all, government sanctions, for example:
- you need to comply with sanctions concerning your own country (or those countries where you have a business presence), but not sanctions relating to other countries
- if your company isn’t involved in moving people you will not need to consider names on travel bans
- bans on certain goods will only be relevant if you sell those goods.
Basic sanctions lists are generally easy to find as they are published by their respective governments. The difficulty in compliance with the sanctions tends to be related to matching names, especially where the third party knows about the sanction and attempts to hide their true identity.
Money laundering is a key risk for companies in the financial services industry. It is generally a secondary crime, as it relates to the movement and cleansing of the proceeds of criminal activities or the use of financial conduits to finance criminal or terrorist activities.
A database can tell you whether a partner is known to have been involved in crimes or if they belong to a category which is more likely to be involved. Useful lists include those of:
- politically-exposed persons (PEPs), who have, or have had, the opportunity to engage in corruption or fraud on a large scale and are defined by the Financial Action Task Force on Money Laundering (FATF) as:
  - current or former senior officials in the executive, legislative, administrative, military or judicial branch of a government (elected or not)
  - senior officials of major foreign political parties
  - senior executives of foreign government-owned commercial enterprises, being corporations, businesses or other entities formed by or for the benefit of any such individual
  - immediate family members of such individuals (meaning spouses, parents, siblings, children, and spouses’ parents or siblings)
  - any individuals publicly known (or actually known by the relevant financial institution) to be close personal or professional associates of other PEPs
- known criminals, including people convicted of drug offences or organised crime
- known terrorists
- people or entities (such as financial institutions) who have been involved in money laundering in the past (this might also include institutions that have not been certified as complying with new legislation such as the Foreign Account Tax Compliance Act).
Bribery and corruption
Bribery is a broad risk which can occur whenever an item of value is offered with the purpose of getting the recipient to perform an action they would not have otherwise done.
The primary risk factor with bribery is if the recipient is a current officer or employee of a government. While bribery can occur with corporations just as often, bribery to government officials is higher risk because:
- it is a specific offence under the United States Foreign Corrupt Practices Act, as well as being a defined offence under other legislation (such as the United Kingdom Bribery Act), even when the other legislation also covers commercial bribery
- in many countries governments have large budgets, offer low pay to their staff and hold a monopoly over the making of many decisions
- the agencies of government are generally tasked with public purposes (such as improving health or maintaining defence) rather than commercial imperatives – while a profit motive does not guarantee that bribery won’t occur, it does tend to encourage private enterprises to protect themselves.
While government officials are generally easy to recognise, issues arise when considering people working for semi-governmental bodies. The term is defined variously in different legislations, but it generally covers:
- formal government departments (such as industry, health and defence)
- regulators and agencies of governments
- inter-governmental bodies (such as the United Nations and the World Bank)
- state instrumentalities or enterprises.
Of the list above, the majority are reasonably simple to identify; however, there can be difficulties identifying state instrumentalities or enterprises. In a recent case in the United States (US v Joel Esquenazi et al.), the court had to determine whether a telecoms provider in Haiti, Telecommunications d’Haiti SAM, met the definition of a ‘state instrumentality’. The court determined that to be an instrumentality an entity must be under the control or dominion of the government and performing the function of the government.
To determine if an entity is under the control or dominion of the government, you must consider:
- the government’s formal designation of that entity
- whether the government has a majority interest in the entity
- the government’s ability to hire and fire the entity’s principals
- the extent to which the entity’s profits, if any, go directly into the government budget
- the extent to which the government funds the entity if it fails to break even
- the length of time these indicia have existed.
‘Performing the function of the government’ generally means carrying out activities which are usual for the government (e.g. providing telecommunications, public health, customs clearances or licences). In US v Joel Esquenazi et al., the court held that where a government-controlled entity provides a commercial service it does not automatically mean it is not an instrumentality.
Most companies will interact with government either by requesting the government to perform a government activity, or by selling their products and services to the government. Companies will generally know when they are asking a government to perform one of its functions, so whether the function is carried out by a department or is delegated to a state enterprise, there remains a risk of bribery. Database screening is most useful when selling products or services to the government (or its agencies and enterprises), as it can identify areas where commercial activities interact with government officials. It is also where the importance of the distinction between PEPs and foreign officials becomes clear: as discussed above, a PEP is someone who is at the highest echelon of a country (or who has been in the past), and who may have had the opportunity for systemic corruption; a foreign official is anyone currently within government who has the ability to purchase goods or services.
So, in addition to screening against a list of people who have a history of actual corruption, it would also be useful to screen against a list of people who work at government departments or state enterprises.
As well as the risks above, compliance teams need to manage myriad other risks, such as:
- reputational risks from human rights abuses
- the use of conflict minerals
- data privacy breaches
- competition matters (e.g. antitrust and price fixing)
- commercial issues (e.g. counterfeiting and grey market selling).
There may be lists available of parties who are known to have been involved in these types of activities. These lists could come from media reports or non-governmental organisations who research and publish information.
When considering database screening, it is important to remember to:
- be clear about what level of risk is appropriate for the type of screening – some risks are so negligible that they are not worth screening, and some are so high that a more diligent exercise is necessary
- obtain sufficient good-quality information about the partner to make matching with a list efficient
- be clear about what type of risk the specific partner poses
- get the right data to screen against the specific risk.