In March 2012 the Financial Services Authority (FSA) published a consultation report entitled “Anti-bribery and corruption systems and controls in investment banks” (the Report). The purpose of the Report was to provide a detailed analysis of how investment banks in the United Kingdom are managing bribery and corruption risk in their business. In compiling the Report, the FSA visited 15 firms, including eight global investment banks as well as some small and mid-size operations. Most of the 15 firms reviewed were considered to conduct business in countries, in industries, or with clients that exposed them to higher levels of bribery and corruption risk. Whilst the Report relates specifically to the investment banking sector, the FSA insists that many of the examples it provides may be relevant to firms in other areas that are subject to the FSA’s rules.
The Report sets out the details of the FSA’s findings and observations under a number of topics which relate to anti-bribery and corruption (ABC). Five of the key topics analysed are:
- governance and management information
- bribery and corruption risk assessment
- policies and procedures
- third party relationships and due diligence
- gifts and hospitality.
The report also provides many examples of good and poor practice under each of these topics.
Summary of observations
Throughout their report, the FSA expressed their concern that the investment banking sector had been too slow and reactive in its management of bribery and corruption risk, with most firms only implementing significant changes to their policies after The Bribery Act 2010 (the Act) came into effect in April 2010.
Overall, the FSA’s opinion was that the investment banking sector still had “significant work” to do to get adequate control frameworks in place. However, it was acknowledged that progress had been made by firms in terms of their identification, or reassessment, of potential bribery or corruption risks and factoring them into their policies, procedures, training and monitoring.
Key findings and recommendations
The following items set out some of the key warnings issued by the FSA that the investment banking sector should be aware of, as well as some of the crucial ways of improving ABC controls.
1. Governance and management information
The FSA expects that any senior manager in a firm should fully understand the bribery and corruption risk faced by the firm, the materiality of the risks to its business and the extent to which the firm’s ABC controls are adequate and effective. To achieve this, firms must produce detailed and accurate management information in order to assist boards in understanding these issues, thereby helping decision makers to deliver effective solutions in mitigating risk. The FSA also recommends that, where relevant, this management information should include information about third parties (including new third party accounts, their risk classification and even any commissions paid). Failing to establish an effective governance framework to assess bribery and corruption risk is considered poor practice by the FSA, and is an area that should be addressed by all in the industry.
The Red Flag Group recommends that companies address this by ensuring that:
- there is a sole person responsible for the development and implementation of the ABC compliance programme (the ABC Programme Leader)
- the ABC Programme Leader has experience in a recognised compliance standard (for example Australian Standard AS3806, a leading compliance standard recognised globally)
- the ABC Programme Leader has led awareness-raising of the ABC programme throughout the organisation through regular communication with all senior and middle management, and this communication has been documented as part of an overall communications programme.
2. Bribery and corruption risk assessment
According to the FSA, a prerequisite to an effective risk control framework is an accurate and comprehensive assessment of bribery and corruption risk. In its review, the FSA gave consideration to the extent to which a firm’s processes enabled it to identify bribery and corruption risks specific to its business, and to assess the material relevance of these risks to the firm. Risk factors identified by various firms include (but are not limited to):
- client/project type
- country risk
- sector risk
- involvement with public bodies
- business activities
- involvement with third parties
- various internal processes such as remuneration and gifts and entertainment activity.
A cause for concern to the FSA was the timing and frequency of risk assessments conducted by firms. In many cases, a risk assessment had only been performed to coincide with the commencement of the Act. Of equal concern to the FSA was that many firms had not consulted external experts in performing their assessments. It was highlighted that where an external party is engaged, they must demonstrate sufficient anti-bribery and corruption expertise as opposed to generic external guidance. The FSA recommends that the responsibility of undertaking a risk assessment and keeping findings up to date should be assigned to individuals with sufficient expertise, and that external parties should be consulted where appropriate.
The Red Flag Group recommends that an ABC risk assessment:
- is done at least quarterly in high risk areas of the business, and at least bi-annually in all other areas
- is not limited to questionnaires or surveys but includes face-to-face discussions with senior and middle management, visits to international offices (particularly those in emerging markets), workshops, and business process walkthroughs of the business’s engagement with government, government-facing third parties, and industry peers
- includes an assessment of emerging risks which have arisen due to changes in the business, development of new products, launch into new markets, new regulations, new enforcement activity by regulators and expectations of stakeholders including customers
- is conducted in conjunction with external advisors, or, at the very least the design of the risk assessment is reviewed by external experts to ensure completeness, overall coverage and depth
- is reviewed by the compliance office, executive management and reported out to the board or a risk and compliance committee of the board.
3. Policies and procedures
Preventing bribery and corruption risks from crystallising is of paramount concern to the FSA. The implementation of robust ABC policies counteracts this crystallisation, and should cover key areas such as expected standards of behaviour, escalation processes, conflicts of interest, gifts and hospitality, and the engagement of third parties. Frequent review of these policies and procedures is essential, and they should reflect risks to the firm proportionately. The FSA also highlights the importance of having clearly defined processes in place for dealing with breaches of firm policy, and of having mechanisms for handling reports of suspect behaviour.
With regard to policies and procedures, The Red Flag Group recommends that:
- they are written in plain language and are short, practical and full of examples
- they should be available in all languages which are the primary languages spoken in the countries in which the company operates
- they are available on the company’s intranet and linked to all employees through a web-based tool available on mobile devices
- they always include escalation points that identify exceptions to the policies, and there is a procedure to document such exception approvals
- implementation of the policies is accompanied by a communications plan that reaches all levels of the organisation
- implementation of training is specific to the policy and procedure (not the law) and that training be specifically designed for the company and not standard “off-the-shelf” training on the Act. The training should be targeted to specific groups of the organisation and should be customised to work areas and roles
- they are coupled with a focus on changing the underlying behaviour of the people whom the policy addresses. Simply promulgating a policy and procedure is not sufficient – the underlying behaviour and motivators to change have to be considered.
4. Third party relationships and due diligence
Given the very broad definition of an “associated person” in the Act, there is an extremely wide ambit as to whom a firm might be considered to have corrupt dealings with. This can include consultants, lawyers, contractors or any intermediaries. As such, the FSA expects firms to have policies and procedures that provide a means of assessing the risk of retaining particular third parties, and to adopt measures to mitigate that risk accordingly. This can include the categorisation and business use of third parties and establishing a definitive list of third parties who would be considered “associated persons” in accordance with the Act. A recommended practice is for firms to identify and understand the risk factors associated with engaging a third party, and to have clearly documented procedures for taking on new third party relationships. Monitoring and reviewing third party relationships, as well as testing the quality of due diligence performed, are also considered to be essential practices of any investment banking firm. As a basic principle, any external relationship used to generate business should be subject to thorough due diligence and management oversight.
The Red Flag Group recommends that:
- a study be conducted of all third parties that are engaged by the firm, both at home and abroad
- the third parties are categorised by how they engage with government, at what levels, and how they may act as an influencer in non-government transactions
- the firm build a third party compliance programme around the third parties that manages the risks that they pose to the firm, and which is not limited to due diligence, but includes a range of measures and changes that manage the complete cycle of the third party from on-boarding through to termination or closure
- any payments made to these third parties are subject to additional controls for those that are engaging with government on the firm’s behalf or working with state-owned enterprises. These third parties may have restrictions placed on them regarding purchase order controls, restrictions on access to special funds for reimbursement of expenses, and additional layers of signoff on invoices
- the third parties may be subject to additional measures including review, audit, face-to-face training, additional contractual methods or audits, based on the level of risk and the work that they are doing for the firm.
5. Gifts and hospitality
Whilst it is acknowledged that the exchange of gifts can serve legitimate business purposes, this is an area where the line between bona fide business practices and corrupt behaviour can easily be blurred. The FSA observed that many investment banks are trying to implement cultural change to shed the image of bygone days of lavish hospitality in the industry. In order to alleviate any bribery or corruption risks, measures taken by firms which the FSA considered to be good practice include:
- prohibiting cash (or cash-equivalent) gifts
- not issuing corporate credit cards
- prohibiting invitations to certain clients to premier events
- prohibiting the flying of clients to major events.
In instances of significant expenditure, firms should implement a system whereby employees demonstrate an appropriate business case to justify such activities, with a clearly defined approval mechanism through senior management. In light of these suggested measures, maintaining a handle on all gift and hospitality activities will be very difficult, particularly for widespread international firms. Compliance officers will effectively need to:
- monitor and assess all gift and hospitality requests frequently and give approval expeditiously
- keep accurate and accessible records of corporate sponsorships or donations
- continually upgrade policies to coincide with shifting business interests
- be capable of reviewing and approving requests in multiple languages
- store and track large amounts of data to effectively keep abreast of all gift and entertainment activity in a firm.
The Red Flag Group recommends that gift and entertainment policies address at least the following issues:
- an expense limit per gift or entertainment per person, per recipient person (or company), per year
- limits are designed so that staff cannot split a gift into multiple “small gifts” that each fall below the policy limit
- expenses for gifts and entertainment are subject to pre-approvals before the expense is incurred and such pre-approval is given and maintained in an online searchable database
- pre-approvals should include line management as well as a “fiduciary” such as finance
- the actual expense is mapped back to the pre-approval system
- such expense approvals are monitored closely with exception reporting, spike analysis and quarterly auditing.