Risk solutions firm, Kroll, has partnered with ethical business practices firm, Ethisphere, to produce the Anti-Bribery & Corruption Benchmarking Report 2018. The Report shows that organisations continue to be concerned about third party risks with the risk factor of opaque ownership structures increasingly becoming a priority for compliance teams. New forms of payment, such as open-banking and cryptocurrencies, are but one development increasing the already difficult task of determining ownership structures and confirming the source of funds. Despite the fact that 84% of the Report’s respondents collect ownership information about their suppliers and target companies, many are still not confident that they know who the ultimate owners or controlling bodies really are. It is clear that information collection alone is not enough. Analysis and context are also required to detect potential risks hidden behind opaque corporate structures.
The Report notes the convergence of regulatory, reputational and data security risks and recommends that organisations adopt a collaborative response, with information security offerings and compliance teams working together to ensure they are addressing the issues of how they collect, process, share and store information in relation to due diligence. Data privacy and data security concerns are particularly at the fore with recent high profile cyber security breaches illustrating the potentially catastrophic consequences of such a breach. The coming into force of the GDPR on 25 May 2018 will also mean that UK and other EU companies will need to ensure they are compliant with new rules and regulations.
Ernst & Young's Global Fraud Survey 2018 also focuses on the effective delivery of compliance. The survey notes that whilst 78% of respondents state that there are clear penalties in place for breaching policies, only 57% of respondents were aware that people have been penalised for breaching policies. Whilst policies may exist in organisations, it appears that employees are not sufficiently aware of them and management initiatives are not properly reflected in firm behaviour and culture.
Jo Henley, a Trainee Solicitor in the Fraud Defence Team at Mishcon de Reya says:
The Report shows the rapidly changing landscape of ABC, as concerns increase in relation to opaque corporate structures, third parties and new regulations. It is concerning that whilst 86% of organisations in the Report collected ownership information when conducting due diligence on their own third parties, only 34% collected the same when reviewing the third parties of their targets. Organisations should consider undertaking a greater level investigation into a target's third parties and incorporating warranties, representations and indemnities from targets about their third parties in purchase documents.
It is also clear that not enough due diligence steps are being taken and that initial due diligence alone is no longer sufficient to meet the risks posed in this era of hyper-connectivity. This is especially true in light of the staggering 45% of the Report’s respondents who stated that the ABC issue they had encountered had occurred because the risk did not exist at the time of onboarding. Ongoing monitoring is critical and must constantly be updated.
Martin Shobbrook, a Partner in the Fraud Defence Team at Mishcon de Reya says:
Though companies largely understand that ongoing monitoring beyond initial due diligence is important, there is less consensus and less regulatory guidance about the right way to go about it. Whilst there is clearly no single prescriptive method that is applicable to all organisations, one area in which many organisations fall down is the disjunct between the compliance initiatives decided at a management level, and the practical effects of these on the ground. Unless employees are properly informed and trained to deal with compliance risks, and feel individually responsible for acting with integrity, firm policies will be ineffective. Codes of conduct should be backed up with clearly defined principles and standards of behaviour, facilities for anonymous employee reporting should be put in place and followed up with thorough investigation, and regular internal and external audits should be supplemented with surprise audits to increase the likelihood of detecting fraud.