Are you at risk from engaging with third parties?
- Creating a Resilient Organisation
Middle East Risk Watch - Issue 8 - December 2017
The challenges of conducting business are compounded by the reliance most companies place on third parties. A company’s third parties may comprise vendors, suppliers, distributors, agents or joint venture partners, and they are integral to its business. These third parties, often important to a business’s success, can expose both multinational corporations and local companies to significant risks. In today’s business environment the role of third parties is constantly changing, and regulators increasingly focus on the business practices and conduct of third parties when assessing and investigating unethical practices. Despite the increased emphasis of local and international regulatory and enforcement bodies on holding companies responsible for a third party’s behaviour, monitoring of third parties’ business practices, particularly with regard to bribery and corruption, is still not a priority or a key focus area for many companies. Based on our experience, a third party’s business conduct can expose a company to one or more of the following:
- Regulatory fines
- Waste and loss of revenue
- Cyber risk/phishing exposure
- Fraud and corruption
- Human rights violations
The above risks apply to companies in any sector and any region that engage third parties, such as a distributor for a pharmaceutical company, a supplier of goods to a consumer goods company, a business partner or a local sponsor. The actions and conduct of any of these third parties can and do affect a company’s reputation. In the last 12 months, international regulatory authorities have penalised several companies for activities undertaken by third parties. The most prominent cases involve fraud schemes used to channel bribes. Examples of such schemes include duplicate or fake invoicing, over-billing for services, creating a slush fund for bribe payments, claiming “miscellaneous” or “incidental” expenses as reimbursements, paying a percentage of revenue as commissions, paying for fictitious services, and setting up unrelated companies and non-existent vendors to route kickbacks.
One such case involved Orthofix International N.V., a limited liability company established under the laws of Curaçao and which has its principal headquarters in Lewisville, Texas (US). Orthofix International is a diversified medical device company that develops and sells surgical and non-surgical medical products to medical professionals in various countries around the world. This case relates to Orthofix’s Brazilian subsidiary (“Orthofix Brazil”).
According to the order of the US Securities and Exchange Commission (SEC), between 2011 and 2013 senior officials at Orthofix Brazil employed four schemes with third-party representatives and distributors to make improper payments. In the same period, approximately 12.5% of Orthofix Brazil’s sales were to public sector clients and the remaining 87.5% to private customers.
Three key points noted by the SEC
- Orthofix Brazil paid doctors employed at government-owned hospitals and generated illicit profits of approximately $2mn.
- Orthofix Brazil failed to devise and maintain a system of internal controls
- Orthofix International had faced a similar issue in 2012, when the SEC charged it with violating the books-and-records and internal controls provisions of the US Foreign Corrupt Practices Act in connection with bribes paid to Mexican officials by its Mexican subsidiary, and it had given assurances at the time that it could adequately manage such issues.
The four schemes employed by Orthofix Brazil were:
Involving third-party commercial representatives
- Some commercial representatives arranged to pay doctors a specific amount, typically between 20% and 25% of the sales price, in exchange for using Orthofix products. According to the SEC, when Orthofix Brazil later paid those commercial representatives’ commissions (between 33% and 43% of the sales price) on the sales, the representatives used a portion of the commission to pay the doctors the agreed-upon amounts.
- A company related to a commercial representative sent Orthofix Brazil false invoices for services that were never performed. The SEC states that Orthofix Brazil officials, its former general manager and former finance director, approved the fabricated invoices and instructed Orthofix Brazil employees to classify the payments as “administrative expenses”; other employees who were aware of the payments referred to them as “doctor’s commissions”. The funds disbursed against the approved invoices were used to make improper payments to customers, and the payments were intentionally misclassified as legitimate expenses.
Involving third-party distributors
- Orthofix Brazil provided high discounts (of up to 70%) on the sale of certain products to third-party distributors, allowing them to make sufficient profits while also covering their overhead costs. The distributors later resold these products to government hospitals at a mark-up. According to the SEC, the distributors then used a portion of the profit generated by the discount to make improper payments to government doctors.
- Orthofix Brazil allegedly made payments to a third-party distributor for services that were never rendered. According to the SEC, those payments were inaccurately described in the company’s books and records as “consulting for sales” payments when, in fact, the payments to the distributor were made to facilitate improper payments to government doctors.
On 18 January 2017, the SEC announced that it had resolved an enforcement action under the US Foreign Corrupt Practices Act (FCPA) against Orthofix International, arising from the conduct of Orthofix Brazil, for violations of the FCPA’s books-and-records and internal controls provisions. Under the SEC’s cease-and-desist order, Orthofix was required to pay a civil penalty of $6,119,375 and to engage an independent compliance monitor for a period of one year.
Similarly, in one of the recent forensic audits we conducted of a distributor of a multinational company operating in the Middle East, a simple data analytics and transaction review revealed high-risk areas that left the company exposed to regulatory and cyber risks. Some of the key risks identified were that the third party was:
- Making payments to an unrelated individual on the company’s behalf
- Sending product samples to countries against local regulations
- Potentially shipping products to countries against local regulations
- Reimbursing employees’ expense claims that were consistently for regular, round-figure amounts
- Interacting with government organisations on the company’s behalf, without any explicit instructions from the company’s senior management
- Sponsoring related parties’ and third-party influencers’ family holiday trips
- Re-claiming extremely high marketing expenses
- Providing discounts on regulated products
- Offering disproportionate gifts to the company’s employees
Businesses cannot survive without third parties in some shape or form. Vendors, suppliers, consultants, distributors and logistics providers spread across the globe need a designated owner within the company who is accountable for managing them. When third parties engage in corrupt activity or unacceptable business conduct and this is picked up and reported in the media, the reputational damage to the business is often colossal and not easily repaired.
Companies and their representatives should work within the resources available and acknowledge budget constraints rather than use them as an excuse: they must do enough to know who their third parties are, what role they perform, and that they are monitored. In today’s world, with the abundance of risks associated with dealing with third parties, a simple tick-box exercise is not enough. At the very least, a company should:
- Conduct due diligence on third parties. Different levels of due diligence should be established based on factors such as the nature of the relationship and the services being provided.
- Understand who they are dealing with and go beyond standard reputational due diligence, based on the relationship with the third party.
- Understand the supply chain to avoid surprises.
- Identify and evaluate the risks of the relationship against the company’s thresholds.
- Understand that vulnerabilities and gaps in a third party’s IT systems make it an easy target for cyber-attacks, and that a compromised third party can in turn expose the company’s own data and systems.
- Conduct regular “red flag” forensic reviews of transactions. Books and records are key to understanding third-party expenses and spending patterns.
- Apply proactive data monitoring that alerts the company to unusual or suspicious transactions or activity in near real time.
- Provide regular training and awareness sessions to both employees and third parties on anti-bribery and corruption. These should include clear details on expected behaviours and what will and will not be tolerated.
- Extend the whistleblower programs to third parties, in addition to employees.
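The distributor findings listed earlier (payments to an unrelated individual, round-figure expense claims, vaguely described payments) and the red-flag transaction reviews and data monitoring recommended above are the kind of tests a forensic analytics pass runs over a ledger. The following is an added illustration, not tooling from this article or its authors. It runs five such tests over a small set of constructed accounts-payable and commission records. Every payee, amount, invoice number and description, the approved vendor master, the 500-unit round-figure step and the 15% commission cap are hypothetical assumptions chosen for the example.

```python
"""Red-flag review of third-party payments: added illustration, not the article's own tooling.

Each test mirrors an indicator discussed in the text: round-figure amounts, payees
outside the approved vendor master, duplicate invoices, vaguely described or
undocumented payments, and commissions out of proportion to the underlying sale.
All records and thresholds below are constructed assumptions.
"""
from decimal import Decimal

# Constructed accounts-payable and commission records (hypothetical payees and amounts).
LEDGER = [
    {"id": 1, "payee": "Alpha Logistics LLC", "invoice": "INV-1001",
     "amount": Decimal("4873.20"), "desc": "freight charges", "sale": None},
    {"id": 2, "payee": "Bravo Medical Distributors", "invoice": "CM-0042",
     "amount": Decimal("38000.00"), "desc": "sales commission", "sale": Decimal("100000.00")},
    {"id": 3, "payee": "C. Somebody (individual)", "invoice": "",
     "amount": Decimal("5000.00"), "desc": "administrative expenses", "sale": None},
    {"id": 4, "payee": "Alpha Logistics LLC", "invoice": "INV-1001",
     "amount": Decimal("4873.20"), "desc": "freight charges", "sale": None},
    {"id": 5, "payee": "Delta Consulting FZE", "invoice": "DC-77",
     "amount": Decimal("12000.00"), "desc": "consulting for sales", "sale": None},
    {"id": 6, "payee": "Alpha Logistics LLC", "invoice": "INV-1002",
     "amount": Decimal("2210.55"), "desc": "freight charges", "sale": None},
]

# Hypothetical approved vendor master; any other payee is treated as "unrelated".
APPROVED_VENDORS = {"Alpha Logistics LLC", "Bravo Medical Distributors"}

# Descriptions the text cites as cover for improper payments.
VAGUE_DESCRIPTIONS = ("miscellaneous", "incidental", "administrative expenses",
                      "consulting for sales")


def flag_round_amounts(ledger, step=Decimal("500"), floor=Decimal("1000")):
    """Amounts at or above `floor` that are exact multiples of `step` (assumed thresholds)."""
    return [(r["id"], "round_amount", f"{r['amount']} is a multiple of {step}")
            for r in ledger if r["amount"] >= floor and r["amount"] % step == 0]


def flag_unapproved_payees(ledger, vendor_master):
    """Payments to anyone not in the vendor master."""
    return [(r["id"], "unapproved_payee", r["payee"])
            for r in ledger if r["payee"] not in vendor_master]


def flag_duplicate_invoices(ledger):
    """Same payee, invoice number and amount posted more than once."""
    seen, flags = {}, []
    for r in ledger:
        if not r["invoice"]:
            continue  # undocumented payments are handled by flag_weak_documentation
        key = (r["payee"], r["invoice"], r["amount"])
        if key in seen:
            flags.append((r["id"], "duplicate_invoice", f"matches txn {seen[key]}"))
        else:
            seen[key] = r["id"]
    return flags


def flag_weak_documentation(ledger, vague=VAGUE_DESCRIPTIONS):
    """No invoice reference, or a description drawn from the vague-label list."""
    flags = []
    for r in ledger:
        reasons = []
        if not r["invoice"]:
            reasons.append("no invoice reference")
        if any(v in r["desc"].lower() for v in vague):
            reasons.append(f"vague description '{r['desc']}'")
        if reasons:
            flags.append((r["id"], "weak_documentation", "; ".join(reasons)))
    return flags


def flag_excess_commission(ledger, max_rate=Decimal("0.15")):
    """Commission paid as a share of the underlying sale above `max_rate` (assumed cap)."""
    flags = []
    for r in ledger:
        if r["sale"]:
            rate = r["amount"] / r["sale"]
            if rate > max_rate:
                flags.append((r["id"], "excess_commission", f"{rate * 100:.0f}% of sale value"))
    return flags


def review(ledger, vendor_master):
    """Run every test and group the hits by transaction; multi-rule hits rank highest."""
    flags = (flag_round_amounts(ledger) + flag_unapproved_payees(ledger, vendor_master)
             + flag_duplicate_invoices(ledger) + flag_weak_documentation(ledger)
             + flag_excess_commission(ledger))
    by_txn = {}
    for txn_id, rule, detail in flags:
        by_txn.setdefault(txn_id, []).append((rule, detail))
    return by_txn


if __name__ == "__main__":
    hits = review(LEDGER, APPROVED_VENDORS)
    for txn_id in sorted(hits, key=lambda t: -len(hits[t])):
        print(f"txn {txn_id}: " + "; ".join(f"{rule} ({detail})" for rule, detail in hits[txn_id]))
```

On the constructed ledger, transactions 3 and 5 trip three rules each (round amount, payee outside the vendor master, vague or missing documentation), transaction 2 trips two (round amount and a 38% commission), and transaction 4 is a straight duplicate of transaction 1. Transactions hit by two or more rules are the ones to pull source documents and approvals for first; in practice the thresholds and the vague-label list would be tuned to the business and the monitoring run against each new posting rather than as a one-off review.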
A company’s reputation is often in the hands of its third parties. Those third parties must therefore be managed and monitored through an effective compliance programme that protects this reputation and mitigates the risks identified.
- Kanupriya Jain, Director