Third-party business relationships are a key compliance concern, especially for multinational companies operating in high-risk markets. Third parties are defined as unaffiliated entities doing business with a company, for example distributors and vendors. Risks related to third parties can generally be mitigated using a robust compliance programme comprising independent background screening and stringent onboarding processes, periodic reviews and compliance training.
The pandemic and current uncertain global economic conditions have exacerbated third-party compliance risks in recent years. Travel restrictions and heightened travel-associated risks have severely limited the scope and extent of onsite reviews of third parties. This, in turn, has increased the opacity of the conduct and activities of third parties, especially in high-risk markets. Economic uncertainties have raised the risk of third-party misconduct, as some resort to questionable methods to maintain or increase their business. To rub salt into the wound, companies are increasingly scaling back travel spending and onsite review activities to help weather the economic storm.
The US Securities and Exchange Commission’s action against Oracle Corporation last year underlines third-party risks. In this case, employees of Oracle subsidiaries in India, Turkey and the United Arab Emirates used discount schemes and sham marketing reimbursement payments to create slush funds held at Oracle’s channel partners, which were then used to pay bribes and/or provide benefits to foreign officials. The matter resulted in Oracle having to pay disgorgement and civil penalties totalling approximately USD 23m.
Regulatory scrutiny of companies is likely to continue to intensify in the coming years. For example, since the US Foreign Corrupt Practices Act (FCPA) was enacted in 1977, there have been 259 FCPA corporate enforcement actions with an average value of USD 95.4m. Between 1977 and 2010, total FCPA settlements amounted to USD 3.6bn; however, from 2011 to June 2022, total FCPA settlements skyrocketed almost 490% to USD 21.2bn.
While it is difficult for remote reviews to replicate in-person interaction with representatives of third parties, companies are increasingly finding remote reviews to be an effective tool in addressing third-party compliance risks. Pre-COVID, remote reviews were generally considered less effective than onsite reviews. However, a third-party remote review programme that uses a combination of data analytics and transaction testing is – when carried out properly – an effective substitute for an onsite review. This two-pronged approach is increasingly changing opinions about the impact of remote reviews. This, in turn, is enabling companies to carry out third-party compliance review programmes more effectively and efficiently.
The Oracle case demonstrates how a combination of data analytics and transaction testing is a game-changer in remote compliance review programmes.
1. Data-driven: Data analytics aim to remove blind spots from the review process. At the beginning of a review, data is analysed to identify areas to target for further review. This has the advantage of selecting a sample from the entire population of business activity data on the basis of identified risks, rather than randomly selected samples. A compliance specialist can review the test results to help risk-rank transactions and entities to guide the next review steps. In the Oracle example, data analytics could have helped to flag the highest risk transactions, such as those with unusual pricing or exorbitant discounts compared to the rest of the transactions. Analytics will also identify changes in the diversity of distributors, irregular discretionary discounts or extraordinary sales patterns (such as channel stuffing to meet year-end sales targets).
2. Reconciliation and comparison of company data vs. data provided by the third party. This allows the reviewer to verify, to some extent, the accuracy of the third party’s data. Where discrepancies are found, these should be selected for testing. One example might be where analytics can be used to detect additional discounts incorporated outside the system, or end customer names changed in other systems. By identifying discrepancies across the dataset, we can pinpoint potentially problematic behaviour for further analysis.
3. A remote review should include a transaction testing component, in which the reviewer requests supporting documents from both the client and the third party. As in the data reconciliation, this provides some degree of comfort regarding the reliability of the third party’s supporting documentation. In the Oracle example, transaction testing could have included checking whether justifications for exceptional discounts on sales deals made sense from commercial and compliance perspectives. Likewise, testing would try to ascertain, to the extent possible, whether marketing events for which reimbursements were paid occurred as reported.
4. Background due diligence. Even though this might have been done as part of the onboarding process, a refresher as part of a remote review might provide additional clarity on the company’s activities and relationships with related parties, for example, whether the third party is known in the industry to pay kickbacks in return for business, or whether it uses intermediaries it controls to make suspicious payments.
5. Interviews conducted remotely also provide additional insight into the third party’s operations and corroborate the data reconciliation and testing work.
Notwithstanding the challenges and uncertainties of the economic environment, third-party risk continues to be a significant consideration for companies. Through a combination of data analytics and transaction testing, remote compliance reviews will become increasingly effective and efficient and prove to be a valuable tool for companies in managing third-party risks.