managing third- party anti-bribery, corruption risks and ... · kpmg's 2011 anti-bribery and...

1

KPMG Global Energy Institute

Managing Third-party Anti-bribery, Corruption Risks and Investigations in the Energy Sector

© 2013 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

0

February 14, 2013

Disclaimer

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received orguarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. Comments in this document and the related presentation are not intended, nor should they be interpreted to be, legal advice or opinion.


1

2

Welcome

Mike Schwartz

Advisory Partner

KPMG LLP (U.S.)

Administrative

CPE regulations require online participants take part in online questions.

You must respond to four questions per hour.

Questions will appear on your media player.

Results are reviewed in the aggregate; no responses will be tracked back to any individual or organization.

Do not view the presentation in slide show mode; polling questions will not appear.

To ask a question, use the “Ask a Question” icon on your media player.


3

Help Desk: 1-877-398-1471 or outside the United States at 1-954-969-3342

3

Today’s agenda

Questions and answers4

Recent enforcement actions and lessons learned regarding TPI management

2

Identifying and managing TPI risk3

Recent DOJ/SEC FCPA guidance1


4

Presenters

Mike Schwartz

Principal, Advisory Servicesp , y

KPMG LLP (U.S.)

Brent McDaniel

Director, Advisory Services

KPMG LLP (U.S.)

J h R t liff


5

John Ratcliffe

Partner

Ashcroft Law Firm, LLC

4

Recent DOJ/SEC FCPA guidanceRecent DOJ/SEC FCPA guidanceJohn Ratcliffe

PartnerAshcroft Law Firm, LLC

Attorney Client Privileged ‐‐ Confidential Information

Recent FCPA Guidance Issued on November 14, Recent FCPA Guidance Issued on November 14, 2012 2012 DOJ and SEC jointly issue 120 page “Resource Guide”

Basic Overview

Guidance does include:

Compilation of examples from actual enforcement cases, hypotheticals and commentary on existing positions and interpretation including:

Definition of “foreign official”

Successor Liability

Enumerates 10 “Hallmarks of Effective FCPA Program”

Declinations

Guidance does not:

Provide anything “new”, no new interpretations of FCPA provisions or defenses

Still ambiguous benefit or credit from self‐disclosure

Debate regarding unsettled and untested interpretations of law to continue


5

2 of the 10 Hallmarks of Effective Compliance Apply to Third Parties

Targeted Risk Assessment

“DOJ & SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk based compliance program, even if that program does not prevent an infraction in a low risk area because greater resources have been given to a higher risk area ”

Guidance on Third Party LiabilityGuidance on Third Party Liability

infraction in a low risk area because greater resources have been given to a higher risk area.

Underscores “Risk Based”, not “One‐Size Fits All”

Risk‐Based Due Diligence and Ongoing Monitoring of Third Parties

“Performing identical due diligence on all third party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks.”

U d d h lifi i d i i f i hi d Understand the qualifications and associations of its third party partners including its business reputation, and relationship

Have an understanding of the business rationale for including the third party in the transaction

Undertake some form of ongoing monitoring of third‐party relationships


DOJ and SEC reinforce that these common “red flags” will serve as the basis

for the knowledge requirement for FCPA liability for third party acts:

Excessive commissions to third party agents or consultants;

Guidance Reiterates “Constructive” Knowledge Guidance Reiterates “Constructive” Knowledge of Red Flagsof Red Flags

Excessive commissions to third‐party agents or consultants;

Unreasonably large discounts to third‐party distributors;

Third‐party “consulting agreements” that include only vaguely described services;

The third‐party consultant is in different line of business than that for which it has been engaged;

The third‐party is related to or closely associated with the foreign official;

The third‐party became part of the transaction at the express request or insistence of the foreign official;

The third‐party is merely a shell company incorporated in an offshore jurisdiction; and

The third‐party requests payment to offshore bank accounts.

Bottom line: Still no “head in the sand” defense


6

Recent enforcement actions and Recent enforcement actions and l l d di TPIl l d di TPIlessons learned regarding TPI lessons learned regarding TPI

managementmanagement

John RatcliffePartner

Ashcroft Law Firm, LLC


U.S. v. Bourke: Business Partner (“Pirate of Prague”)

United Industrial Corp.: Agent (retired Egyptian Air Force general)

Alcatel‐Lucent: Consultant

Maxwell Technologies: Chinese agent

Recent enforcement actionsRecent enforcement actions

InVision Technologies, Inc.: Distributor

Data Systems & Solutions LLC: Subcontractor

Tyco Valves & Controls: Local sponsor


7

Lessons LearnedLessons Learned

Lesson 1

No matter the sales model…

Employee based sales force

Distributor models with discounts Distributor models with discounts

Commission based agents

…there is a bribery scheme that places you at risk

Lesson 2

You get three bites at Third Party Liability

Prevent it


Detect it

Remedy it

Knowledge check #1

How does your organization identify local representatives in overseas markets:

A Word of mouth from others in the market

B Recommendations from third parties

C

D

Independent research

All of the above


13

8

Id tif i d iIdentifying and managing TPI riskBrent McDaniel

Director

KPMG LLP (U.S.)

Setting the context

KPMG's 2011 Anti-bribery and Corruption Survey

Total respondents: 214 (United States and United Kingdom

Top three anti-bribery and anti-corruption risk areas:

1. Auditing third-party compliance

2. Due diligence on foreign agents/third parties

3. Variations with regard to country requirements and local laws (e.g., facilitation payments)


15

“Extensive preretention due diligence requirements pertaining to, as well as postretention oversight of, all agents and business partners, including the maintenance of complete due diligence records at the company …”

– FCPA Review Opinion Procedure Release No. 04-2 (July 12, 2004)

9

Setting the context

“73 percent of respondents found performing effective due diligence on foreign TPIs challenging or very challenging.”

KPMG Anti-Bribery and Corruption Survey 2011

How do you define a TPI in your organization?

How do you identify which TPIs should be included in due diligence procedures?

How do you determine the relative risk of each TPI?

How do you determine what level of due diligence to perform on each TPI?

How do you implement a comprehensive TPI management process?


16

Knowledge check #2

During which stage does your organization perform risk assessments on third-party intermediaries in the normal course of business?

A Proactive M&A due diligence

B Retrospectively (e.g., after on-boarding a third party;, a joint venture/business partner)

C Occasionally as required (e.g., when areas of concern or certain risks come to light )

D Almost never


17

10

What is a TPI?

Regulatory definitions

“…any officer, director, employee, or agent…”

§ 78dd-1 (a) Foreign Corrupt Practices Act

“The FCPA prohibits corrupt payments through intermediaries. It is unlawful to make a payment to a third party, while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. The term ‘knowing’ includes conscious disregard and deliberate ignorance.”

The laypersons guide to the FCPA, U.S. Department of Justice


19

“A relevant commercial organisation (“C”) is guilty of an offence under this section if a person (“A”) associated with C bribes another person…”

“…a person (“A”) is associated with C if (disregarding any bribe under consideration) A is a person who performs services for or on behalf of C.”

Sections 7(1) and 8(1) Bribery Act 2010

11

Broad range of potential TPIs

Purchasing Agents

Regulatory Affairs

ConsultantsTravel and Joint Local

Distributors

Resellers WholesalersFreight

ForwardersCustoms Agents

Lobbyists

Product Registration

Agents

Health & Safety

ExpenseVendors

Venture Partners

Local Sponsors

Landlords


20

Sales Agents

Brokers

Shippers

Licensees

yConsultants

PromotionalConsultants

Better model for third-party management – Identification

TPI Population

Identification of Covered

TPI

Risk Ranking/S i

Due Diligence

Review Follow-up

Technology Enablement and Integration

Obtaining a complete population of third parties

Aggregation, normalization, and de-duplication of data sets:

Vendor master files:

– Consultants, lobbyists, agents, brokers, customs vendors, etc.

Customer master files:

– Distributors, resellers, etc.

Agent/distributor listing

B k fil

Customer Master

Vendor Master

Broker Files

PopulationTPIs Scoring

Diligence


21

Broker files

Distribution records

Joint venture and local sponsorship agreements

Lease agreementsAgent Listing

Distributor Listing

12

Better model for third-party management – Identification (continued)

TPI Population


TPI

Risk Ranking/S i

Due Diligence

Review Follow-up


Agents

Suppliers

Customers


Diligence

Use of data analytics to define population of covered TPIs

Application of risk criteria:

Vendor service code

Vendor industry category

Name

Expense category

Application of Filters and Grouping:

B i it ibilit


22

Covered TPIs

Business unit responsibility

Geographic

Knowledge check #3

Does your organization have a customized definition of a TPI?

A Yes, the definition is based on our business and operational understanding of the services our vendors provide to us.

B Yes, the definition was provided by external counsel/consultant.

C No, there is no definition but we historically do include certain types of vendor in our due diligence program.

D No, we do not have a customized definition.


23

13

Risk ranking and due diligence of covered TPIs

Better model for third-party management – Risk ranking and due diligence

TPI Population


TPI

Risk Ranking/S i

Due Diligence

Review Follow-up



Diligence

Risk Ranking and/or Scoring

Risks are specific to each client and are agreed in advance with management and legal

Approach is tailored to client based on responses from management and operations

Maximizes compliance resources by focusing on higher risk TPIs

Structured, documented and capable of being articulated in compliance program

Medium Priority/Risk

Low Priority

High Priority/Risk


25

Low Priority

Low Priority/Low Risk

14

Better model for third-party management

TPI Population


TPI

Risk Ranking/S i

Due Diligence

Review Follow-up


Review of compliance information can be facilitated by:

Simple and clear report

Single aggregated report

Central Repository for Due Diligence Information and Follow-up

System for retaining current and historic due diligence information

The information collected as part of the TPI management process can be used for:

Compliance decisions

Business decisions

Vendor management

Exclusion/debarment of certain vendors.


Diligence


26

diligence information

Disseminated and available to decision makers, compliance, and legal

Audit trail of requests, responses, and follow-up

Knowledge check #4

What is your typical time frame to assess your service providers, business partners, and other third-party intermediaries?

A One week to 10 days.

B More than two weeks.

C Up to a month or longer.

D We have no uniform time frame.


27

15

Technology enablement of TPI management

Better model for third-party management

TPI Population


TPI

Risk Ranking/S i

Due Diligence

Review Follow-up


Due Diligence tools enable the automation of the management, measurement, remediation and reporting of FCPA controls and risks in accordance with regulations, policies, and business decisions:

Automate FCPA processes, business rules, and controls

Identify and assess TPI risks

Manage Red Flag triggers and resolutions

Enables end-to-end visibility through real-time reporting and configurable dashboard capabilities

Facilitates central storage of TPI questionnaires, Corporate Intelligence Reports, Contracts, Significant C d t


Diligence


29

Correspondence, etc.

Enable role-based actions, notifications, and dashboards

Integrate to procurement, training, and third-party databases (D&B, WorldCheck, etc…)

Support audit activities based on identified areas of risk

Facilitates TPI research on historical data

Enables annual or configured periodic Due Diligence renewals

16

FCPA technology elements

Extract global TPI list – i.e. ERP or Procurement systems Import and analyze data source (s) Identify Third Party Intermediaries (TPIs) categories in

scope for due diligence Identify and extract full population of TPIs in scope

TPI Scope ManagementCategories of TPI

FCPA Technology Elements

Initiate Due Diligence process for individual TPIs and conduct qualitative and quantitative analysis: Business Justification, TPI Questionnaire, FMV Assessment

Identify red flags and TPI risk rating – triggers escalation and additional reviews

Determine necessity of corporate intelligence reports. Retain TPI for on-boarding or Not-Retain TPI and capture

assessment data.

Risk & Due Diligence Management

Capture training data and confirmation of completion

Capture contract related information – i.e. contract type, contract start and end dates, contract reference code (s)

Build business rules for notification of contract expiration or renewal

Training & Contract Management


30

Generate reports to capture TPI status: Retained, Not Retained, In Progress, etc…

Break-out reports by Region, TPI Category, etc… Generate reports for TPIs that are due for renewal Build dashboards to provide real-time data on TPIs, and

accommodate various user roles: business sponsors, regional, compliance officer, regional business & compliance

Reporting Management

Integrate with enterprise systems and applications for downstream or upstream data requirements – – i.e. ERP or Procurement systems

Integrate with third party vendors to capture background check data – i.e. WorldCheck, D&B

TPI Scope Enterprise Integration

Business Representative (BR) logins into TPI DD

Tool

TPI due diligence process – Sample workflow

BR Initiates New DD Process

TPI completes DD Questionnaire

BR completes DD Questionnaire

Manage Contract and DD Training

1. TPI Qualification Process

The TPI qualification process is tracked and managed within the TPI DD tool.

Identifies and Reviews Red Flags

Regional Business and Compliance Leader Reviews

Red Flags

Route Red Flags for Corporate Intelligence Risk

Assessment

Final Report Review, Approve/Deny TPI

On boarding

DD Survey may include the following sections:

Business justification

FMV assessments

Government connections

Selection criteria

Sub-TPI due diligence

Background check

Annual certification

Renewal – 3 years

Etc.


31

2. TPI Profile Review – Red Flag ID

Red Flag criteria/scoring rules are designated within the TPI DD tool, and are automatically flagged to the Compliance Officer and Regional and Compliance Leaders.

3. TPI Risk Assessment

Request is triggered to conduct corporate intelligence gathering to validate self-reported info and assist with assessment of red flags.

4. TPI DD Resolution

Acceptance or Denial of TPIon-boarding.

gRed Flags Assessment On-boarding

17

Knowledge check #5

What is your organization’s biggest challenge regarding third-party intermediaries?

A Identifying the total population of third-party intermediaries

B Determining which third-party intermediaries should undergo some level of due diligence

C Assessing the relative risk of each third-party intermediary

D Determining the appropriate level of due diligence for each third-party intermediary


32

Questions and answers


33

18

Contact us

Name E-Mail Phone

Mike Schwartz [email protected] 713-319- 2258

Brent McDaniel [email protected] 713-319-2313

John Ratcliffe [email protected] 214-871-2244


34

Closing remarks

Thank you for joining us.

Please send any questions to [email protected].

For more information,

visit the KPMG Global Energy Institute at www.kpmgglobalenergyinstitute.com.

Save the date!

2013 KPMG Global Energy Conference, May 22 – 23, 2013 in Houston, TX

www.kpmgglobalenergyconference.com


35

managing third- party anti-bribery, corruption risks and ... · kpmg's 2011 anti-bribery and...

Documents