When compliance programs go wrong…
Proprietary and Confidential. These slides have been prepared for general information purposes only and do not constitute legal or other professional advice
1 Best Practices in corporate compliance ◼ Kevin Braine
AICP Conference – Isle of Man
March 26, 2019
When Compliance programs go wrong…
Agenda
1. Introduction
2. The trap of “one-size-fits all”
3. If it is not auditable, did it actually happen?
4. When ambition gets you in trouble
5. Keeping up with the regulators
6. The most important thing – is what happens next
7. Questions
Global Multi-Disciplinary Risk Management
Over 3,500 employees in more than 70 offices in 28 countries

Compliance, Risk and Diligence
▪ Sanctions Screening and Monitoring
▪ Public Records and Enhanced Due Diligence
▪ Remediation and Special Research Projects
▪ Kroll Compliance Portal - 3rd Party Management Platform
▪ AML and ABAC Consulting – program design, reviews, and training

Investigations
▪ Investigations
  o Fraud & Internal
  o Financial
  o Regulatory
▪ Business Intelligence
  o Market Entry
  o Competitive Intelligence
▪ Investigative Due Diligence
▪ Forensic Accounting
▪ Asset Searches & Recovery
▪ Litigation & Disputes

Cyber Security
▪ Security and Risk Assessment
▪ Policy Review and Design
▪ Penetration Testing
▪ Vulnerability Scanning
▪ Third Party Reviews
▪ Computer Forensics
▪ Data Breach
  o Incident Response
  o Notification
  o Remediation

Security Risk Management
▪ Security
▪ Operational Security Services
▪ Security Design and Engineering
▪ Resilience Consulting
Kroll’s Risk-Based Approach to Due Diligence - fixed cost reports

First View: “The basics you should know”
• A low cost, high volume screening and monitoring solution available through the Kroll Compliance Portal
• One-time screens for sanctions, watch list and enforcements, politically exposed persons (PEPs), state-owned enterprises (SOEs) and profile-based adverse media, ongoing monitoring to ensure visibility into any new risk events.
• Option to outsource false positive review and resolution to Kroll’s risk and compliance analysts

Red Flag Review: “What is in the media”
• A red flag review for summarizing potential compliance and reputational risks
• Adverse media and internet research performed by research analysts in English and local professional language
• Review of compliance and watch list databases
• Narrative presentation of findings

Public Record Review: “What is in the public domain”
• Analyst-driven, detailed review of certain online public records to identify potential adverse and noteworthy information relating to corruption, money laundering, fraud, or other illicit or unethical behavior
• Includes corporate registration, individual corporate affiliations, regulatory, litigation, US higher education claims, and global compliance, sanctions, and watch list checks

Reputational Review: “What on-the-ground sources are saying”
• Enhanced due diligence with in-country source inquiries for insight into a subject’s reputation
• Public record review plus targeted local human intelligence to validate the risks identified during public record research, assess reputation, as well as to provide additional services such as site visits

Investigative Due Diligence: “A consultative, investigative approach”
• A consultative approach to due diligence tailored to each client, based on their specific needs
• A customized review and analysis of public records and inquiries of human sources.
January 2019 | Duff & Phelps | Private & Confidential
The traps of “one-size” fits all
Aim for holistic risk-based assessments NOT rigid rules
The trap of “one-size” fits all
Cooking the books
If you cannot demonstrate it to a regulator
Did it happen at all?
Compliance activity must be:
▪ Documented
▪ Easily accessible
▪ Secure
▪ Auditable
▪ At your fingertips at all times
Your programme is only as good as its weakest link
Ensure your rules are applied consistently
Your programme is only as good as its weakest link
Apply your processes and controls consistently
Relying on third party’s due diligence
And you could end up dealing with the DEA’s most wanted
Political Exposure is a risk indicator
But do not neglect conflicts of interest
Make sure your programme is workable
Compliance policies ambitious but not implemented
Programme must be live and dynamic
“Keeping it fresh”
Keeping up with Regulatory Obligations
Keep up domestic and international
Implementing a risk-based approach
Having the right risk assessment in place

▪ High risk situations only
▪ Led by senior leadership
▪ Extensive ad hoc due diligence
▪ Targeted research to address a specific concern

▪ Routine checks on large numbers of third parties
▪ Led by in-house compliance team
▪ Volume driven cost pressures
▪ Focussed solely on regulatory risk

▪ Risk-based screening of all counter parties
▪ Involvement of all internal stakeholders
▪ Increased use of technology
▪ Holistic risk review including reputational risks

To detect: Financial Crimes, Sanctions, Political Exposure, Bribery, Corruption
But also: reputational risk, payment risks, business continuity risks
And lastly…
Ensure you have an efficient escalation process when something comes up
Key challenges
How to make a compliance programme work
▪ Make the most of limited resources
▪ Identify and focus on the highest risks
▪ Get buy-in from your commercial teams
▪ Learn from the financial services industry
▪ Place more emphasis on suppliers to demonstrate compliance
And ensure that your programme is:
▪ Consistently applied throughout all group companies
▪ Not so ambitious that it causes business disruptions
▪ Easily auditable
Kroll Compliance Risk & Diligence Solutions
A cost-effective, high-quality, and structured approach to background checks
Since 1972 Kroll has helped to shape the compliance industry, building a wealth of in-house expertise and resource in the process of helping clients with their wide array of due diligence requirements. The resulting ability to find and contextualise nuanced (often sensitive) information enables our clients to make more informed business decisions on the basis of truly independent research in virtually any market, jurisdiction or language.
Kroll’s screening and due diligence solutions can help our clients to plan and execute a consistent risk-based approach to a broad range of business needs in line with regulatory principles, including:
▪ Anti-Money Laundering (AML), Know Your Customer (KYC), USA PATRIOT Act, Foreign Corrupt Practices Act (FCPA), UK Bribery Act, Financial Action Task Force (FATF) recommendations, and more
▪ Identifying and mitigating third party and transactional risks, including business and reputational risks
▪ Screening existing and potential joint ventures
▪ Screening against sanctions and government watch lists
▪ Assessing reputation through review of public records and local source inquiries
▪ Board appointments and pre-IPO due diligence
▪ Conducting market entry or deep dive investigative research in support of new and significant projects
A Risk-Based Approach to Due Diligence
Depending on your requirements, Kroll can provide both automated and human-led approaches to conducting Enhanced Due Diligence
A Risk-Based Approach to Due Diligence
Tailored to your needs
Standard Enhanced Due Diligence
Kroll’s standard Enhanced Due Diligence offerings seek to address the most common needs of risk and compliance professionals, at a fixed cost, timeframe and methodology; however, as with all Kroll Compliance reports, we can expand and tailor the scope of this research to meet your organisation’s specific requirements.
Investigative Due Diligence
Kroll is world-renowned for delivering investigative due diligence for situations where clients need an iterative, consultative, and more tailored answer to their more complex due diligence needs.
In those situations, Kroll will devise an investigative plan specifically designed to drill down to those risk areas most relevant for your unique situation and needs.
Kroll provides answers to questions that financial and legal analyses cannot address, especially regarding integrity issues and the reputations and backgrounds of counterparties.
An approach to Third Party Risk Management
IDENTIFICATION
- All types of third parties
- Sort and categorize
. nature of services, domiciled countries, business value, business relationships
- Risk nature already identified
RISK-BASED CATEGORIZATION
- Define third party categorization
- Initial data gathering
. Questionnaires
. Nature, scope, geography
. Business data
- Criteria for risk scoring
DUE DILIGENCE
Define granularity in due diligence
LOW - LEVEL 1:
. First view screening
. Red Flag review
MEDIUM - LEVEL 2:
. Public Record review
. Reputational review
HIGH - LEVEL 3:
. Investigative due diligence
MONITOR & CONTROL
- Train operational people for:
. onboarding new third parties
. appropriate level of due diligence
- Monitor high risk third parties
- Recurrent review and approval
- Initiate random controls and audits
The Kroll Compliance Portal
The flexible online third-party relationship management platform
▪ Automated questionnaires. Collect and store the information you need from third parties and quickly process high volumes.
▪ Risk scoring. Generate scores based on your risk appetite and trigger actions accordingly.
▪ Screening, monitoring, and due diligence. Automatically screen, monitor and conduct additional levels of due diligence based on perceived risk.
▪ End-to-end digital management. Increase the consistency and efficiency of intake and review processes by extending portal functions to colleagues beyond the compliance team.
▪ Reduced False-positives. Kroll analysts will review false-positive results of initial screens to deliver only the information that matters to you.
▪ Tracking and auditing. Powerful reporting and audit capabilities.
Apply consistent business-wide on-boarding and monitoring processes in line with your
company policy and board’s risk appetite. Organise and store all third-party information in one
central and secure location.
The Kroll Portal
Efficiently manage, mitigate, and monitor third party risks
As third party management and anti-bribery and corruption regulations grow increasingly complex,
the Kroll Compliance Portal provides you with capabilities designed to bring efficiency and
consistency to third party compliance programs, including:
An easy-to-use, web-based platform that brings efficiency and consistency to the challenge of third party compliance risk management
The Kroll Portal
First View Screening & Monitoring
First View Monitoring enhances your ethics and compliance processes with ongoing, real-time third-party risk event tracking.
Powered by LexisNexis® WorldCompliance™ and Dun & Bradstreet to provide you with access to the most robust screening data on the market
Access the most comprehensive and current database of sanctions, enforcements, PEPs, state-owned or controlled enterprises, and adverse media content.
Keep your third-party profiles up-to-date.
All the time.
The Kroll Portal
First View Screening & Monitoring
First View Monitoring with embedded databases allows initial screening for select combinations of Sanctions, Enforcements, Political Exposure, State Owned Entities, and Adverse Media against:
▪ more than 2.5 million risk entities from over 240 countries and territories;
▪ 50+ risk categories including terrorism, narcotics, money laundering, fraud, tax evasion, collateral crimes and PEP law,…;
▪ over 30,000 sources monitored in over 50 native languages.
Access to the most robust screening data on
the market & comprehensive risk categories
The Kroll Portal
Third-Party Questionnaires
▪ Use the questionnaire module to collect information from your third parties, disseminate
company policies and procedures, and capture certifications.
▪ Speed up onboarding processes by reducing response times through automation, tracking and
local language capabilities.
▪ The questionnaire module includes:
▪ customised questionnaires and risk scoring models tailored to each client
▪ multiple questionnaires to address different third-party processes or risk scenarios
▪ sending of questionnaires in the third-party’s language of choice
▪ effortless tracking of questionnaire status and automated reminder emails
▪ automated, risk-based scoring of responses to help you align due diligence with risk
▪ re-certifications on an annual basis
The Kroll Portal
Third-Party Questionnaires
Effective third-party compliance programs include
systematic processes to collect information from
third parties on a periodic basis
I. Risk Scoring
II. e-Sign-off
The Kroll Portal
Due Diligence Report – Central Repository
Access Kroll’s spectrum of market-leading due
diligence reports and communicate directly with our
research experts
I. Tailored search specs
II. Interact with our Research Team
The Kroll Portal
Automate your unique compliance process – custom workflows
▪ Our automated, step-by-step workflows
connect our screening, questionnaire and
due diligence report ordering modules
together – all inside the Portal.
▪ Enable globally consistent decision-making
on whether or not to do business with a third
party.
▪ Automate your third-party compliance
processes to accelerate onboarding of new
third parties.
▪ Easily design onboarding
Customise your complete compliance process,
leveraging preset templates or by building your own
[Workflow diagram labels: Workflow, Decisions, Identification, Questionnaire, Due Diligence, Monitor, Profiles]
The Kroll Portal
Automate your unique compliance process - custom workflows
1. Easily design onboarding, recertification, and other due diligence workflows using drag-and-drop technology that brings your process to life
2. Track activity and third party profile progress with a visual display of your workflow
3. Manage internal approvals and hand-offs automatically
4. Standardize your workflow automation according to your unique business rules
5. Customize your complete compliance process leveraging preset templates or by building your own
The Kroll Portal
Automate your unique compliance process - custom workflows
Benefits of custom workflows
▪ Ensure staff in various internal functions and physical locations are aware of and follow established screening standards
▪ Save time and reduce human error with this controlled and automated approach
▪ Increase transparency into your workflow with tracking and reporting tools
▪ Improve efficiency leveraging the insights gained from automation and tracking
▪ Tailor your approach by creating scenario-dependent workflows
The Kroll Portal Difference
Leveraging our expertise, global reach, and technology to deliver deeper, more refined, and more
contextual information that results in better decision-making.
– Manage your entire program with Kroll’s Compliance Portal, designed to address your specific workflow needs, from screening and monitoring to governance, due diligence, and compliance.
– Take a risk-based approach to your program through Kroll’s full spectrum of screening and due diligence which provide escalating levels of research, from first view screening to investigative due diligence.
– Gain unique insight and efficiency from Kroll’s global presence and regional expertise, including fluency in over 35 languages as well as our proprietary research tools.
– Enhance the design, set-up, and implementation of your compliance program by partnering with our expert consultants.
For further information please contact:
Tom Hollobone
Associate Managing Director
Compliance Risk and Diligence, EMEA
T +44 (0) 207 029 5159
M +44 (0) 7500 447231
Dominic Lynch
Director
Compliance, Risk & Diligence, EMEA
T +44 (0) 207 029 5031
M +44 (0) 79 202 32 987
www.kroll.com