Know your third party and the importance of evaluating transparency
The term “third party” is frequently used to describe individuals or organisations who may act as agents, intermediaries, distributors or potentially suppliers for a business. Third parties are most frequently involved in locations where a business has limited (or no) presence and can fulfil an important role in establishing a new market.
However, third parties are often regarded as higher risk because they are external to an organisation and the third party may be operating in territories that are unfamiliar to the organisation. As a result, they have become a key focus of attention under the US Foreign Corrupt Practices Act, the UK Bribery Act, and similar international anti-corruption legislation.
Many organisations have taken steps to mitigate their bribery and corruption risk using a risk-based approach. This approach recognises that only a minority of third parties genuinely introduce bribery and corruption risk through association, and it is these third parties that warrant closer attention. A thorough understanding of the background and reputation of third parties is an effective anti-bribery and corruption measure, and it can also address associated risks such as fraud risk or wider commercial risks.
A widely used approach to anti-bribery and corruption programmes involves an assessment of country and industry risks, much in the same way as measures used by financial institutions to counter money laundering risks (itself a consequence of acts such as bribery and corruption). Transparency International’s Corruption Perceptions Index is routinely used to gauge relative corruption risks across countries and, although arguably imperfect, it remains the leading index, given its consistent methodology. An evaluation of industry risk may involve consideration of which industry sector the third party operates in, and whether that industry sector tends to involve higher levels of corruption. As an obvious example, customs clearance agents are commonly classed as high risk, whereas the local florist is unlikely to warrant the same level of scrutiny. Other factors, such as the length of the existing relationship and whether there are any known existing risk factors (such as an agent having ties to a government official), may also determine the final risk assessment of a third party, in conjunction with country and industry risks. It is also common practice to screen third parties against relevant economic sanctions lists and commercially-available lists of Politically Exposed Persons.
Assuming your business can identify all of its third parties – which may be a complex task in its own right if records are not centralised or held electronically – an initial risk classification can be completed. Commonly, three – or possibly four – levels of risk rating may apply: low, medium, high and, potentially, extreme. A further, enhanced level of due diligence should then apply to higher risk third parties to gain comfort that they are bona fide. Many organisations sensibly insist that their third parties (particularly high risk third parties) complete a questionnaire to provide information about their background, experience and qualifications to act, as well as providing a declaration that they have not engaged in illegal activities, such as bribery and corruption, and will not do so in the future. At this point, and assuming that the third party duly completes and returns a questionnaire, it is appropriate to assess it against a small number of criteria that, if not adequately answered, may be a cause for concern. These issues all broadly relate to the overall transparency of the third party:
- Does the third party use corporate e-mail accounts? If the third party is using personal e-mail, it is important to understand the reason for this. Is it because they are a sole trader or a small operator? If this is the case, would you be contemplating using them for a large transaction and, if so, why?
- Does the third party use landline telephone numbers that can be verified back to telephone subscriber databases, or do they only supply mobile telephone numbers? It is possible there is a legitimate reason for using mobile telephone numbers only, but it is helpful to understand why.
- Does the third party have a verifiable online presence? Most businesses now have some level of online presence, through a website and/or social media. After all, it is natural for a genuine business to promote its services this way. Further questions should be raised if the business does not have an online presence, or the online presence is largely superficial with a general absence of contact details. Equally, be alert to situations where a website or online presence has only recently been created, and yet the third party claims to have traded for years.
- Has the third party changed its name frequently? Name changes may be entirely legitimate, but frequent changes of name without any obvious underlying purpose could be a cause for concern. Equally, do not overlook apparently minor contradictions such as “mistakes” in key dates, as these can mask more serious issues of concern.
- Where is the third party located? If they are using a residential address, a PO Box or an address linked to a high-volume incorporation agent, it is prudent to be a bit wary. It might be necessary to visit a site in person to establish that the business is in fact located there and has an established physical presence.
- If the third party is a legal entity, where is it incorporated? Lower-disclosure jurisdictions have attracted significant attention recently due to the fact they are often used to disguise illegal activity. There may be a genuine reason to use a low-disclosure jurisdiction – for example, the corporate registration procedures in the relevant onshore jurisdiction may be poorly developed – but the rationale for locating somewhere other than the place of business should be clearly understood.
- Are the executives and beneficial owners clearly identifiable? Executives should not be confused with nominees, who in certain jurisdictions are noted as officers of the company but have no legal obligation towards it. Likewise, the beneficial owners are not necessarily those noted on corporate documentation, who may merely be subscribers. In more extreme cases, it has been known for fraudsters to substitute names of individuals who have sold their identity details, or had their identities stolen, in place of the actual owners. The executives and owners should have a verifiable track record in their industry and it should be possible to associate them with the organisation based on their past experience.
- Does the third party have a demonstrable track record in the relevant industry sector(s) – for example, a track record of having acted for other reputable organisations? If not, or if the third party is newly-incorporated, further questions ought to be raised, and answered.
This list is not exhaustive and, for the highest risk third parties, further measures – such as gaining a thorough understanding of the way they conduct business, either through overt or covert enquiries – may also be necessary. However, some basic initial steps, such as those set out above, to assess the level of transparency will assist one in gaining a higher level of comfort that the third party is at least who they claim to be, and is not an obvious cause for concern.