Panama and Unaoil confirm demise of tick-the-box compliance

BY SCOTT LANE, Executive Chairman, The Red Flag Group

Companies use business partners all over the world. It is generally understood that some business partners pose different risks from others, and therefore the initial reviews of their backgrounds may vary. This variation is often assessed based on ‘risk’ and is known as a ‘risk based approach’. The two recent global stories around the Panama Papers and Unaoil highlight some of the gaps in conducting due diligence on business partners.

The Red Flag Group has no doubt at all that some companies mentioned did not conduct due diligence on Unaoil, or treated it as lower risk because it was located in Monaco and somehow managed to fall out of the due diligence process. Companies often use the location of the subject third party as their first indicator to determine whether due diligence (of any kind) is ‘justified’ or necessary. In the view of The Red Flag Group, there is a fair chance that this caused several companies to not conduct due diligence on Unaoil.

There is no doubt that there are places in the world that might present higher risks of, say, corruption than others – for example, in those countries where government is closely linked to business, where state owned entities are at the heart of every deal, or where there has been a history of revolving doors involving government officials entering into business fields. Similarly, there are certainly places in the world that might give rise to a higher risk of sanctions, particularly given that most sanctions are on countries and around the export of certain products. It is not difficult to work out the countries (i.e. Sudan, North Korea and, to an ever-decreasing degree, Iran and Cuba) and the sorts of products that are subject to export and import restrictions (weapons, chemicals etc.).

What is interesting, however, is the growing focus on the part of compliance and business teams to regard the country of registration (of the proposed third party) as their initial cull mechanism to determine whether to proceed with due diligence or dispense with it entirely. The ‘country’ risk occasionally extends to countries where the company actually ‘does’ business, and not just its place of registration. But, due to the complexity associated with multiple answers and trying to automatically apply a risk score to those answers, many companies resort back to one answer around place of registration. The Red Flag Group often sees companies consistently applying a country ‘slice’ to due diligence requests and using that factor to determine whether to conduct due diligence.

To make matters even more interesting, companies then use a perceived list of corruption ridden countries on which to make that risk determination. If it appears lower risk on Transparency International’s Corruption Perceptions Index (CPI), then many companies somehow give a subject company a ‘pass’ to proceed with minimal or no due diligence. But using country as a sole initial factor for sorting through a list of subjects for due diligence has some serious challenges.

Classifying a country as high risk is too simplistic. The Red Flag Group has worked on over 100,000 due diligence cases over 10 years, and the largest country risk we find for fraud is actually by far the United States. We find greater risk of collusion, price fixing, theft, fraudulent invoicing, intellectual property infringements, commercial corruption, fake invoices, and conflicts of interest in the United States than in almost any other country. Yet, most companies wouldn’t even dream of doing due diligence on their United States-based partners. Go figure.

The fact that a country is high risk in one risk area shouldn’t somehow rate that third party as high risk overall. It is only high risk if the risks that are inherent in that country and the risk of what the third party is doing for you actually overlap. It is too simplistic to rate a country as high risk and then apply it across the board.

If your company is engaging a company in India (a high risk country for corruption) to provide domestic delivery services, then it is probably a low risk for corruption despite being in India. However, if the company is providing cross border and importation through customs, then it would naturally be high risk in India (because of the previously classified high risk for corruption). To use another example, if the third party is in India but you are using it to develop software, why would that third party be declared high risk just because India has been declared high risk for corruption? As set out below, there are many other factors that might declare this company as high risk, but corruption is not one of them.

Most indexes assess only one risk. While important, corruption risks are only one risk. Testing a third party for its integrity should be against more risk areas than just corruption. So, applying a list of corrupt countries to its place of registration might actually give it a ‘pass’, yet for other risk areas the country is a very high risk. Take Monaco or Panama, for example … both very topical sources of discussion. The Red Flag Group looks at 23 different risk areas and suggests that clients ask themselves this question: ‘what can that third party do to hurt us?’ While corruption is important, it is nowhere near the only risk that should be considered. Take our example above: if you are having an Indian service provider build some software for you, you should be more worried about code quality, incorrect use of open source licences, embedded IP rights from third parties, and just general sloppiness in design and user interface, than about whether the company bribed someone to get power connected to its building.

Country risk should be based on your company, not an NGO guidepost. While applying a country risk seems to be part of the fabric of the compliance officer’s process, it is recommended that this be based on negative and also positive things that are actually relevant to your company. If, for example, there is a set of countries in which your company is growing and really investing heavily, then you might want to make sure that those business partners in that country are great, rather than focus on the countries that represent less than one percent of revenue. Of course, all the lawyers will say ‘yes, but that ‘one percent’ country could still give rise to a corruption issue that could lead to significant fines’. The legal team can keep arguing that as the business marches them out of the door for being uncommercial and out of touch with the reality of business. The ‘risk’ of a country should be considered based on business factors … growth, investment, legal and integrity risks of doing business in that country and industry, and, most importantly, the type of business being done by the third party. If you are a retailer and only sell to consumers and have minimal connections with government, then why should you rate a country low on the CPI (which suggests it is highly corrupt) as a high risk for your business?

If you are going to use country as a risk factor, then make sure it is one of 10 factors and is weighted accordingly. If you are going to use country as a risk factor, then it should be one of many risk factors, the most important being what the third party is actually doing for your business. While some of this can be coded into algorithms and risk scoring, a good part of it requires some brains to think about the risks and to weigh up just how likely they are to actually occur as part of your engagement. While a risk engine in onboarding software can go some way towards this assessment, it requires much more thought.

Country risk is just about priority setting. If the argument is that you really use the country risk as a factor, but it is more of a guide as to where to prioritise due diligence initiatives, then fair enough. Rolling out a programme based on certain countries is natural, practical and makes a whole lot of sense, provided that the countries have been chosen intelligently based on business objectives.
