In cybersecurity the received wisdom is that the weakest link in the chain will often be a third party. But with high-profile corruption allegations in the world of finance and beyond, how do Fortune Global 1000 companies with complex global footprints ensure that not only they but their third parties comply with anti-bribery and corruption laws?
Global supply chains are by nature a tangled web, and even a household-name business that publicly conducts extensive corporate and social responsibility audits might not be aware of all the third-party businesses it trades with.
"I think any of the stats you'll find online will say that according to the OECD, 75 percent of all corruption and enforcement actions stem from third parties," says Lee Kirschbaum, SVP of product, marketing and alliances at compliance and risk SaaS vendor Opus. "If you look at the number of third parties a company will manage, it will be – call it on average 1,000 third parties. But you'll see if they call out their vendor population in there, it may be up to 25,000 to 50,000 vendors and third parties.
"That keeps growing. We don't see that shrinking as the web of who you work with and what you do expands: we have seen growth of 25 percent a year."
Opus essentially exists as a merger of information and workflow business Alacra and third-party management Software as a Service (SaaS) business Hiperos.
It counts major, household-name financial institutions in the US and UK as customers, and also has a large customer base in life sciences and pharmaceuticals. The business pitches itself as a positive spin on compliance and risk: by automating processes that are often viewed as a burden, it argues, a company is freed to focus on its actual core business.
It offers an off-the-shelf anti-bribery and corruption (ABAC) SaaS product – Hiperos 3pm – that aims to collate all of a firm's third parties and segment them by risk, set against the firm's own information.
The company also makes use of third-party databases including from Thomson Reuters, C6, and Dow Jones, and then pulls this into a central platform for monitoring, audits, contract provisions and due diligence, with many of these processes automated. Opus also supports Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.
With some extremely high-profile laundering and bribery scandals in the news over the past few years, both ABAC and AML are markets that are unlikely to wither any time soon.
"I think enforcement actions will show that 2016 was the peak of the years but 2017 wasn't a slouch – if you look at any numbers in the US, enforcement actions in '17 were pretty much on-par with the last 10 years.
"If you look at the global footprint view, you continue to see cooperation across multiple jurisdictions, you see new regulations coming up in different markets – the ABAC risk is continuing to go up."
"We are finding with ABAC – and with information security overall – just gathering the data sets, 'who am I working with', is becoming next to impossible."
Finding the Nth Party
Kirschbaum explains that the first port of call is figuring out a business's third parties overall. But Nth parties – i.e. the third-party vendors that your own third parties might use – complicate things further.
"Companies right now are setting up business relationships globally," he says. "Let's say you have a guy in a region who gets put somewhere, then all of a sudden you have 10 systems and you can't quite figure out who it is you're really working with as a company.
"The Nth party: there's no real, good automated technology out there that can tell you who all the Nth parties are. So the way we think about it typically is, number one: you ask a question via questionnaire out to your third party, and then number two, the best way we've seen right now, is contractual provision, giving you audit rights and the ability to actually dive deeper into who those Nth parties truly are."
One of the core reasons for that, according to Kirschbaum, is the emergence of shadow organisations: shadow IT, for example, where somebody in marketing might create a relationship with a marketing automation provider that gets set up separately from IT.
"So the majority of our clients have wrestled with: 'who am I doing business with?' and that's a big question."
Head on over to our slideshow of a Verizon PCI DSS compliance report to see just how big a problem this can be – with, for example, one business entering into a contract with a server farm in Mexico based in an apartment bathroom.
The crypto question
What about emerging technologies like cryptocurrency – with some currencies such as bitcoin having irreversible transactions as a baked-in feature?
"I think it's an emerging technology that not enough people truly understand," Kirschbaum says. "And furthermore, what's complicating it is the ability to almost mask who's doing what. So on the one hand, blockchain overall I think is going to drive a tremendous amount of efficiencies and improvements in the market. But I do believe regulations are yet to have kept up with the emerging changes and trends.
"Certainly in bitcoin – I'm not going to speculate, but you see a lot of volatility, and the volatility represents, from my perspective, a limited transparency.
"The short answer is yes: I think it complicates anti-money laundering quite a bit, it complicates taxing, regulatory bodies are trying to figure out how to keep pace and any day you'll find news of a government stepping in... I think you've still got a few years before regulations keep pace with the changes and trends in technology."
Policy and culture
So, where are the hot areas for anti-bribery and corruption regional activity?
Kirschbaum says there are a few ways to look at it. Opus' primary client base is in the US and the UK, but it also covers a couple of regions in Asia. "Our client base activity resonates in those three core markets," he says. "But the other way is to flip it and think about where you start to see trends in enforcement action.
"So even though we may have a customer or client based in the US, they are using us for a global third-party programme. What I've seen from Foreign Corrupt Practices Act enforcement actions, from a multiple jurisdictional cooperation perspective, is you continue to see Latin America pop up quite a bit. You see China pop up quite a bit. And I think those are the big areas, from an enforcement action perspective."
There are further complications in regions where gift-giving or over-the-top hospitality might be the usual way of doing business – but might breach bribery laws in other jurisdictions. Such are the complications of global business.
There's no clear answer for fighting this issue. But setting best practices from the top as part of corporate policy can go some way to help.
"I think it starts from devising or developing a set of compliance policies that can be managed across jurisdictions, at both the central and decentralised level," Kirschbaum explains. "I think the best way is, first off, you've got to take a region-by-region perspective, then set a tone from the top and a centralised culture and policy.
"It's a great question and one I was exposed to quite a bit: essentially you'd run into these investigations where someone says: 'look, this is the only way I can do business in this jurisdiction'.
"And the fact is that if you'd driven a tone from the top and a centralised culture and policy, it would have ultimately prevented that. But if you let that go, you essentially create a culture where that's OK."