Posted: 15th January 2018
Managing risk in your business is already a challenge, without adding third parties into the mix. Most firms will have some form of third-party relationship, from a company providing a specialist solution, down to single contractors.
Whatever the scale and nature of your third-party firms, having a clear view of how they do their business is vital in establishing whether they may be exposing your firm to risk.
Mitigating this risk is only effective if you have sufficient insight and control over the way third parties are doing business (and therefore, how they are representing your business).
Due diligence over third parties goes beyond collating routine documentary evidence, and requires an inquisitive mind to understand the nature of the business and its relationship to the risk involved. The increased complexity in the way firms distribute their products, or rely on third parties for the provision of services, has made managing risk more challenging. Monitoring and oversight of these third-party relationships is a key requirement for any organisation to ensure it proactively identifies and minimises risks, and demonstrates that effective controls are in place – ensuring a customer’s experience and outcome are not affected.
Implicit trust in third party activity – without the right management and oversight around it to ensure that activities remain compliant – can lead to the erosion of standards; in financial services, this can relate to standards of product suitability, distribution, information disclosure, complaint handling and product governance, to name just a few areas.
Where there is over-reliance on trust, firms can sometimes veer away from performing effective due diligence. Due diligence performed on third parties should not only be carried out at the start of the relationship, but should continue for the duration of the relationship while taking a risk-based approach.
Where does the responsibility lie?
There has long been a perception that when a service is outsourced to an authorised firm, that firm has taken on the regulatory risk. The FCA has often pointed out that this is not the case – the regulated firm is ultimately responsible, which may surprise some.
If you are using a firm to provide a product or service on your behalf, no matter how far removed from the end customer, you have responsibilities to that customer. This has been a long-standing weakness in the first line of defence, and the FCA has been challenging firms across a number of sectors to address this risk more comprehensively by applying appropriate remedies where issues are diagnosed.
From a financial crime standpoint, the risk goes beyond fraudulent financial loss, and poses a significant regulatory and legal risk that attracts criminal liability. Third parties and intermediaries “are the single greatest area of bribery risks” according to Transparency International, and firms should also consider this as part of their wider due diligence processes.
Firms are legally obliged to mitigate the risk of third-party misconduct. Some key responsibilities that firms should bear in mind are:
- Senior Management and Certification Regime (SM&CR): The core themes of the SM&CR are accountability and ensuring that firms and individuals act with integrity. Firms cannot outsource their risk to third parties, and are expected to implement reasonable steps to avoid any undue risk. The integrity of your third-party partners is essential because the malpractice of others can lead to vicarious liability (legal responsibility for the acts of others).
- Senior Arrangements, Systems and Controls (SYSC) 8: SYSC 8.1.8 summarises the position succinctly by stating that “the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider”. Establishing monitoring arrangements for third parties is key.
- Bribery Act 2010 and Criminal Finances Act (CFA) 2017: The Bribery Act and CFA are structured on the same ‘failure to prevent’ model. Firms that fail to prevent the facilitation of tax evasion or bribery through reasonable and adequate controls are criminally liable. The legislation is far-reaching, including associated persons (e.g. agents and subsidiaries) operating anywhere in the world.
HMRC and the Ministry of Justice (MoJ) have both provided guidance, with six principles for firms that will enhance the prevention of bribery and the facilitation of tax evasion. One of the principles is ‘due diligence’, which remains key to mitigating financial crime risk. Principle 4 of the MoJ and HMRC guidance highlights the value of due diligence in mitigating the risk of financial crime, with a strong focus on a risk-based approach. For example, establishing a working relationship with a third party in a foreign jurisdiction that is high on Transparency International’s Corruption Perceptions Index may need a high level of due diligence.
- Foreign Corrupt Practices Act 1977: The extra-territorial reach of US legislation also includes non-US based firms with US involvement. Firms must prevent corruption involving third parties, and are expected “to exercise due diligence and take all necessary precautions that they have formed a business relationship with reputable and qualified partners and representatives.”
Overcoming the challenge of time and cost
The management of due diligence can be a significant challenge when you consider that any person who supports your business must be subject to some form of investigation. Due diligence on third parties must be consistent and proportionate to the risks faced, and staff need to be aware of the conduct and financial crime red flags when performing it.
When onboarding a third party, due diligence should be viewed as a ‘business as usual’ activity, with an ongoing process that is triggered if there is a change of circumstances, or if management information suggests the risk rating of the third party has changed and needs to be investigated. What enquiries are made, and what systems are checked by your firm? Many firms use a variety of sources, such as open source internet investigation, regulatory references, credit references and fraud databases. However, these checks are time-consuming and require resources. In the longer term, can your firm begin to automate these processes to ensure efficiency?
In the anti-money laundering (AML) world, most firms have now switched to technological solutions to help with high volumes of customer due diligence screening. Obtaining a ‘single customer view’ has drastically reduced customer due diligence costs. More firms are now adopting the concept of a ‘single customer view’ and applying it to their onboarding and ongoing management of third parties, mitigating the associated regulatory risk and achieving cost savings.
What is the immediate challenge?
Building and implementing robust controls for the management and oversight of third parties is key to maintaining effective relationships, managing risk and delivering fair customer outcomes. With the introduction of the Senior Managers and Certification Regime (SM&CR), the need for robust and effective third-party oversight has never been greater; individuals will be held personally responsible for the actions of their third parties. The focus on financial crime and conduct risk should underpin your due diligence activity.
Some tips for building your third-party integrity risk framework include:
- Ensuring you understand your operating model and the scale and complexity of your third-party arrangements
- Ensuring you have a robust risk assessment of third parties that covers all areas of the business and categorises the level of risk
- Reviewing your service level agreements to ensure that they are appropriate, drive the correct behaviours and enable you to conduct sufficient oversight
- Promoting your business standards with third parties through joint training and oversight
- Identifying the highest risk third parties and ensuring that audits are conducted on an appropriate basis, alongside associated due diligence activity
Having a robust framework in place is a vital starting point to help your firm mitigate associated third-party risks and allow you to conduct business with continued confidence. An effective third-party risk framework will demonstrate to the regulator – and to senior management – that controls have been implemented and are operating effectively.
Issues with the activities of your third parties will be identified earlier, preventing your firm from being exposed to further regulatory risk, reducing the risk of poor outcomes for customers and protecting your business’s reputation in its marketplace.