Managing emerging bribery risks for financial institutions
Despite financial institutions in the UK and many other jurisdictions being required to have in place sophisticated anti-bribery and corruption (ABC) systems and controls, there has been a recent increase in the number of major ABC enforcement actions involving financial institutions, as well as a significant uptick in civil disputes alleging bribery.
Looking ahead, as many financial institutions prioritise growth in regions presenting higher ABC risk, we will continue to see an increase in bribery-related investigations and litigation. In this article we:
- explore the implications for financial institutions of bribery issues, including the recent rise in civil disputes arising out of bribery issues;
- summarise mitigation steps in relation to ABC risk areas for financial institutions (incorporating the findings of our recent survey on ABC compliance programmes); and
- explain the importance of conducting a risk assessment and putting in place a risk-based compliance programme.
If you would like to discuss how best to manage ABC risks, please get in touch.
Implications of bribery issues for financial institutions
In addition to the recent focus on sanctions and money laundering, the last three years have seen a significant rise in criminal and regulatory enforcement in relation to bribery against financial institutions, in particular banks and firms in the insurance industry. Large fines have been issued by the FCA in recent years for firms’ systems and controls failings in relation to bribery, as well as for failing to exercise due skill, care and diligence when assessing relevant risk factors, or when managing allegations of bribery. The FCA may take action against a firm with deficient ABC systems and controls regardless of whether or not bribery or corruption has taken place, and also – as has been seen recently – against a firm where the FCA considers it has failed to ensure that the risks of other entities in the group facilitating bribery are adequately managed.
We have also seen increased enforcement of the UK Bribery Act 2010 (UK Bribery Act) by the SFO against financial institutions, including deferred prosecution agreements and reported SFO investigations in the insurance industry.
Financial institutions are also now facing a significant increase in litigation arising out of bribery issues, including:
- claims from counterparties alleging transactions were induced by bribery (this is part of a broader trend of an increase in fraud claims in banking litigation (see here));
- shareholder claims under s90A FSMA 2000 against financial institutions alleged to have failed to disclose ABC issues adequately (either by misleading statements or omissions);
- Quincecare claims against financial institutions who have processed allegedly corrupt payments; and
- claims by financial institutions against third parties and employees involved in bribery.
The interrelationship between civil bribery claims and criminal/regulatory enforcement requires careful management. Settling a regulatory or criminal enforcement action, for example, may provide ammunition for civil litigants, and equally steps taken to mitigate or settle civil disputes may trigger an investigation. See further our article here.
What are the key risk areas?
Financial institutions need to ensure that their ABC compliance programmes are tailored to their corruption risks, and developed as their risk profile changes (as well as in response to any issues or weaknesses identified). Three key risk areas for financial institutions come up again and again.
A. Third parties
Third parties are at the heart of ABC risk for financial institutions. Under the UK Bribery Act, a bribe paid or offered by a third party providing services for or on behalf of a financial institution with the intention of benefiting the organisation may give rise to an offence (and equally secret commissions may provide grounds for transactions to be unwound). UK authorities expect risk-based due diligence on and monitoring of a company’s associated persons.
The importance of conducting due diligence on third parties before they are engaged cannot be overstated (but we see varying levels of sophistication in this area). Due diligence should focus on the substance of the engagement, i.e. what the third parties are being paid to do; why those services are needed; and any relevant connections the third party has which may present additional risk. The process and outcome should be carefully documented.
Contractual terms should be carefully considered at the outset so as to give the business greater room for manoeuvre in the future. In particular, the firm should seek (and enforce):
- contractual rights to audit and investigate issues, and to suspend payments while doing so; and
- rights to terminate or withhold outstanding payments on the basis of non-cooperation (e.g. with information or audit requirements).
In addition to due diligence, regular ongoing monitoring of third parties is crucial, but often lacking. In our recent survey, only one third of respondents indicated that ongoing monitoring of third parties is conducted on a regular basis. While for lower risk third parties less frequent monitoring may be appropriate, regular monitoring is crucial for medium and high risk third parties. The FCA, for example, provides the following self-assessment question:
“To what extent are third-party relationships monitored and reviewed? Is the frequency and depth of the monitoring and review commensurate to the risk associated with the relationship?” (Financial Crime Guide 6.2.4)
B. Interactions with Government officials
Transactions with government entities can raise corruption issues; there have been various investigations and civil claims relating to gifts and entertainment, hiring practices, winning business through the use of brokers, and bribery allegations around winning regulatory approvals/licensing.
In addition, gifts and entertainment are a particular risk in relation to government entities. There have been various civil claims and investigations arising out of hospitality and gifts provided to government officials. Great care is required in this area because hospitality which may be typical for commercial counterparties may be viewed in a different light when provided or offered to government officials.
Financial institutions should ensure that transactions with government entities are subject to thorough risk assessments and due diligence and monitoring. The precise role and ownership of any third parties or local partners should be understood.
In addition to the risks of “big ticket” bribery in relation to major transactions, day-to-day interactions with government officials (e.g. in relation to permits and licences to operate a business) must be carefully managed in higher risk jurisdictions.
C. Non-UK subsidiaries and joint ventures in higher risk markets
The UK Bribery Act has a broad jurisdictional reach and a UK financial institution could find itself liable for the actions of a non-UK subsidiary, joint venture, or joint venture partner. In our recent survey, however, most respondents said that there was not a great deal of oversight of joint ventures (JVs) and subsidiaries in relation to ABC.
This is surprising given that the actions of subsidiaries and JVs give rise to a significant proportion of bribery cases globally (for example as associated persons under the UK Bribery Act). While the degree of centralisation that is appropriate varies, it is important that there is sufficient oversight and management of ABC risk in subsidiaries and joint ventures. The FCA highlights as an example of good practice “Corruption risks [being] assessed in all jurisdictions where the firm operates and across all business channels” (Financial Crime Guide 6.2.4).
Risk-based due diligence on JV partners and M&A targets is crucial prior to investment, including assessing ownership and connections, existing compliance programmes (and broader approach to ethics compliance) and any historic or ongoing issues. As with third parties, appropriate contractual provisions are required (see further our article on managing ABC risks in relation to joint ventures here).
What’s often missed, however, is post-acquisition due diligence: in our recent survey, only one third of respondents said that they conduct any form of regular or scheduled post-acquisition DD reviews following acquisitions or JVs. Post-acquisition due diligence is crucial: firms need to get under the hood of newly acquired subsidiaries and new JVs to ensure that ABC risks are being managed appropriately, and any issues can be remediated quickly.
The importance of conducting an ABC risk assessment
Risk assessments are the starting point of an effective compliance programme, ensuring that compliance resources are focused on the most significant ABC risks faced by the business. The consistent message from enforcement authorities around the world is that an ABC compliance programme needs to be demonstrably risk-based, i.e. designed, implemented and enhanced on an ongoing basis in line with a detailed, documented and ongoing risk assessment.
A genuinely risk-based compliance programme helps to achieve both the primary objective of a compliance programme (preventing ABC issues occurring) and the secondary objective (providing a potential defence to liability or mitigation where ABC issues do arise), as well as seeking to meet applicable regulatory requirements (e.g. to maintain financial crime systems and controls).
In our recent ABC survey, respondents said that when performing their risk assessment process they focused mainly on addressing risks relating to (i) the involvement of third parties; (ii) specific transactions; and (iii) the geographical location of their business activities. Whilst those areas are important, an evaluation of issues facing peer firms should also inform the risk assessment (and this is emphasised in recent DOJ guidance). In our experience, this is crucial for financial institutions because many peer firms face similar issues in similar jurisdictions (for example in relation to particular government entities).
Moreover, for the compliance programme to be truly risk-based, resources must be deployed in accordance with the risk assessment. Interestingly, only half of respondents in our recent survey could provide evidence that this was the case.
In our experience many financial institutions benefit from taking a fresh look at their ABC risk assessment to ensure it covers all relevant risk areas, as well as assessing the effectiveness of systems and controls to manage the risks identified.
We have set out the four key steps in conducting an effective ABC risk assessment in a recent article: Conducting an ABC risk assessment: 4 key steps | Regulation Tomorrow.
If you would like to find out more about implementing or testing an ABC compliance programme, please contact us.