Beneficial Ownership: Identification and Mitigation (Part IV of IV)
We are finally reaching the end of the road on the beneficial ownership path.
In this last posting on the issue (for now), let’s start with a third-party population (third parties, vendors, suppliers) which have been classified into three categories, the first two of which fall into high-risk (foreign government interaction/representation and government ownership). The bulk of the population, usually around 80 to 85 percent or more, falls into medium and low risk. As a consequence, it is important initially to develop meaningful mitigation strategies applicable to high-risk third-parties (and customers, if any).
Initial Protocol
To address the beneficial ownership issue as part of the onboarding process, companies have the following tools:
- Several automated intelligence/screening services include beneficial ownership information (e.g. BVD) on a large number of entities. Such services are relatively more expensive than competitor programs but are very valuable. Depending on your budget and need, these services can be a very helpful solution to identify beneficial owners as an initial step for further investigation.
- Documentation – whatever initial questionnaire or information request is required to onboard a third party, vendor or supplier, a company should include a specific question requesting beneficial ownership information. In high-risk situations, in order to verify the accuracy of such information, many companies require third parties to provide current documentation of ownership interests. Each of the beneficial owners should be screened through whatever automated service is used by the company.
- Enhanced due diligence investigations and reports can be ordered for high-risk third parties and their beneficial owners in the high-risk category. Depending on your company’s service, such reports can be easily ordered and reviewed on the automated platform.
These initial three steps should be applied to your high-risk population. From these sources of information, further investigation steps should be applied, if needed, to resolve red flags and confirm information or representations from the third party candidate.
Controls
Based on the initial analysis from the onboarding process, a range of controls can be applied depending on resources and tools available. These include:
- Monitoring strategies – for high-risk third parties and beneficial owners, a high-risk monitoring program should be applied, including regular internal meetings with the business representative to monitor the third party’s activities.
- Contract-Invoice-Payment Process: The SEC and other regulators have underscored the importance of contract to invoice to payment processes. A company has to impose and maintain detailed financial controls governing the process of contracting, approval and review, invoice review, and payment procedures. Companies that implement robust controls in this area have to test and audit this procedure to ensure that the controls are working effectively.
- Transaction testing – if the third-party is an agent, distributor or other representative, the company should test sampled transactions. If a distributor, rebates, marketing allowances and discounts have to be documented, controlled and subject to consistent scrutiny and testing.
- End User certifications to mitigate third party sanctions risks in high-risk geographic areas. As part of contract negotiations, companies have to secure third-party end-user certificates and subject them to sampling and audits as needed to ensure that the third-party does not distribute products to prohibited entities or countries.
- Contractual provisions should be tailored to include specific risk mitigation strategies, including FCPA, sanctions and other legal issues, certification to absence of government ownership, requirement for end user certifications, sampling of transactions, due diligence refresh requirements, site visits, and other monitoring requirements. As part of a monitoring program, a contractual provision should be added to include response to monitoring issues and change in circumstances, including a response to fresh adverse media or intelligence information.
- Site visits and due diligence refresh procedures to collect updated information, verify operations and ownership and control. Again, for high-risk third parties, site visits (potentially unscheduled) can be a valuable source of information for verification. A due diligence refresh can be used to confirm the continuing accuracy of initial onboarding information and can be conducted at regular intervals.
These are only some basic tools for addressing high-risk investigations, confirmation of beneficial ownership and mitigation strategies. Companies are developing new and innovative tools, along with third-party risk management vendors. Data analytics, artificial intelligence and machine learning capabilities are on the forefront of new tools that will enhance third-party risk management strategies.