Last year, companies from all over the world had to pay regulators a record US$2.9 billion in penalties in respect of the Foreign Corrupt Practices Act 1977, with several of their officers and directors being punished as well. Meanwhile, 43% of third-party relationships are not subject to any form of background checking. So says the data provider Refinitiv, having conducted a wide-ranging survey.

Nearly 1,800 compliance people, risk managers and "third-party relationship professionals," whatever they might be, at various corporations took part in the survey. Refinitiv, somewhat confusingly, describes all these people as 'global.' They numbered about one hundred apiece from the USA, Brazil, Canada, India, Australia, the United Kingdom, Germany, France and Singapore and were drawn from all sectors of the economy but especially finance.

The report is entitled Hidden Threats within Third-Party Relationships. Refinitiv, which was, once part of Thomson Reuters and whose headquarters are in Manhattan, defines a ‘third-party’ as any person or organisation that is connected to a supply chain or is executing business on an organization’s behalf. This can be a supplier, distributor, agent or partner. In its parlance ‘third-party risk’ includes anything that could expose a company to threats and risks through involvement with third parties including bribery, corruption, slavery, environmental crime, wildlife trafficking or 'conflict' minerals. The term ‘third-party due diligence’ refers to assessments of third-parties that companies such as banks do when they take them on or monitor them as a continuing exercise with the aim of gauging their risk profiles.

With an average of nearly 10,000 third-party relationships to deal with, many organisations are not completing full ‘third-party due diligence’ at any stage. Risks that relate to green and environmental crime are rising but require more accurate analysis. Refinitiv's answer to the problem is unsurprising - better data, better IT and new forms of collaboration are the order of the day.

43% of third parties across the board are not subject to background checks. This is an appalling figure but Refinitiv says that it is nonetheless six percentage points higher than in its survey of 2016. 60% of respondents are not fully monitoring third parties for continuing risks. 63% of respondents agree with Refinitiv that the economic climate is encouraging organisations to ‘take regulatory risks’ - which could be code language for bending the rules - in order to drum up new business. Only 53% of respondents say that they would report a ‘third-party breach’ (an undefined phrase, used only twice) internally and only 16% would report it externally.

Refinitiv, using the word 'onboarding' to mean the establishment of relationships with third parties and not customers, asked the question "what steps does your company current take [sic] in regards to managing the third-party onboarding process?" 41% said fully, 39% said partly, 14% said not at all and 6% did not know.

Reporting problems

The breakdown by country of the likelihood of firms reporting third parties that break regulations is fascinating. China stands clear of the field with internal reports, with its firms saying that they are 78% likely to report the problems internally. When it comes to external reporting to the authorities, however, the figure stands at only 8% - the lowest except for France, which has a figure of 4%. No other countries approach these low figures and it is therefore evident that Chinese and French firms are exceedingly furtive.

In the graphic at the top of the page, the top blue and black bars are the average totals for reporting breaches internally (blue) and externally (black). Then the countries, in descending order, are China, Singapore, Hong Kong, Germany, India, the USA (likelihood of reporting internally 54%, likelihood of reporting externally 14%), Australia, Saudi Arabia, the UK, France, Holland, South Africa, Russia, Canada and Spain.

High risk, low risk

Sub-Saharan Africa has the highest level of ‘third-party risk’ according to all who responded to the survey, with 45% of them saying that it is highly risky. This seems spot on, as it was also rated highly risky by 46% of firms with third-party relationships in the region. Australasia (20%) and Western Europe (20%) were rated the least risky, just ahead of North America (22%) and Eastern Europe (22%). Generally speaking, large banks and other companies considered all regions less risky than their smaller competitors. The biggest exception to this was for Russia, which 28% of small firms considered a low-risk region, compared with only 19% of large enterprises.

SEC or DoJ?

When one looks at the US figures for enforcement actions, one sees some by the Securities and Exchange Commission (typically 10-15 per annum) but many more by the Department of Justice (many years with 10-15, but sometimes with peaks in the late 20s and early 30s). The figures are never large.

Elswhere in the world, the survey makes regulators seem less supine, with 50% of respondents saying that they know of enforcement actions against their own companies in relation to third-party risks. However, this has decreased by 2% for the countries surveyed in 2016, suggesting that although regulation has become tougher, so has the size of the problem. China was once again in the lead, with 77% of its companies saying that they had themselves been the subject of regulatory action, with 39% saying that they know of peer organisations that had been so. The figures for Hong Kong were almost identical. In Germany, France, the UK and Australia the figures were more or less equal for both types of occurrence and were much lower, hovering around the 20-30% mark. Meanwhile, 54% of all financial firms said that they had suffered from enforcement actions in relation to third-party risk and 24% of them said that they knew of peer organisations that had. The average worldwide figures for other industries were very similar.

The vast majority of companies (61%) say that they use such laws of world importance as the FCPA (77%), the European Union's fifth Anti-Money Laundering Directive (69%) and the UK's Bribery Act 2010 (67%) to influence their decisions about third-party risk management, but many do not.