This article focuses on capital markets participants’ operational resilience and increasing reliance on third parties, and on the reasons for, and challenges of, group-wide compliance programmes in maintaining sound risk management.
Since the COVID-19 pandemic, and with the intensification of the trade war between China and the U.S., the future of supply chains is uncertain. Organisations from all industries across the globe are deeply affected, allocating additional resources to managing disruption and responding to the immediate challenges. Some organisations are better prepared than others to respond to the heightened need to assess their supply chain, particularly their IT infrastructure, to adequately support operational stability, network robustness and data security. The geographies of the supply chain become of vital importance. Third party risk exposure is increasing; however, Due Diligence is not keeping pace. Cost effectiveness is even more relevant in today’s environment, meaning that the already relaxed on-boarding and monitoring practices for complex, multi-tier supply chain due diligence are further compromised, inadvertently subjecting the business to further financial and operational risk. In such an environment, suppliers tend to engage in fraudulent practices, knowing that the risks of detection within an organisation are low. Naturally, competitors will gain an advantage either by exploiting vulnerable points within an organisation that has failed to put adequate safeguards in place or by advertising services with better controls and systems for client protection.
Prior to the COVID-19 disaster, Refinitiv conducted an interesting survey (published Feb 2020), involving a total of 1,794 participants across 16 countries (899 large & 895 SMEs) with a total of over USD17m in third party relationships, an average of 10,000 per organisation.
According to the survey results, despite greater regulation and stronger enforcement action, organisations are struggling to gain visibility of all third party risks to enable appropriate action to be taken. A staggering 61% of respondents stated that prosecution would be unlikely if they breached third party related regulations.
Many have reported that they are not completing full third party due diligence at their on-boarding or ongoing monitoring stages. Why? Competitive pressures, greater globalisation and increasingly complex supply chains.
Seeing the survey’s results, we wonder how organisations in Singapore are doing. The reported percentage of due diligence done on third parties is underwhelming, dropping from an already low 62% in 2016 to 48% in 2020. Alarmingly, Singapore’s drop was the highest of all 16 countries.
The effects of the rule-based rather than risk-based approach adopted by organisations, particularly cost-conscious SMEs, could see them facing disruptions on different levels. Hoping that compliance with bare minimum reporting obligations will suffice is rather reckless and must be reconsidered.
We are aware that MAS is particularly interested in material outsourcing arrangements. MAS is clear about growing exposure to country risk, an overlapping risk, touching everything from cloud and reputation risk to transaction and operational risk. Specifically, MAS raised its concerns about IT supply chains, defined as a weak link in Financial Institutions’ cyber defences.
Failures can occur in a variety of forms but generally they fall into two categories: systems or procedural failures and human failures. It is clear that there are a variety of causal risk factors, but it is possible to categorise them into external risks (threats) and internal risks (errors and culture).
To prepare for the unexpected, the FFIEC says that organisations should establish strategies for:
2. Service Continuity
3. Exit Strategies
Understanding the environment the third parties operate in is a crucial starting point. When assessing the service provider, it is mandatory to be familiar with:
1. Scope of the services to be rendered
2. The specifics of your product distribution channel vulnerabilities, such as internet, telecommunications, Zoom, Google Teams, mobile phone provider; private entities engaged as Introducing Brokers (IBs) or Appointed Representatives (ARs) – licensed or not?
3. Contract T&C: have a clear compensation structure
4. National and international rules and guidance
5. Industry best practice
The supply chain can have direct or indirect distribution channels. Direct channels include more traditional face-to-face interactions. Some organisations also adopt multi-channel distribution methods. From a compliance perspective, all potential risks and requirements must be considered for each channel adopted. This is a key consideration in the development of products or services, as the requirements and obligations can vary enormously.
The organisation must have a full picture of the third party’s profile prior to entering into a transaction; however, this has proved to be a common challenge, especially where the 50% rule is concerned. It is imperative that financial institutions understand from whom they are acquiring services, as well as with whom their third-party vendors might be interacting.
OFAC’s Cyber-Related Sanctions Program specifically mentions the 50 Percent Rule, and the FFIEC’s recent Joint Statement on the same warns that “continued use of products and services from a sanctioned entity may cause the financial institution to violate OFAC sanctions.” A download of a software patch is enough to merit such a violation. Before dismissing this as irrelevant to your organisation, keep in mind that technology firms from sanctioned countries span the globe, and their connection to their subsidiaries is often opaque.
Naturally, Due Diligence is not limited to sanction screening. It incorporates Anti-Bribery and Corruption policies, procedures and processes as part of a ‘holistic’ financial crime compliance risk framework.
With regard to compensation arrangements, some red flags should be raised if the third party’s compensation is to be based on performance, i.e. success fees, bonus fees, or introducing broker fees for certain sectors. For example, in 2019, the Australian OTC FX & derivatives industry took a major hit as ASIC prohibited brokerages from compensating their IBs, instrumental partners to most retail brokers worldwide. That rule is most challenging for brokers which do not have their own infrastructure and are reliant on IBs for their trading volume, especially if that revenue comes from a self-directed region. Australia’s authorities clearly do not approve of this method of doing business. Similarly, in other jurisdictions, the IB model has been phased out. The method of remunerating today’s IBs could be a fixed fee rather than commission.
Other contributing factors indicating a High Third Party Risk:
1. The third party’s role is to enhance the organisation’s chances of winning commercial and/or government contracts.
2. The third party requests discretionary authority to handle local matters in a region, especially if the contracting organisation has no presence or little expertise in a jurisdiction dramatically different from that of its headquarters.
3. Industry: Usually checked against Transparency International’s Bribe Payers Index (BPI). According to the OECD, the most corrupt industries are considered to be extraction & construction (due to bidding processes), transportation (organised crime; corruption is at the enforcement level), and finance – we all remember the 2018 case of the 1MDB fund and corrupt bankers, Goldman Sachs.
4. Selection of the party: The party is recommended by a customer, or retention of a specific third party is encouraged or required by a government official.
No matter if your organisation is a traditional bank, money service business, insurance firm or other entity, here are some ways to more effectively handle the burden:
1. Review counterparty on-boarding and ongoing due diligence policies and procedures to ensure that entity ownership is initially identified and continually monitored for changes.
2. Conduct routine risk assessments of your third party exposure. Incorporate the 50 Percent Rule into your Compliance Program. In addition to screening entity names against the SDN List, screen entity officers, directors and contract signatories of counterparties.
3. Upgrade your watch list screening process to cross-reference a database that identifies entities that are owned by sanctioned persons or jurisdictions.
4. Outsourcing scope: Regularly re-evaluate the economic and operational benefits of the third party against raised red flags, if any.
Better data, greater innovation and new forms of collaboration hold the key to reducing third party risk. Building greater transparency and resilience into an organisation’s counterparties is crucial. Perhaps proactive, smart, cost-effective actions supported by better and more comprehensive data will improve the effectiveness of organisations’ Due Diligence efforts?
Our role is to add to your in-house Compliance efforts when you assess your counterparty before your engagement, advise on best on-going monitoring practices, support your due diligence and screening efforts, offer best practical Compliance Solutions relevant to your organisation’s size, business model and industry.
Resources / Notes
3. MAS Guidelines on outsourcing, Oct 2018
RHT Compliance Solutions comprises experienced and certified professionals with extensive regulatory, compliance and risk management experience from Singapore, Hong Kong and the region. The team aims to provide clients with insightful, risk-focused and cost-effective solutions through their extensive experience in serving a wide spectrum of clients across diverse financial sectors from regulators, asset managers, fintech firms, insurance agents and brokers, remittance to commodities and corporate services.