Originally published in NAVEX Global's Top 10 Ethics & Compliance Trends for 2019 eBook.
Prior to 2019, the rules for dealing with third parties were simple: perform due diligence, implement sanctions screening software, use reputable cloud providers, and ensure that everybody stays out of politics. But in 2019 and beyond, the risk of third-party relationships is no longer limited to the wrath of the Department of Justice and Serious Fraud Office. Reputational risk has gone up exponentially with respect to third-party behavior.
Aggressive new sanctions actions by the Office of Foreign Assets Control (OFAC) have raised the bar, and the fallout from data breaches post-European General Data Protection Regulation (GDPR) means that third parties holding customer data have more power than ever to topple the public’s trust of a company.
Third-party risk has broadened in three substantial ways:
- Expanded risk of prosecution for sanctions violations
- Increased reputational risk of association with controversial companies and CEOs
- Heightened risk of a data breach exposure
The Rising Risk of Working with Sanctioned Parties
In late November, shockwaves went through the compliance community when Cobham Holdings Inc. reached a settlement with OFAC for $90,000 because of a sanctions violation. The settlement was the second recent OFAC action relying on the “50 percent rule.” In Cobham Holdings’ case, the underlying violation was not triggered because the person or entity was on the Specially Designated Nationals and Blocked Persons List, but instead because the company’s former subsidiary allegedly sent goods to a blocked Russian entity. What contributed to this failure? Cobham Holdings’ third-party search software failed to raise red flags that would have caught the compliance issue before it was a problem.
Regulatory agencies such as OFAC are upping their game when it comes to catching violators. Companies have long relied on automatic sanctions screening software. In most cases, they have to. Multinationals may have tens of thousands of third parties, especially if they cater to members of the public that need to be screened before services can be provided. But the Cobham Holdings prosecution is a reminder that software alone cannot be the answer. A review protocol designed by humans and implemented consistently is required to reduce risk and to provide a barrier to what is often a strict liability offense.
The Rising Reputational Risk of Association
For decades, most companies have tried to steer well away from politics – at least publicly. But the rise of social media, shareholder activism, and the 24-hour news cycle has led to pressure for companies to react to politics as never before. That reaction can have a ripple effect, especially on other companies closely linked to the target of such activism.
In 2018, numerous companies all asked for their campaign contributions back after a candidate for U.S. Senate made controversial comments caught on tape. Also in 2018, several companies announced that they would stop selling the AR-15 firearm after shootings at a Florida school. These days, companies are taking a public stance on controversial issues – and that creates a whole new kind of reputational risk for the entities working with them.
Publicly announced decisions that are made in response to controversy will frequently create passionate, polarized responses. Statements of internal policy, such as companies announcing they will no longer reimburse meat-based meal expenses, have created a media storm. Even our blue-chip companies are not immune to the reputational dismantling that results from catastrophic culture failures.
When it comes to reputational risk from third parties, not all relationships are created equal. For instance, if a company uses a bank that incurs a billion-dollar fine, the controversy at the bank will likely have no effect on the company whatsoever. However, if a company has a joint venture with a third party that makes an unpopular proclamation or has a CEO scandal, the negative halo effect can be extremely destructive.
The Rising Risk of Third Parties Holding Personal Data
Perhaps the most spoken phrase this year in compliance and privacy departments was, “Fines can go up to 4 percent of global turnover.” Although the big GDPR deadline passed in May 2018, enforcement is just starting. Indeed, many European data protection authorities are beginning to show their teeth, with prosecutions and huge fines taking hold.
It’s not just Europe where data breaches create cause for alarm. Nearly every state in the U.S. has some sort of data breach notification law, and California’s new Consumer Privacy Act will up the ante further for compliance requirements.
Regardless of regulatory jurisdiction, your customers don’t care if your third party was careless with their data. If you have a data breach, the customer will be angry with your company. Your company will also likely be the one providing solutions. Some solutions, such as credit monitoring, can be very expensive if extended to thousands of people.
Key Steps for an Organization to Take
Implement a Sanction Screening Protocol that Involves People
While your sanctions screening software is a critical safeguard, a system needs to be in place to review problematic or potentially problematic third parties. Check the settings on your software. Is it set to allow you to review fuzzy matches? Do you have an escalation protocol that allows the compliance team to review potential matches? Does the compliance team perform a regular spot check to ensure the software is working as it should? Have you separated third parties or customers from high-risk countries (those currently under sanctions) for deeper-dive screening than those in lower-risk countries?
Review your protocol to ensure you’ve got a system in place that works. A good system will utilize software and humans to ensure compliance.
Have a Back-Up Plan for Critical Third Parties
Perform a risk assessment to determine which of your key suppliers, joint venture partners, and other high-profile relationships are most exposed to reputational risk. For business-critical third parties, try to find a back-up that can be implemented should a political statement or other scandal threaten the company. Forward thinking can protect your company from being drowned by another company’s bad actions or ill-thought-out political statement.
Check Your Contracts with Companies that Have Personal Data
If you target or sell to Europeans, or if you have a European presence, you probably prepared for GDPR. Now is the time to make sure those third-party processor contracts have the required terms from Article 28.
Whether your company is in Europe or not, Article 28 terms can be very useful for all of your contracts with third parties that process personal data on your company’s behalf. Make sure you include the requirements that the company notifies you without delay if a data breach occurs. Put in safeguards requiring minimum levels of data security. Add in the requirement to delete or amend data that is no longer active or accurate.
Third-party risk must be managed. By expanding your viewpoint from “bribery risk” to a holistic review of each third party, you’ll be able to protect your company in all of the ways required in 2019 and beyond.