The following is taken from a special paper produced for the In-House Community™ by Dr Justine Walker, Director Financial Crime (Sanctions and Bribery) at the British Bankers’ Association, which was presented to delegates at the recent Hong Kong Outbound Risk & Corruption Symposium on May 30th, 2013.
The UK Bribery Act 2010, which came into force in July 2011, means the UK now has the most comprehensive anti-bribery legislation in the world. To help support banks in their ongoing efforts to comply with the Act, the British Bankers’ Association (BBA) published its own guidance to assist in the implementation of adequate procedures to prevent bribery and corruption. The BBA guidance was published in December 2011 and is currently being updated to reflect the emerging practice that has developed since first publication. This article gives advance insight into the main changes that industry can expect to see.
The BBA has always been mindful that the anti-bribery and corruption (ABC) responsibilities of banks do not stop with implementation of the UK Bribery Act alone. Regulatory expectations have increasingly come to the forefront of how banks have approached the development of robust safeguards. Recent thematic reviews and enforcement action by the Financial Services Authority (and now its successor, the Financial Conduct Agency) have served to heighten the importance of regulatory risk.
To support members in understanding their obligations, the BBA in 2011 established a dedicated ABC working party of member banks. Along with developing strategic thinking on ABC matters, this group is also tasked with producing industry guidance. As part of the process, a series of informal benchmarking sessions has been held covering issues such as ABC risk assessment methodologies; implementing gifts and entertainment thresholds and procedures; management and due diligence of third-party risk; the provision of senior management information; and key performance indicators.
Our work has clearly highlighted that the practical implementations arising from legal and regulatory obligations in the ABC arena can be an onerous affair. Pragmatic and risk-based responses are the only viable solution, and at the very heart of this will be an ABC risk assessment. What constitutes an adequate risk assessment will vary enormously depending on the size of an organisation, its activities, customers and the markets in which it operates. Operational risks will exist throughout all elements of the business and have the potential to impact on the breadth of ABC controls. For example, ineffective due diligence procedures or inaccurate and missing data can all result in key risk information not being identified, resulting in an incorrect risk assessment. Consequently, and not surprisingly, information validation is a central topic for ABC officers.
Many UK banks have now moved to using some form of risk assessment linked to ‘heat maps’ which drive ongoing monitoring arrangements, frequency of reporting and identification of activities which need further testing. ABC dashboards are now commonly used as a risk management tool. What is included in such dashboards will vary between banks but may include areas such as: volumes of internal staff bribery investigations; recommendations from monitoring visits; training completion rates (new joiners and refreshers); compliance status with gift and hospitality policies; and oversight of third-party arrangements (i.e., volume accepted and declined, red flags raised, due diligence process followed etc.).
Both legal and regulatory obligations place significant importance on the management of third-party relationships, such as suppliers, consultants, finders, agents, brokers, introducers, joint venture partners etc. Given the sheer volume of such relationships and payment flows, this is an area where the BBA’s working party has focused considerable attention. It is also an area which exemplifies the vital need for a well-founded risk-based approach in determining what level of due diligence and monitoring will be necessary and appropriate. Examples of how banks approach this mammoth task will be expanded within the revised BBA guidance. For larger organisations, the use of bucket categorisations, such as separating out third parties into varying risk groups of high, medium or low, remains the only viable way forward. Options for overcoming some of the most common challenges surrounding identification, management and approval procedures for third parties will also be highlighted. Throughout this theme a stronger focus can be expected on the importance of drawing upon existing payment controls and audit functions so as to ensure the level of payment is reasonable and consistent with the agreed contract. Basic safeguards such as prohibitions on cash payments, restrictions on payments to non-approved bank accounts and ensuring there is a clear connection between the payment details and the country of incorporation should all be commonplace. As a staff communication tool, banks may find it helpful to set out a flow chart of the third-party due diligence process from engagement of sourcing, business rationale, level of investigation, sign-off procedures, payment controls and review processes.
A further facet of the BBA dialogue with members has been on mechanisms for achieving and demonstrating top-level commitment and tone from the top. Experience within banks has shown that for different organisations the appointment of one person, or solely putting reliance on the board, may not be the most effective way to instil zero tolerance towards bribery and corruption. As a consequence, the trend for some organisations – and particularly large global ones – has been towards the introduction of nominated senior managers within individual business lines or champion-type figures who have anti-bribery responsibilities.
In 2012, the then FSA published revised anti-bribery and corruption guidance within its amended ‘Financial Crime: a guide for firms’. On the whole, BBA members felt that the majority of themes identified within the guidance were areas where they had been actively implementing systems and controls. That said, a number of issues were identified as requiring further deliberation as to practical implementation. For instance, experience in implementing group-wide gifts and hospitality policies by the use of open registers may at times have unintended consequences in exposing clients, or may even provide an indication as to forthcoming mergers and acquisitions. On the whole, the issue for future discussion with the regulator is ‘what is a proportionate and risk-based response?’ Training of every third party is not appropriate, or indeed required. What is important is that banks can demonstrate that they are serious and committed to addressing bribery and corruption. This will require demonstrating integrity throughout the organisation and that the culture is sufficiently robust to forego unacceptably risky business opportunities. In reality, evidencing this will only be achieved through an end-to-end process which includes tone from the top, risk assessment, allocation of resources to the areas of highest risk, monitoring, review, record-keeping and, importantly, the provision of appropriate management information.