Despite a world-leading compliance regime, firms risk another 1MDB scandal by failing to assess malpractices of external links.
In an exclusive interview, Julia Salmond, global head of Client Delivery & Operations, Risk & Compliance, Dow Jones, talks about Singapore’s anti-corruption approach, the risks of Singaporean companies with overseas operations, and strategies for companies’ compliance requirements.
Can we say that Singapore has arrived at the global financial stage of regulation? How does it compare with other countries that are already prominent?
Julia Salmond: Whilst subtler in approach, Singapore is probably second globally in terms of enforcement, only behind the US. The local enforcement in Singapore is not overly punitive but takes into serious consideration the context in which an offense was committed. The context includes the business benefits gained from the corrupt act, the organisation’s size, and the civil impact. We have seen Singapore uncovering and prosecuting a carpark firm’s employees taking regular small bribes to secure car parking spaces, reinforcing its stand that corruption is unacceptable at all levels.
Many fines for corruption come after a Foreign Corrupt Practices Act (FCPA) or Serious Fraud Office (SFO) investigation, where these international legislators are the forerunners. With the FCPA or SFO having hit the guilty organisation with a substantial fine, another large fine on the local front isn’t necessarily constructive. Singapore, therefore, complements smaller fines with deferred prosecution agreements. This encourages self-policing.
Having established a strong reputation globally for anti-corruption policies, Singapore does not need to be a frontrunner in implementing fresh regulations. Compared to other countries, compliance processes are already baked into Singapore’s ethos of ethical business. Rather than invest finite resources exploring new codes of conduct, Singapore rightly focuses on identifying and prosecuting the few companies that are not living up to current standards.
From a risk and compliance standpoint, what are the pressures that could threaten Singapore's status?
Salmond: Organisations cannot make assumptions on where they think the problem is or only conduct stringent investigations in places that have a history of corrupt practices.
Where Singapore is concerned, what an organisation is doing locally is important, but it is also important to consider the impact of operating through other units, offices or third-parties in other countries. In a case like 1MDB, an organisation in Singapore was partnering with an external party in Malaysia and it is possible that it did not have enough oversight over that party’s practices.
On the flipside, there can be an assumption that in a place like Singapore – where there is a strong ethos of non-corruption – that the problem is elsewhere. We have worked with an organisation that assumed their bribery issue was stemming from a neighbouring country. However, after a comprehensive audit investigation, it found that the inconsistent application of controls had allowed employees in the neighbouring country to channel bribes through the Singapore business unit.
Organisations must implement a consistent, evidence-based risk assessment approach to their anti-bribery controls across all geographies they operate in.
What issues are you seeing in organisations' compliance requirements and due diligence? What are firms doing to meet these requirements, and where are they lacking?
Salmond: Organisations cannot afford to think “it is not going to happen to us”. When compliance is not baked into its business as usual, it eventually falls foul during challenges by auditors, regulators and potential customers. To compete in a global marketplace, there is an expectation that a company has the evidence-based governance in place that a third-party will ask to see.
The board of an organisation would not want to spend time discussing compliance lapses. Any investigation is a huge cost in business time, especially when the management must conduct internal investigations and compile documentation to defend themselves when the case goes to court. Businesses overlook this when they walk the tightrope of “do we implement anti-corruption practices, or don’t we”.
How are compliance requirements growing and becoming increasingly demanding? What trends should firms watch out for when chasing these requirements?
Salmond: From a regulators’ perspective, they must ensure that the companies operating within their jurisdictions understand the penal and reputational implications.
International regulators have started to realise that no company is too big to be penalised. The size or influence of the company no longer stops the FCPA from making an example out of them.
One key consideration for regulators, especially when dealing with institutions with deep pockets, is that financial penalties alone won’t cut it. If an organisation is guilty of corrupt practices, the person on the street would be unaware and it won’t impact the consumption of the guilty organisation’s services.
Regulators must ensure communication channels are in place to make the public aware when big brands are failing. This reputational repercussion could pose a greater deterrent than the financial penalty itself.
Can you give the basic strategies for companies so that they can meet requirements for:
Anti-money laundering and counter-terrorism financing (KYC and due diligence);
Third-party risk management (anti-bribery and corruption);
and Trade-based money laundering compliance?
Salmond: We work with institutions to understand their current view on anti-corruption – what policies and procedures they have in place (or the lack thereof), what standing does compliance and risk management have among their C-suite, and what their risk appetite is. Some companies must engage third-parties to do business locally, so their risk appetites would vary. For example, a multinational financial services firm will need to engage government officials for permission to operate locally. We help these companies understand what factors will make something high risk vs. low risk, such as contract value, the type of third-party and which country they plan to operate in.
Once their risks are defined, we develop and implement a procedural document via our software platform. The software combines the organisation’s risk assessment with world-class industry risk-specific data, from anti-corruption to money laundering, before delivering a ‘risk-level’ for every third-party. This risk level determines what further due diligence needs to be carried out before transactions through the third-party can take place.
This creates a single source of truth on the risks a company has identified and what action was taken. Through the platform, all employees can then input, access and adequately respond to the associated risks from engaging any customer, distributor or joint venture partner etc.
This consistent and evidence-based approach, known as Know Your Business Partner (KYBP), enables organisations to embed comprehensive and consistent third-party risk management procedures and is equally applicable whether an organisation operates in one or 50 locations.
Do you know more about this story? Contact us anonymously through this link.