Minimize regulatory compliance risks as activity ramps up
Maintaining vigilance over fraud, bribery and regulatory risks (together, “Fraud Risks”) has never been more important for companies doing business throughout the world, including in the Asia Pacific region (APAC). As pandemic-related travel restrictions have been lifted, conditions are becoming increasingly favorable for companies to reach pre-pandemic levels of production, distribution, import/export activity, and overall economic output. However, at the same time that business operations expand, regulatory scrutiny from the U.S. Department of Justice (DoJ), the SEC, and other regulators is expected to increase in response to the elevated and arguably pent-up risk of fraud, bribery, and corruption.
To help manage those risks, we offer our perspectives on how the pandemic has impacted the business landscape in APAC and what companies should consider moving forward. Our observations are sourced from performing dozens of fraud investigations, regulatory compliance monitoring projects, and investigative due diligence engagements throughout APAC in the past two years. The themes are sourced from both our work with outside counsel and directly with multinational corporations operating in the financial services, life sciences, consumer packaged goods, construction, technology and media industries.
- New operating models lead to more opportunities for internal fraud. The pandemic shifted business models (i.e., remote work), which created gaps in companies’ abilities to proactively manage employee fraud, asset misappropriation and embezzlement. Companies should re-assess their internal policies, procedures, training and monitoring protocols to deter internal Fraud Risks.
- Reliance on downline third parties results in latent regulatory risks. Supply chains continue to be fragmented, leading to a high degree of reliance on second-, third- and even fourth-tier suppliers, contractors and vendors that operate with minimal governance and compliance controls. Companies need to be mindful of their end-to-end third-party ecosystem to effectively mitigate Fraud Risks.
- Increased regulatory and external scrutiny on the global supply chain. Political and regulatory factors have resulted in increased scrutiny on the global supply chain, regional import/export logistics processes, and associated compliance requirements with various regulatory expectations. These external forces require careful consideration to effectively manage legacy business operations in a new external environment.
“The world has changed in the past three years. In traditionally higher-risk markets such as APAC, companies will be subject to greater regulatory attention.”
Alex Koltsov, Managing Director at Grant Thornton LLP, has spent a considerable amount of time investigating allegations of fraud and bribery in APAC during his career. He takes a pragmatic approach and says, “We all recognize the world has changed in the past three years. In traditionally higher-risk markets such as APAC, those changes are even more pronounced. That will lead to greater regulatory attention as business activity accelerates and companies try to patch internal controls and compliance efforts with growth targets in a different landscape.”
New operating models enable internal fraud
The COVID-19 pandemic was met with an unprecedented shift in business models that left gaps in controls and opportunity for employee theft. New remote working arrangements fundamentally changed the ability for companies to oversee their employees and deter fraud and theft. For example, one of our technology clients proactively increased their original equipment manufacturing (OEM) inventory levels in regional warehouses. However, as the OEM inventory levels significantly increased, the company was forced to hire more production-level staff to manage the workload, but did not invest in supervisory roles. This unfortunately led to a perfect oppotunity for fraud due to the increased inventory levels and the reality that transient hires are not all fully invested in the long-term success of the company. The result was a significant increase in inventory shrinkage and theft due to inventory processes that didn’t scale and monitoring limitations within their inventory management system.
Reliance on third parties increases regulatory risks
The Resource Guide to the U.S. Foreign Corrupt Practices Act published by the DoJ and SEC states that liability can be imposed not only on those with actual knowledge but also on those who purposefully avoid knowledge (the head-in-the-sand theory). Although the DoJ and SEC provide extensive guidance on the level of due diligence and oversight that is expected of a company with respect to its direct third parties (to presumably guard against a company’s strategy of avoiding actual knowledge), there is limited guidance on the expected level of diligence and oversight, and the associated potential liability related to the actions of a company’s “downline fourth parties” where there is no direct contractual relationship.
Our recent experience in the APAC region has demonstrated that companies are relying more and more on downline fourth parties for critical business imperatives such as sales and distribution, obtaining key regulatory approvals, and assisting the import/export process. The general structure for business conducted through a fourth party is as follows:
- The subject company hires third party (X) to provide a core service (e.g., secure distribution, obtain a critical business permit, or act as a logistics expediter).
- X then subcontracts all or a portion of the core service to downline fourth party (Y).
- Y performs, coordinates or assists with securing the service directly with a government agency or official on behalf of the subject company.
In this above structure, the subject company is only directly aware of the service and fee with its contractual third party. However, as the subject company benefits from the ultimate service, there is a growing perspective that the subject company should understand how the sale, permit or other regulatory approval came to pass and ensure that the manner is consistent with applicable regulations. At these junctures, the use of downline fourth parties poses a unique compliance challenge for companies.
“Companies that outsource key supply chain activities require a comprehensive understanding and a thoughtful response for which business processes pose the greatest regulatory risk.”
“Most mature companies generally recognize the importance of due diligence and strong contractual terms with their direct third parties,” said Nitin Talwar, Partner in the Forensics Practice at Grant Thornton India. “However, it is difficult for companies to balance the oversight across their supplier ecosystem against being perceived as ‘hard to work with’ by important partners. The key focus needs to be on prioritizing which business processes pose the greatest regulatory risk and addressing it accordingly.”
Regulatory scrutiny on the global supply chain
The supply chain volatility of the past several years led to dramatic swings in the direct cost of freight and the end-to-end logistics and customs clearance process. The logistics chokeholds and focus on “getting the job done” regardless of the increased costs resulted in less pricing transparency as well as increased risk related to sanctions and on-the-ground customs corruption. In the past two years, we have seen various fraud, bribery and regulatory issues arise throughout the supply chain process in APAC, including the following representative examples:
- Sanctions risk. Our client relied on a network of shipping companies to import various materials and supplies throughout APAC. The limitations of available vessels, delivery demands and other “business-first” factors led to a shipping company commissioning a sanctioned vessel as designated by the Department of Treasury’s Office of Foreign Assets Control. Our client was unaware of the sanctioned vessel until the shipment was delayed at the port while an investigation was initiated.
- Bribery risk. A client who regularly distributed products through APAC had to expand their network of shipping, logistics and customs clearance consultants to address an increase in demand. Unfortunately, when the product was held at the port by a customs official, there was documented evidence that indicated the logistics consultant obtained additional fees due to pressure from a customs official.
As the supply chain returns to some resemblance of normalcy, companies need to be aware of the potential operational changes enacted during the pandemic and how to root out associated Fraud Risks.
“Identifying procedural controls, performing effective diligence, and reviewing high-risk transactions are key factors for companies to stay on the right side of the law.”
Dr. Tim Klatte, Head of Grant Thornton Shanghai’s Forensic Advisory Services, says, “We have observed an increased lack of transparency throughout the supply chain and import/export process. Operations are returning to pre-pandemic norms, but there is growing concern that a risky precedent was set during the pandemic that will be hard to break.”
Combating Fraud Risks in APAC
As global companies continue to work throughout the APAC region, we propose the following recommendations to mitigate fraud, bribery and regulatory risks.
Balance local market operations with ERM expectations. We all recognize that doing business in the U.S. or UK is markedly different from doing business in APAC. This reality extends to compliance and general risk management protocols as culture and systems and the ability to obtain detailed information from internal employees and third parties may be limited. As such, it is important to identify and prioritize the key fraud, bribery and regulatory risks of a specific operation and develop a risk management program that proactively incorporates the compliance constraints of the local operation against enterprise-wide expectations. Use a cross-functional and cross-geographical approach to ensure that policy and process expectations can be met without undermining operations.
Update country-specific risk profiles throughout the region. Companies should understand the risk profiles of their business units throughout APAC based on the current landscape and not rely on risk assessments that were applicable prior to or during the pandemic. Refreshing the risk assessment process at the geographic and business unit levels should incorporate financial, operational, legal, human resources and third-party information as inputs (via data and surveys). Companies can then use the revised risk profiles to prioritize initiatives to increase the level of deterrence and quick detection of potential fraud, bribery and regulatory violations.
Train local employees on corporate expectations. Companies should collect and analyze quantitative and qualitative data to understand the likelihood of internal fraud risk. Based on the findings, policies and procedures should be enhanced, communicated to the entire workforce through a combination of business unit and legal/compliance leaders, and monitored for follow-through. The following are examples of ways companies can understand their internal employee fraud risk:
- Collect and compare trends of internal speak-up or whistleblower programs in the past five years.
- Survey employees across functional areas on fraud-related topics to understand themes or discrepancies between business areas.
- Calculate and assess key factors for retention rates throughout operations and the level of new hires in production-level roles against those at managerial levels.
- Analyze year-over-year changes to variable compensation models tied to business growth and financial reporting goals.
- Assess whether employee onboarding documents require disclosure of any vendor or government official conflicts of interest.
Catalogue and risk-rank third parties. During the pandemic, many companies throughout APAC experienced a considerable change in business operations. In many instances, this resulted in hiring new third parties and/or relying on others for new services previously performed in-house. Although the reliance on third parties will likely be a requirement, those same third parties also pose the greatest Fraud Risk to multinational companies. To properly balance this risk with business requirements, it is important to: (a) identify all active third parties for a specific business unit or region, (b) catalogue each third party by the type of service provided; and (c) risk-rank each third party based on company/business-specific factors. The following are examples of risk factors that companies should consider and customize to assess the potential and likelihood of Fraud Risk associated with a third party:
- Reasonable expectation that a third party is acting as an intermediary or agent on behalf of the company with a government entity
- The reliance on a third party (versus internal employees) for core business functions such as new business development, sales and marketing, and logistics/product inventory management
- The ability of and actual reliance by a third party on downline fourth parties in the execution of their core services on behalf of the company
- Changes to the third parties’ ownership structure, funding sources, overall financial health and key leadership positions.
Strengthen contractual billing terms. For third parties that are considered higher risk (based on the factors described above), companies should consider revisiting the contractual billing expectations to receive more pricing transparency. Improper payments made by third parties (especially in APAC) are often unknowingly funded by companies due to inflated invoices billed in a fixed fee or lump sum nature that do not provide details on the specific services provided or billable hours worked. These scenarios expose companies to enhanced risk as the manner in which those parties met their billing requirements, or milestones, may have involved improper payments and/or inappropriate behavior. Companies should consider the following:
- Due to the volatility in the labor market, inflation and other factors, commercial pricing agreements should be reassessed and potentially renegotiated. The pricing negotiations should be performed in conjunction with a competitive pricing process to assess the fair market value of certain services.
- As companies revisit and rebalance pricing terms, we recommend companies require a traditional time-and-material billing model that requires detailed receipts to reduce the risk of inflated, improper payments (and subsequent regulatory interest).
- The revised vendor agreements should include strong audit rights. Companies should also develop a framework for when third-party audit rights will be called on and ensure follow-through when certain risk factors are present.
Take allegations seriously and ensure local investigative presence. We have seen an increase in the number of corporate investigations and fraud/bribery claims with our clients throughout APAC. As companies uncover allegations or risks, it is important to properly triage, manage and remediate findings. We recommend the following as key steps when a fraud, bribery or regulatory allegation has been made:
- Assess whether the engagement of a qualified outside counsel to maintain privilege throughout the process is required.
- Forensically secure electronic and physical data that may be relevant/necessary for review.
- Properly scope any investigative steps to address the allegation that will provide answers to the key what, how, who, when, where and why questions.
- Perform the investigation in a fact-finding and lead-driven manner by a qualified team that understands the industry, local market protocols and subject matter at hand.
- Communicate and update regional and/or corporate legal, ethics, audit and/or other committees on a regular basis to ensure alignment.
Effective fraud prevention starts with an overall risk assessment to understand where fraud, bribery and regulatory risks exist within the business, third-party network, and throughout the supply chain. Understanding the current risks and strategically shoring them up is simply a business imperative, especially in a traditionally higher-risk environment such as the APAC region.
Our featured forensics, investigations and disputes insights
No Results Found. Please search again using different keywords and/or filters.