Allan Matheson (Blue Umbrella): "Controls and processes are as important as outcomes"
Published on 19 March 2018

First off, Blue Umbrella is a compliance research company. Can you tell us a little bit more about the company’s activities?
Blue Umbrella is a risk management company specialising in third-party due diligence and technology, meaning we investigate our clients’ potential business partners prior to our clients signing a contract. This process involves conducting due diligence, monitoring new and existing third parties and providing evaluations of a third-party’s risk. Our approach is extremely global: we have over 250 research analysts fluent in more than 40 languages, located worldwide. STATUS, our research and disruptive third-party compliance technology, helps implement a system of internal controls focused on the Sapin II, FCPA (Foreign Corrupt Practices Act), UK Bribery Act and other regulatory and reputational risks to meet compliance needs.
Blue Umbrella has a strong presence in America and Asia. Would you consider these territories as places of choice for compliance activities?
America and Asia are certainly places of choice for compliance activities. In America, the FCPA (Foreign Corrupt Practices Act) has an extraterritorial reach that prohibits bribery and corruption to foreign officials. A great many US-based multinationals have significant business operations, and therefore third parties, in Asia.
However, we notice a trend of increasingly sophisticated third-party compliance programs emerging in Europe as well. Although legislation such as Sapin II feeds this trend, we see compliance being focused upon and resourced properly globally.
You notably investigate (conduct due diligence on) a third party with whom your client wants to do business. How do you go about these types of investigations? Do you only use information in the public domain?
We collate information that is both publicly and legally available, including both private brand-name databases and public records. These may include major international sanctions lists, litigation checks and official source information, as well as results from newspapers and other media sources. Our in-house researchers work through these dense amounts of information in both English and the local language for potential risks a client may face in onboarding the third-party, such as a third-party’s political exposure or corrupt activities. The researchers then compile all relevant information and distill it into a report.
Are third party non-compliance situations common?
For us it’s not necessarily a matter of being in or out of compliance, it’s about ensuring that high quality research methodology has been applied to help ascertain whether there is a risk or not. The controls and the process are as important as the outcomes. While we encounter companies with programs that range from very robust to the bare minimum of controls, most seek programs that are in the “middle of the pack” with their peers. There is no glory in overspending on compliance, and there can be plenty of risk by not doing enough to comply with regulations, depending on the industry and regions in which the company operates. For example, for companies operating in Brazil, Russia, India, or China (BRIC countries) and other similarly high-corruption-indexed countries, in pharmaceuticals, medical devices, technology, industrial manufacturing, defense, and energy, the risks are high and their third-party compliance programs should have the controls in place, utilise a compliance technology, and rely on professionals to provide the global due diligence on their medium and high risk third parties. Conversely, a domestically operating healthcare company will have very little FCPA or ABAC risk and similarly, their third-party compliance program would reflect this. In both situations, it is crucial to establish the controls and processes around the third-party program. This is where we find compliance technology invaluable.
What type of non-compliance situation do you encounter the most?
There are several common missteps or misperceptions made in implementing a third-party compliance program.
1) Not having a risk model to segregate third parties into risk classifications, and therefore not conducting the appropriate due diligence in vetting them.
2) Relying on database screenings as due diligence. Automated database screenings have their place in a compliance program but the likelihood that a third-party will show up on a 10 Most Wanted List or a Russian Sanctions List is very low. However, if the third-party was accused of facilitating a bribe in a local news article or on a blog, it would be found in human-conducted due diligence, but not in a database screening.
3) Relying on information provided in third-party questionnaires or through business data reporting services without verifying its accuracy. This information is largely self-reported by the third-party. If that third-party is the type that engages in bribery or corruption, do you think they would hesitate to answer a questionnaire or report their business information in a fraudulent way?
4) Not engaging a due diligence provider who has “in region” research analysts, who are employees of the due diligence firm, not subcontractors or freelancers, who conduct the due diligence in native (local) language and English, and who only collect legally obtainable information.
5) Not implementing a purpose-built third-party technology, rather than disparate systems, or worse a procurement tool, to onboard, vet, manage, monitor and audit their third-party population. Third-party technology platforms should be calibratable to each company’s compliance workflows, have a myriad of automations to relieve administrative burden, and integrate the due diligence that is performed on the third party within the platform to create a single source of truth on that third party.
Compliance is a growing market, and an increasing concern for companies. How do you explain the recent rise of compliance legislation/obligations? (If you believe there has, indeed, been a rise)
Compliance legislation is not recent, in fact the Foreign Corrupt Practices Act (FCPA) turned 40 years old last year. The interest in the FCPA, UK Bribery Act, and other Anti-Bribery and Corruption regulations has been on the rise for the last ten years, as the U.S. Department of Justice, the Securities and Exchange Commission, and similar foreign government regulatory bodies have dramatically increased their investigation and prosecution activities.
Beyond these more established pieces of legislation, there is also a clear trend of more jurisdictions adding their own, usually extra-jurisdictional legislation with their own dedicated enforcement agencies. Because of the increased regulatory scrutiny, multinationals operating in high risk jurisdictions, in certain industries prone to bribery and corruption, have followed suit and are putting much more attention and resources to develop third-party compliance programs that align with the regulatory guidelines for an effective compliance program. Because of the proliferation of legislation to comply with, most programs are rising to the highest standards from their infancy.
What are the new obligations that companies must cover?
The greatest ABAC compliance risks remain in the higher risk third-parties such as: agents, intermediaries, distributors, franchisees, and high-risk vendors. Many companies are starting to look at their supply chain vendors but with a slightly different lens. Supply chain risks can include the obvious disruption to production but also reputational risks, and many programs now include screening against modern slavery or human trafficking databases.
With the onset of new privacy laws like the GDPR, and the combination of the proliferation of extra-jurisdictional anti-bribery laws, companies will also need to reconcile competing interests among privacy, data security, data localisation, process differences and reporting requirements.
How would you like to see international legislation evolving?
Rather than evolve, international legislation will likely catch up or mirror the legislation already in existence with the FCPA, the UK Bribery Act, and a few of the other larger known ABAC regulations. Most practitioners, aka compliance officers, would prefer it if the regulating agencies would take a less ambiguous stance on what is, in fact, a compliance program framework that they would sign off on. There are many guidelines, and much is left for the legal profession to interpret and advise their clients on.
There may also be more conflicts of legislation, data privacy and anti-bribery, for instance, that will need to be reconciled.
You offer technological solutions to help companies meet compliance requirements. How does technology serve those emerging requirements?
Most compliance departments face a very challenging environment; evolving legislation, dynamic business environments, growth in overseas markets, and limited resources with which to handle these challenges. Technology can help not only lay down a system of controls, but also automate elements that are labour intensive but only need to be dealt with if they uncover risk. We have invested hugely in the capability to set up customisable automations so that compliance departments can concentrate less on administering processes. Instead, once these processes have been designed, officers can then focus on exceptions and risks.
In compliance, there is also an increasing need for documentation, risk-based evaluation of third parties and ongoing evaluations through monitoring, as well as a growing focus on data security measures. Using technology for third-party compliance provides a means of accountability and transparency because you have a record of user actions for audits. The ability for technology to integrate due diligence scores and risk scores together to provide a holistic view of a third-party’s risk also helps companies evaluate, overall, whether it is appropriate to proceed with a relationship.
While it is possible to manually monitor third parties that have been onboarded, technology can automate monitoring and alert companies of potential red flags directly into the platform to keep companies aware of risks that need remediation or other actions, eliminating that administrative burden and allowing companies to focus their energies on other demands.
There is also the issue of security that is accommodated by proficient platforms. Whereas a manual compliance process may use various programs and information sent over unsecure networks, leading to lost items or undocumented actions, a platform secures all information in one place and can host information on servers that are in locations that allow them to be compliant with data privacy legislation like the GDPR.
Can all companies benefit from adopting these products?
I would say any company that is involved in dealing with third parties can benefit from adopting these products. Not only does technology help meet legal and compliance needs, but also provides relief for administrative frustrations such that users can concentrate on higher level decision-making. Automations, for example, are now commonplace, relieving repetitive, manual tasks such as sending questionnaires to third parties. Similarly, using a platform that centralizes and integrates all necessary information eliminates the need to transfer information across multiple programs, potentially leading to lost or undocumented items. In that sense, it is really about the convenience of technology to save time, resources and streamline workflows and processes.
Interview by Camille Guével