Despite an increased focus on anti-corruption risk in Brazil, a recent global fraud survey reveals that even though 96% of Brazilian companies believe that bribery and corruption continue to occur widely as a part of usual business dealings throughout the country, only 52% of these companies apply a risk-based approach to their due diligence practices to minimize exposure to this type of misconduct. Recent high-profile anti-corruption investigations of Brazilian companies and their vendors show that choosing the right compliance and investigations expert can help a company cut costs, operate more efficiently and reduce corruption, regulatory and reputational risks. Unfortunately, only 35% of Latin American companies conduct complete third-party due diligence on an ongoing basis, according to a 2018 Refinitiv report: Revealing the True Cost of Financial Crime.
The good news is that when third-party vendors are adequately screened and operate under contract-driven controls, a company can significantly reduce its risk profile.
Why Third-Party Vendor Relationships Matter in Brazil
Brazil’s Clean Company Act (Law No. 12,486/2013) establishes the accountability of private companies, regardless of fault, for acts of corruption committed by third-parties. A third-party vendor is defined as any individual or organization that performs business on the company’s behalf, including consultants, suppliers, distributors, and subsidiaries. In addition, Brazilian federal government bodies and companies doing business with them are subject to public sector regulation, following “Portaria 57/2019 of CGU,” and are required to establish procedures for structuring, executing and monitoring programs to prevent, detect, remedy and punish fraud and acts of corruption.
Gerdau, Brazil’s largest steelmaker, serves as a high-profile example of the consequences a company can suffer for failures surrounding its third-party due diligence process. Gerdau was alleged to have violated Brazil’s Civil Code in order to receive favorable tax decisions by engaging outside attorneys between 2011 and 2014 to pay about US$13 million in bribes to council members of the Administrative Council of Tax Appeals (CARF). Although Gerdau and its employees proclaimed their innocence, and even if proven that the company was unaware of the attorneys’ acts, both the company and its leadership face liability under the Clean Company Act for the alleged acts of these third-parties, demonstrating the risk posed by an apparent lack of internal controls and proper, effective third-party vendor diligence.
Mitigating Third-Party Risk with Due Diligence
A recent compliance study conducted by LEC and VITTORE Partners found that 59.7% of Brazilian compliance officers surveyed were concerned with third-party risk as an immediate threat, underscoring the importance of proper due diligence procedures. Further, The Clean Company Act introduces the concept of Integrity Plans as a critical component of a company’s anti-corruption program, which brings implications for third-parties. Both before entering into and during the business relationship, effective third-party due diligence should identify, address and investigate any red flag indicating risk related to each vendor. A company should always perform this due diligence in alignment with the company’s risk-based approach to operations, and relevant aspects of the company’s Integrity Plan should also be incorporated into the effort.
Essential components of a sound vendor due diligence process include:
- Risk Classification
By placing vendors into categories by risk level, the company will be able to discern the depth and breadth of essential and effective due diligence. Classifications will vary by industry, the nature of the vendor relationship, its size and geographical footprint, as well as other considerations.
- Due Diligence Questionnaires
Due diligence questionnaires can aid a company in establishing a baseline understanding of the third-party and any risks it may present. A questionnaire can also reveal any conflicts of interest or politically exposed person (PEPs) with links to the vendor. In the case of an audit or a downstream issue, such a questionnaire can further be used to demonstrate the company’s good-faith efforts and the representations made to it by the vendor.
- Preliminary Vendor Classification
Based on the basic knowledge gathered about the vendor, the company should assess the relevance and volume of the vendor’s activities, relationships with public agents, success fees, and the vendor’s physical access to the company’s facilities and/or business-critical data.
- Due Diligence Search
The vendor’s risk classification will determine the scope that the due diligence search covers. For example, a vendor in the lowest risk category may only be subject to confirmation of proof of establishment, a watch-list and sanction database search, identification of governmental ties and PEPs, and a news alerts review. In contrast, a vendor in the highest risk category may be subject to additional screening, such as an intensive review of the vendor’s litigation and operational histories through public records and court and regulatory documents. For entities established or doing business in Brazil, databases maintained by the Ministry of Transparency and the Comptroller General (CGU) could prove useful to identify any history of anti-corruption violations.
- Investigating Red Flags
The company should immediately address any potential issues revealed by the due diligence search. Depending on the severity of the issue, an investigation into the matter conducted either internally or by external compliance professionals should occur. Moreover, this investigation should be broadened to any other associated activity so as to examine all possible risks.
- Continue to Monitor
If the company elects to move forward with a vendor after completion of the initial due diligence process, the company should continue to perform ongoing due diligence, contemporaneously with vendor-related activities.
Continuous monitoring can take many forms, including:
- The creation of a Due Diligence Dashboard to effectively track risks by vendor and category. Also, a risk map will help the company to understand its greatest risks and identify the vendors and activities that increase those risks.
- The development of a transaction monitoring tool to flag for review in real-time any high-risk transaction involving the third-party to ensure legitimacy of the transaction
- Periodic updating or confirmation of the Due Diligence Questionnaire by the vendor
- Subscriptions to news alerts to stay informed of any instance that a vendor in mentioned in the media, and
- A periodic review of databases for new sanctions or litigation.
Should a review of a company’s due diligence practices reveal a backlog of active vendors that have not undergone proper screening, it is crucial that the company develop a risk-based approach to tackle the backlog separately from regular, ongoing due diligence. In this instance, outsourcing the due diligence review may be a time-effective option. Generally, a company should perform low risk due diligence reviews internally and engage an external compliance and investigations expert to address high-risk vendor due diligence. In the latter group of vendors, a more complex and thorough review will be required, often spanning geographic and language barriers.
Beyond the Vendor Review Process
Once an effective due diligence program is in place, an organization should establish and monitor the relationship between cause and effect on an ongoing basis. Specifically, it is essential to consider the structuring of data analytics parameters for ongoing transaction analysis, implementation and periodic review of internal controls, and transaction testing to combat fraud and corruption.
Additionally, thought should be given to programs designed to ensure proper third-party conduct long-term. For example, the company should provide integrity training to third-party vendors and obtain a code of conduct acknowledgment that includes an audit clause. Internally, the company should also review its master data to deactivate any privileges for third-parties that have not engaged in a business relationship with the company in the past 12 to 24 months.
As Brazil’s federal and state governments continue to focus on prosecution of companies for violations of its anti-corruption laws, companies should recognize and address their liability for acts of their third-party vendors. To most effectively mitigate the risk of exposure to a third-party’s illicit acts, it is essential that companies implement rigorous due diligence procedures and remain assertive with third-party risk management procedures throughout the course of the business relationship.
Carrie Meneo, a Consultant at StoneTurn, contributed to this article.