Shared Assessments’ Continuous Monitoring Working Group recently convened to examine the risks from financial crime that a vendor manager must understand. Ken Wolckenhauer, head of vendor due diligence and review for the New York branch of Finland-based Nordea Bank, led the discussion around this serious topic. Wolckenhauer’s insights from his career experiences illuminated key considerations to integrate into vendor risk assessments. This blog post describes what a vendor manager needs to know about sanctions and money laundering, offering resources for the management of this risk.
Key financial crime risks include:
Sanction Risks are important to understand because, just as you do not want to do business with a sanctioned organization yourself, you do not want your vendors doing business with sanctioned parties. To screen your vendors and their associated parties, you can use the US Department of the Treasury website to search relevant organizations. Remember, you are ultimately responsible for compliance across your supply chain; Office of Foreign Assets Control (OFAC) risks cannot be transferred by outsourcing. High-risk organizations for this area include fintech outsourcing, wire payment outsourcers, card processors, lockbox/cash management, settlement/clearing institutions, broker/dealer partners, and foreign banks providing treasury accounts.
Politically Exposed Persons (PEP) Risks are increased by a vendor’s association with people who have held major political positions and/or family members of someone who has held these positions. PEPs can be owners, directors or individuals with any sort of control over a vendor. In many countries, these PEPs are at high risk for corruption, thereby making the vendor itself more susceptible to corruption. And…once a PEP, always a PEP!
Bank Bribery is a crime that needs to be understood in risk management, as bribery to or through 4th parties can implicate the organization using the vendor. You should screen for bribery in third parties as a part of the essential due diligence process, especially for international third parties or for vendors who conduct business internationally. Check negative news and history to understand if a vendor has violated the Foreign Corrupt Practices Act (FCPA).
Export risk is a timely set of issues given the current political and trade climate. In regard to third-party risk, you must consider this from a technological perspective – for example, do your encryption keys or other such information shared with vendors enable access to software, and in turn the reverse engineering of that software? Addressing this risk prevents piracy and theft, protecting intellectual property and security. The Bureau of Industry and Security within the US Department of Commerce deals with issues involving national security and high technology, overseeing exports to foreign individuals and entities. Regulations around export risk can be found on the Bureau of Industry and Security website.
Money Laundering is a risk you want to be able to identify in your screening of vendors. Consider corporate social responsibility and the past histories of your vendors. As you screen your vendors, understand whether they have violated the Bank Secrecy Act (BSA), which emphasizes proper record keeping by financial institutions for currency and foreign transactions to control money laundering. The BSA tracks large currency and monetary instrument transactions and other suspicious activity. Also, note whether the vendor has violated the USA PATRIOT Act, which prevents terrorist financing by tracking the registration of financial institutions and prohibiting shell banks, with the cooperation of various agencies including law enforcement.
Fraud risk is elevated in the work-from-home environment caused by COVID. Risks in this realm include bogus invoices, collections calls to accounts payable, email addresses resembling a vendor’s being used to scam the organization, social engineering, startup companies making false claims, and data theft.
In light of all these risks, what can and should a vendor manager do? A vendor manager needs to know the risks inherent in services performed by, or goods acquired from, vendors. This means proper due diligence of vendors.
The checklist includes:
• Screening vendors for OFAC, PEP and negative news
• Evaluating vendors’ compliance with US Export regulations
• Evaluating risk-ratings of foreign countries by referencing the anti-bribery index
• Understanding whether the US has authority to examine a vendor
• Understanding whether the vendor complies with US privacy, bribery and anti-money laundering (AML) laws
• Knowing who the vendor’s owners are, understanding their paths and whether they have financial crimes associated with them