Third Party Risk Management

Featuring Due Diligence as a Managed Service

    Program Services Provided

  • Watchlist and Politically Exposed Party (PEP) Screening Analysis and Match Resolution

  • Third Party Desktop (Level II) Due Diligence Reports

  • Extended / Affiliated Party Identification & Screening Analysis

  • Third Party Enhanced (Level III) Due Diligence Investigations

Why Specktrum for Third Party Risk Management

PROVEN SYSTEM: 

With over 10 years of experience managing hundreds of thousands of third parties; Specktrum has developed and perfected a proven system for assessing, classifying and clarifying risk related to third parties. Our process is a methodical highly disciplined approach designed to provide assurance that counterparty risks are managed appropriately, in full compliance with at a minimum Office of Foreign Assets Control (OFAC) and global anti-bribery regulations, including the Foreign Corrupt Practices Act (FCPA) and UK Bribery, and adhering to guidance offered by US Sentencing Guidelines, World Economic Forum’s Good Practice Guidelines on Conducting Third-Party Due Diligence and ISO 37001.

THOROUGH & COMPLETE ANALYSIS: 

No matter how strong and efficient your screening software, it cannot be relied on in its entirety for your business specific risk assessments and for narrative summaries that will enable your business to make risk appropriate decisions. This is why we have selected analysts with either legal or equivalent degrees, certifications and training, which are of the finest caliber. They are selected not only for their education, skills and for their experience, but for their passion in conducting research. Our analysts not only love to read, but enjoy reading between the lines, and identifying evidence or relevant information that may link to red flags of risk. Thus Specktrum analysts dedicate themselves on conducting a thorough review of all screening alerts and matches to watchlists.

DEFENSIBLE DECISION MAKING & RECORD KEEPING:

All false positives or overrides are given a clear and discernable reason code and narrative to justify the clearing of a match to a watchlist. Difficult to resolve hits (> 90%) are reviewed in a joint resolution session with a veteran manager.  Any match that is dismissed will include clear explanations which justify the decision in order to create a complete compliance record.

DUE DILIGENCE REPORTS WITH PROFESSIONAL RISK ASSESSMENT: 

Specktrum performs analyst led comprehensive entity research on a risk basis using the most up to date aggregated resources to generate a complete Level II Due Diligence Report that includes; 1) company’s complete corporate structure, including beneficial owners, 2) company’s board members and directors, 3) restricted party screening results  4) results against politically exposed parties, 5) enforcement actions that may have been taken  6) litigation filed  7) Criminal records; 8) media and reputational information; culminating in a risk assessment and conclusion.  Our reports do not merely regurgitate information provided by our subscription based or other resources; our reports includes analysis that relate to specific bribery and corruption risk that could impact your business.

On the Road to ISO 37001 Anti-Bribery Certification:

Our program, coupled with GAN Compliance management software is closely aligned with guidance provided by UK Bribery Act and FCPA as well as requirements for ISO37001 certification.  Using GAN and Specktrum can lead to a more efficient external audit process; thus saving your business valuable resource time and money.

Level I Desktop Due Diligence

  1. Restricted Party Screening (RPS) Case Management
  • False positive resolution (manual analysis) with documented rationale for false positives
  • Difficult to resolve hits resolution
  • Escalation of watchlist matches and relevant adverse media news

Specktrum analysts carefully review all hits against customer entities to determine legitimacy. Although screening software classifies a hit based on settings on a percentage basis; each hit will be reviewed and if not a true 100% match, will be labeled with a reason code for its dismissal and if applicable a short narrative description designed to add more clarity around justification of the match override.

Due Care Taken:  Matches of =>90% are reviewed by a trained manager in a joint resolution session.

Joint Resolution sessions also include difficult to resolve matches (often at 100%) in which analysts may find it more difficult to determine whether a hit is legitimate or not. Difficult to Resolve hits may require additional research. All difficult-to-resolve-matches that are eventually determined to be false positives will include narratives justifying the decision.  If Specktrum analysts and management determine a match is legitimate or that contacting the entity would be necessary as a means of distinguishing the third party from the watchlist match, Specktrum would contact its customer immediately for appropriate action.

  1. Political Exposed Party Screen

Identify entities and related entities with connection or government ties

  • Government contacts and organization’s access to public officials
  1. Extended Screening

Expanded screening and risk assessments of partners and organizational structure. Smaller private companies and law firms are managed by partners so the risk may likely be revealed with them as opposed to their trading entity. So it’s a best practice to identify and include these individuals to level I screening and if a red flag is raised, conduct Level II Due Diligence Report on the person(s).

      • Legal name and business formation (parent, subsidiaries, affiliates)
      • Ultimate Beneficial owners (UBO’s, BO”s, managers, partners, directors profiles and backgrounds
      • High risk entities will have future continuous level I screening on extended parties

Specktrum not only identifies beneficial ownership, corporate family entities, officers and directors on companies when conducting Level II Due Diligence, it does so on certain high risk affiliated parties in order to include these entities to future watchlist screens.

Specktrum’s process requires trained legal resources to analyze results, make determinations based on pre-selected reason codes, and escalate entities that either match a watchlist or in which a media reported event has changed the entity’s risk profile.

Even though your company’s risk profile will determine the extent of due diligence which is required, more often than not, a second level due diligence will be sufficient, depending on what information is uncovered or not.

 Formal Entity independent research reports or Second level due diligence is designed to look at a third party wider and deeper.  This means gathering enough information to provide reasonable assurance that there are no red flags or issues that can may lead to regulatory or reputational risk for your company. In this instance a formal report is issued to your compliance group and/or business for review.

To perform this research effectively requires expert, skilled researchers, analysts, or paralegals who will utilize expert search software such as Lexis Diligence to interrogate a vast global database of free available and subscription based public records.  The goal is to conduct thorough but not necessarily exhaustive research for relationship assurance purposes.  The beauty in conducting this level of research on an entity is the capability of leveraging these level II activities for non FCPA and UK Bribery purposes; covering data protection, modern slavery, export control and commercial risk detection for instance.

So how much is enough and what should we be looking at? 

This is what our Level II research consists of:  

Company Profile:  Company name and known trade names are researched. What business the target entity engages in and how it relates to your company. Locations, employee base, and industries, among others, of target, factor in to the over-all risk assessment that is being built.

 

Corporate Structure:  This means the identification of subsidiaries which may include acquisitions. Key Directors or C-Level executives would also be identified for research. Business registration requirements would be checked for compliance. For instance several years ago a client vendor in Australia was acquired by a US company, thus changing how our client would be able to manage work for its non US customers going forward given US sanction trade restrictions varied from those in the UK and EU. Although not an FCPA issues it was a sanction compliance matter that was raised to the business for immediate action which included client customer notifications.

Beneficiary Ownership: Often a critical element when looking at small private firms in that an undisclosed beneficiary owner could be a money launderer or involved in other corruptive activities. This can require looking at corporate registration in the jurisdictions where the third party conducts business.  This can sometimes be performed remote via desktop, but could depending on country, require feet on the ground walking into a government office.

Enforcement actions, and Litigation:  These clearly let you know whether your target is officially involved in either of these two legal actions; the latter could be criminal but also civil involving claims by the target or against them.  We once had a company on a level III on site audit tell our auditor they had no litigation over past 3 years, but research determined there had been a settled case.  We of course had to include this as an integrity concern on the report.

Watchlist and PEP screening:  Formal results are included in the report for assurance purposes.  This screen though will include extended parties identified in steps 1 and 2 above.

Negative Media and Social Media:  Anything formally published in all print publications that have been digitized or web based reports are screened for any red flags of corruption. Because in some countries the available media is in another language, you may have to use a source to translate.  Some services do this for you.  Doing this level of research is necessary if there already is a red flag of some sort, the entity is small and the only available media is in the local language. Depending on risk level, 1 to 5 years of media reports is required. This can be the most time consuming exercise, especially on UK, EU, US public companies where there is a wealth of information available.  Social Media can be useful but you must consider the source of the information provided. Usually patterns of negative chatter may be worth noting and can either lead to increased monitoring and more frequent level II reports.

Location: Corruption Perception Index:  This can just as easily be included in the company profile section. We elected to break to look at location risk in relation to Corruption Perception Index published by Transparency International separately because it’s a risk not related to the company itself and centered on the location(s) the firm is based or operating in. Although location element often drives the initial overall risk rating higher; the results of a due diligence report could be used to reassess the overall level going forward. 

The finished product is memorialized in a Due Diligence Report whether it be on a person or any sized or organized company, that’s demonstrates a thorough review using the best resources to capture available public data that will either give assurance that there are no needs for concern or that red flags exist that require compliance and or business action.

Specktrum’s Level II Due Diligence reports are designed for easy digestion of facts which begin with an executive summary and risk assessment using a 5×5 risk grid. All reports are reviewed by an experienced Specktrum supervisor.  If the risk is greater than moderate, we will alert your compliance department or designee(s) for a determination of course of action.

It’s not unusual outside of the US and EU, to have difficulty at least finding evidence of a private entities’ existence, outside of their own website; and sometimes even that is a challenge.

Identifying that the target entity has a web site that has addresses and names of partners and personnel that coincide with the company records is useful, however independent data sources are more desirable. At the very least an analyst expects to find business registration, articles of incorporation, profile, ownership information, or local news, or commentary of a target third party outside of the company web site. 

If lacking this foundational information; a decision needs to be made in the absence of any other internal red flags whether to obtain third party assurance by conducting a local visit to the third party’s headquartered or satellite location to gather this confirmation thru enhanced due diligence. 

A company’s risk profile may call for this activity to be conducted periodically after initial vetting has taken place, if it has taken place. Or a lack of Level II assurance may be the trigger.

But when we have, we have been fortunate enough to engage an internal auditor who is skilled and experienced in conducting local research and while on site to conduct a bribery and corruption audit to ensure integrity in what has been presented to our firm from the point the relationship was developed.