Updated Wolfsberg Guidance on Anti-Bribery and Corruption: Are your ABC controls up to par?

Last week, the Wolfsberg Group released a revised version of the 2017 Anti-Bribery and Corruption (ABC) guidance. Amongst updates to the red flags and the customer and transaction corruption risk sections, the paper has been realigned to meet current and developing regulatory expectations for Financial Institutions (FIs). Recommendations made in the paper promote a culture of ethical conduct and emphasise the importance of operating in conjunction with a proper risk-based compliance programme. The updated guidance further includes outcomes from recent enforcement cases as a stark reminder of the human costs associated with bribery and corruption.

Institutions should follow a risk-based approach to adequately develop their ABC Compliance programme to prevent, detect, mitigate, and report bribery and corruption (B&C) instances. As the guidance indicates, a successful ABC compliance framework should include the following:

  • A risk assessment periodically assessing the nature and extent of B&C risks they may be exposed to (incl. third parties, gifts and entertainment, customer-related transaction risks (including reputational risk), etc.) and the effectiveness of controls currently in place. Notably, and for the first time, the guidance acknowledges the value in assessing emerging risks;

  • A firmwide ABC policy applicable to all employees, client base and third parties located in the UK and internationally. Consideration should be given to procurement and sales processes and exposure to public officials to ensure policies and procedures proportionately reflect associated risks and mitigating controls;

  • Robust governance arrangements with distinctive roles and responsibilities and access to Senior management / Board. Is there appropriate segregation of duties and approvals across first and second lines of defence, subject to sufficient check and challenge?

  • Training and awareness including lessons learned from enforcement cases to date, as well as any internal or external events, to further evaluate the adequacy of the compliance framework. For example, an analysis of identified adverse events should be carried out to understand the root cause of the event and the control failure and share remedial actions and control enhancements across the organisation;

  • Monitoring and testing to assess if compliance controls are working effectively, appropriately embedded within the organisation, and in line with applicable regulations, best practice, and internal policies / code of conduct. Organisations should carry out risk-based testing of employees’ activities to identify any examples of non-compliance with procedural requirements, including checks for claimed expenses, sponsorships, etc.

Institutions should communicate their ABC programme on a regular basis to their employees and third parties through policies, procedures, code of conduct and audit visits as appropriate. Tailored training must be offered to employees having greater exposure to public officials and wider B&C risks, as well as to third parties.

The guidance contains updated red flags which cover the identification and escalation process, and how those processes fit within different aspects of a risk-based compliance programme. The new red flags warranting Enhanced Due Diligence (EDD) are:

  • No obvious commercial value added by the person or entity of concern;

  • Use of third parties (e.g. vendors and consultants) who serve no clear purpose, or strong recommendations to use third parties not meeting procurement standards;

  • Use of nominees or proxies with no obvious commercial purpose;

  • Use of entities with names mirroring more reputable entities with no connections to those reputable entities;

  • Key contacts’ use of non-official communication channels such as personal email, text messages, or communication apps;

  • Deviation from standard procurement practice especially for public projects;

  • Unusual involvement of Public Officials in commercial matters;

  • Sudden unexplained resignations of key professionals (e.g. members of the Board, lawyers, or auditors);

  • Recommendation(s) to rely on the customer’s and/or Intermediary’s due diligence without written evidence of what due diligence has been undertaken;

  • High-value and/or complex deals or transactions that lack Compliance involvement and oversight.

Practical takeaways 

The updated guidance, alongside the emerging regulatory focus seen in recent final notices (e.g. Credit Suisse, JLT Specialty Limited), showcases the requirement for institutions to revisit their ABC Compliance Framework and ensure it is fit for purpose. Consideration should be given to the following:

  • Do you have a defined risk appetite with zero tolerance for B&C?

  • Do you have clear thresholds for gifts, entertainment, and hospitality? Are these appropriately recorded, and where necessary approved by Compliance?

  • Are you clear on what your EDD processes require?

  • Do you have adequate and proportionate controls around charitable donations and the identification of those linked to public officials?

  • Do you have a clear intermediary definition? Are these subject to appropriate due diligence, approvals, and monitoring? 

  • Are third parties onboarded in a way which is transparent and based on objective criteria?

  • Are you subject to independent audits to test the effectiveness of your ABC Compliance Framework? Do the outputs drive change in the compliance framework?

  • How do you manage risks linked to mergers and acquisitions, joint ventures, etc.? Has an appropriate level of due diligence been applied, with clearly defined pre- and post-merger or acquisition checks and balances?

  • Do you carry out any lobbying activities? If so, are your controls fit for purpose?

Getting a risk-based framework right requires a meaningful understanding of what your risks are. This is where we tend to see firms struggling. Too often the risk assessment does not tell you anything new or provide insight into the real risks which you need to control. We’ve worked with a range of firms to build insightful bribery and corruption risk assessments which form a basis for an effective framework.

So, whether you need a better understanding of risk, need to improve your controls, or are looking for an independent review – give us a shout to see how we can help.
