Category: AML Compliance

Third Party Risk Management (TPRM): Everything You Need To Know

In a global marketplace, third-party relationships are a crucial component of day-to-day business. However, while those relationships bring operational advantages, they also pose an array of potentially significant risks. In order to address those risks and ensure compliance in an increasingly complex regulatory environment, organizations must think carefully about their approach to third party risk management (TPRM), implementing appropriate measures and controls to protect themselves against threats.

Accordingly, an organization’s third party risk management solution should be built on an understanding of best practice, and incorporate automated tools and technology to increase accuracy and efficiency.

What is Third Party Risk Management?

While most organizations develop a reliable understanding of the risks that they face directly, when they enter into relationships with third parties those risks may be more difficult to understand or predict. The complexity of third party compliance regulations exacerbates that risk, and requires organizations to carefully monitor the behavior of the third parties with which they do business, including examining their prior business relationships and historical actions. 

Third party risks are diverse, reflecting factors such as business sector, internal policies and controls, and the level of regulatory oversight applied in a given jurisdiction. A third party may have connections to or involvement in criminal activities, may be subject to international sanctions, or may have inadequate cyber-security measures in place to protect customer data. 

With those factors in mind, TPRM essentially involves the identification, mitigation, and reduction of the risks of doing business with third parties. An organization should seek to develop standardized policies and controls to facilitate TPRM, as part of a wider risk management solution that is calibrated to their operational environment. 

The Risk Based Approach

TPRM requires organizations to collect and analyze vast amounts of data – a process which can be time-consuming and costly, and can adversely affect customer experiences during onboarding and throughout a relationship. In order to reduce the negative impact of risk management, most regulatory authorities require organizations to implement a risk-based compliance response.

The risk-based approach is required by regulatory compliance in jurisdictions around the world and is fundamental to the anti-money laundering guidelines set out by the Financial Action Task Force (FATF). Under the risk-based approach, organizations must adjust their compliance response based on an assessment of the specific risks that they face. Accordingly, following a risk assessment, an organization would deploy an enhanced compliance response for third parties that present a higher risk, and a simplified response for lower risk third parties.

The risk-based approach enables organizations to economize the resources they deploy in response to third party risks, tailoring their response on a case-by-case basis rather than deploying comprehensive and costly compliance measures and controls for every third party relationship.

Third Party Risk Management Best Practices

To optimize your compliance solution, it is important to understand TPRM best practices: 

  • Onboarding focus: Third party risk must be established prior to the beginning of a business relationship, which means conducting suitable screening and due diligence processes during the onboarding process. The due diligence process should capture a range of third party data, including names, addresses, company incorporation documents, beneficial ownership, industry certifications, and contractual obligations. 
  • Risk priorities: The risk-based approach relies on organizations being able to efficiently determine the level of risk that specific third parties present. With that in mind, following a risk assessment, third party relationships should be grouped by their risk profile, with higher risk third parties prioritized over medium risk third parties, and so on. Organizations should develop a suitable internal policy to calculate and assign risk, based on industry benchmarks and other contextual data points. 
  • Standardized processes: When different departments develop siloed risk management strategies, an organization’s collective third-party risk response may develop redundancies and inefficiencies, with frequent failures to share crucial data and insight. Accordingly, organizations should seek to standardize their third-party risk management strategy, setting out consistent, defined screening and due diligence procedures, and establishing a centralized repository of third-party risk data which all departments may access. 
  • Ongoing monitoring: The level of risk posed by third parties will inevitably change over time. To manage changing risk levels, organizations should ensure that they perform ongoing risk monitoring procedures to maintain accurate risk profiles. Ideally, that monitoring should be conducted in real time, and involve suitable Know Your Customer (KYC) measures, such as due diligence processes, sanctions screening, and adverse media screening. TPRM solutions should also be tested for efficacy on an ongoing basis.
  • Adverse media: One of the best indicators of third party risk is involvement in adverse or negative news stories. Those stories might set out, for example, a third party’s financial difficulties, connections to criminal activity, or involvement in government investigations (amongst other types of risk) – all of which may be reported by news sources prior to any official confirmation. Accordingly, organizations should implement an adverse media screening solution capable of capturing data from traditional screen and print media sources, and from online sources. 

TPRM Automation Solutions

Effective third party risk management requires the collection and analysis of vast amounts of data. To optimize that process, organizations should seek to leverage technology as part of their TPRM solution wherever possible. 

Practically, this means implementing a suitable TPRM software solution that fits both the business and risk management needs of a given operating environment. Technology tools add automated speed, efficiency, and accuracy to risk assessment, monitoring, and screening processes, reducing reliance on ad-hoc data collection and the potential for costly human errors. The advantage of technology to TPRM is significant, and regulators around the world expect organizations to implement suitable software solutions in order to meet their compliance obligations. The US Office of Foreign Assets Control (OFAC), for example, now mandates “technology solutions” as part of TPRM where those solutions “address the organization’s risk profile and compliance needs”.

There is no one-size-fits-all approach to TPRM and, beyond its practical data handling benefits, automation enables organizations to purpose-build and calibrate their compliance solution to the specific business environments in which they operate. Automated TPRM solutions also allow firms to better apply the best practice principles outlined above, including the need to share important data between departments, to monitor adverse media channels, and to centralize and standardize the collective company response to third party risk. 

TPRM Applications: Working in collaboration with Accenture and Royal Dutch Shell, Ripjar recently demonstrated the effectiveness of a TPRM solution powered by technology. Leveraging Accenture’s industry experience, Shell integrated Ripjar’s AI screening solution to enhance risk screening across its third party supply chain transactions. The technology is intended to deliver accuracy and efficiency benefits to Shell’s risk screening process and to reduce data-reporting errors by around 80% in comparison to legacy systems.

Accenture managing director Adam Markson emphasized the importance of tackling third party risk challenges, including criminal activity, cybersecurity, and fraud, as reasons for integrating Ripjar’s solution but also pointed out that the AI technology would add valuable data insights and “give management complete audit capabilities and accountability over the entire screening process.”



Webs of Deceit: Criminal Exploitation of Global Supply Chains

We live in a global society. The rapid changes in technology, infrastructure, and international business have meant that people are able to interact across the planet at a scale never before seen in history. The flow of goods and services around the world has become a vast interconnected web of commerce, allowing markets to operate seamlessly, competitively, across almost any border. Factories in China ship the latest smart phones to consumers in Chicago. Oil refined in Kuwait is turned into plastics and fuels for consumers in Kuala Lumpur. Gas from Siberia heats homes in Slovenia. In turn, these supply chains depend intimately on one another, making it virtually impossible to see where one begins and another ends. 

The COVID-19 pandemic has only highlighted the fragility of this web. Like the fabled butterfly effect, restrictions at a factory in China, national stay-at-home orders, and curfews on international travel send shockwaves all around the world; almost every industry has been significantly disrupted in one way or another. For instance, the dramatic rise in home working and home entertainment has been one factor in a global shortage of high-performance semiconductor chips, the kind found in laptops, game consoles and TVs. This in turn has led to huge production issues in disparate industries like car manufacturing, where production lines and entire factories have even had to be shut down.

This complex web, however, has a darker side. Hidden within the legal and legitimate systems are vast illicit networks carrying billions of pounds of trade, where criminals, terrorists and rogue states seek to take advantage for their own nefarious goals, which can come at immense cost to human safety, security and wellbeing. The pursuit of limitless cash fuels the worldwide trafficking of perhaps as many as 50 million people into the horror of modern slavery. Black markets in exotic wildlife create billions in revenue while devastating our ecological habitats and vastly increasing the risk of biological threats like viruses and pandemics.

These unconscionable acts sadly are highly profitable. Money, properly laundered, may fund lavish lifestyles of organised criminal gangs – fast cars, luxury travel and sprawling beachfront mansions. But money can buy more than jewellery, and other nefarious actors have used illicit finance and black market trade to further their own agenda of international terror, proliferation of nuclear weapons, and even to wage war itself. 

At its height in 2014, the so-called Islamic State, or ISIS, which controlled swathes of Iraq and Syria, was earning as much as $3 million per day from the sale of oil from the refineries of northern Iraq and Syria. ISIS used the funds and fuel for control and influence, allowing it to maintain a stranglehold on the people of the region through fuel for cars, trucks, factories and even hospitals, as well as to radicalise and recruit those who would conduct deadly attacks on civilians in France, Germany, Egypt and the United Kingdom. Inevitably, oil from ISIS-controlled refineries and wells ended up throughout neighbouring countries via middle-men controlling old smuggling routes inherited from the Baathist-era government (which used the routes to evade international sanctions) and Al Qaeda. While allied air strikes eventually cut off most of this revenue, black market oil that directly funded terrorism would be readily available through places such as Turkey and Syria, which may even have used state-owned companies to acquire and profit from this illicit resource.

War by other means

To combat these illicit networks and their corrosive effects, governments worldwide, acting either independently or through shared governance and agreements in the EU and the United Nations, have organised and communicated a series of international sanctions.

The use of such sanctions goes back at least as far as the ancient Greeks: blocking trade between nations could send a powerful political message and compel an adversary into changing their behaviour. But it was not until the 20th century that sanctions became institutionalised within the foreign policy toolkit. In the aftermath of World War I it was easy to think that sanctions (or even the threat of them) may be enough to deter states from another future conflict, but the onset of World War II soon proved otherwise. More targeted efforts were needed and the modern system that focused on smart targeting of individuals and organisations was enshrined in the creation of the United Nations Security Council. Over time these were expanded, and influential governments such as the USA, UK and EU all developed their own lists of criminal and national security threats.

Modern sanction lists consist of highly specific and legally targeted entities – involved in everything from arms trafficking, nuclear proliferation, human trafficking, money laundering, terrorism, narcotics, and now even cyber attacks – which are consolidated and distributed to help organisations enforce them. Without enforcement they are meaningless lists, simply a summary of those who society collectively merely hopes would change in order to create a more peaceful and prosperous world. 

Blocking these entities' access to finance, energy, fuel, or other commodities is critical if sanctions are to have any kind of coercive power to change behaviour. However, this is increasingly difficult, and we see three key challenges for managing the risk of these entities trading within global supply chains:

Complexity and Scale – the increasing complexity of global supply chains means that there is more chance for criminals to bypass control frameworks that are put in place. Companies operating at a global scale may have hundreds of thousands of counterparties involved in millions of transactions in many different jurisdictions. Understanding whether any one of these suppliers, or a supplier of their suppliers, is involved with an illegitimate entity can only occur with complete mastery of data.

Counterparty Detection – Even with consistent data, matching a specific counterparty in a supply chain to a specific entity on a sanctions list can be difficult. Abu Sara Zahrani, a Saudi national based in Syria, was a member of ISIS tasked with buying and selling its oil and commanding an entire division of 7 oilfields at their peak. Enforcing sanctions requires not only spotting his name but also any other permutations or variants: Faysal Ahmad Ali al-Zahrani, Abu Sarah al-Saudi or even فيصل احمد بن علي الزهراني (for more, please see our blog on entity resolution).

Escalating Criminal Risk – Criminals go to great lengths to obfuscate and hide their illegitimate activities within legitimate trades and supply networks. This means sanction lists often give an incomplete view of risk. Data from other sources, including that derived from news and open source intelligence (OSINT), can help expand the understanding of risk and build up a more complete picture. (For more see our blog on exploiting open source news data).

Toward Artificial Intelligence Powered Enforcement

This blog has discussed the ways in which criminals and terrorist groups have exploited supply chains for their own gain and some of the challenges that global organisations face in enforcing the set of sanctions laid out by the international community.

In order to overcome these challenges and to support leading companies to detect risks more effectively and efficiently within their complex and disparate supply chains, artificial intelligence and smart technologies are playing a significant role in ushering in a new generation of supply chain risk management. 

Entity resolution technology developed by Ripjar uses millions of data points to derive more accurate search and matching logic than any other solution on the market. Compared to legacy solutions this reduces false positive matches by between 50% and 80% and increases accuracy and recall by 100%, meaning risks are more efficiently discovered and less time is consumed researching incorrect matches.

Natural Language Processing (NLP) also promises to expand our understanding of risk. This is a type of artificial intelligence that can read unstructured documents like news reports, documents or emails just like a human. We are using NLP to detect a far wider set of risks from open source news articles to augment watchlist-only matches and increase the ability for corporates to spot criminal activity. 

Combined, these technology breakthroughs can scale to ensure that millions of transactions and counterparty dealings every day are screened, and help the teams tasked with preventing criminal abuse of resources, goods or services to conduct their investigations in a more efficient manner with overall more effective outcomes.

For more on our Supply Chain Screening Solution please click here: https://ripjar.com/client-screening/

Or download our whitepaper here: https://ripjar.com/resources/whitepapers/client-screening-next-generation-approach/

The impact of the new US Anti-Money Laundering Act

As President Trump heads towards the end of his single term of office, one of the most important changes to beneficial ownership rules has made its way through both the House and the Senate with such a huge margin of votes that it is now “veto proof” and almost certain to be enacted, despite recent social media activity by Mr Trump indicating he will veto the encompassing National Defense Authorization Act within which it sits.

“Surely Trump can have nothing against corporate transparency?” I hear you asking. But the threatened veto is nothing to do with the act at all but simply a quid pro quo for the House failing to repeal Section 230 of an entirely different piece of legislation (The Communications Decency Act) which protects social media companies from prosecution for libel on the basis that they are not “publishers”.

Both Democrats and Republicans have indicated they would vote to override the veto should such an event come to pass.

Notwithstanding this seeming fit of pique by the outgoing president, the changes to anti-money laundering laws are both extensive and profound (with some reservations as explained below). And, for the sake of clarity, the enactment of this legislation, whilst occurring at the point of Trump’s departure, has little or nothing to do with the president himself.

It is the culmination of years of effort by a small group of campaigners both within the government and in advocacy organisations to ensure that corporate registers contain meaningful beneficial ownership information.

Let me start with the “why” – transparency is our best weapon for fighting financial crime. To launder the proceeds of crime, to embezzle funds, to peddle corruption, almost always relies on creating entities where the ownership structure is opaque or hidden. These entities, often registered offshore to further hide ownership, are the lifeblood of the criminal world. To wit, if all company ownership was visible, who owned which companies, which companies owned which assets, and ultimately in whose back pocket money ended up – criminal finance would be extremely difficult indeed.

And it is worth noting, before highlighting some of the important aspects of the new legislation, examples from the current situation. In Delaware, for example, to create a Limited Liability Corporation you have to complete a one-page form identifying the proposed name of the company, the registered address, and the name of the registered agent responsible for overseeing the process. And that is it!

The Anti-Money Laundering Act 2020 means all of that is going to change very soon. Here are some of the key points (both positive and potentially negative):

  • FinCEN (the US Financial Crimes Enforcement Network) will be required to own and maintain a full beneficial ownership registry for legal entities registered in the US.
  • According to the legislation, the registry will be “highly useful” to various arms of national and federal agencies including national security, intelligence, and law enforcement as well as federal regulators.
  • The act will only allow financial institutions access to the registry with the permission of the entity whose details are being queried.
  • This is likely to be a significant aid in the onboarding process.
  • But it is unlikely to be of help when performing investigations raised by transaction monitoring alerts, internal SARs or other control measures designed to identify potentially suspicious actors utilising a financial institution’s products or services.

A key difference between the US approach and, say, the one here in Europe is that the US has decided to maintain its current definition of a beneficial owner, which is someone who owns or controls at least 25% of the entity. Here in the UK and also in the EU it is more than 25%. Whilst in practice this might only be a difference of 1 share, it also means the difference between having, effectively, a maximum of either 3 or 4 beneficial owners.

In addition, there are other jurisdictions around the world which use different percentages (5%, 10%, 20% etc).

It is certainly true from my own research, albeit across a relatively small population, here in the UK, that the commencement of the Person with Significant Control (PSC) regime in April 2016 saw a significant migration of shareholdings of “suspicious” entities from what was, prior to that, the common sight of 100% owned by a company based in a secrecy jurisdiction, to four 25% shareholders (often in very different jurisdictions around the world) which then precluded the requirement to place them on the PSC register.

It does not make the job of the banks and other financial institutions any easier, particularly when they have a multi-jurisdictional or global footprint, when the rules relating to beneficial ownership vary country by country.

What is a bank to do if it has a relationship with a company in, say, the US and Germany, where the company has four equal shareholders? Does it perform the necessary due diligence in the US (where they meet the criterion for beneficial ownership) but not in Germany (where they do not)?

Would it breach the German privacy laws if additional due diligence was sought when it was not strictly required by law?

And what happens if, as a result of performing the correct level of due diligence in the US, the firm discovers that one of the 25% shareholders is a PEP when they would have made no such discovery if the client was solely onboarded into Germany and they would not have been required to check?

There are many other changes being brought in by the legislation which will make their way into the public domain over the coming weeks and months, but the changes to the beneficial ownership regime are likely to be the most far reaching, provided that the momentum created by this first tentative “toe in the water” is maintained and there is sustained campaigning to ensure the register is ultimately open to public scrutiny.

In respect of this piece of legislation then, the end of term report might well read “a good effort but more work needed to complete the task.”

Graham Barrow

Ripjar Strategic Advisor
18th December 2020

Dow Jones launches adverse media screening and monitoring solution for financial institutions

Dow Jones Risk & Compliance has launched an advanced solution for adverse media screening, which will enable financial institutions to conduct real-time, automated risk-screening and monitoring.

The tool is powered by AI-enabled Natural Language Processing technology from Ripjar, a global leader in data intelligence software. The tool continuously monitors premium content from Dow Jones, including structured risk data and a collection of news articles from over 17,000 licensed sources available within Dow Jones Factiva. The integration of additional data sets is also supported, providing a significant advancement of financial institutions’ anti-money laundering, Know Your Customer (KYC), and third-party risk screening programs.

It enables continuous, real-time screening of customers against news relating to financial crime or reputational risk, as well as the identification of sanctions risk and politically exposed persons.

The application of Ripjar’s technology allows for faster assessment of the risks posed by individuals and entities, while reducing the occurrence of false positives that can waste time and resources.

Jeremy Annis, CEO of Ripjar, said: “Money laundering and terrorist financing are serious threats to financial institutions. Through this partnership with Dow Jones we can empower financial institutions to take a proactive role in preventing those crimes which exploit their vulnerabilities and carry the highest human cost. This is a critical partnership for Ripjar’s development and strategy of creating collaborations with leading global companies that can help us scale our business.”

ENDS

About Dow Jones Risk & Compliance

Dow Jones Risk & Compliance is a global provider of third party risk management and regulatory compliance solutions. Working with clients across the globe, it delivers research tools and outsourced services for on-boarding, vetting and investigation to help companies comply with anti-money laundering, anti-bribery, corruption and economic sanctions regulation in mitigating third party risk. The Dow Jones Risk & Compliance business grew 24% in Fiscal Year 2019, exceeding $130 million in revenues. Dow Jones is a division of News Corp (Nasdaq: NWS, NWSA; ASX: NWS, NWSLV).

About Ripjar

Ripjar is a data intelligence platform company whose mission is to accelerate the time for companies and institutions to identify and manage threats – from across the world. 

Founded by former members of the UK’s Government Communications Headquarters (GCHQ), Ripjar develops software products that combine automation, artificial intelligence, and data visualisation to help companies solve the most complex risk and security management problems at scale.
