Beyond Compliance: The Growing Importance of Third Party Risk Management
by Charles Haryott, Head of Proposition and Product, KYC and Client On-boarding Solutions, and James Swenson, Global Head of Operations and Delivery, Enhanced Due Diligence, Thomson Reuters
As corporations of all sizes expand internationally, their supply chains are becoming increasingly complex and geographically diverse. At the same time, the regulatory environment becomes more challenging. This combination of factors creates a major new set of risks that many corporations have only limited ability to monitor and manage. Organisations today are being held responsible not only for their own activities but also for the actions of customers, suppliers, vendors and partners.
Treasurers are caught in the middle of this risk and regulatory dilemma, with two sides to their compliance and monitoring requirements. Firstly, the onus is typically on treasury to provide the information that allows their banks to fulfil their own regulatory obligations, such as increasingly stringent know your customer (KYC) requirements. Secondly, corporations need to conduct the appropriate level of due diligence on their own third party relationships to help them manage the risks that these relationships present. Treasurers’ expertise in both due diligence and risk management equips them to take a role in this process. What is becoming clear is not only the importance of supporting compliance and third party risk requirements from both perspectives, but also the need to achieve this without adding significantly to the administrative burden or interrupting business operations.
The regulatory burden
For companies working with a single bank, in a single jurisdiction, supporting the bank’s KYC process by providing the necessary company, shareholder and officer information is relatively straightforward. For multi-banked corporations operating internationally, however, the documentation and resource implications for treasury can be very significant. Not only do KYC regulations differ across countries, but banks also adopt their own risk management procedures, which may also vary across jurisdictions. Furthermore, compliance challenges are not restricted to supporting banks’ regulatory requirements. With a raft of new and emerging regulations having a direct impact, such as the Foreign Corrupt Practices Act and Conflict Minerals Rule (US Dodd Frank Section 1502) in the United States, and the Bribery Act and Modern Day Slavery Act in the United Kingdom, the regulatory burden is becoming heavier for a large number of organisations, resulting in higher compliance costs.
Companies with long, complex, and global supply chains in particular face challenges associated with large numbers of diverse suppliers, distributors and partners. Conducting due diligence on these third parties to satisfy anti-bribery and corruption (ABC) regulations, for example, can be lengthy and labour-intensive, particularly given the lack of transparency and inaccessibility of information in many jurisdictions. As officers and shareholders become more keenly aware of the potential financial and reputational damage caused by environmental, financial or ethical failure or malpractice by third parties in their supply chain, there is growing pressure to conduct adequate due diligence.
Treasurers’ involvement in supplier risk management will vary across organisations, depending on the degree of treasury centralisation and the scope of its activities. The nature of third party risk will also vary across businesses, which will determine whether it is best managed at a business unit or country level, or on a more centralised basis. For lower risk suppliers, due diligence may be part of the procurement process, or managed by contract owners; however, for higher risk businesses, senior managers may demand greater oversight, which is typically easier to achieve centrally. While procurement and contract negotiators are likely to play an important role, treasury’s expertise in identifying and monitoring counterparty risk globally is a compelling factor in engaging treasury in this process, whether at an operational or oversight level.
As the compliance and third party risk burden increases, financial and non-financial organisations alike require a systems infrastructure that streamlines compliance and due diligence processes to provide regulators, investors and stakeholders with the information and transparency they need, without compromising business efficiency.
Looking at KYC, for example, many treasurers have expressed their concerns that banks are asking for different information in different formats and at various frequencies throughout the year to comply with the same regulations. This is heavily impacting their workload and only looks set to continue as regulations change, and new ones are introduced, such as new tax rules, MiFID II etc. As a result, there is growing pressure to standardise the KYC process across banks, and across markets wherever possible, to reduce the administrative burden and avoid the costs of doing business spiralling upwards.
Leveraging technology and data assets
As KYC checks and on-boarding requests for information proliferate, it is taking longer to open new bank or trade accounts, while routine data requests are also becoming more frequent and onerous. This is leading to demands amongst corporations for banks to standardise the timing and nature of data requests. The largest multinational corporations with considerable influence on their primary partner banks are inevitably more persuasive in encouraging their banks to support greater standardisation; even so, many will also have accounts with a far wider pool of banks where they might lack the same level of influence. Inevitably, smaller organisations that may also hold a large number of accounts across multiple banks might find it more difficult to be as persuasive as their larger peers.
To support these growing demands, banks are increasingly turning to financial utilities and shared service processing platforms in non-competitive areas such as compliance to cut their operational costs and to improve customer service. For example, financial utilities such as the Thomson Reuters Org ID KYC managed service are being introduced to meet the needs and demands of a large body of corporate customers in discussion with banks. The Org ID solution offers a platform to simplify counterparty due diligence and the distribution of KYC documents, thereby supporting the development of a common standard that meets the needs of both the corporate and banking community, reducing the administrative burden on treasurers. Org ID acts as a custodian and conduit with the ability to collect, classify and verify a customer’s identity efficiently and accurately. Org ID also enables banks to obtain much of the routine data they require for KYC purposes, such as corporate actions and changes to shareholdings, from external sources in an automated way, limiting the amount and frequency of information requested from customers.