The Panama Papers scandal should serve as a wake-up call for every organization—and it should prompt compliance officers to closely scrutinize the third party vendors they do business with.
The Panama Papers are made up of millions of documents pulled from the law firm Mossack Fonseca files and leaked to the media. While it may seem like “karma” for Mossack’s clients who may have been trying to obscure shadowy financial transactions, it’s a catastrophic breach for the firm—and for its clients, many of whom may be ethical, law-abiding organizations that have also had their confidential information compromised.
As I recently wrote in reviewing our Third Party Risk Management Benchmark Report, released in March, compliance officers are struggling to deal with the risk of third party misconduct. In the wake of the Panama Papers, the compliance lesson for organizations is that it is more important than ever to take steps to ensure you’re managing that risk.
In any relationship with a third party organization, risk management should begin before engagement and it should begin with due diligence. When an organization considers engaging a third party to represent it, the mindset should be that the third party often stands in for an employee. A risk-based due-diligence evaluation will include looking for past issues, such as negative publicity, placement on a watch list or other publicly discoverable information. If your organization values and maintains strong compliance and training programs (especially around anti-bribery and corruption) any third party you engage should also be expected to support and visibly demonstrate a similar commitment.
After making the decision to pursue engagement with a third party, it’s important to remain vigilant for things that are “red flags” or otherwise out of the ordinary, and to investigate or mitigate before engaging or contracting with the third party.
In the Panama Papers case, Mossack Fonseca has been accused of backdating and destroying documents for a fee. If true, those allegations indicate that the firm maintained a culture that valued protecting its clients and collecting fees over following legal and ethical rules.
But even if you don’t sniff out questionable or illegal behavior by a third party, you want to at least be able to demonstrate and document to your organization’s leadership, board of directors, stakeholders and possibly regulators that your organization made reasonable efforts to watch for it.
The leaking of millions of documents, dating back decades, also spotlights the importance of data protection. If a third party possesses data that you expect to remain confidential, then compliance employees must ensure that the third party and its data protection company understand and meet those expectations and standards. It’s also critical to test the protections, particularly for information such as personally identifiable data and your organization’s confidential or proprietary information.
View original article at Ethics & Compliance MattersTM
