I recently listened to the Great Courses series of lectures entitled, Crashes and Crisis: Lessons form a History of Financial Disasters, hosted by Professor Connel Fullenkamp. It was so entertaining that this week I am going to consider some great economic disasters from history to see what lessons they might impart for the compliance professional. I will consider the Dutch Tulip Bubble from the 1630s, the South Sea Bubble of 1720, the Mississippi Bubble of 1720 and the 1907 Panic. Today we begin with the Dutch Tulip Bubble.
Tulips had been imported into what became the United Provinces of Holland in the late 1500s from Turkey. They became quite fashionable with the smart set at the time (i.e. royalty and the aristocracy) and by the early 1630s prices in Holland were already quite high. Then two things happened to create the bubble of 1634-1637. First the small group of tightly knit Dutch traders who bought and sold tulips were overrun by speculators.
Second and perhaps more significantly, a type of formal futures market was created where contracts to buy bulbs at the end of the season were bought and sold, beginning in mid-1636. But this market was sanctioned or regulated as their trades were not made on formal Dutch exchanges. Different groups of traders began to meet together in taverns where they did not have to put much money down and the contracts were not legally enforceable. This significantly lessened any downside in not getting carried away in bidding.
Traders were required only to pay a 2.5% “wine money” fee, up to a maximum of three guilders per trade. Neither party paid an initial margin, nor a mark-to-market margin, and all contracts were with the individual counterparties rather than with the Exchange. The entire business was accomplished on the margins of Dutch economic life, not in the Exchange itself.
The Dutch Tulip Bubble informs today’s theme of internal controls for third parties. Internal controls are a key tool to operationalize your third-party risk management program. The basic internal controls, that should be a part of any financial controls system. There were four significant controls the compliance practitioner can implement immediately; they include: (1) Delegation of Authority (DOA); (2) maintenance of the vendor master file; (3) contracts with third parties; and (4) movement of cash/currency.
A DOA should reflect the impact of corruption risk including both transactions and geographic location so that a higher level of approval for matters involving third-party fund transfers and invoice payments to countries outside the US would be required inside an organization. Often, a DOA is prepared without much thought given to Foreign Corrupt Practices Act (FCPA) risks. Unfortunately, once a DOA is prepared it is not used again until it is time to update for personnel changes. Moreover, it is often not available, not kept current, and/or did not define authority in a way even the approvers could understand it. Therefore, it is incumbent that the DOA be integrated into a company’s accounts payable processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this, you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval beforethey are paid.
Furthermore, if a DOA is properly prepared and enforced, it can be a powerful preventive tool for FCPA compliance. For example, a wire transfer of $X between company bank accounts in the US might require approval by the finance manager at the initiating location and one officer, however a wire transfer of $X to the company’s bank account in Nigeria, should require approval by the finance manager, a compliance professional, and one corporate officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Moreover, the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US and those who travel from the US to work outside the US.
The vendor master file can be one of the most powerful preventativecontrol tools largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested, when vendor name and/or vendor payment information changes are submitted.
Near and dear to my heart as a lawyer, contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts (commission rate, whether business expenses can be reimbursed, use of subagents, etc.,) should be extracted and available to those who process and approve vendor invoices. If there are items such as nonconforming service descriptions and commission rates, etc., in a contract those terms must be approved not only by the original approver but also by the DOA. Unfortunately, contracts are not typically integrated into the internal control system but are left off to the side on their own, usually gathering dust in the legal department file room.
One FCPA enforcement action, involving Hewlett-Packard Inc. (HP) had an excellent example of the lack of internal control over the disbursements of funds and movement of currency because you had the country manager delivering bags of cash to a government official to obtain or retain business. All situations where funds can be sent outside the US (accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances, etc.,) should be reviewed from a compliance risk standpoint. Further, within a company structure you need to identify the ways in which a country manager (or a sales manager, etc.,) could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system.
All wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.
Never forget that internal controls are simply good financial controls. Internal controls for third parties in the compliance context will help to detect fraud, which could well lead to the prevention of bribery and corruption.
Once the Tulip Bubble burst, it became impossible to buy or sell tulip bulbs. People simply walked away from their contracts or paid a few percent of what they supposedly owed. Moreover, as Professor Fullenkamp noted “Because the trades were almost all hot air [i.e. no tulip bulbs actually changed hands], with very little cash behind them, not much was lost when the bubble burst. Tulip prices for standard and broken bulbs soon returned to about what they had been before the bubble, so the bubble didn’t damage the traditional market for tulip bulbs either.” If you have robust internal controls around your third parties you to may well escape any serious losses.
