Managing Third Party Risks in a Global Supply Chain

Baker & McKenzie Amsterdam N.V. is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm.

Managing Third Party Risks

in a Global Supply Chain

William Marshall, Hong Kong Ross Denton, London

Jasper Helder, Amsterdam

2013 Global Supply Chain

Survey: How to manage

third-party risk?

Why focus on third-party risk?

– Historically, companies have rarely been held accountable for the actions of their business partners:

 The majority performed many of the processes they now outsource;

 Concerns associated with terrorist funding and human rights were less significant;

 Governments around the world have been passing and enforcing an ever-expanding list of laws forcing companies to scrutinize and police those acting on their behalves.

– Third-party relationships are not only a source of cost-savings and greater efficiency, but also a major stress.

High-level findings

– Corruption, product quality and general compliance among the top risks.

– Insolvency of third parties and data/cyber security also identified as significant areas of risk.

– Companies are more concerned than ever about the reputations of the vendors

with whom they partner. Reputational risk placed above cost when assessing a

potential third-party supplier or service provider.

– 80% of the respondents confirmed that the risks of using third-party suppliers or

parties are higher in emerging markets, due to increased concerns with

corruption and political and legal instability.

– Third-party risk is highest in China, followed by India, Africa, Russia, South

America and the Middle East.

– Training identified as the best strategy for reducing third-party risk, followed by

having better processes for monitoring their compliance with contractual

terms and having better protocols for screening suppliers/partners.

– Ultimate responsibility for managing third-party risk is increasingly shifting to

End-to-end framework to help assess and

address third-party risk

Education &

Training

Monitoring &

Evaluating

Remedying

Reacting &

Structuring &

Documenting

Vetting &

Customs

–

Incorrect entries can result in additional duties, penalties and

delays

–

Customs brokers



File im/export entries (on your behalf)



Are your liason with Customs in countries you may not be

familiar with



Are in a ‘volume’ business & rely on unilateral T&C



Can not verify correctness of data provided

–

Vendors, suppliers

: provide you with key data



Origin

Getting Customs Declarations Right



Import declarations



Responsibility for complete and accurate

information



Tariff classification, valuation, origin etc.



Export declarations required for



Export compliance verification



VAT refund claims



Trade statistical purposes



Relationships with, and allocation of responsibility

between, importers and Customs brokers

Issues raised by Incoterms

–

According to Incoterms, who is responsible for customs declaration



On import? On export?

–

Who is responsible for physical shipment of the goods and will file

declaration on importer/ exporter’s behalf? (e.g. Ex-Works)

–

Who owns the goods at the time of export?

–

For valuation purposes on import, what is included in the price?

 Customs Value is ‘Price paid or payable’ (invoice)

 with certain additions (e.g. transport/ insurance costs to the EU)

 with certain deductions if shown separately on invoice (e.g. import duties)

Who is legally responsible for filing customs declaration?

Legal position will override Incoterms (or other contractual

provisions)

Dealing with your Customs Broker

–

Outsourcing customs clearance to a broker



Direct



3rd party makes customs entry in the name of Co.

and on its behalf (Co. liable for customs debt)



Indirect representation



3rd party makes entry in its own name (broker is

jointly & severally liable with Co. for customs debt)

–

Problems with reliance upon freight forwarders and Customs

brokers



Recordkeeping



Accuracy of information submitted to Customs



Providing clear instructions/delegation of responsibilities

and accurate data to customer broker is vital

Dealing with your Customs Broker (2)

–

What is your current position?

–

No agreement – are services governed by 3rd party’s

standard terms?

–

Many 3rd parties are freight-forwarders, and

use standard terms

–

Standard terms drafted for logistics and

freight-forwarding – not necessarily appropriate for customs

work

Customer Nominated Customs Broker

–

What controls can you put in place to check accuracy

of declaration, compliance with recordkeeping

obligations etc?



Contractual protection



Most Customs Brokers will apply unilateral standard terms

& conditions



Review declarations for accuracy and request

amendments where required

Information given & received

–

Is the information you receive or give complete?

–

Key risk area: country of origin information



Certificates or invoice statements



Relevant also for product marking



Challenge with changes in supply chain

–

Similar risks equally apply in other areas

 Classification

 Valuation

–

What information do you generate yourself, what is obtained from

third parties?

–

Do not forget risks re information you provide to your customers

Export Controls &

Sanctions

Export Controls & Sanctions

–

Distributors & resellers

:



Who and where do they sell to?



Are you and they aware of export controls/restrictions for

your products in their country?

–

Vendors, suppliers, consultants

:



Do they tell you what the control status of their products

is? Is that information correct?



Did they obtain the appropriate licenses?

Risk Assessment

_{ What are you supplying?}

Item included on a control list (dual-use, military, sanctions)? Any US content?

 What will the item be used for?

Controlled activity or end-use? Suspicion/red flags?

 Where are you supplying to (directly or indirectly)?

Country subject to sanctions or embargo (or diversion risk)?

Which other countries are involved in the supply route?

 Who are you transacting with?

Counterparty or related party subject to sanctions?

Method of payment/funds flow? Blocking or freezing of funds?

Who is responsible for export compliance?

 Who is the “exporter”?

 For the purposes of sanctions, who is selling, supplying, transferring the items?

 Which party is responsible for obtaining a licence?

 Which is the competent

Who is the “exporter”?

– For example: defined in EU Dual-use Regulation:

 person who holds the contract with the consignee in the third country and has the power for determining the sending of the item

 person who has the power for determining the sending of the item

 the contracting party established in the Community.”

– Sanctions product controls apply to the “sale, supply, transfer or export” of prohibited items thus wider than the issue of “exporter” for the purposes of export controls

– Is there a clear understanding between seller, buyer, carrier, customs broker etc? Do all parties have the information they need?

Key Risks: What is your product and what is

it used for?



Regulatory:

 Dual-use controls (which laws apply to items? US origin/technology?)

 Military controls (including “specially designed or modified”)

 End-use controls (WMD, military, human rights, US AT)

 Product controls under specific sanctions regimes



Supply Chain:

 Do you know what the intended use is?

 Does the tech profile of the end user match the item?

–

What destination & shipping information has been

provided to you? (forwarders addesses, logical

shipping routes, FTZ?)

–

Who is responsible for organising shipment? Up to

where?

–

What country is the customer/end user based in?

–

What intermediary countries are involved?

–

Does this raise diversion concerns?

Key Risks: Who are you transacting with?

–

Designated Persons/Specially Designated National

–

EU Freeze on funds and economic resources belonging to, owned,

held or controlled by DPs

–

EU Prohibitions on making funds or economic resources available,

directly or indirectly, to or for the benefit of DPs

–

US prohibitions to transact with SDN

–

DPs/SDNs can include wide range of parties (e.g. entities, banks,

individuals) so they can be everywhere in your supply chain

–

Due Diligence:

 to exclude DP/SDN involvement

Third Party Screening

– End-use/end-user restrictions require customer screening

 Military or weapons proliferation activities

 Restricted and prohibited end-users

– Screening of multiple parties

 customers

 agents, distributors

 freight forwarders and other service providers

– Screening at multiple moments

 Order intake/customer registration

UK Bribery Act 2010 – Liability for Third

Party’s Actions

–

Introduction of new corporate offence as of July 2011:



Quasi-strict liability offence of failure to prevent bribery; no

intent, knowledge or suspicion required by corporate



Offence can be committed by corporate where an “associated

person” bribes another person intending



To obtain or retain business for the corporate; or



To obtain or retain a business advantage in the conduct of

business for the corporate



No limitation on meaning of “

associated person

”; may included

employees, agents, and distributors

FCPA – Liability for Third Party’s Actions

– FCPA covers payments made to “any person, while knowing that all or a portion of such money or thing of value will be offered, given, or

promised, directly or indirectly” to a foreign official

– A person acts knowingly with regard to conduct/a circumstance/ a result if (a) aware that he is engaging in such conduct, that such

circumstance exists, or that such result is substantially certain to occur or (b) has a firm belief that such circumstance exists or that such result is substantially certain to occur

– “Conscious avoidance” doctrine: “Management officials [can] not take refuge from the [FCPA’s] prohibitions by their unwarranted

obliviousness to any action (or inaction), language or other ‘signaling device’ that should reasonably alert them to ‘high probability’ of an FCPA violation”

FCPA Accounting Provisions

–

Books and records



Issuers are required to make and keep detailed books, records, and accounts that fairly and accurately reflect transactions and

dispositions of assets

 Note: this extends to majority-owned foreign and domestic entities including joint ventures

–

Internal accounting controls



Issuers must devise and maintain internal accounting controls to ensure that financial records and accounts are accurate for external reporting, that access to assets is permitted only in accordance with management instructions, and that the books are audited at

Third Parties – Red Flags

– Excessive commissions to third-party agents or consultants

– Unreasonably large discounts to third-party distributors

– Third party “consulting agreements” that include only vaguely described services

– The third party consultant is in a different line of business than that for which it has been engaged

– The third party is related to or closely affiliated with a foreign official

– The third party became part of the transaction at the request or insistence of a foreign official

– The third party is merely a shell incorporated in an offshore jurisdiction

Risk Ranking

Nature of Relationship Higher

Risk

• Sales (and marketing) agents

• Introducers, representatives, consultants • Lobbyists, government affairs consultants

• Agents, representatives, consultants that assist in obtaining required governmental, regulatory or other mandated permits or licences

• JV or other partners that Company formally collaborates with

Medium Risk

• Distributors appointed by Company to make sales in their own name • Freight forwarders, customs agents

Lower Risk

• Outsourcing providers, sub-contractors or other suppliers that provide manufacturing or other services (such as IT, communications, security, cleaning, catering, warehousing etc.)

• Suppliers of goods on standard commercial terms

• Lawyers, accountants and other providers of professional services (unless operating in a capacity, such as an introducer, described elsewhere in the table)

Delivering an Effective Third Party Process

–

Process must be clearly defined

–

Consider who needs to input, ownership and structure of the

process



Business



Legal / Compliance



Finance

–

Ensure consistent application of standards (e.g. third party

rejected by one part of the business must not be approved by

another part)

–

Defined process for monitoring and reviewing/auditing third party

relationships

–

Thorough documentation of process; “adequate procedures”

–

Effective verification of payments to third parties through back-end

financial controls

© 2012 Baker & McKenzie

Risk Based Due Diligence

1. Risk Classification

Higher Medium Lower Due Diligence lower risk Due Diligence medium risk Due Diligence higher risk

2. Due Diligence

C la ss if ic at io n o f T h ir d P ar ty A ll T h ir d P ar ti es

Higher

Medium

Lower

Due Diligence Lower Risk

Compliance clauses included in agreement

Due Diligence Medium Risk

- Compliance clauses included in agreement

- External questionnaire completed by Third Party (optional)

- Internal questionnaire provided by responsible company employee

- External sources (number of sources and depth/scope of review to be defined)

Due Diligence Higher Risk

- Compliance clauses included in agreement - External questionnaire completed by Third Party

- Internal questionnaire provided by responsible company employee

- External sources (number of sources and depth/scope of review to be defined) - References

Issues for Third Party Screening

– Necessity

 “Do we need the third party?”

– Qualification

 “Is the third party qualified?”

 “Is the third party competent / experienced?”

– Reasonableness of the compensation

 “Is the compensation in line with the services provided?”

 “How does the compensation compare to other benchmarks, such as industry

practice or our practice in comparable situations?”

– Integrity

 “Who is the third party?”

Third Party Agreements – Discussion Points

– Content of compliance clause:

 Address: behaviour; compliance with laws; record keeping; audit rights; rights of termination and indemnification

 Reference to compliance with the Company’s Policy or Code of Conduct?

– When should a compliance clause be included:

 For all relationships? Short form vs. long form?

– When is the Company willing to negotiate the content of the compliance clause?

 What procedure should be followed in respect of variation requests? What if a third party outright rejects the inclusion of an anti-bribery clause?

– What is the Company’s stance regarding an obligation to comply with a third party’s policy?

 What should the standard response be? Is it ever acceptable to contractually commit the Company to adherence to a third

Questions?

Ross Denton London [email protected] Jasper Helder Amsterdam [email protected] William Marhsall Hong Kong [email protected]