Incoming rules from the EU, UK, Singapore and Hong Kong highlight the need for banks to gain a better understanding of the third party and supply chain risks their customers face.
If large multinational companies were under the illusion that regulators were ‘all bark and no bite’ when it comes to third-party risk management, the first half of this year should have dispelled this perception.
In late January, Airbus agreed to pay fines in excess of USD 4 billion to US, UK and French authorities after the airplane manufacturer effectively admitted it had paid huge bribes on an “endemic” basis to secure contracts in as many as 20 jurisdictions, including China, Japan, Malaysia, Sri Lanka, Indonesia, and Taiwan.
Over eight years of investigations, the US Department of Justice, the UK’s Serious Fraud Office, and France’s Parquet National Financier concluded that third-party companies tasked with bringing in deals for Airbus breached anti-bribery and other laws. The size of the penalties reflected both a systematic lack of controls in place to monitor the activities of Airbus contractors, and the seriousness of regulators to tackle issues involving third-party relationships.
“It’s a very big deal,” remarks Charles Minutella, Head of Enhanced Due Diligence at Refinitiv. “Until companies that are global in nature ensure that their third parties act in a responsible way consistent with how they are expected to act in their own home jurisdiction, then you are going to have these situations.”
Recent research released in May by Refinitiv found that 43% of third parties within global supply chains are not subject to any form of due diligence checks, and that 60% of respondents are not fully monitoring third parties for ongoing risks. This is despite 65% of respondents indicating they know or suspect the third parties they deal with to have been involved in illegal, environmentally damaging activities.
Minutella believes that non-financial corporations are about ten years behind banks in terms of their focus on KYC and due diligence. “It’s now finally getting through to corporates that they need to do more to ensure their third party due diligence programmes sufficiently meet the standards expected of regulators, who are increasingly focusing on human rights, environmental risk, corruption, and sustainability.”
The EU in particular has committed huge political capital towards tackling supply chain due diligence. In April, European Commissioner for Justice Didier Reynders announced a plan to introduce new legislation early next year which will require businesses across all sectors regardless of size to carry out due diligence in relation to human rights and environmental impacts of their operations and supply chains.
Post Brexit, the UK is likely to face calls to impose similar legislation of its own. In March, Members of Parliament proposed an amendment to the Environmental Bill already close to being finalised, to require the government to publish a separate draft bill on mandatory environmental and human rights due diligence.
New legislation of this nature in either the EU or UK, or both, would be widely expected to have a significant impact on companies across the globe, either directly by virtue of where their operations or subsidiaries are located, or indirectly due to their position within the supply chains of EU and UK companies. Companies in Asia that have well-established due diligence processes will be best placed to adapt to any compliance obligations that trickle down from third party due diligence requirements, Minutella says.
The European Commission’s announcement came a mere three months after the January release of a study it commissioned on due diligence requirements throughout the supply chain. The study found that 30% of large businesses (1,000+ employees) said they undertake a level of due diligence which “takes into account all human rights and environmental impacts”. Another 27% of these companies already undertake human rights due diligence, but “only in certain areas”.
While it may be considered a promising indicator that a majority of big businesses undertake some level of human rights due diligence, more than half of these businesses (51.8%) admitted to only conducting due diligence on their first-tier suppliers.
“For a corporate, if the monetary value of the relationship isn’t high, companies won’t typically apply a high level of care to due diligence, even if the third party is located in a well-known corruption hot spot,” says Minutella. “For a bank, on the other hand, if you’re doing business in a high-risk jurisdiction, you’re going to apply high-risk due diligence regardless of the monetary value of the business relationship.”
According to Minutella, more objective due diligence requirements will come into play for corporates over time, and there is broad recognition from compliance directors that it is happening. “Just like banks have firm AML/KYC policies, corporates need to have a third party risk policy that outlines their philosophy and expectations in terms of third party assessment and conduct – not only to assess the risk upfront, but to be able to mitigate risk that is found.”
Lessons from banking
It is clear that corporates can learn something about risk assessments and due diligence from financial institutions. “Compliance directors within corporates are beginning to say the same things that banks were saying ten years ago,” Minutella says. “They’re saying they need to have a risk-based approach to due diligence, and one that has to look outside the normal set of factors they would typically look at.”
The role that banks and other financial institutions can play in helping corporates shift to more sustainable business models is a fact that the Monetary Authority of Singapore (MAS) appears to have recognised in new guidelines on environmental risk proposed last month.
In a set of consultation papers for banks, insurers and asset managers, MAS said the new guidelines were aimed at enhancing the financial sector’s resilience to environmental risk, while also strengthening its role in supporting the transition to an environmentally sustainable economy in Singapore and the rest of Asia.
Once the guidelines take effect, banks, for instance, will be expected to assess each customer’s environmental risk as part of the assessment process for credit facilities or capital markets transactions. Further, banks will be expected to “engage each customer that poses higher environmental risk”, to help them improve their environmental risk profiles and support their transition towards sustainable business practices.
Under the proposed guidelines, banks may also require customers with higher environmental risk to take steps to manage these risks, using time-bound financing conditions or covenants in loan agreements as incentives. Where customers do not manage environmental risks adequately, banks can consider mitigating options, including to reflect the higher risk in premium loan pricing, apply loan exposure limits, and re-assess customer relationships. Such measures, while seemingly harsh, could serve to incentivise compliance with the bank’s terms.
Similar expectations to identify environmental risk and engage with non-financial companies to address such risks will be imposed on insurance companies in relation to underwriting assessments, and on asset managers in relation to portfolio construction.
Meanwhile, the Hong Kong Monetary Authority (HKMA) outlined in recent guidance that some banks were starting to embed climate considerations, including those related to supply chain disruptions, in their existing risk management frameworks, seeking to control climate risk exposures through concentration limits and other mechanisms.
Like the proposed MAS approach, some Hong Kong banks are supporting clients to transition their business and build resilience to climate events, whereas others are reducing financial exposures to clients who do not fulfil the requirements of the bank’s climate risk policy, the HKMA notes.
Although the journey for corporates will be a challenging one, this year has already delivered enough evidence to prove that failing to uncover threats within supply chains will land some businesses in hot water. For banks, this means higher credit risk, market risk, and possible economic losses.
As the Singapore and Hong Kong examples highlight, banks will need to gain a better understanding of the risks their customers face, particularly those that can arise from third party relationships and global supply chains.