Dow Jones – Technology Adoption in Third-Party Risk Management: Best Practice or the New Standard?
Examining the extent to which technology use is becoming standard in compliance and expected by regulators.
It should come as no surprise to anti-corruption compliance professionals that third parties represent major sources of risk. Regulators also are aware of that fact. Most bribery cases do not involve direct payments from companies to government officials—a third party makes the payment. Regulators expect companies to have compliance programs that prevent corrupt payments. As Deputy Attorney General Rod Rosenstein reiterated on March 7, 2019, “a company with a robust compliance program can prevent corruption and eliminate the need for enforcement” and the government should “provide incentives for companies to engage in ethical corporate behavior,” including through implementation of a “robust compliance program.”1
It also should not surprise professionals that technology vendors are clamoring to supply them with cutting-edge artificial intelligence (AI) and machine learning solutions to help them avoid the liabilities third parties can create. However, while emerging technology can be leveraged to mitigate third-party risk effectively, companies seeking to deploy more advanced technology first need to determine how to appropriately tailor it to their risk management programs.
Third-party risk management is essential under the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs guidance.2 But, in reality, the government looks for a program tailored to the enterprise risk those third parties create—and there is no one-size-fits-all compliance program. The 2017 guidance notes that the Department of Justice “recognize[s] that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.”
For large companies that use many third parties, technology may be necessary to achieve what the government expects, including appropriate controls, red flag identification and ongoing monitoring. It may be impossible for a company’s compliance department to manage its third parties without payment monitoring by AI or contract mining to ensure proper reps and warranties and appropriate anti-corruption provisions. The government would not, however, expect the same level of technological sophistication from a smaller entity or a company that does not use as many third parties.
Technology also is not a panacea that makes any compliance program “effective.” Although technology can provide 24/7 monitoring and sophisticated analysis in seconds, regulators will not assume that a compliance program is robust because the company uses the latest compliance software. The best technology in the world is worthless if the people entering and analyzing data or monitoring identified red flags are insufficiently trained or demoralized by a company’s lack of a compliance culture.
Technology can be an extremely helpful tool, but regulators will recognize it as an indicator of proficiency only if the company tailors the technology to its specific needs and implements it as part of a broader program that effectively addresses the company’s third-party risks.