Food for Thought: Auditing Anti-Bribery & Corruption Risk

“Food for Thought” is a series showcasing insights and best practices from Exiger’s roundtables, where senior financial services professionals and industry thought leaders come together to discuss the latest industry developments over a bite to eat.Request an invitation Anti-bribery and corruption (ABC) is an area of increased focus for law makers and regulators around the world, given the introduction of new ABC laws in the last few years. Regulatory expectations on ABC control design and effectiveness are growing, as noted by the Financial Conduct Authority (FCA) following its second wave of Systematic Anti-Money Laundering Programme (SAMLP) reviews[1]. In this context, senior auditors from leading financial institutions joined us in London in May for a roundtable discussion to benchmark their audit approach, and to share best practice in executing ABC audits.Regulator expectationsFinancial crime teams in banks have been transformed over the last decade. There is generally a deeper talent pool in financial crime, particularly in the anti-money laundering (AML) and sanctions risk space. ABC risk however has suffered from the perception of being the “poor relative” within the financial crime family, with smaller teams and investment. As ABC practitioners will attest to, ABC straddles both branches of compliance: financial crime compliance and regulatory compliance. This is because effective ABC risk management relies heavily on compliant employee conduct, which is traditionally the domain of regulatory compliance staff specialising in compliance with code of conduct rules and product compliance. Broadly speaking, AML and sanctions compliance programmes tend to have more issues due to operational breakdowns, whilst ABC programmes tend to have more issues arising from staff misconduct. Conduct and culture remain areas of focus for regulators on both sides of the pond, so auditors would do well to view ABC as a conduct issue – as well as a financial crime issue.We understand that the FCA expects firms to adopt a risk-based approach in managing financial crime risk. This does not mean they are not interested in understanding what a firm is doing to oversee the low-risk areas of its business as well as the high-risk areas.  Rather, regulators expect firms to be mindful of what is happening at both ends of the risk spectrum in order to demonstrate a holistic view of ABC risk across their firm. In the UK, the FCA has been interested in the high-risk topic of introducers in the insurance broking market and investment banking sector and now have expanded their coverage to include ABC risk as part of their SAMLP reviews. This indicates their broader approach to supervising firms’ financial crime risk programmes in the round. The tone set by the FCA has evolved in that they not only want to see a robust policy framework, they now also want to see how senior managers in the first line are actively managing their ABC risk and that there is clear accountability for this.Nature & challenges of ABC riskOf the firms surveyed at the roundtable, 62% said their 2019 audit plan included coverage of ABC risk.So what is the nature of ABC risk? What issues does it present for audit functions? And how can these challenges be overcome?Similar to fraud risk, what makes ABC risk challenging to cover comprehensively is how spread out it is through many different areas of a financial institution. As a result, many processes will contain bribery and corruption risk without the staff who oversee them always being aware of it to the extent they should be. This makes bringing the resources and training required to cover all areas where ABC risk might manifest itself challenging. Whereas AML and sanctions risk is more focused on customers and transactions, ABC risk is also more focused on employee conduct – so it is widely dispersed.Auditors said that raising the understanding of ABC risk in the business was their second biggest challenge in executing ABC audits. This clearly highlights the role that internal staff have to play in identifying red flags that indicate risk or suggest control breakdowns.  Other challenges included:Understanding what “good looks like”Getting the right ABC expertise on the audit teamMaintaining visibility of emerging regulations worldwideGetting management buy-in to recommendations and action plans Audit’s role in raising the barAn effective audit function should consider the following best practices to optimise their ABC audit plans:Thematic reviews / deep dive reviews Instead of trying to boil the ocean, address ABC risks via thematic reviews or deep dive reviews into specific areas of ABC risk exposure. A good starting point is often to identify parts of the business interacting with government officials.  Innovation & data As the first and second lines of defence adopt technology solutions to enhance their ABC efforts, such as email surveillance that uses sentiment analysis to identify red flags, make sure that you’re keeping pace. Audit functions need to get comfortable with how these solutions make decisions that affect risk management outcomes if their audit approach is to be sufficiently robust and defendable to their regulators. Operationalising ABC control framework As auditors, you can play a role in assessing the extent to which the business has operationalised an end-to-end ABC control framework through effective procedures and controls. Compare ABC controls against AML and sanctions ones to assess their robustness. Audit should evaluate the handoffs between different functions involved in ABC risk management within the Front Office, Finance, Human Resources, Compliance, Marketing, Vendor Management and Corporate Social Responsibility to see if anything is being missed. Pay close attention to US enforcement actions in other industries such as pharmaceuticals and oil and gas. Recent hot topics include the use of intermediaries and hiring practices. The FCA Handbook contains a chapter on ABC[2] with self-assessment questions to help you assess your firm’s ABC programme, along with examples of good and poor practice.  “Lessons learnt” reviews You should consider looking at the typologies and root causes of recent high-profile ABC enforcement actions to see if you can identify similar control breakdowns in your organisation. 60% of the delegates who joined us said their audit function hadn’t conducted this kind of “lessons learnt” review, meaning they are missing out on key risk indicators that could inform their audit plans and potentially result in re-prioritisation of ABC risk coverage.  Auditors should also assess how far the first line in the business and second line ABC team have evolved in terms of their ability to discourage and identify bad behaviours. This can be through whistleblowing hotlines and email surveillance systems.Auditors should assess culture and tone from the top to determine if there is a healthy risk culture, risk ownership and awareness and buy-in. Poor risk culture demonstrated by an influential leader can quickly infect an entire team or function. What can help is to focus on senior managers with influence and authority, in case they behave poorly and are open to abusing their position.Poor conduct often leaves a trail – for example damning emails which are often at the root of bribery and corruption enforcement actions and are a common theme in the identification of wrong doing. Auditors should assess the extent to which the business is equipped with controls that detect these types of emails through email surveillance and the use of software that conducts sentiment analysis that can be helpful in spotting suspect emails on a preventative or detective basis.We’re here to helpExiger is a global authority on regulatory compliance. We have worked with financial institutions, corporations and regulators across the world to enhance and assess the effectiveness of financial crime compliance programmes.White paper: Read our white paper on how auditors can raise the bar in auditing financial crime risk.  Read white paper >Benchmark your audit approach: By attending our next financial crime audit roundtable.  Request an invitation > Compliance audit, assurance & testing: Read more about our audit and assurance services.  Find out more >[1] FCA Annual report 2017/18: Anti-money laundering ( [2]