The FSA has published a report into how commercial insurance broking firms in the UK are addressing the risk of becoming involved in bribery and other corrupt practices. The report is the culmination of a thematic review which was begun in late 2008.
The report articulates numerous criticisms of anti-corruption risk management in the insurance broking sector.
Whilst the report is explicitly stated not to constitute formal guidance from the FSA, it will be of interest not only to organisations in the regulated sector (which should take note that the report's recommendations are of general application and that the FSA has indicated it may undertake further 'thematic reviews') but to all organisations in view of the new corporate offence of failing to prevent bribery in the Bribery Act 2010 which is expected to become effective later this year. The report explicitly suggests that regulated organisations make use of the examples of good and poor practice it contains when putting in place procedures to enable them to benefit from the adequate procedures defence to the new corporate offence. We will be publishing further ebulletins on what firms should do as a result of this report and the new adequate procedures defence.
Findings and Recommendations
The report sets out its findings and conclusions in relation to nine different aspects of risk management and gives examples of good and poor practice in each area.
Governance and Management Information
The report found that in most cases among the 17 firms visited there was senior management engagement with corruption risk but that in more than half of the firms reviewed the responsible person did not, in their view, properly understand the nature of the risk.
The report recommends that businesses generate detailed and specific Management Information ("MI") to assist senior management in evaluating corruption risk (covering the opening of new third party accounts and their risk classification; higher risk third party payments and unusually high commissions paid during the preceding period; relevant external developments etc.).
Examples of good practice included clearly documented responsibility for managing corruption risk lying with either a senior manager or a committee reporting to the board and the regular circulation of MI among the board and senior management. Examples of poor practice included a lack of awareness and/or engagement with risk management at a senior level and inadequacy of MI (either because it was infrequent or lacking in relevant detail).
Risk Assessment and responses to significant bribery and corruption events
Despite previous references to the importance of 'risk-based' procedures, the FSA found that most firms were still adopting a 'one size fits all' approach in their corruption risk management. This approach was frequently inadequate as it failed to take account of the differing risk profiles of jurisdictions and industries. Even where firms took account of higher risk circumstances they often failed to properly document what additional procedures were required to address them.
The report is also critical of firms' failure to respond to significant external events. The FSA was "extremely disappointed" by the fact that firms had not taken action in November 2007 in response to its 'Dear CEO' letter, in which it advised commercial insurance brokers to review their practices and ensure they were not involved in, or associated with, illicit payments.
Recommendations of good practice in this area include regular assessment of country and business class risk; robust due diligence and monitoring in respect of higher risk third party relationships; and reviews and gap analyses of systems and controls in response to relevant external events. Cited examples of poor practice, by contrast, include a failure to identify and monitor risk; application of a 'one size fits all' approach; slow implementation of change; and failure to make appropriate use of external expertise.
For all organisations reviewing their systems and controls for fitness for purpose in light of the adequate procedures defence, a robust risk assessment is the heart of the exercise. It seems that many brokers at least have struggled to identify those classes of business, clients, jurisdictions and third parties that represent particular risks from an anti-bribery perspective.
Due diligence on third party relationships
The report identifies several examples of weakness in the due diligence undertaken on third parties. Common defects included failure to identify where third parties were inherently higher risk (for example being an individual, introducing business from higher risk jurisdictions or being connected to the assured, the client or a public official) or where circumstances indicated a higher risk (for example where there was no understood or documented business case for commission payments; where third parties requested commission in advance of premium payments or sought to conceal the existence of their commission from other parties to the transaction).
Firms were also criticised for relying too much on an informal 'market view' of third parties. Where due diligence was undertaken, information provided by third parties was frequently not verified. Firms also failed to undertake due diligence on third party relationships brought to them via acquisitions of other businesses or teams.
The FSA recommends that firms ensure robust due diligence policies are established and documented and that information provided by third parties be reviewed by risk/compliance committees and independently verified. The level of corruption risk posed by third parties should also be considered and commission limits set to take account of such risks. Further, all third party relationships should be regularly reviewed to identify any change in risk profile.
These findings provide further evidence of the difficulty firms have found in practice in taking on board messages given by the FSA in previous enforcement actions which have stressed the importance of carrying out adequate due diligence before entering into relationships with third parties and routinely reviewing the relationship from a corruption risk perspective. Although in the broking context third party introducers of accounts normally represent by far the highest risk category, it should be remembered that there exist numerous third party service providers who assist the performance of insurance and reinsurance contracts (surveyors, engineers, loss adjusters to name but a few) who represent potential avenues for illicit payments in higher risk jurisdictions in the event that those intent on corruption seek to evade even enhanced systems and controls.
The FSA found the payment controls employed by brokers to be generally adequate with only one of the firms visited showing major shortcomings. This positive conclusion was, however, subject to the significant caveat that payment controls will not be effective in the absence of proper underlying due diligence into payees or the reasons for payment.
Staff recruitment and vetting
Vetting of staff among firms of brokers was found to be weak compared with other regulated businesses. As with third party vetting, the FSA criticises firms for over-reliance on informal 'market gossip' and consequent reluctance to carry out formal checks.
The FSA recommends a risk based approach to staff vetting: employing enhanced techniques (including credit and criminal record checks) for staff in roles with higher bribery and corruption risks and periodically repeating relevant checks.
Given the significant mobility of producing brokers and teams in this sector, there is an ongoing challenge in ensuring that new personnel and teams are subject to appropriate vetting and that this takes place in a timely fashion.
Training and awareness
The FSA were "very disappointed" to discover that only two of the 17 firms visited provided adequate staff training with regard to corruption risk and firm policy. Most firms had general financial crime training programmes but these included very little, or no, specific material covering anti-bribery and corruption even for staff whose roles involved higher corruption risk. The report underlines the importance the FSA attaches to training which is appropriate to an employee's exposure to corruption risk, which uses testing to demonstrate understanding and which is repeated periodically to ensure that both the course content and employees' awareness are kept up to date.
Once again, this section of the report suggests that lessons have not been learnt from earlier enforcement action in which the FSA specifically criticised the failure to provide sufficient guidance or training to staff.
Risks arising from remuneration structures
The report notes that there is little evidence that broker firms had considered whether their remuneration structures gave rise to increased risks of bribery and corruption. Particular criticism is levelled at bonus schemes (for producing brokers) which are focussed entirely on income or profit generated. The FSA identify as good practice that bonus awards be based on factors such as a balanced score card as well as income generated and (in the case of staff in higher risk positions) be subject to deferral and clawback provisions.
Only four of the firms visited had ever made a Suspicious Activity Report and only one had ever done so in relation to bribery and corruption (in spite of numerous examples of issues discovered by the FSA at these firms which might reasonably have been reported). One possible reason the FSA suggest for this is that, while a number of firms had formal whistleblowing procedures, very little appeared to have been done to make staff aware of them. The report recommends the procedures be strengthened by the appointment of senior managers to oversee the whistleblowing process, respect for the confidentiality of persons raising concerns, training in whistleblowing procedures and better internal monitoring of suspicious reports (to identify trends even if individual reports are not forwarded to the FSA).
The role of compliance and internal audit
The report makes clear that compliance and internal audit departments are key to bribery and corruption prevention. The chief criticism made in the report is that too often these departments merely check that existing procedures have been properly complied with rather than assessing the adequacy of underlying due diligence or the rationale for third party payments. In addition, compliance and internal audit staff were frequently found to have "patchy" knowledge of bribery and corruption issues due to inadequate training. The report identifies as good practice that audit and compliance staff receive specialist training and review not only compliance with processes but also the adequacy of the processes themselves.
In the insurance and reinsurance (broking) sector it is essential that those devising systems and controls and overseeing their operation have a proper understanding of the business practices of the market and, consequently, of those activities that represent red flags.
Whilst this report will come as a significant wake up call to insurance brokers to galvanise their anti-corruption systems and controls, given the inherent risks in the sector when services are frequently delivered by a number of international subsidiaries on behalf of group companies (whether as producing and placing broker or otherwise), all regulated firms and organisations reviewing their systems and controls in readiness for the adequate procedures defence will wish to check that the good practices identified by the FSA are, where appropriate, adopted.
The report recognises that some of the broker firms visited have improved their procedures in the aftermath of the thematic review but it is evident that progress has been slow in some quarters: a skilled persons report has been commissioned in relation to one firm, a private warning issued to another and it is said to be likely that there will be referrals to enforcement. All regulated firms will be mindful of the risks of regulatory action in this area and it follows that concerns over anti-corruption systems and controls articulated by the FSA will impact on the degree of confidence firms can have in relation to the adequate procedures defence under the Bribery Act 2010.
Herbert Smith is currently working with organisations in the insurance and reinsurance sector to assist them in managing their bribery and corruption risk as well as a broad range of regulated and corporate entities who are revising their anti-corruption policies, procedures, systems and controls. We offer health checks of current compliance procedures and have assisted a range of organisations in enhancing their policies. We also run workshops for our clients' compliance teams and senior employees and have prepared bespoke electronic learning courses tailored to industry sectors to assist in meeting training requirements.