FSA’s fine of £5.25 million against Aon Limited should sound a warning not just to the insurance industry, but to all firms who use overseas contacts to win business. Strong systems and controls to counter the risk of exposing a firm to bribery and corruption are as important as any other anti-financial crime measures.
Aon, like many other institutions, relies on third parties to get business from overseas customers. Many of these third parties will be unregulated. Often, as was the case for Aon, they will be in high risk jurisdictions.
The firm paid various overseas third parties to help win reinsurance business from clients for its aviation and energy divisions. Some of these clients were state-owned or had Government connections.
There was a risk the third parties might have used some payments Aon made for bribery or other inappropriate purposes.
These business practices lasted for many years. Once Aon looked into the circumstances, it needed to report potentially inappropriate payments to SOCA.
What procedures did Aon have?
Aon had a global Code of Business Conduct. This was meant to raise employees’ awareness of “improper payments” but did not give specific examples of risks. The Code also required employees to confirm each year they understood the Code and placed an even stricter annual confirmation requirement on supervisors.
The firm had also historically given training and guidance to senior employees about the risks of dealing with third parties.
Aon’s procedures included an authorisation process for each third party before it could give any approval or make any payment.
How did Aon check compliance?
Aon had procedures in place. But FSA found several training and compliance problems:
- Aon did not give its staff enough training or written guidance specifically about bribery and corruption risks;
- it was not clear how the guidance that existed outside the Code was distributed or enforced;
- the explanatory notes to the forms for third party authorisation were not clear so employees may not have understood what due diligence they had to do. Forms did not contain enough detail to clarify the services the payments related to, and sometimes Aon allowed business to go ahead without a completed form;
- the compliance department did not play a big enough role in checking third parties. It did more checks on UK third parties than overseas ones, and did not have to monitor the firm’s relationships with overseas third parties as part of its ongoing programme.
What risk controls were in place?
The firm’s board and relevant committees did not specifically consider the risks of these payments until the firm discovered the events that led to FSA’s action. Management information did not have the right focus to enable the firm to oversee the management of overseas third party risks.
Internal Audit’s work did not include doing risk-based reviews of the payments.
What went wrong?
In the 1990s, two predecessor companies paid overseas third parties in suspicious circumstances and Lloyd’s, the then regulator, took disciplinary action in respect of these.
In the early 2000s, Aon carried out a programme of preparation for FSA regulation (which started in 2005). It did not properly assess the potential bribery and corruption risks to the firm. It even decided to focus on third parties that conducted activities in the UK and did not look at relationships with overseas third parties.
The Code and the compliance function following this programme were inadequate. So Aon neither properly set up nor controlled relationships with overseas third parties. It failed to flag specific risks to appropriate staff.
The firm found out about the problems when an overseas law enforcement agency enquired about a group of Indonesian transactions. Once Aon carried out its own investigations, it notified FSA of two potentially suspicious groups of transactions and made suspicious transaction reports to SOCA.
What changes did the firm make?
When the firm reported to FSA, it said it had put in place new systems and controls that meant:
- the firm could not make payments to any overseas third parties until it had completed its set-up process;
- all third parties were included on the Compliance List; and
- it would introduce new training.
Despite this, the firm made a payment that avoided the new procedures: it wrongly classified a third party, and as a result the payment did not trigger the correct authorisation and compliance procedures. The new procedures had not taken this risk into account. Aon made another report to SOCA and FSA.
What did FSA dislike most?
FSA found many problems. Although it did not think Aon had acted deliberately or recklessly, it found breaches of Principle 3 because the firm did not:
- require satisfactory levels of due diligence on overseas third parties before the firm made payments;
- monitor its relationships with overseas third parties in respect of bribery risks;
- give staff in affected divisions enough guidance or training on bribery and compliance risks; or
- ensure relevant committees got the right management information or otherwise routinely assessed effective management of bribery and corruption risks.
FSA was particularly hard on the firm because:
- it wants its actions to have a strong deterrent effect not only on Aon but also on other firms;
- the systems and controls failings existed in several major business units over nearly three years;
- the firm made 66 suspicious payments totalling around $2.5 million and €3.4 million in those three years alone (and other payments before Aon became FSA-regulated);
- the firm should have been aware of the risks, and some divisions routinely dealt with third parties in jurisdictions where bribery and corruption are perceived to be common;
- Lloyd’s had previously disciplined the firm on the matters;
- the firm is one of the leading insurance and reinsurance brokers in the London market; and
- the firm may have profited from the breaches in commission or brokerage from business it won or kept because of suspicious payments.
In mitigation, FSA noted:
- Aon’s prompt reporting to SOCA and FSA once it discovered the problems;
- the firm appointed accountants to review the systems and controls and is implementing the review recommendations;
- the accountants also conducted a review covering the past six years so the firm could be confident it could identify potentially suspicious payments. The firm then asked lawyers to look at groups of payments, some of which it subsequently reported to SOCA and FSA;
- action the firm has taken in relation to staff involved in the past problems; and
- the detailed and robust new and enhanced systems and controls the firm has put in place as well as senior management’s commitment to ensuring necessary behavioural changes take place.
What should firms do now?
All firms that use overseas third parties should have a global culture and policy that highlights awareness of bribery and corruption risks.
Policies and procedures should:
- embed due diligence at the outset of any relationship that fleshes out the third parties involved, the payments made and their purpose and destination;
- ensure proper authorisation procedures before any payment is made;
- monitor third party relationships and payments appropriately;
- carry out regular risk assessments on third parties and third countries to assess bribery and corruption risks;
- embed compliance with anti-bribery and corruption procedures at senior management level;
- assess compliance at high levels, with the right management information and with input from relevant committees; and
- train and supervise staff working in areas particularly at risk.
It is not enough just to make staff aware of anti-corruption laws. They must know the particular risks their business units face and how to deal with them.