
Proprietary and Confidential. These slides have been prepared for general information purposes only and do not constitute legal or other professional advice

1 Best Practices in corporate compliance ◼ Kevin Braine


AICP Conference – Isle of Man

March 26, 2019

When Compliance programs go wrong…


Agenda

1. Introduction

2. The trap of “one-size-fits all”

3. If it is not auditable, did it actually happen?

4. When ambition gets you in trouble

5. Keeping up with the regulators

6. The most important thing – is what happens next

7. Questions


Global Multi-Disciplinary Risk Management

Over 3,500 employees in more than 70 offices in 28 countries

Compliance, Risk and Diligence

▪ Sanctions Screening and Monitoring
▪ Public Records and Enhanced Due Diligence
▪ Remediation and Special Research Projects
▪ Kroll Compliance Portal - 3rd Party Management Platform
▪ AML and ABAC Consulting – program design, reviews, and training

Investigations

▪ Investigations
  o Fraud & Internal
  o Financial
  o Regulatory
▪ Business Intelligence
  o Market Entry
  o Competitive Intelligence
▪ Investigative Due Diligence
▪ Forensic Accounting
▪ Asset Searches & Recovery
▪ Litigation & Disputes

Cyber Security

▪ Security and Risk Assessment
▪ Policy Review and Design
▪ Penetration Testing
▪ Vulnerability Scanning
▪ Third Party Reviews
▪ Computer Forensics
▪ Data Breach
  o Incident Response
  o Notification
  o Remediation

Security Risk Management

▪ Security
▪ Operational Security Services
▪ Security Design and Engineering
▪ Resilience Consulting


Kroll’s Risk-Based Approach to Due Diligence - fixed cost reports

First View: “The basics you should know”

• A low cost, high volume screening and monitoring solution available through the Kroll Compliance Portal
• One-time screens for sanctions, watch list and enforcements, politically exposed persons (PEPs), state-owned enterprises (SOEs) and profile-based adverse media, ongoing monitoring to ensure visibility into any new risk events.
• Option to outsource false positive review and resolution to Kroll’s risk and compliance analysts

Red Flag Review: “What is in the media”

• A red flag review for summarizing potential compliance and reputational risks
• Adverse media and internet research performed by research analysts in English and local professional language
• Review of compliance and watch list databases
• Narrative presentation of findings

Public Record Review: “What is in the public domain”

• Analyst-driven, detailed review of certain online public records to identify potential adverse and noteworthy information relating to corruption, money laundering, fraud, or other illicit or unethical behavior
• Includes corporate registration, individual corporate affiliations, regulatory, litigation, US higher education claims, and global compliance, sanctions, and watch list checks

Reputational Review: “What on-the-ground sources are saying”

• Enhanced due diligence with in-country source inquiries for insight into a subject’s reputation
• Public record review plus targeted local human intelligence to validate the risks identified during public record research, assess reputation, as well as to provide additional services such as site visits

Investigative Due Diligence: “A consultative, investigative approach”

• A consultative approach to due diligence tailored to each client, based on their specific needs
• A customized review and analysis of public records and inquiries of human sources.

January 2019 Duff & Phelps | Private & Confidential


The traps of “one-size” fits all

Aim for holistic risk-based assessments NOT rigid rules


The trap of “one-size” fits all

Cooking the books


If you cannot demonstrate it to a regulator

Did it happen at all?

Compliance activity must be

Documented

Easily accessible

Secure

Auditable

At your fingertips at all times


Your programme is only as good as its weakest link

Ensure your rules are applied consistently


Your programme is only as good as its weakest link

Apply your processes and controls consistently



Relying on third party’s due diligence

And you could end up dealing with the DEA’s most wanted


Political Exposure is a risk indicator

But do not neglect conflicts of interest


Make sure your programme is workable

Compliance policies ambitious but not implemented


Programme must be live and dynamic

“Keeping it fresh”


Implementing a risk-based approach

High risk situations only

Led by senior leadership

Extensive ad hoc due diligence

Targeted research to address a specific concern

Routine checks on large numbers of third parties

Led by in-house compliance team

Volume driven cost pressures

Focussed solely on regulatory risk

Risk-based screening of all counter parties

Involvement of all internal stakeholders

Increased use of technology

Holistic risk review including reputational risks

To detect: Financial Crimes, Sanctions, Political Exposure, Bribery, Corruption

But also: reputational risk, payment risks, business continuity risks

Having the right risk assessment in place


And lastly…

Ensure you have an efficient escalation process when something comes up


Key challenges

How to make a compliance programme work

Make the most of limited resources

Identify and focus on the highest risks

Get buy-in from your commercial teams

Learn from the financial services industry

Place more emphasis on suppliers to demonstrate compliance

And ensure that your programme is

Consistently applied throughout all group companies

Not so ambitious that it causes business disruptions

Easily auditable


Kroll Compliance Risk & Diligence Solutions

A cost-effective, high-quality, and structured approach to background checks

Since 1972 Kroll has helped to shape the compliance industry, building a wealth of in-house expertise and resource in the process of helping clients with their wide array of due diligence requirements. The resulting ability to find and contextualise nuanced (often sensitive) information enables our clients to make more informed business decisions on the basis of truly independent research in virtually any market, jurisdiction or language.

Kroll’s screening and due diligence solutions can help our clients to plan and execute a consistent risk-based approach to a broad range of business needs in line with regulatory principles, including:

▪ Anti-Money Laundering (AML), Know Your Customer (KYC), USA PATRIOT Act, Foreign Corrupt Practices Act (FCPA), UK Bribery Act, Financial Action Task Force (FATF) recommendations, and more

▪ Identifying and mitigating third party and transactional risks, including business and reputational risks

▪ Screening existing and potential joint ventures

▪ Screening against sanctions and government watch lists

▪ Assessing reputation through review of public records and local source inquiries

▪ Board appointments and pre-IPO due diligence

▪ Conducting market entry or deep dive investigative research in support of new and significant projects


A Risk-Based Approach to Due Diligence

Depending on your requirements, Kroll can provide both automated and human-led approaches to conducting Enhanced Due Diligence


A Risk-Based Approach to Due Diligence

Tailored to your needs

Standard Enhanced Due Diligence

Kroll’s standard Enhanced Due Diligence offerings seek to address the most common needs of risk and compliance professionals, at a fixed cost, timeframe and methodology; however, as with all Kroll Compliance reports, we can expand and tailor the scope of this research to meet your organisation’s specific requirements.

Investigative Due Diligence

Kroll is world-renowned for delivering investigative due diligence for situations where clients need an iterative, consultative, and more tailored answer to their more complex due diligence needs.

In those situations, Kroll will devise an investigative plan specifically designed to drill down to those risk areas most relevant for your unique situation and needs.

Kroll provides answers to questions that financial and legal analyses cannot address, especially regarding integrity issues and the reputations and backgrounds of counterparties.


An approach to Third Party Risk Management

IDENTIFICATION

- All types of third parties
- Sort and categorize
  . nature of services, domiciled countries, business value, business relationships
- Risk nature already identified

RISK-BASED CATEGORIZATION

- Define third party categorization
- Initial data gathering
  . Questionnaires
  . Nature, scope, geography
  . Business data
- Criteria for risk scoring

DUE DILIGENCE

Define granularity in due diligence

LOW - LEVEL 1:
  . First view screening
  . Red Flag review

MEDIUM - LEVEL 2:
  . Public Record review
  . Reputational review

HIGH - LEVEL 3:
  . Investigative due diligence

MONITOR & CONTROL

- Train operational people for:
  . onboarding new third parties
  . appropriate level of due diligence
- Monitor high risk third parties
- Recurrent review and approval
- Initiate random controls and audits


The Kroll Compliance Portal

The flexible online third-party relationship management platform

▪ Automated questionnaires. Collect and store the information you need from third parties and quickly process high volumes.

▪ Risk scoring. Generate scores based on your risk appetite and trigger actions accordingly.

▪ Screening, monitoring, and due diligence. Automatically screen, monitor and conduct additional levels of due diligence based on perceived risk.

▪ End-to-end digital management. Increase the consistency and efficiency of intake and review processes by extending portal functions to colleagues beyond the compliance team.

▪ Reduced False-positives. Kroll analysts will review false-positive results of initial screens to deliver only the information that matters to you.

▪ Tracking and auditing. Powerful reporting and audit capabilities.


Apply consistent business-wide on-boarding and monitoring processes in line with your company policy and board’s risk appetite. Organise and store all third-party information in one central and secure location.


The Kroll Portal

Efficiently manage, mitigate, and monitor third party risks

As third party management and anti-bribery and corruption regulations grow increasingly complex, the Kroll Compliance Portal provides you with capabilities designed to bring efficiency and consistency to third party compliance programs, including:

An easy-to-use, web-based platform that brings efficiency and consistency to the challenge of third party compliance risk management


The Kroll Portal

First View Screening & Monitoring

First View Monitoring enhances your ethics and compliance processes with ongoing, real-time third-party risk event tracking.

Powered by LexisNexis® WorldCompliance™ and Dun & Bradstreet to provide you with access to the most robust screening data on the market

Access the most comprehensive and current database of sanctions, enforcements, PEPs, state-owned or controlled enterprises, and adverse media content.


Keep your third-party profiles up-to-date. All the time.


The Kroll Portal

First View Screening & Monitoring

First View Monitoring with embedded databases allows initial screening for select combinations of Sanctions, Enforcements, Political Exposure, State Owned Entities, and Adverse Media against:

▪ more than 2.5 million risk entities from over 240 countries and territories;

▪ 50+ risk categories including terrorism, narcotics, money laundering, fraud, tax evasion, collateral crimes and PEP law,…;

▪ over 30,000 sources monitored in over 50 native languages.


Access to the most robust screening data on the market & comprehensive risk categories


The Kroll Portal

Third-Party Questionnaires

▪ Use the questionnaire module to collect information from your third parties, disseminate company policies and procedures, and capture certifications.

▪ Speed up onboarding processes by reducing response times through automation, tracking and local language capabilities.

▪ The questionnaire module includes:
  ▪ customised questionnaires and risk scoring models tailored to each client
  ▪ multiple questionnaires to address different third-party processes or risk scenarios
  ▪ sending of questionnaires in the third-party’s language of choice
  ▪ effortless tracking of questionnaire status and automated reminder emails
  ▪ automated, risk-based scoring of responses to help you align due diligence with risk
  ▪ re-certifications on an annual basis


The Kroll Portal

Third-Party Questionnaires


Effective third-party compliance programs include systematic processes to collect information from third parties on a periodic basis

I. Risk Scoring

II. e-Sign-off


The Kroll Portal

Due Diligence Report – Central Repository


Access Kroll’s spectrum of market-leading due diligence reports and communicate directly with our research experts

I. Tailored search specs

II. Interact with our Research Team


The Kroll Portal

Automate your unique compliance process – custom workflows

▪ Our automated, step-by-step workflows connect our screening, questionnaire and due diligence report ordering modules together – all inside the Portal.

▪ Enable globally consistent decision-making on whether or not to do business with a third party.

▪ Automate your third-party compliance processes to accelerate onboarding of new third parties.

▪ Easily design onboarding


Customise your complete compliance process, leveraging preset templates or by building your own

[Workflow diagram labels: Workflow, Decisions, Identification, Questionnaire, Due Diligence, Monitor, Profiles]


The Kroll Portal

Automate your unique compliance process - custom workflows


1. Easily design onboarding, recertification, and other due diligence workflows using drag-and-drop technology that brings your process to life

2. Track activity and third party profile progress with a visual display of your workflow

3. Manage internal approvals and hand-offs automatically

4. Standardize your workflow automation according to your unique business rules

5. Customize your complete compliance process leveraging preset templates or by building your own


The Kroll Portal

Automate your unique compliance process - custom workflows

Benefits of custom workflows

▪ Ensure staff in various internal functions and physical locations are aware of and follow established screening standards

▪ Save time and reduce human error with this controlled and automated approach

▪ Increase transparency into your workflow with tracking and reporting tools

▪ Improve efficiency leveraging the insights gained from automation and tracking

▪ Tailor your approach by creating scenario-dependent workflows


The Kroll Portal Difference

Leveraging our expertise, global reach, and technology to deliver deeper, more refined, and more contextual information that results in better decision-making.


– Manage your entire program with Kroll’s Compliance Portal, designed to address your specific workflow needs, from screening and monitoring to governance, due diligence, and compliance.

– Take a risk-based approach to your program through Kroll’s full spectrum of screening and due diligence which provide escalating levels of research, from first view screening to investigative due diligence.

– Gain unique insight and efficiency from Kroll’s global presence and regional expertise, including fluency in over 35 languages as well as our proprietary research tools.

– Enhance the design, set-up, and implementation of your compliance program by partnering with our expert consultants.


For further information please contact

Tom Hollobone
Associate Managing Director
Compliance Risk and Diligence, EMEA
T +44 (0) 207 029 5159
M +44 (0) 7500 447231

Dominic Lynch
Director
Compliance, Risk & Diligence, EMEA
T +44 (0) 207 029 5031
M +44 (0) 79 202 32 987

www.kroll.com