As companies expand and move into new markets locally and abroad or venture to establish new partnerships there will be engagements with third parties to handle different aspects of their business operations or to create a suite of services and products for their customers. These could include any associate that a company does activities with, such as vendors, distributors, contractors, consultants, sales agents, service providers, suppliers, other companies and other intermediaries.

While these third party services or collaborations provide the firms with a competitive advantage as well as new business opportunities, they also make companies vulnerable to integrity risks such as fraud, corruption, bribery, labour violations and human rights issues.

This is as companies often do not have full visibility of the inner workings or practices employed by third party vendors or business partners. These might include subcontract arrangements, material or labour sourcing, environmental or waste management that could expose the companies to reputational risk.

For example, technology companies have long faced accusations of lax practices in controlling for labour sourcing along their supply chains. Just this month, Apple Inc. revealed plans to use 100% recycled cobalt for its product batteries, to guard against child labour being used for cobalt mining activities.

The challenge in oversight was compounded during the Covid-19 pandemic, when lockdowns and travel restrictions made it more difficult for companies to effectively monitor third party integrity risks in their supply chains or for subcontracting arrangements said experts. The rise of remote work (post pandemic) provides a new challenge for businesses, and highlights the difficulties companies face in adapting to the growing complexity of supply chains while maintaining a close eye on their vendor ecosystem.

For corporations, including public listed companies (PLCs) in Malaysia, third party integrity risk has now become a concern for several reasons.

Corrupt activities by unethical third parties can damage a company’s reputation and render it unable to conduct business in certain areas due to its non-compliance with regulations. They can also disrupt a company’s supply chain and business operations and expose them to government investigations and monetary penalties.

Companies also need to meet the needs of important stakeholders. Societal expectations on ethical practices and sustainability are becoming more prominent. These expectations are reflected by shareholders, regulators and customers as they express their preferences, make decisions or investment choices, as well as provide critique and feedback. Companies that do not manage third-party risks well may come under fire as their stakeholders hold them accountable. This may also adversely affect their business performance.

The concept of “Adequate Procedures”

Malaysia has recently tightened its anti-corruption laws on corporate liability. With the introduction of Section 17A of the MACC (Malaysian Anti-Corruption Commission) Act 2009 (Amendment 2018), which came into effect on 1 June 2020, a commercial organisation is deemed to have conducted an offence if any persons associated with the commercial organisation commits a corrupt act.

“Persons associated” with the commercial organisation not only includes directors, partners and employees, but also includes any persons “who performs services for or on behalf of the commercial organisation”. In other words, companies can be liable for acts of appointed third parties that lead to corruption.

Effective Third Party Risk Management Programme (TPRM)

Companies need a solid TPRM to effectively manage bribery and corruption risks and ensure they have adequate resources to develop and implement it. A study by KPMG showed that companies seriously underestimated the investment needed to establish a good TPRM framework. Although a TPRM programme should be tailored according to each company and evolve to fit changing circumstances, here are common key elements of an effective TPRM programme.

1. Third party risk management policies and procedures: These policies and procedures describe how third parties should be managed by the organisation and its employees.

Companies can consider these guiding questions while formulating and evaluating their TPRM risk management policies:

1. What is its risk tolerance when it comes to third party risks?
2. What are the roles and responsibilities of the third party provider or partner it is engaging?
3. What are the current due diligence processes in place for new third party service providers or partners?
4. What are the reporting or disclosure obligations that third party service providers or partners need to fulfill?

Bursa Malaysia Anti-Corruption Policy, May 2020 DEALING WITH THIRD PARTIES

As a market operator and regulator, Bursa Malaysia has dealings with many third parties and stakeholders. These dealings must be carried out in compliance with the relevant laws and in line with Bursa Malaysia’s values and principles, which include treating the organisation’s stakeholders with integrity and respect. As part of this commitment, all forms of bribery and corruption are unacceptable and will not be tolerated.

Bursa Malaysia expects all third parties acting for or on behalf of the organisation to share Bursa Malaysia’s values and to refrain from all forms of bribery or corruption. They must adhere to this Policy, where applicable, in their interactions and dealings with the organisation or when transacting on behalf of the organisation.

Employees are required to undertake due diligence to assess the integrity of prospective business counterparties and avoid knowingly entering into any business dealing with any third party reasonably suspected of engaging in money laundering, bribery or improper business practices unless those suspicions are resolved.

Employees are expected to exercise caution when dealing with public officials to avoid any perception or suspicion of bribery or corruption.

Notwithstanding the establishment of the third party risk management policies and procedures, the enforcement and implementation of these policies and procedures are equally important. These will require an effective compliance programme to be in place, and adequate resources need to be deployed to support its implementation.

2. Third party risk assessment: Third parties need to be assessed for the risks they pose to a company, so that the company can set up a monitoring mechanism to ensure an appropriate level of due diligence. Risk assessments should be conducted prior to the onboarding of third parties, and vendors should be periodically monitored.

The risks identified and assessed should be appropriately documented for reference as well as to coordinate the risk mitigation actions.

Vendors can be assessed and then categorised as high, medium or low risk. The appropriate preventive measures and parameters can then be developed for these third parties.

Among the risk factors that should be considered are local or foreign regulatory requirements, supply chain risks, third party credibility, third party geographical locations, as well as political connections.

3. Due diligence: Third party due diligence is an essential component of an effective third party risk management programme and is part of the key control measures recommended by “The Guidelines on Adequate Procedures”, issued by the Prime Minister’s department.

Companies can conduct third party due diligence by screening and checking past records of third parties to identify if there are any alleged, suspected or convicted cases of corruption. Due diligence is usually conducted prior to the onboarding of third parties or during periodic monitoring.

MACC’s Adequate Procedures Best Practice Handbook, February 2022

Among due diligence key considerations or criteria include:

a) List of convicted persons found on MACC or PDRM website;

b) Check against Office of Foreign Assets Control (OFAC), United Nations (UN) or other relevant Sanctions List;

c) Company profile and financial strength found in SSM or CTOS;

d) Check on compliance with AMLA rules and regulations;

e) Check on ownership structure and beneficial owners of the company;

f) Check on any relationship with government or Government Officers;

g) Check on lawsuits or legal proceedings of the company/personnel;

h) Check on any previous employment/business with the organisation for issues encountered.

4. Contract Management: Contracts with third parties can also serve as a tool to counter corruption. Companies can insert provisions into their contracts with third parties that include anti-corruption requirements and other expectations for compliance. For example, contractual provisions may include:

a) the compulsory signing of an integrity pledge

b) an agreement to comply with applicable anti-corruption laws

c) an agreement to implement policies and practices to prevent corruption throughout the duration of the contract

d) a mechanism for a party to conduct inquiries should red flags arise

e) a vendor exit strategy

Structured and enforced contractual provisions with third parties may help reduce legal and reputational risks associated with corrupt actions by third parties.

5. Training and communication: Training and communication is crucial in raising awareness amongst employees on company policies on third party risk management, as well as the latest regulatory needs and industry practices.

It is also helpful to provide training to specific third parties as well as to communicate to them the company’s third party integrity risk management. Training can be either general or tailor made for employees and third parties.

There are examples of Malaysian PLCs which have developed pilot training programmes for their third party business associates to guard against integrity risks and corruption. External business associates are sometimes required to enroll in multiple-module year-long programmes guided by the requirements of the MACC Act 2009. This can help third parties identify gaps, assess corruption and ethical risks and execute necessary control measures to counter the identified risks.

MACC’s Adequate Procedures Best Practice Handbook, February 2022

− The organisation should communicate on integrity matters to business associates at the entry point of business such as during engagement or onboarding. Organisations are also recommended to make it compulsory for business associates to sign a Vendor’s Letter of Declaration or Integrity Pact to comply with the company’s anti-bribery and corruption policies at this stage.

− The business associates should also be updated when there are new laws and policies or changes to policies.

Businesses should also be aware of potential blind spots when planning training and communication programmes. For instance, the management and board may not be aware or only have partial knowledge of how the company deals with third party risks for bribery and corruption. They may also fail to understand the risks associated with third party corruption or spend insufficient attention on these matters.

6. Ongoing monitoring: Companies should have internal policies and procedures that specify the need for periodical and systematic enforcement and monitoring of third parties with regards to risks associated with their services or partnerships, contractual performances, and reporting obligations.