| Examples of good practice | Examples of poor practice |
| --- | --- |
| Establishing and documenting policies with a clear definition of a ‘third party’ and the due diligence required when establishing and reviewing third-party relationships. | Failing to carry out or document due diligence on third-party relationships. |
| More robust due diligence on third parties which pose the greatest risk of bribery and corruption, including a detailed understanding of the business case for using them. | Relying heavily on the informal ‘market view’ of the integrity of third parties as due diligence. |
| Having a clear understanding of the roles clients, reinsurers, solicitors and loss adjusters play in transactions to ensure they are not carrying out higher risk activities. | Relying on the fact that third-party relationships are longstanding when no due diligence has ever been carried out. |
| Taking reasonable steps to verify the information provided by third parties during the due diligence process. | Failing to respond to external events which may draw attention to weaknesses in systems and controls. |
| Using third party forms which ask relevant questions and clearly state which fields are mandatory. | Asking third parties to fill in account opening forms which are not relevant to them (e.g. individuals filling in forms aimed at corporate entities). |
| Having third party account opening forms reviewed and approved by compliance, risk or committees involving these areas. | Accepting vague explanations of the business case for using third parties. |
| Using commercially-available intelligence tools, databases and/or other research techniques such as internet search engines to check third-party declarations about connections to public officials, clients or the assured. | Approvers of third-party relationships working within the broking department or being too close to it to provide adequate challenge. |
| Routinely informing all parties involved in the insurance transaction about the involvement of third parties being paid commission. | Accepting instructions from third parties to pay commission to other individuals or entities which have not been subject to due diligence. |
| Ensuring current third-party due diligence standards are appropriate when business is acquired that is higher risk than existing business. | Assuming that third-party relationships acquired from other firms have been subject to adequate due diligence. |
| Considering the level of bribery and corruption risk posed by a third party when agreeing the level of commission. | Paying high levels of commission to third parties used to obtain or retain higher risk business, especially if their only role is to introduce the business. |
| Setting commission limits or guidelines which take into account risk factors related to the role of the third party, the country involved and the class of business. | Receiving bank details from third parties via informal channels such as email, particularly if email addresses are from webmail (e.g. Hotmail) accounts or do not appear to be obviously connected to the third party. |
| Paying commission to third parties on a one-off fee basis where their role is pure introduction. | Leaving redundant third-party accounts ‘live’ on the accounting systems because third-party relationships have not been regularly reviewed. |
| Taking reasonable steps to ensure that bank accounts used by third parties to receive payments are, in fact, controlled by the third party for which the payment is meant. For example, broker firms might wish to see the third party’s bank statement or have the third party write them a low value cheque. | Being unable to produce a list of approved third parties, associated due diligence and details of payments made to them. |
| Higher or extra levels of approval for high risk third-party relationships. | |
| Regularly reviewing third-party relationships to identify the nature and risk profile of third-party relationships. | |
| Maintaining accurate central records of approved third parties, the due diligence conducted on the relationship and evidence of periodic reviews. | |