The COVID-19 pandemic has taught us many lessons, but are we missing an age-old one that we all need to learn and act upon? That is, in every crisis there are people waiting to exploit the situation for their gain and your loss. Johnny Skillicorn-Aston from health transformation consultancy, Conclusio, and Andrew Clarke from International Compliance Association (ICA), look at new compliance trends for professionals working in pharma and health supply chains.
To be compliant suggests an outlook of ‘going along with’, fitting in with convention and protocol with a passive mindset. Perhaps, that is how we view the practice of compliance regimes and due diligence approaches? There are a set of rules and as long as we can show that we are following them, then we have played our part. In our commercial interactions, we can say that we ‘went along’ with what was expected but it is not enough. Passive alignment does not go far enough, will not protect you from sanction nor will it stop criminal and hostile elements exploiting what they already know; that corners will be cut, the ‘i’ will remain undotted and ‘t’ uncrossed.
For criminals and fraudsters who seek to exploit our process-weaknesses, this is a huge business opportunity. It is a chance to access the supply chains we work in, extract significant gains and leave us to face the sanctions that follow.
“The pandemic crisis has brought many changes to the way in which businesses operate, with staff working remotely, fewer face-to-face interactions, an urgency to act and a reduced focus on due diligence processes. When change occurs, criminals carry out a form of ‘opportunities assessment’”
I saw this often in my police career specialising in serious financial crime. As an example, a company in your supply chain folds and there then appears an alternative supplier to plug the gap. It is actually a completely fictitious company (even though it has a web presence), or it is the stolen identity of a real company. Are you confident that your systems in place during the pandemic would be able to uncover this?
The pandemic has caused a financial crisis which will continue to impact businesses for years to come. In this situation, your customers and those within your supply chain actually become higher risk. Previous crises have repeatedly shown that even some of those ‘good’ or ‘long-trading’ partners may unfortunately commit dishonest acts. Individuals feel pressures that lead them to rationalise illicit acts and they may conceal their true situation, trade whilst insolvent or take profitable commercial opportunities in breach of sanctions; all of these exposing you to commercial, reputational and potentially legal risk.
These situations are happening in reality, at this moment, and will continue to happen. One recent example includes a man who was arrested in Singapore, having been involved in stealing the identity of a legitimate supply company. The criminals advertised the fast delivery of surgical masks and defrauded a French pharma company of €6.6 million.
Increasing due diligence
Compliance is the bit we must do, but how we do it rests in the practice of due diligence. Just as compliance is universal, due diligence is everyone’s business and it is most effective when it is applied on first business contact. In large, complex organisations, it would be easy to view the function as something carried out by specialists in an area of your company remote from your end of the business. However, the interactions, transactions and relationships that can be criminally exploited are being conducted by you, each and every day. As a result, you need to know your customer.
Criminals exploit new technology against businesses. Counterfeit bank statements, utility bills, identity cards and even passports are readily available on the internet at low cost. These are difficult to spot when used by a criminal but thankfully there are efforts to disrupt this activity, with credit card companies beginning to block payments on these types of sites. Challenging to spot, but they serve to emphasise the importance of how we tackle due diligence.
Effective due diligence is key. What overall information do we have? Does it all fit? As an example, we may have an operating address provided by the supplier or customer, this is reflected in documentation and on websites. Is there continuity? Does the address represent a realistic business premises appropriate to purported trade? A simple check on mapping websites that photograph locations may reveal a small apartment as opposed to factory premises; I have had that very situation within a criminal investigation.
A key point to remember is that good compliance makes good commercial sense. Compliance is not business prevention, it is a business enabler. Is it better to identify a suspicious situation and avoid business engagement, or to later face the consequences of being a victim of the fraudster or sanctions evader?
Criminals use new technology, so let us also use it for our due diligence purposes. There is an emerging industry of ‘RegTech’ providers; these are technology products that we can use to achieve our due diligence objectives. Software on a smart phone can be used to photograph and identify counterfeit documents from their security features, not recognisable to the human eye. Anyone opening an account with an online-only bank will be familiar with this process.
Pharma businesses can outsource due diligence to trusted third-parties, who will use new technology and their experience to carry out effective due diligence and protect us as a business.
While knowing who you are dealing with is important, within complex supply chain dynamics knowing what your product is being used for is equally critical. There will be a range of goods, products and technologies that offer criminals, fraudsters and other hostile agencies an opportunity to gain from secondary use and application beyond their commercial purposes and intents. Where finished products contain many elements, this risk increases, and it is a dangerous approach to assume that any of those elemental factors are not controlled for export. It is a gamble that can only pay out sanctions.
The table below lists some of the products and items that are listed as ‘dual-use’, among which there are those that feature in pharma and health care supply chains:
The solution is to use a risk-based approach. Considerations and examples include:
- Nature of supplier/customer
Established company or new to market?
- Nature of business
Overly complex, with areas lacking transparency?
- Beneficial ownership
Who is really behind the business, the human not the Cayman Islands trust? What is the risk with them, have we checked them against sanctions lists?
- Product type: complexity/volume
Are there ‘dual-use’ goods, i.e. those with a legitimate use such as in medicine or health care; but also having potential use as a weapon. Castor oil seed is an example, with innocuous consumer and medical use, but also capable of being used as a chemical weapon.
- Geography of business
What risks of the country involved? Is there ongoing conflict or terrorist activity? Is there a high level of corruption?
- Intermediary/third parties
Are we recognising our responsibility under anti-corruption legislation? Are all dealings transparent and open to scrutiny if legally challenged?
- Commercial rationale
Does it make sense?
These examples show the efficacy of good risk management, however, viewing the process only through the lens of risk is not sufficient. Criminals and fraudsters view it through a lens of opportunity, so we need to adopt a bifocal view. Risk and opportunity combined, keeping our organisations safe from sanction and making the most of our business relationships within the supply chains in which we operate. Compliance and risk are more than just defensive measures, they are processes that can really help business consolidate and grow.
Returning to the COVID-19 pandemic, much has been made about the ‘new normal’, however this is merely a societal and transactional concept; it does not reduce the rigour required in due diligence. As commentators speculate on what the ‘new normal’ may look like, we can theorise but we cannot yet know for certain; one thing we can know is that it will not be a statutory defence against compliance accountability and sanction.
Effective compliance and due diligence regimes in pharma remain as important as ever and will stand or fall on the following:
- Knowing your supply chain
- Knowing your customer
- Knowing your customer’s customer
- Understanding your risks
Andrew Clarke MA, FICA is ICA Course Director AML/Financial Crime Prevention, ICA. Go to https://www.int-comp.org/
Johnny Skillicorn-Aston MCIPR is Communication and Engagement lead at Conclusio. Go to https://www.conclusio.org.uk/