India poses high risks of corruption and money laundering for financial institutions operating in the country. To evaluate these risks, the authors recommend four key general steps combined with a number of India-specific considerations. Anti-corruption efforts, they suggest, require, among other things, a comprehensive knowledge and understanding of all customers and business affiliates, including third parties and joint venture partners. For anti-money laundering, the authors emphasize “Know Your Customer” procedures that meet the Reserve Bank of India’s robust standards, along with a strong monitoring program to help detect common money laundering schemes. For years, multinational companies have flocked to India to take advantage of the country’s low-cost labor force and its burgeoning middle and consumer classes. [1] Recently, India’s emerging markets have attracted even more attention with the election in May 2014 of business-friendly Prime Minister Narendra Modi, who has promised to boost infrastructure spending and job growth while combating high inflation rates and bureaucratic red tape.[2] India’s economy is expected to improve significantly over the next several years, with some experts forecasting that it could soon outpace China as the world’s premiere growth market.[3] Indeed, financial institutions should take note — the formalization of India’s economy under Prime Minister Modi and the corresponding surge in foreign business investment may create lucrative opportunities for banks, lenders, and money services businesses alike. India remains a challenging country in which to conduct business. For example, corruption continues to be a vexing problem,[4] while the informal economy renders financial institutions common targets for money laundering.[5] Prime Minister Modi has promised to combat corruption by significantly enhancing local law enforcement resources and related prosecutions in India— practices largely absent from the country’s prior enforcement regimes.[6] In light of this pledge by India’s new leadership, and considering that financial institutions already face a heightened level of global enforcement with respect to both anti-corruption and anti-money laundering compliance — a trend likely to continue as new laws are passed and cooperation between international authorities increases — financial institutions must ensure that they have a robust, comprehensive compliance program firmly in place before committing to business in India. Risk assessment is an integral part of any strong anti- corruption and anti-money laundering compliance program. The practice of regularly evaluating risk not only allows financial institutions to detect potential violations of anti-corruption and anti-money laundering laws and regulations, it also plays a key role in helping companies shape their compliance programs to prevent future violations and related improprieties. Noting the considerable challenges of conducting business in India and the anticipated uptick in anti-corruption and anti- money laundering enforcement there, the purpose of this article is to spotlight best practices for conducting risk assessments in India in order to help financial institutions enhance their compliance programs and increase the prospect of satisfying the expectations of law enforcement and regulatory authorities in India and around the world.
OVERVIEW OF RISK IN INDIA
Financial institutions must be prepared to manage significant corruption and money laundering risks if they intend to take advantage of the expanding Indian business landscape. A thorough appraisal of these risks, as unique to each company’s specific business and operational profiles, is critical to conducting a meaningful risk assessment.
Corruption Risk
India has long suffered from a deeply entrenched culture of corruption. Graft remains a strong part of Indian culture today. The country’s vast and complex bureaucracy creates abundant opportunities for government officials to demand bribe payments in exchange for assistance or benefits. The Indian government employs a large number of government workers, about 90% of which are classified as “low-wage earners.”[7] The government often entrusts these particular employees with the power to grant or deny many of the licenses and permits that companies need in order to operate in the country. Because these workers are paid so little, many rely on bribes to supplement their income. Several key touch points between companies and the government in India therefore become opportunities for corruption to proliferate. Indeed, the sheer number of licenses and permits required by the government for multinational corporations to operate in many business sectors, including the financial sector, ensures that such opportunities are plentiful.[8] According to a recent survey conducted by Transparency International, a leading non-profit organization dedicated to stopping corruption and promoting accountability and integrity, 80% of Indians believe that corruption in the public sector is “a problem” or “a serious problem.”[9] Only 3% of respondents said that corruption was “not really a problem” or “not a problem at all.” Corruption also appears to be trending in the wrong direction, with 71% of respondents opining that the level of corruption in India increased over the past two years, compared to only 7% who observed a decrease. Unsurprisingly, India has become a hot spot for global anti-corruption enforcement actions, particularly those pursued by the U.S. government under the U.S. Foreign Corrupt Practices Act. The FCPA prohibits bribery of foreign (i.e., non-U.S.) government officials and requires publicly traded companies in the United States to maintain accurate books and records and effective internal controls.[10] In the past 10 years, companies have collectively paid billions of dollars to settle FCPA matters with the U.S. government. And several of the higher-profile FCPA enforcement actions have involved India. For example, in 2011, Diageo paid over $16 million to the U.S. Securities and Exchange Commission to settle a matter involving allegations that its Indian distributors paid bribes to employees of government-owned liquor stores to increase beverage purchases.[11] In 2010, Pride International paid $56.2 million to the SEC and the U.S. Department of Justice in response to allegations that it paid bribes to an Indian judge to secure a favorable determination in a customs dispute.[12]
Money Laundering Risk
India’s extensive informal economy poses a significant money laundering risk to financial institutions operating in the country. Many wealthy Indians go to significant lengths to keep their assets out of regulated transactions or savings accounts. Some of these individuals may have earned their assets through criminal activity, while others simply do not want to pay taxes on their income. To avoid the formal economy, wealth is stored and transferred in alternate asset classes, such as land, housing, or precious metals, which can be difficult to trace for law enforcement purposes. Furthermore, approximately 85% of employed Indians are paid in cash.[13] A staggering amount of India’s economy exists outside of the regulated financial system — Indian regulators recently declared that the so-called “black economy” is estimated to be worth as much as $2 trillion, more than India’s annual gross domestic product.[14] Some prosperous Indians have also turned to the offshore finance system to disguise the source and amount of their overall wealth. Experts have estimated that anywhere from $500 billion to $1.4 trillion in illicit Indian money has flowed out of the country into foreign bank accounts since 1948.[15] Some Indians send “black money” out of the country only to arrange to have it transferred back into local financial institutions disguised as legitimate foreign funds. Until recently, the Indian government did little to curtail this practice. Anti-money laundering enforcement, however, is now on the rise. In June 2010, for example, India was admitted as the 34th country- member of the Financial Action Task Force (“FATF”), an inter-governmental body that monitors financial crime in its member countries and recommends government action to combat money laundering, terrorist financing, and other threats to the integrity of the international financial system. The Reserve Bank of India (“RBI”) has also taken greater responsibility in fighting money laundering. The RBI has issued several advisories reiterating for local financial institutions their anti-money laundering obligations, and it has fined many banks for failure to comply with relevant Indian regulations.[16]
BEST PRACTICES FOR RISK ASSESSMENT IN INDIA
In the wake of the significant anti-corruption and anti- money laundering compliance challenges faced by financial institutions seeking to enter or expand in the Indian market, there are a number of best practices that are effective for purposes of assessing and mitigating risk.[17] These best practices are informed by the standards reflected in the various regulatory regimes of the DOJ, the SEC, the World Bank, and the Organisation for Economic Co-operation and Development (“OECD”). Importantly, as with most compliance procedures, an appropriate risk assessment strategy must be tailored to the particular risk profile of the business conducted by the company and the company’s operational footprint. Broadly speaking, financial institutions should conduct periodic, informed, and documented risk assessments with an emphasis on the areas of highest risk within the company’s business and operational structure. Geography is a key factor in evaluating risk, and the conduct of financial operations in India unquestionably qualifies as an elevated risk consideration. Risk assessment generally requires four principal steps. The first step is for the financial institution to determine the scope of the review and gather relevant information about its business operations and practices. For operations in India, it is particularly important to concentrate at the outset on the company’s client base, top-level commitment, existing standards and controls, and training and response protocols. Another important component of this step is to identify all laws and regulations that apply to the company and the local authorities with jurisdiction over the company’s activities. This component is particularly germane in India, where the shifting political landscape has led to changes in the government’s regulatory regime, such as the creation of the Indian Supreme Court’s Special Investigation Team (“SIT”) in 2014.[18] The second step is to conduct relevant interviews of key company officers, employees, and other stakeholders with strong knowledge of the company’s operations. Importantly, this would include personnel on the ground in India who are involved in the company’s day-to-day business activities there. To conduct effective, focused, and streamlined interviews, relevant documents and materials should be collected and reviewed in advance. The third step is to carefully evaluate information gathered from the document review and interview stages, and begin to develop a report that underscores the company’s risk profile and outlines recommendations formulated to enhance the company’s compliance program by addressing determined risks (sometimes called compliance “gaps”). During this third step, the information collected over the course of the earlier phases should be scrutinized to identify “red flags” within the company’s risk profile and pinpoint areas of risk that should be attended to on a priority basis. Note that issues or “gaps” requiring even further review or investigation may be found in step three, and, if so, supplemental evaluation should be conducted, as necessary and appropriate, during this phase of the risk assessment process. The fourth and concluding step of a risk assessment in India is to compile and synthesize the findings of the review in a final report, which must include a plan for designing and implementing the recommended anti- corruption and/or anti-money laundering program enhancements. The final report should contain very specific suggestions for improving the financial institution’s compliance program and prioritize those recommendations based on the nature of the risk and the complexity or difficulty of design and implementation. The report should conclude with a detailed action plan assigning responsibility for each enhancement to a specific department or individual (with corresponding timeframes for completion).
Anti-Corruption Risk Assessment Considerations
While the four general steps detailed above are designed to assist financial institutions with business operations in India and around the world to manage risk, there are certain additional factors particularly relevant to India that should be considered with respect to anti- corruption risk, on the one hand, and anti-money laundering risk, on the other. Combining the four general steps with consideration of India-specific factors will help financial institutions maximize the customization of the assessment process to the specific type of risk under review. For example, perhaps the most critical factor in conducting an effective anti-corruption risk assessment in India relates to identifying the level of business activity with government officials or state-owned or-operated entities. Indeed, under the FCPA, the U.K. Bribery Act, and other anti-bribery laws around the world (such as Brazil’s recently enacted Clean Company Act), bribing foreign government officials can create substantial criminal and/or civil and administrative liability. Financial institutions and other companies operating in India, therefore, must have a comprehensive knowledge and understanding of all customers and business affiliates, including third parties and joint venture partners. For a company to maximize its understanding of government-related risk, the assessment should seek up front to determine if any customers or business partners are government officials of state-owned or -operated entities. If so, the financial institution will want to include a review of the effectiveness of current internal controls relating to the treatment and oversight of those relationships. This would incorporate, for instance, careful consideration of the company’s compensation arrangements with government partners, including commissions and profit margins that each partner receives as part of its current contractual arrangement. Importantly, however, an anti-corruption risk assessment in India must identify all touch points between the financial institution and government officials — not just those relating to contractual payments. Given the substantial risk that low-wage officials in India may demand bribe payments in exchange for licenses, permits, or other basic services, the assessment should consider the safeguards surrounding all of the company’s communications with government officials. The assessment should also seek to ensure that the company maintains records thatcarefully document contacts with the Indian government, and any fees or costs paid to procure related services, including expenses incurred involving other payments to government officials.[19] Further, an anti-corruption assessment should examine the company’s compliance culture with respect to its operations in India (and, ultimately, around the world). Authorities in the United States, the United Kingdom, and elsewhere expect local company officers and onsite managers stationed in India to set the tone for anti- corruption compliance, and to detect and address inappropriate or unethical practices before they become major compliance issues. Given the pervasiveness of corruption in India, it is particularly important during the interview stage of the assessment to determine whether the company has a strong compliance culture, beginning with a positive “tone at the top” emanating from officers and managers to employees across operations in India. A robust anti-corruption culture will incorporate regular anti- corruption training and easily accessible policies, procedures, and response and escalation protocols.
Anti-Money Laundering Risk Assessment Considerations
As with anti-corruption evaluations, risk assessments in the anti-money laundering realm also have important and distinctive components that ultimately shape their utility and effectiveness. Importantly, within the context of observing and adhering to the general best practice risk assessment steps set forth above, a specific anti- money laundering risk assessment for financial institutions (and other multinational companies) operating in India should be designed to review products, services, customers, entities, and locations unique to the company’s risk profile and that may be particularly vulnerable to money laundering activity. Although attempts to launder money, finance terrorism, or conduct related illicit activities through a financial institution can originate from many disparate sources, certain products, services, customers, entities, and geographic locations, such as India, are more susceptible.[20] These include, for example, electronic funds payment services, private banking, trust and asset management services, issuance of monetary instruments, foreign correspondent accounts, trade finance, foreign exchange activity, services provided to third-party payment processors or senders, and non-deposit account services (such as investment products or insurance).[21] To facilitate the review of potentially problematic customers, products, entities, and services as part of a regular risk assessment process, it is imperative for financial institutions in India to ensure that the company has a comprehensive transaction monitoring system in place to track activity within all of these areas. Indeed, financial institutions operating in India must comply with certain reporting requirements, including the filing of Suspicious Transaction Reports (“STRs”).[22] To fulfill such obligations, they need a vigorous monitoring structure that can identify and sift through large amounts of data to generate meaningful real-time alerts that can be swiftly evaluated and acted upon. A strong monitoring program will also help detect common money laundering schemes in India, such as transfers of illicit funds from offshore accounts. An assessment of money laundering risk in India must also be designed to determine whether the company is in compliance with the RBI’s “Know Your Customer” (“KYC”) guidelines.[23] Similar to the anti-money laundering regulatory regimes of other countries, a key objective of the RBI’s KYC guidelines is to prevent financial institutions from being used by criminal elements for money laundering or terrorist financing activities.[24] Robust KYC procedures enable financial institutions in India to analyze and, ultimately, understand the profiles of their customers and related financial dealings. This, in turn, helps them sensibly manage risks. Financial institutions in India must be particularly careful to identify customers that are foreign financial institutions, senior political figures, foreign corporations, deposit brokers, cash-intensive businesses, and professional service providers (such asconsultants).[25] Among other things, the RBI’s KYC guidelines require financial institutions to follow certain customer identification procedures designed “to obtain sufficient information necessary to establish, to their satisfaction, the identity of each new customer, whether regular or occasional, and the purpose of the intended nature of the banking relationship.”[26] This obligation includes, for example, determination of the beneficial owners of each account (the person on whose behalf the account is ultimately maintained), screening for Politically Exposed Persons (“PEPs”), and special attention for accounts opened by “professional intermediaries.”[27] Accordingly, an anti-money laundering risk assessment in India must ensure that the financial institution’s current KYC program is designed to obtain sufficient data to verify the identity of each and every customer — including address and photograph — to be certain that the RBI’s screening priorities are satisfied. Those conducting the assessment should seek to confirm that, for all customers, the company verifies the legal status of the person or entity through proper documents, whether any person purporting to act on behalf of the legal person or entity is authorized to do so, and the ownership and control of the customer.
Benefits of Effective Risk Assessment and Robust Compliance
The favorable resolution of the FCPA investigation of Morgan Stanley by the DOJ and the SEC in 2012 provides recent and powerful evidence of the benefits to financial institutions of investing resources to conduct regular risk assessments and periodically enhancing their compliance programs based on assessment results. In that matter, a former Morgan Stanley managing director pleaded guilty to one count of conspiring to circumvent the system of internal controls that the bank maintained to prevent violations of the FCPA.[28] Both the DOJ and SEC, however, declined to charge Morgan Stanley itself, citing the company’s effective ethics and compliance program as the primary basis for this decision. Morgan Stanley’s internal policies, “which were updated regularly to reflect regulatory developments and [the company’s] specific risks,” were underscored in press releases and subsequent comments by U.S. officials as a key reason for the determination not to prosecute the bank.[29]
CONCLUSION
While financial institutions and other multinational companies should be enthusiastic about the opportunities presented by India’s increasingly fertile business environment, they should approach their entry into (or expansion within) the country with caution and prudence. Assessing and managing risk in this context is essential for purposes of safeguarding the legal interests of the company and advancing business interests in the Indian market. The practice of periodically evaluating risk plays a critical role in helping companies shape their compliance programs in a way that will help reduce scrutiny by authorities in India (and around the world), and avert improprieties and any attendant criminal, civil, or administrative penalties. Ultimately, adhering to the aforementioned best practices for conducting regular, detailed, and tailored risk assessments will reduce the considerable corruption and money laundering risks posed by India’s vast bureaucracy and informal economy. This article was originally published in the The Review of Banking & Financial Services and has been reprinted here by permission.
