JON DUE DILIGENCE POLICY
1. EXECUTIVE SUMMARY
1.1. JON International is aware that is may be held liable for act of corruption by their parties or any individual or entity that has some form of business relationship with JON. Therefore before entering into such relationships with third parties, JON International has taken active steps to draw up a policy to ensure that potential corruption risks flowing from these relations are responsibly evaluated and subsequently managed. This policy sets out the minimum required due diligence procedure for doing business with certain third party service providers and suppliers, (TPSP&S) as defined in Section 3, below. Unless otherwise defined, the term ‘due diligence’ in this document means ‘due diligence for doing business with TPSP&S.’
2. REGULATORY STANDARDS
2.1. This policy is aimed at ensuring that the engagement procedures for TPSP&S incorporate and are a key requirement of legislation such as the UK Bribery Act (UKBA) and the US Foreign Corrupt Practices Act (FCPA), which may be applicable to certain JON International entities and/or operations.
2.2. US Foreign Corrupt Practices Act 1977 (FCPA). Under the FCPA, an organization or individual may be held liable for making payment to a third party while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. According to US Department of Justice guidance issued on the FCPA, the term knowing includes conscious disregard, deliberate ignorance and willful blindness. To avoid being held liable for corrupt third party payments, the US Department of Justice encourages companies to "exercise due diligence and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives".
2.3. The UK Bribery Act 2010. In its Adequate Procedures Guidance to the UK Bribery Act, the UK Ministry of Justice states that "a commercial organization will be liable to prosecution if a person associated with it bribes another person intending to obtain or retain business or an advantage in the conduct of business for that organization". An "associated person" is defined as an individual or entity that "perform services for or on behalf" of an organization. In the event of failure to prevent bribery by an associated person, the UK Bribery Act provides that is a "defence" for an organization "to prove that (it) had in place adequate procedures designed to prevent people associated with (it) from undertaking such conduct".
3. SCOPE AND PURPOSE
3.1. Scope. This policy applies to all JON International group companies, divisions and business units. It applies to TPSPS except the following which may be subject to separate JON International policies: employees, clients, joint venture partners and any other form of corporate investment activates provided that where such relevant person or organization is also engaged with JON International in the capacity as a TPSPS they shall, for that purpose, separately be subject to the requirements of this policy.
3.2. Purpose. The purpose of this policy is to identify certain objectives and requirements in relation to identification and assessment of risks and implementation of appropriate activities to manage bribery and assessment of risks and implementation of appropriate activities to manage bribery and corruption in connection with TPSPS in order to meet applicable legal standards. In essence, this policy is to ensure JON International does business only with ethically acceptable third parties.
4. ROLES AND RESPONSIBILITIES
4.1. Executive management of each division will have the responsibility for complying with this policy and the discretion to define the process, procedures and other mechanisms by which the policy is implemented within the division.
4.2. It is the responsibility of business unit operational management to ensure that all relationships and contracts with TPSPS are subject to the appropriate risk related due diligence process and other relevant activities completed in accordance with this policy.
5. GUIDELINES FOR CONDUCTING THIRD-PARTY DUE DILIGENCE
5.1. The essential requirement of third-party due diligence is to know one’s partner. In operational terms, this means making appropriate inquiries to determine whether an organization’s existing or prospective third parties are honest and can be reasonably expected to refrain from corruption. Effective third-party due diligence should help organizations reach the following conclusion: I am confident that my agent, reseller, supplier etc. does not make corrupt payments, and that our business relationship is a normal, legitimate one. I can explain to, and convince others why my confidence is justified.
5.2. A Risk-based Approach. The level of scrutiny necessary for an organization to reach reasonable confidence that it is engaged in a normal, legitimate business transaction varies with corruption risk. The level of corruption risk determines how much scrutiny is required to be able to defend before a judge or a prosecutor that the organization is confident it is dealing with a bona fide third party. The higher the risk, the broader and deeper the third-party due diligence should be.
5.3. The policy requires that a risk based approach to due diligence be applied and, at the division’s discretion, integrated with existing procurement or other TPSP&S engagement processes. The risk assessment process and action plan should be specific to each division and or business unit according to the nature of their business.
5.4. The due diligence process is on-going and should include a risk rating for existing and new TPSPS. At the division’s discretion, an initial risk assessment may be exercised which applies certain reasonable risk based criteria, as defined by the division in consultation with divisional legal advisors. This will categorize the TPSPS pool for the purposes of prioritizing subsequent, more detailed due diligence and other actions over time.
5.5 In accordance with guidelines, JON International utilizes the following process map as part of its policy:
5.6 A. Scope of Third Parties Understanding the universe of third parties and which ones should be subject to due diligence.
This first step in an effective due diligence process is to understand the organization’s universe of third-party relationships and determine which third parties should be considered “in scope” and therefore subject to risk-based due diligence
6.Defining Third Parties:
Joint venture partner
An individual or organization which has entered into a business agreement with another individual or organization (and possibly other parties) to establish a new business entity and to manage its assets.
Consortium partner
An individual or organization which is pooling its resources with another organization (and possibly other parties) for achieving a common goal. In a consortium, each participant retains its separate legal status.
Agent
An individual or organization authorized to act for or on behalf of, or to otherwise represent, another organization in furtherance of its business interests. Agents may be categorized into the following two types: - Sales agents (i.e. those needed to win a contract) - Process agents (e.g. visa permits agents).
Adviser and other intermediary (e.g. legal, tax, financial adviser or consultant, lobbyist)
An individual or organization providing service and advice by representing an organization towards another person, business and/or government official.
Contractor and sub-contractor
A contractor is a non-controlled individual or organization that provides goods or services to an organization under a contract. A subcontractor is an individual or organization that is hired by a contractor to perform a specific task as part of the overall project.
Supplier/vendor
An individual or organization that supplies parts or services to another organization.
Service provider
An individual or organization that provides another organization with functional support
(e.g. communications, logistics, storage, processing services).
Distributor
An individual or organization that buys products from another organization, warehouses them and resells them to retailers or directly to end-users.
Customer
The recipient of a product, service or idea purchased from an organization. Customers are generally categorized into two types: - An intermediate customer is a dealer that purchases goods for resale. - An ultimate customer is one who does not in turn resell the goods purchased but is the end user.
7. Third-Party Risk Assessment.
The appropriate amount of due diligence will be guided by the results of a risk assessment process. JON International will then assess third parties as high-, medium- or low-risk third parties. The level of risk will ultimately determine the amount of due diligence that JON International believes is required, with high-risk third parties subject to a more detailed due diligence process.
8. Key Risk Indicators:
Geographical Location
Industry
Background and identity of Third Party Connection with Government officials or entities
Compensation structure for proposed payment
Additional factors related to the scope of the services to be rendered Selection of the Third Party
9. Due Diligence
Following categorization of TPSPS, appropriate levels of due diligence must then commence. For low-risk third parties, this process will consist of basic Internet searches and database checks. For medium- to high-risk third parties, more thorough data collection and investigation will take place and where deemed necessary will include input or supervision from an independent business function (e.g. the organization’s compliance or legal department) and, in some cases, the assistance of an external due diligence service provider. In accordance with guidance, JON International recognize three key elements to conducting a thorough third-party due diligence to be:
- Data collection
- Verification and validation of data
- Evaluation of results, including identification of red flags
Once data has been properly verified and validated, JON International will determine whether or not to move forward with the proposed third-party business relationship. To assist with this judgment, collected data will be tested against a “red flag” checklist.
The identification of a red flag does not mean JON International will go ahead with the third-party business relationship. Red flags will be addressed with mitigating measures in place that reflect the level of seriousness of the red flag(s) identified.
A detailed Red Flag Checklist is available.
10. Approval Process and Post-Approval Risk Mitigation
Only when JON International is confident it has sufficiently robust information about the proposed third party and the specifics of the business relationship, will it be in a position to decide whether to go ahead or not with the proposed transaction. This decision will be documented supported by the rationale for the decision alongside any risks exposed during the due diligence process.
a. Approval Process
The responsibility of the risk assessment and due diligence processes will be with those within the company who are looking to enter into a third-party relationship – typically a business unit – in consultation with key subject-matter experts in the organization (e.g. compliance and legal departments). The persons responsible for the risk assessment should document the rating process in reasonable detail and renew the assessment periodically (e.g. once every three years).
Once the risk assessment and due diligence processes are complete, JON International will apply the following system of approval for determining whether or not to move forward with the third party:
- Low-risk third parties, management of the business unit is responsible for approving the business relationship.
- Medium - to high-risk third parties, a minimum of two business units must be involved in the approval process: the management of the business unit, and another level of management which has nothing to gain from the selection of the third party (e.g. the compliance or legal department).
All documentation relating to the risk assessment and due diligence processes, and to the evaluation of red flags, is to be signed by the parties responsible and retained by the JON International.
11. MONITORING, TRAINING AND REVIEW
11.1. Following any agreement of a business relationship with TPSPS, they will be monitored in the following ways:
- A periodic renewal or update of the risk assessment and due diligence processes
- Recurring Internet and database searches to identify new red flags
- Implementing a post-approval assurance program, including training activities and periodic and/or risk-based audits of the third party
- A request for the third party to submit an annual certification of compliance with applicable anti-corruption laws
- A periodic review of the third party’s payment requests and payments
- Tracking unusual or excessive expenses by the third party
11.2. Training will be used to communicate JON International’s anti-corruption standards and procedures to personnel. Training content and method will be tailored to employee responsibilities. Decisions regarding when and in what form to offer training support should reflect the third party’s risk profile and the degree of corruption risk in the relationship.
JON International senior management will monitor the third-party due diligence process, periodically review its suitability, adequacy and effectiveness, and implement improvements where needed. Spot checks may be used to ensure that the due diligence process is properly applied and to deter any potential abuse. The organization will endeavor to regularly reassess due diligence measures ensuring they are adapted