Last month, e.l.f. Cosmetics reached an agreement with the U.S. Department of the Treasury to pay a nearly $1 million fine related to apparent violations in the company's supply chain.
According to Lexology reports last week, e.l.f. was found to have been sourcing materials from two Chinese suppliers for false eyelash products. Regulators found the company completed 156 shipments worth a combined $4.4 million into the U.S. from those suppliers.
The China-based suppliers themselves were not what landed e.l.f. in hot water, though. Rather, those suppliers had themselves been sourcing from North Korea, and e.l.f.'s importation of those goods via China was found to be in violation of the Treasury's Office of Foreign Assets Control (OFAC) North Korea Sanctions Regulations.
Importantly, e.l.f. notified regulators when it discovered the violations. The 156 shipments could have yielded a maximum fine of more than $40.8 million, reports said, but e.l.f. settled for $996,080, in part because the company cooperated and initially disclosed the violations.
The case highlights the risks and challenges companies face in not only vetting their suppliers, but vetting their suppliers' suppliers, with third-party vendors a potential source of non-compliance for importers.
"Throughout the time period in which the apparent violations occurred, ELF's OFAC compliance program was either non-existent or inadequate," the OFAC wrote in its enforcement notice dated Jan. 31, 2019. "The company's production review efforts focused on quality assurance issuers pertaining to the production process, raw materials, and end-products of the goods it purchased and/or imported.
"Until January 2017," the OFAC continued, "ELF's compliance program and its supplier audits failed to discover that approximately 80 percent of the false eyelash kits supplied by two of ELF's China-based suppliers contained materials from the DPRK [Democratic People's Republic of Korea]."
According to King & Spalding LLP, which discussed the case in the Lexology article, the settlement "serves as a warning" to businesses operating with partners across borders.
Know Your Supplier
Last year the Center for Financial Professionals and Aravo Solutions, a third-party risk management solution provider, released a survey on the struggles companies face to manage compliance requirements. Most third-party risk management programs in place today remain in their early stages, researchers found, and struggle to manage the scope of risks to which their firms are exposed, including cybersecurity and fourth-party risk.
Seventy-five percent of companies surveyed said they did not maintain a single list of all of their third-party relationships (6 percent said they were not sure how many third party relationships they had), while 72 percent added they would not be able to quickly produce a report on all of their third-party relationships.
The vast majority also admitted that they do not conduct due diligence on all third parties, and 20 percent said they do not require their third-party partners to disclose their sub-contractors.
In a recent interview with PYMNTS, Dun & Bradstreet Global Head of Compliance and Supply Products Brian Alster explained that managing third party risk is made even more difficult as regulations tighten.
"The level of due diligence is greater than any time in the past several decades, because regulators around the world are requiring more," he said. "In that environment, one would expect there would be significant investments in people or technology to keep up with the increased requirements — and, unfortunately, that's just not the case."
Recent data breaches have highlighted the risk of due diligence failure, with data released last November from Opus finding that nearly 60 percent of companies have experienced a data breach as a result of a third party or supplier facing its own security lapse.
But e.l.f.'s recent settlement emphasizes the continued challenge companies face in managing regulatory risks down their supply chains, too.
According to reports, following the disclosure of the violations, e.l.f. took a series of steps to enhance its third-party risk management processes., including the adoption of supply chain audits with country-of-origin verification, a new requirement of vendors to sign compliance certificates, introduction of payment verification and supplier bank account reviews, collaboration with outside counsel and mandatory training for employees.