By Susan Frank Divers, Director, Thought Leadership and Best Practices, LRN
According to data from Stanford Law School, nearly 90% of Foreign Corrupt Practices Act (FCPA) cases involve the actions of third-party intermediaries. That has been true for decades based on worldwide enforcement data. To take a line from the famous film Casablanca, third parties are the “usual suspects” when a major anti-corruption case takes place. What is the best way to mitigate this significant risk, given that companies have limited control over the actions of their third parties?
The US Department of Justice and the Securities and Exchange Commission have set out extensive guidance on best practices: the DOJ’s ongoing Evaluating Corporate Compliance Programs (ECCP) and the Resource Guide to the US Foreign Corrupt Practices Act (FCPA), first published in November 2012 and updated in July 2020.
As set out as set out in DOJ and SEC guidance, there are seven steps in the life cycle of third-party management: 1) business justification; 2) third party questionnaire; 3) evaluation of responses to determine level of risk; 4) risk-based due diligence; 5) resolution/mitigation of any red flags; 6) contract compliance terms and conditions, including payment terms, audit rights, certifications; and 7) management and oversight of third parties after contract signing.
Some of these steps sound deceptively simple but are critical for high-risk third parties that interact with government officials, so let’s look at those in more detail.
What’s the Business Case for Each Third Party?
The 2020 ECCP notes that “prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials.”
A comprehensive rationale is important in anti-bribery risk mitigation and should include the following five elements:
- The name and contact information for your business partner selecting the third party and the proposed third party
- How the business partner came to know about the third party (because it is a red flag if a customer or government representative points towards a specific third party)
- What services the third party will perform, the length of time and compensation rate for the third party
- An explanation of why this specific third party should be used as opposed to an existing or other third party
- Justification for the proposed compensation structures and levels
Thus, it’s important to go beyond a simple SOW and make the business case for using the third party.
Use a Comprehensive Third-Party Questionnaire
A good questionnaire is essential and should cover requests for information on background and experience, ownership, ethics and compliance program and financial controls, even pictures of company offices. Too many companies have discovered after a bribery scandal that their subcontractor was one person with a computer, not an established entity of substance.
And failure to answer questions fully and comprehensively should count as a red flag. Some key areas of focus include determining and documenting third-party entity ownership—in particular, the ultimate beneficial owner rather than a Cayman Islands corporation, for example. You need to determine any ownership interests by foreign government officials or their close relatives or state-owned entities. In addition to complying with US and other jurisdictions’ anti-corruption laws, take into account anti-money laundering, sanctions, and export controls laws which prohibit dealings with banned entities and individuals.
Use the questionnaire to confirm the business justification and rationale for each third party. As stated in the DOJ and SEC resource guide, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.” The questionnaire can document experience, references financial information, personnel, physical locations, staff expertise, and other relevant information that strengthens and supports the business rationale.
The questionnaire can also ask about the entity’s compliance program and internal controls including its compliance history—including any regulatory investigations, scandals or enforcement, and whether it has basic elements such as policies and training, audit, and ability to identify the location of bank accounts. Another area for focus is regulatory compliance, such as confirmation that necessary licenses and permits to operate are valid and sufficient. Be sure to request information on any fines, penalties, investigations, or enforcement actions by regulators as well.
Risk-Based and Updated Due Diligence
As the 2020 resource guide states, “as part of risk-based due diligence, companies should understand the qualifications and associations of its third-party partners, including its business reputation and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”
In practice, this means that the higher the risk of a relationship with a third party, the greater the depth of due diligence is required in establishing and managing the relationship. For example, third parties that provide catering and cleaning carry less compliance risk than those that obtain building or environmental permits, which involve interaction with government officials.
Due diligence is generally recognized in three levels: Level I, Level II, and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
- Level I generally includes reference checks and screening against global sanctions and global watch lists.
- Level II usually involves deep internet searching, including international media and in-country sources.
- Level III can require “boots on the ground” interviews and include open-source intelligence searches as well as retention of foreign law firms.
Manage Your Third Parties
Many companies make the mistake of onboarding third parties but failing to monitor their performance and any changes in the relationship. The 2020 update to the resource guide devotes an entire prong to third-party management and makes clear that the DOJ expects an integrated approach that is operationalized throughout the company and covers the full life cycle of third-party risk management:
Prosecutors should also assess whether the company knows the business rationale for
needing the third party in the transaction, and the risks posed by third-party partners,
including the third-party partners’ reputations and relationships, if any, with foreign
officials. For example, a prosecutor should analyze whether the company has ensured
that contract terms with third parties specifically describe the services to be
performed, that the third party is actually performing the work, and that its
compensation is commensurate with the work being provided in that industry and
geographical region. Prosecutors should further assess whether the company engaged
in ongoing monitoring of the third-party relationships, be it through updated due
diligence, training, audits, and/or annual compliance certifications by the third party.
The update says it all, but ensure that your risk mitigation process follows up and gets notice of any unusual payments or changes in terms and conditions or in the due diligence results. Screening against the list of sanctioned and prohibited parties is essential, as are contractual terms that have audit rights that are exercised if questions arise. Ethics and compliance training is another key element in prevention, as well as making sure that third parties that breach their obligations or fail to cooperate are disciplined.
The bottom line is that the risk of corruption is all too real. So, take steps to ensure that your third parties do not become “the usual suspects.”