US companies and others subject to jurisdiction under the Foreign Corrupt Practices Act (FCPA) can be held vicariously liable for an FCPA violation committed on their behalf or at their direction by third parties. In fact, most enforcement actions brought by the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) under the FCPA involve third parties. International consultants, sales representatives and distributors represent a huge danger area for defense contractors (and other companies) seeking to grow their international business in high-risk countries around the world. This danger has been especially great for defense companies because of the declining US defense budget over the past four years and the continuing uncertainty over the impact of sequestration. This has led them to focus on growing their international business and diversifying into new areas and “commercial adjacencies,” involving high-risk countries in emerging markets and doing business with and through many new third parties. The FCPA compliance risk posed by these third parties makes having and maintaining an effective FCPA due diligence procedure critically important. This article will examine several “guiding principles” which the DOJ and SEC have said “always apply” to an effective third party due diligence program. It also will discuss a number of “red flags” to watch out for when engaging third parties and provide a couple of real-life examples of how these red flags have been discovered and addressed.

In the Resource Guide to the FCPA (Resource Guide), the DOJ and SEC observed that third parties, including agents, consultants and distributors, are commonly used to conceal bribery in international business transactions. The Resource Guide states that risk-based due diligence is especially important with third parties and will be considered by the DOJ and SEC in assessing the effectiveness of a company’s compliance program. The Resource Guide notes that while the degree of appropriate due diligence will vary based on the industry, size and nature of the transaction, and historical relationship with the third party, several guiding principles always apply.

First, as part of risk-based due diligence, companies should always understand the qualifications and associations of their third party partners, including their business reputations and relationships with foreign officials. The DOJ and SEC are essentially highlighting the need to “know-your partner,” requiring an understanding of the proposed partner’s qualifications and capabilities, reputation in the marketplace, and business or family connections with foreign officials. Effective due diligence without this most basic information about a proposed third party would be impossible.

Second, according to the Resource Guide, companies should always understand the business rationale for working with the third party in the transaction. This includes confirming the role and need for the third party, ensuring the contract specifically describes the services to be performed, considering the payment terms in light of industry norms, confirming the third party is actually performing the work, and confirming that the compensation is commensurate with the work. Like the first principle, understanding the proposed third party’s value proposition – what he is selling and how – makes eminent sense from both a commercial reality and FCPA compliance standpoint. If the third party will not be performing real and necessary services or is receiving unreasonably high compensation that does not make commercial sense, there are serious FCPA compliance or fraud concerns that must be investigated and resolved.

The third principle that, according to the Resource Guide, always applies is that companies should monitor their third party relationships, for example by updating the due diligence, exercising audit rights, providing periodic training, and/or requesting annual compliance certifications. This principle, like the first two, represents good common sense and is a prerequisite for any compliance program operating effectively over time. The initial due diligence on a third party must be periodically updated because owners, employees and circumstances change. Compliance by the third party with the company’s anti-corruption policies and procedures must be monitored on an ongoing basis, whether by auditing the third party’s books or otherwise, and FCPA compliance training must be conducted periodically. Based on personal experience, I would recommend refreshing the formal FCPA due diligence on a consultant, representative or distributor at least every two years and conducting live FCPA and ethics compliance training on a biennial basis. In the year in which such compliance training is not conducted, I would recommend a live FCPA due diligence interview with the third party conducted by a lawyer experienced in FCPA compliance matters.

Finally, the Resource Guide recommends that companies inform third parties about their compliance programs and, where appropriate, obtain assurances through FCPA certifications or otherwise. This can be done through both live FCPA compliance and ethics training and the FCPA due diligence interview with the third party. A company should be constantly reminding the third party of its commitment to compliance. This commitment must be genuine and a clear prerequisite to continuation of the relationship with the third party.

The Resource Guide also identifies a number of “red flags” to watch out for when engaging third parties. These “red flags” include excessive commissions to agents or consultants; unreasonably large discounts to distributors; consulting agreements with only vaguely described services; the consultant is in a different kind of business that what he has been retained for; the third party is related to or closely associated with a foreign official; the third party becomes part of the transaction at the request or insistence of a foreign official; the third party is merely a shell company incorporated in an offshore jurisdiction; and the third party requests payment to offshore bank accounts.

A couple of real-life examples illustrate how these “red flags” have arisen in actual transactions and have been addressed. In the first example, a proposed Malaysian representative for the sale of a satellite ground station was demanding a flat 15% commission from a business unit that normally paid commissions on a sliding scale basis starting at 5% and ending at 0.5%. In the face-to-face due diligence interview that the US defense contractor conducted with every proposed international consultant, representative and distributor, the proposed Malaysian representative explained that she required a flat 15% commission, but that this should not be a problem as it could be built into the price of the ground station. She explained that the Malaysian government would “never be the wiser” so long as the commission was paid to her outside of Malaysia. In response to a question about her office and support staff, she said that she did not have an office or employees and that she worked through the office of a Swiss lawyer located in Zurich. She explained that she was a “close personal friend” of the then-Malaysian Prime Minister and winked at the interviewers. She said that she did not need an office or employees in her type of business. When asked if she planned to pay any portion of the requested 15% commission as a bribe, she said that she preferred to call it “incentivization” and noted that, “No one is going to help you in Malaysia for nothing.” The defense company obviously did not retain this proposed representative.

In a second example, a US defense contractor wanted to sell avionics pods to the Royal Thai Air Force (RTAF) for use on certain fighter aircraft. An RTAF Air Vice Marshal told the defense contractor’s local business development employee that this procurement opportunity was going to be complicated and the company needed an effective sales representative. The Air Vice Marshal on several occasions recommended that the defense company retain a particular sales representative, a newly formed Thai company owned by a jeweler. The defense contractor’s legal department conducted a face-to-face due diligence interview with the owner of the proposed Thai representative and learned that he and his company had no past experience in selling defense products or systems. Rather, his experience involved the jewelry business, though he did have a good relationship with the Air Vice Marshal involved in the procurement. After the initial due diligence interview with the jeweler, the Air Vice Marshal requested a meeting with the company’s lawyer and offered to put the jeweler together with another, more experienced businessman if the jeweler’s lack of industry experience was a concern.

Not surprisingly, the defense contractor declined to retain the jeweler’s company and retained another, more experienced sales representative not selected by the RTAF officer. The US company lost the contract to a French competitor. According to a Thai newspaper article at the time, the French company had bribed the selection committee that awarded the contract and the pod purchased by the RTAF was not fully compatible with the US fighter aircraft on which it would be mounted.

There are several points to these true stories. First, due diligence on third parties such as the two proposed sales representatives is absolutely critical. Both cases also illustrate the importance of a face-to-face interview conducted by an experienced FCPA practitioner. If the due diligence had been conducted merely by filling out forms and certifications, important information about the proposed representatives would not have been obtained.

Second, both examples illustrate two of the principles articulated by the DOJ and SEC in the Resource Guide – the need to understand the qualifications and associations of a company’s third party partners and the need to always understand the business rationale for working with the third party, what the third party will actually do and how he will do it.

Finally, the examples illustrate the very real and non-theoretical nature of the “red flags” identified by the DOJ and SEC in the Resource Guide. The risk of retaining third parties who will serve as conduits for bribes to foreign officials is all too real in many countries around the world. Failure to conduct adequate FCPA due diligence on such third parties is an invitation to disaster.