As we discussed in Issue 1 of this series on November 16, the Department of Justice ("DOJ") and Securities and Exchange Commission ("SEC") jointly published a Resource Guide to the U.S. Foreign Corrupt Practices Act (available here). The Guide covers an extensive array of topics and is a convenient one-stop resource on DOJ and SEC’s expectations regarding corporate compliance programs. In Issue 2 on November 27, we examined seven DOJ and SEC expectations for corporate anti-corruption compliance programs generally and provided specific actions that companies can take to help address each one.
This alert will highlight the risks detailed in the Guide that can arise from third-party relationships and outline steps a company can take to identify suspect third parties initially or red flags after the third-party relationship has been formed.
Why You Should be Aware of Third-Party Risks
Although third parties often play a fundamental role in a company’s business in foreign jurisdictions (e.g., identifying local opportunities, developing local relationships and advising on local customs), they also can pose significant corruption risk. The Guide reemphasizes that individuals and companies can be subject to civil and criminal penalties under the FCPA for corrupt payments to foreign officials made on their behalf by third parties – such as agents, consultants and distributors. In addition, DOJ and SEC make it clear that they use a low threshold when assessing whether a person or company possesses the requisite knowledge to be liable for a third-party’s conduct. For example, they stress that a "head-in-the-sand" approach to, or conscious disregard of, unlawful third-party payments and conduct will not insulate an individual or company from criminal liability for such actions.
Common Third-Party Red Flags
To assist companies in understanding third party risk, DOJ and SEC identify these common red flags in the Guide:
- "excessive commissions to third-party agents or consultants;"
- "unreasonably large discounts to third-party distributors;"
- "vaguely described services" within third-party consulting agreements;
- the third party’s line of business differs from that for which it has been engaged;
- "the third party is related to or closely associated with the foreign official;"
- a foreign official initiated or requested the third party’s involvement;
- the third party is "a shell company incorporated in an offshore jurisdiction;" and
- the third party requests payment to offshore bank accounts."
To reduce the risk of these red flags arising, and to identify them when they do occur, the Guide includes recommendations that a company conduct risk-based due diligence before engaging a third party and routine oversight of third parties with whom it currently does business.
Due Diligence and Monitoring of Third Parties
In the Guide, DOJ and SEC emphasize that one of the hallmarks of an effective anti-corruption compliance program is risk-based due diligence of third parties. A due diligence program should be scaled according to the characteristics of the third-party engagement, including:
- the historical relationship with the third party;
- the size and nature of the transaction; and
- the industry and country involved in the transaction.
While DOJ and SEC discourage a static, one-size-fits-all approach to addressing third-party risk, the Guide does include guiding principles that can assist in-house counsel and compliance officers in assessing whether their company’s due diligence and oversight of third parties is sufficiently robust:
A. Learn the Third Party’s Background. A critical part of any risk-based due diligence is the review of a third party’s credentials and affiliations – particularly its business reputation and any relationships with foreign officials. This review should occur before using the third party and intensify as red flags appear.
Action Items: (1) Perform background and reference checks on the third party; (2) require the third party to complete a due diligence questionnaire (including questions on relationships with foreign officials); and (3) screen the third party against sanctions databases.
B. Understand the Business Purpose for the Third-Party Relationship. Understanding a third party’s role – from a business perspective – in a given transaction is essential to assessing the third party’s corruption risk. A company should be wary of involving a third party in a transaction if it does not have a lawful and legitimate business rationale for the third party’s involvement.
Action Items: Some actions a company can take to ensure a third party is engaged for the right reasons include:
- ensure the third party’s contract terms specifically describe the services to be performed;
- assess the difference, if any, between the third party’s payment terms and the payment norms within the industry, country involved, and company;
- determine the circumstances surrounding the third party’s entrance into the business; and
- audit the payments to the third party to ensure that its compensation is consistent with the services performed and that the services specifically described in the contract are actually being done.
C. Mak e the Third Party Aware of Your Commitment to Compliance. DOJ and SEC noted in the Guide that they "also assess whether the company has informed third parties of the company’s compliance program and commitment to ethical and lawful business practices."
Action Items: (1) Ensure your company’s retention agreement with the third party contains representations, warranties and covenants by the third party regarding compliance with the FCPA and the anti-corruption laws applicable to the third party and company, in addition to termination rights for your company; and (2) consider requiring the third party to complete anti-corruption training and/or requesting reciprocal compliance assurances from the third party (e.g., through certifications) based on risk.
D. Monitor Your Third-Party Relationships Routinely. Companies should periodically assess the effectiveness of their due diligence and third-party anti-corruption compliance training.
Action Items: Based on risk, (1) exercise contractual audit rights; (2) seek annual compliance certifications from the third party; and (3) assess the sufficiency of the company employees’ oversight of the third party’s work and conduct.
Third-party relationships will continue to be an area of significant corruption risk for companies conducting business internationally. A recent survey by Kroll Advisory Solutions of corporate compliance officers at U.S. multinational corporations found that third parties pose the largest overall risk for corporate compliance programs. To mitigate this risk, companies should be diligent in understanding and identifying third-party red flags and implementing risk-based due diligence throughout the lifetime of a third-party relationship, based in part on the guiding principles noted above. However, these efforts to prevent and detect third-party problems will be mostly futile if a company fails to address a problem with meaningful action, such as determining the scope of the problem through an internal investigation, cutting ties with culpable third parties and updating your compliance program to reduce the risk of recurrence.
Next in the Series:
We will examine the government’s specific compliance expectations regarding gifts, hospitality and entertainment in our next alert. M&A and confidential reporting/internal investigations will be addressed in future installments of this client alert series.