I am currently attending the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston. The event is excellent and the presentations have been ‘spot on’ for the nuts and bolts of how to do compliance. As the conference is in Houston, a number of the speakers and attendees are from energy companies but the concepts that are being discussed apply to all companies which have an anti-corruption or anti-bribery compliance program. One of the things that came through each of the presentations was that as compliance programs mature, many companies are developing programs which are more tailored towards the risks that companies face, which are ascertained through more sophisticated risk assessments and management of those risks.
This pattern is certainly consistent with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance which says that a company should assess its risks and manage its risks. From this starting position, a company can then put together a well thought out and reasoned approach to Foreign Corrupt Practices Act (FCPA) compliance. Many of the presentations dealt with third parties and the differing responses and approaches companies have developed for the specific risks that they have uncovered.
Clearly third party risk mitigation through due diligence is key. How much due diligence is enough? One speaker said that it is a balancing call to determine the right amount. There were several presentations which spoke about the increasing use of technology to assist companies in this process. One speaker, a former federal prosecutor, said that one of the things that she looked for when a prosecutor was the ‘thoughtful analysis’ that the FCPA Guidance speaks about. To this end she believes that the human element will always be important because prosecutors want to see the thought process of not only how your program is designed but how you have crafted your risk mitigation based upon the information that you have assessed.
One of the speakers listed some of the factors to begin the review of your third parties. Recognizing that there is no one all-encompassing list, she suggested the following:
- How many third parties do you have?
- Where are these third parties located?
- Industry or sector do you conduct business?
- What is the relationship of the third party to a foreign government or state owned enterprise?
- Are the owners of the third party related at all to government employees?
- Is the use of the third party a business necessity or not? Why do you need to use sales representatives?
- What are the reputations and qualifications of the third parties? Can they do what you need them to do from a commercial perspective?
- How much control will you have over the third parties? Contrast the control that you have over sales agents with the lesser amount of control that you have over distributors and joint ventures.
From the answers to some of these questions you can begin to craft your third party due diligence inquiries. I was intrigued by one speaker who speech contrasted the steps that you might take with a lower risk third party with that of a higher risk third party. She likened the lower risk approach to that of a compact car and set out the following suggestions:
- Rank each third party by the risk you have assessed;
- Perform an Internet search on the third party;
- Perform reference checks on the third party;
- Interview control persons involved with the third party;
- Agreement to abide by anti-bribery and anti-corruption laws;
- Insert appropriate compliance terms and conditions in your third party contracts.
She contrasted the Compact model with what she termed the ‘Luxury model’ requirements of a third party program:
- Prioritize your third parties by risk;
- Appoint a Business Unit sponsor for each third party;
- Develop a detailed third party application;
- Perform an electronic records search on each third party;
- Also perform independent screening of each third party;
- Perform reference checks on each third party;
- Perform site visits and interviews of each third party;
- Have each third party acknowledgement your company’s Code of Conduct;
- Require each third party to go through ethics training;
- Create a company committee, consisting of internal business, legal and compliance representatives to review your high risk third parties;
- Insert compliance terms and conditions into each third party contract;
- Require both internal and external audits of each third party;
- Perform annual updates on your third parties; and
- Perform quarterly electronic database rescreening.
There was also a discussion of some common Red Flags that you should be on the outlook for. They included:
- Excessive commissions paid to third parties;
- Unreasonable discounts given to third parties such as distributors;
- Vaguely described services in a third party contract or invoice back to your company;
- A third party which is in a different line of business than the one you want to hire to assist your company;
- Close association by the third party with a Foreign Official;
- Retention of the third party is required by a Foreign Official;
- The third party is a shell company located offshore; and
- Payments made to the third party are in a country different from the location where the third party’s services are delivered.
The concepts I derived from this presentation is that you should assess and manage your risks. If you determine them to be low, the Compact Model may work for you. If your third party risks are high, then the Luxury Model may be more appropriate. If you use a thoughtful and reasoned approach, you can navigate this area. But always Document, Document and then Document what you have done and why.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2013