Today, I conclude my exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell who called for her review of compliance programs. The metrics for today’s consideration are around the source of the greatest risk under the Foreign Corrupt Practices Act (FCPA); that being third parties. The metrics laid about by Caldwell are as follows:
- Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?
Management of a Third Party Relationship
Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the managment of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship, “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.”
While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, has noted, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.” But as Caldwell noted it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so.
Relationship Manager for Third Parties
I believe that as a starting point for the management of a third party, your company should have a Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:
- Point of contact with the Third Party for all compliance issues;
- Maintaining periodic contact with the Third Party;
- Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
- Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
- Assisting the company’s Oversight Committee with any issues with respect to the Third Party.
Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the Relationship Manager to provide advice, training and communications to the third party.
I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.
After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.
A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following:
- the effectiveness of existing compliance programs and codes of conduct;
- the origin and legitimacy of any funds paid to Company;
- books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
- all disbursements made for or on behalf of Company; and
- all funds received from Company in connection with work performed for, or services or equipment provided to, Company.
If you want to engage in a deeper dive you might consider evaluation of some of the following areas:
- Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
- Determine that actual due diligence took place on the third party.
- Review FCPA compliance training program; both the substance of the program and attendance records.
- Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
- Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
- Review employee expense reports for employees in high-risk positions or high-risk countries.
- Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
- Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report?
- How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
- Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
- With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.
Tying it all Together
In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Diana Lutz and her colleague Marjorie Doyle, in an article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, gave a checklist to test companies on their relationships with their third parties, which is as follows:
- Do you have a list or database of all your third parties and their information?
- Have you done a risk assessment of your third parties and prioritized them by level of risk?
- Do you have a due diligence process for the selection of third parties, based on the risk assessment?
- Once the risk categories have been determined, create a written due diligence process.
- Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
- Is there someone in your organization who is responsible for the management of each of your third parties?
- What are “red flags” regarding a third party?
The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out in this series, you need to fully document all steps you have taken so that any regulator, and specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics reviewed in this series may not have been anything new but she has laid out what the new Compliance Counsel will be reviewing and evaluating so you understand what will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program.
Caldwell’s short mention of managing third parties is one of the most important metrics of any best practices FCPA compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2015