In a speech before the SIFMA Compliance and Legal Society New York Regional Seminar in November 2015, then Assistant Attorney General Leslie Caldwell laid out metrics the Department of Justice would consider in evaluating a corporate compliance program around third parties. Caldwell began with the following question, “Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?” This inquiry was brought forward into the Justice Department’s Evaluation of Corporate Compliance Programs.
Management of a Third Party Relationship
Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the management of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship, “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.”
The 2012 FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships.” In practice this means that you must have an experienced compliance and audit team, actively engaged in the corporate office and in the business units, to ensure that financial controls and compliance policies are followed and that remedial measures for violations or gaps are tracked, implemented and rechecked, as additional detection and prevention. Caldwell, however, noted that a more encompassing “sensitization” to anti-corruption compliance is needed. There are several ways for you to do so.
Relationship Manager for Third Parties
The starting point for the management of a third party is your Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:
- Point of contact with the Third Party for all compliance issues;
- Maintaining periodic contact with the Third Party;
- Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
- Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
- Assisting the company’s Oversight Committee with any issues with respect to the Third Party.
Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff, so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. Such a resource can also provide anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance professional should work closely with the Relationship Manager to provide advice, training and communications to the third party.
I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group, but the key is to have senior management put a ‘second set of eyes’ on any third parties who might represent the company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a way to deliver additional management of that risk.
After the commercial relationship has begun, the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract, including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to ensure such payments are within company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.
A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline, I would suggest that any audit of a third party include, at a minimum, a review of the following:
- the effectiveness of existing compliance programs and codes of conduct;
- the origin and legitimacy of any funds paid to Company;
- books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
- all disbursements made for or on behalf of Company; and
- all funds received from Company in connection with work performed for, or services or equipment provided to, Company.
If you want to engage in a deeper dive you might consider evaluation of some of the following areas:
- Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
- Determine that actual due diligence took place on the third party.
- Review the FCPA compliance training program, both the substance of the program and attendance records.
- Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, a hotline or any other reporting mechanism.
- Does the third party have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
- Review employee expense reports for employees in high-risk positions or high-risk countries.
- Test for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
- Review the overall structure of the third party’s compliance program. If the third party has a designated compliance officer, to whom, and how, does that compliance officer report?
- How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
- Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
- With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.
Tying it all Together
In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out herein, you need to fully document all steps you have taken so that any regulator, and most specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics portended the Evaluation and what the DOJ will be reviewing and evaluating going forward, so that it is clear what will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program.
Three Key Takeaways
- It all starts with a Relationship Manager.
- Have company oversight of all third parties.
- Audit, monitor and remediate on an ongoing basis.
This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.