We are in an exploration of the recently released Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance), which was announced (ECI speech) by Assistant Attorney General Brian Benczkowski at the Ethics and Compliance Initiative (ECI) Impact 2019 Conference. It is an update to the 2017 Evaluation of Corporate Compliance Programs, released in February 2017. The new document is available for download at no charge. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner or professional, and anyone else interested in the latest thinking of the Department of Justice (DOJ) on what constitutes a best practices compliance program. This series is reviewing the first substantive section of the 2019 Guidance, regarding what should go into a well-designed compliance program or, as it states, “Is the corporation’s compliance program well designed?” This section on well-designed compliance programs covers the basics of a risk assessment, the foundation of policies and procedures, effective training, and confidential reporting and investigations. Today, I consider third parties.
Third parties are still recognized as one of the very top risks under the Foreign Corrupt Practices Act (FCPA). On this point, the 2019 Guidance states, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions. Prosecutors should also assess whether the company knows its third-party partners’ reputations and relationships, if any, with foreign officials, and the business rationale for needing the third party in the transaction.”
Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?
Linking contractual compensation to performance should increase third-party performance. This is especially valuable when agreed-upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low-hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop compliance KPIs.
You should rank third parties based upon a variety of factors, including performance, length of relationship, benchmarking metrics and KPIs. This gives the compliance practitioner an ongoing risk ranking for third parties that can serve as the preventative and even proscriptive prong of a compliance program, and it allows compliance resources to be directed to those third parties that most need or warrant them.
Appropriate Controls – How does the company ensure there is an appropriate business rationale for the use of third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?
This prong breaks down into two parts: business sponsor and business justification. The purpose of the business justification is to document the adequacy of the business case to retain a third party. The business justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory that this document be completed, in full, by the business sponsor, who will be the primary contact with the third party for the life of the business relationship. The business sponsor will also be your key first-line resource for documenting that the services contracted for have actually been performed.
Management of Relationships – How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third-party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties?
One of the key elements of any third-party contract is compensation. If the commission rate is too high, it can create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term, stable relationship with a third party, you can tie compensation to long-term performance, specifically including long-term compliance performance. This requires the third party to put skin in the compliance game, so that it has a vested, financial interest in getting things done in a compliant manner.
Management of the relationship is where the rubber meets the road in FCPA compliance when it comes to third parties. If your organization does not manage its third parties, your work up to this point will be for naught. Audit rights are obviously critical, but you must actually exercise them going forward.
I hope you are planning to attend the 14th Annual Compliance Week conference this year, held from May 20-22 in Washington, D.C. at the Mayflower Hotel. It is truly one of the top compliance and ethics conferences of the year. It features not only speakers from compliance, but auditors, lawyers, government regulators, and industry leaders. This year, I am leading a pre-conference workshop on Sunday afternoon about handling internal investigations and performing a root cause analysis. Monday will include a keynote address from the always-popular Hui Chen, which sets the tone for speakers throughout the event. To review the full agenda, see who is speaking or review the registration information, click on the appropriate link.
Best of all, if you have read this blog, you are eligible for a discount on the conference cost. Enter code “TOM300” at checkout to save $300 on your registration.
If you only attend one compliance conference in 2019, this is the event for you!
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2019