Before Jim Crane came along to purchase the Houston Astros and provide us all with some of the best lessons learned for the compliance practitioner, they had a long and storied history, even if part of that history included not achieving much in the way of success. After all, it took the Astros 50 years to reach the World Series (reach – not win). Before they had that inglorious run, they were known as the Houston Colt 45s and they were even more sad sack than after they re-monikered themselves as the Astros.

In the Pantheon of baseball achievements one Houston Colt 45 stands above all. It is Ken Johnson, who died earlier this week. Johnson’s achievement – he is the only pitcher in the long and storied history of baseball, who pitched a complete game no-hitter and lost. In a game against the Cincinnati Reds, on April 23, 1964, with one out in the 9th inning, Johnson fielded a bunt by Pete Rose and threw wildly to first, allowing Rose to reach second. Rose scored two batters later on an error by second baseman Nellie Fox. The Reds won the game 1-0.

I thought about hard luck Ken Johnson in the context of the continued difficulty companies face around liability for third parties under the Foreign Corrupt Practices Act (FCPA). There are two areas that do not get as much attention that I wanted to focus on today. The first is the Questionnaire you utilize to help in the evaluation of any third party and the second is the compliance terms and conditions you should include in any commercial agreement with third parties.

Below are some of the areas that I think you should inquire into through your Questionnaire to a proposed third party:

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials?
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe what physical facilities will be used by the third party for your work. Be sure to obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • PEPs: Are any of the owners, beneficial owners, officers or directors politically exposed persons (PEPs)?
  • UBO: It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials.
  • FCPA Training and Awareness: Has the proposed third party received FCPA training, are they TRACE certified or certified by some other recognizable entity?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

The questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as important is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Similarly, compliance terms and conditions should be in every contract, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it:

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simple to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the Department of Justice (DOJ) will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the Deferred Prosecution Agreement (DPA) and in the FCPA Guidance. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party.

Two of the under-utilized tools of third party risk management are the third party questionnaire and compliance terms and conditions. By using these relatively simple and straightforward techniques you can help avoid the hard-luck nature of Ken Johnson and losing the game when you pitch a no-hitter.

A Happy Thanksgiving to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

The attacks in Paris and subsequent events have horrified any right-minded person. The slaughter of innocent civilians sickened the world and the outpouring of support for the city of Paris, the country of France and the French people has been universal. One of the things that I thought about in the aftermath is the intersection of corruption and terrorism. The EU open border policy and its banks’ notoriously lax money laundering regimes and enforcement could certainly have contributed to some of the underlying factors leading to the attack. I am sure there will be aggressive and robust responses from governments across the globe involving new and beefed up anti-money laundering (AML) laws. This is something the anti-corruption compliance practitioner and all US companies need to prepare for in the days and weeks to come, largely in response to the attacks in Paris.

Most anti-corruption compliance practitioners and most US companies do not focus on AML compliance or corporate AML controls. However, the bad guys think about how to move money around from their ill-gotten gains quite a bit, using the most innocuous types of business. In an article in the Los Angeles Times (LAT), entitled “Cartels use legitimate trade to launder money, US and Mexico say”, reporters Tracy Wilkinson and Ken Ellingwood described a process whereby teams of money launderers working for cartels use dollars to purchase a commodity from the US and then export the commodity to Mexico or Colombia. A key is that “Paperwork is generated that gives a patina of propriety” which means that drug money is given the appearance of legitimate proceeds from a legitimate commercial transaction. An Immigration and Customs official interviewed said, “It’s such a great scheme. You could hide dirty money in so much legitimate business, and they do. You can audit their books all day long and all you see is goods being imported and exported.” Another scheme involved several executives of Angel Toy Company, who conspired with Mexican drug cartels to launder drug money through a scheme to purchase Teddy Bears (of all things), for shipment back to and for resale in Mexico. The plan was straightforward, just under $10K of cash for each shipment of Teddy Bears, which were then resold in Mexico.

The key is that the commodities being purchased are so mild that large bulk purchases will rarely, if ever, draw any official scrutiny. The goods purchased can be red tomatoes or bolts of cotton fabric. In either case, the commodity itself does not matter, as the simple fact of purchasing in the US, shipping into, and reselling in Mexico allows the drug cartels to “transfer earnings back home to pay bills and buy new drug supplies while converting dollars to pesos in a transaction relatively easy to explain to authorities.”

However, now money launderers use even more sophisticated tactics such as “overvaluing and undervaluing invoices and customs declarations.” There is even a new term “trade-based money-laundering” used to denominate the schemes. It was reported that in another operation, which was estimated to launder over $1MM every three weeks, money launderers were exporting from the US to Mexico polypropylene pellets that are used to make plastic. However, the money launderers inflated the value declared on the high-volume shipments and this eventually attracted suspicion of US bank investigators, “who shut down the export operation by discontinuing letters of credit that the suspected launderers were using.” One official noted, “You generate all this paperwork on both sides of the border showing that the product you’re importing has this much value on it, when in reality you paid less for it. Now you’ve got paper earnings of a million dollar and the million dollars in my bank account – it’s legitimate. It came from this here, see?”

Transaction-based due diligence and internal controls are mandatory components of a Foreign Corrupt Practices Act (FCPA) minimum best practices compliance program. In addition to due diligence on agents, distributors or others in the sales distribution chain, companies need to perform due diligence on those to whom they sell. If someone from Mexico suddenly comes to your business and wants to buy widgets with cash, this needs to send up a huge Red Flag.

Banks and financial institutions have led the way in fighting money laundering through their robust AML controls. Below I have listed some AML Red Flags that you can begin to use now:

  1. Legitimacy of the party and/or assets are undeterminable through due diligence or independent verification;
  2. The party proffers false, misleading or substantially incorrect information and documentation;
  3. The party suggests transactions involving cash or insists on dealing only in cash equivalents;
  4. The party refuses to disclose or to provide documentation concerning identity, nature of business, or nature and source of assets;
  5. The party refuses to identify a principal or beneficial owner;
  6. The party appears to be acting as an agent for an undisclosed principal or beneficial owner, but is reluctant to provide information, or is otherwise evasive, regarding the identity of the principal or beneficial owner;
  7. The party is a shell company and refuses to disclose the identity of the party’s beneficial owner;
  8. The party has assets that are well beyond its known income or resources;
  9. The party requests that funds be transferred to an unrelated third party and is unable to provide sufficient legitimate and independently verifiable justification for such request;
  10. The party requests a wire transfer to a jurisdiction other than the one in which the party is located and is unable to provide sufficient legitimate and independently verifiable justification for such request, particularly if located in an “offshore” bank secrecy or tax haven;
  11. The party engages in transactions that appear to have been structured so as to avoid government reporting requirements, especially if the cash or monetary instruments are in an amount just below reporting or recording thresholds;
  12. The party exhibits unusual concern about compliance with government reporting requirements;
  13. The party exhibits a lack of concern regarding risks or other transaction costs;
  14. The party wishes to engage in a transaction that lacks business sense, economic substance or apparent investment strategy;
  15. The party lacks general knowledge of its industry or lacks adequate facilities or qualified staff to perform the required tasks or work;
  16. The party requests that a transaction be processed in a manner that circumvents procedures or avoids documentation requirements;
  17. The party is included on a list of Specially Designated Nationals, or similar lists maintained by the U.S. Government and the United Nations, or is associated with such individuals and entities;
  18. The party is located or has accounts or financial dealings in countries either identified as being non-cooperative with international efforts against money laundering by the Financial Action Task Force, or against whom the U.S. Treasury Department has issued an advisory;
  19. The party, or any person associated with the party, is or has been the subject of any formal or informal allegations (including in the reputable media) regarding possible criminal, civil or regulatory violations or infractions; and
  20. The independent due diligence conducted uncovers allegations that raise concerns regarding the party’s integrity.

Obviously there is a large overlap with anti-corruption due diligence and red flags. While most anti-corruption compliance practitioners understand the basic concepts behind Know Your Customer programs, including due diligence and policies and procedures, most of corporate America is quite far behind banks and financial institutions in the sophistication around detecting, investigating and reporting suspicious transactions. I think companies will need to take a look at the steps they place around AML compliance and the sooner the better.


© Thomas R. Fox, 2015

Daryl Dawkins died yesterday. To anyone who followed the National Basketball League (NBA), Dawkins will always be remembered with the brilliant Stevie Wonder-derived moniker – Chocolate Thunder. I will also remember him for three things. First he was one of the very rare high school stars who went straight to the NBA with no college stop and was successful. The second was when he squared off to fight Maurice Lucas of the Portland Trailblazers during the 1977 NBA finals. Let’s just say Dawkins’ slaps at Lucas did not come close to hitting their mark. Number 3 was his thundering dunks, particularly one in a game against the Kansas City Kings at Kemper Arena on November 11, 1979, when Dawkins threw down such a massive dunk that the backboard shattered. Then three weeks later he did it again.

As noted Dawkins was one of a very few high schoolers to NBAers who did even passably well. His contemporary Bill (Pugh) Willoughby had some success with Atlanta and, of course, Moses Malone had a Hall of Fame career, later taking those now Dawkins-less Philadelphia 76ers to the NBA promised land in 1983. I thought about Dawkins and his lack of college seasoning while reading the absolutely disgusting story of Art Briles, the University of Baylor, its football team and the saga of Sam Ukwuachu.

Jessica Luther and Dan Solomon have been following this sorry spectacle. In an article in Texas Monthly, entitled “Silence at Baylor”, they wrote, “That Ukwuachu transferred to Baylor in May 2013 because he had been kicked off the Boise State team for a previous incident of violence involving a female student; that Ukwuachu claimed after the transfer was announced that Baylor’s coaches “knew everything” about what happened in Idaho; and, as indicated by court documents obtained by Texas Monthly, the two programs had some communication regarding Ukwuachu in which Boise State officials expressed reticence about supporting the player’s efforts to get back on the field.”

Art Briles, the Baylor head football coach, claimed that he was never informed by anyone at Boise State about Ukwuachu’s prior incident, even implying they had covered it up. Yet Chris Petersen, then head coach at Boise State and now head coach at the University of Washington, said he had fully disclosed to Briles the details about Ukwuachu. Petersen said in a statement, “After Sam Ukwuachu was dismissed from the Boise State football program and expressed an interest in transferring to Baylor, I initiated a call with coach Art Briles,” Petersen said. “In that conversation, I thoroughly apprised Coach Briles of the circumstances surrounding Sam’s disciplinary record and dismissal.” It is known that Boise State did not support any waiver that would have allowed Ukwuachu to play immediately for Baylor upon his transfer. In the fall of 2014 Ukwuachu sexually assaulted a female soccer player. Ukwuachu was indicted and convicted this month of second-degree sexual assault. His sentence – 180 days in jail and 10 years probation.

Briles and Baylor have claimed they are really the aggrieved party here because if Coach Petersen or anyone at Boise State had told them that Ukwuachu had been disciplined or dismissed from the Boise State team for sexual assault they would never have given him a full scholarship to Baylor. This means Briles and Baylor would have simply ignored the football facts that Ukwuachu was a Freshman All-American and highly recruited high school athlete. Indeed in early June of this year, Baylor defensive coordinator Phil Bennett said at a luncheon in Fort Worth for the Baylor Sports Network, that he expected Ukwuachu to play this year. This was in the face of a trial scheduled to begin some two months later.

All of this was overlaid by a university which, if not trying to suppress all this news about Ukwuachu, certainly did nothing to alert its student body that a scholarship athlete was on trial for sexual assault. Moreover, according to Luther and Solomon in Texas Monthly, “Meanwhile, the details about the investigation conducted by Baylor that came out during the trial reveal one that was shockingly brief: It involved reading text messages, looking at a polygraph test Ukwuachu had independently commissioned – which is rarely admissible in court – and contacting Ukwuachu, Doe, and one witness on behalf of each of them.”

I thought about all this sorry state of affairs at Baylor in the context of the Foreign Corrupt Practices Act (FCPA) and anti-corruption compliance programs. There is a clear reason why the responsibility should be on any company which wants to employ a third party to act on its behalf to do thorough due diligence on that agent. If this was not the situation, companies would make claims similar to those made by Baylor Coach Briles that “no one told me about Ukwuachu.” If Briles had accepted his responsibility for bringing a player into the university and onto his team, he might have understood the importance of knowing who you are dealing with going forward.

It is incumbent that a company evaluates and addresses its risks regarding third parties. This means that an appropriate level of due diligence may vary depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

The onus put on companies to not only do compliance but to ‘Document, Document, and Document’ that effort provides the incentive needed to comply with the law. If there was not such an incentive, you would have corporations crying out now like Baylor Coach Briles that it was the responsibility of the school and team which dismissed him to alert them about Ukwuachu’s past misdeeds. Fortunately for FCPA compliance and the greater anti-corruption compliance community, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) do not see things in such a light.

As to Chocolate Thunder, at one point in his career Dawkins said that he was an alien from the Planet Lovetron. Alien or human, I hope you will join me in wishing a smooth trip to the great hereafter to one of the NBA’s most unique characters.


© Thomas R. Fox, 2015

Bobby Keys died last week. What you probably did not know was that Keys was a Texan so we get to claim him. He was the saxophonist for the Rolling Stones and a number of other serious rockers. As Bruce Weber wrote in his New York Times (NYT) obituary, entitled “Bobby Keys, Hard-Living Saxophonist for Rolling Stones, Dies at 70”, Keys “was a rock ’n’ roller in every sense of the term. Born (almost literally) in the shadow of Buddy Holly, he was a lifelong devotee and practitioner of music with a driving pulse and a hard-living, semi-law-abiding participant in the late-night, sex-booze-and-drug-flavored world of musical celebrity.”

But Keys was far more than just another rock and roll party animal. He “recorded with a Who’s Who of rock including Chuck Berry, Eric Clapton, John Lennon, George Harrison, Carly Simon, Country Joe and the Fish, Harry Nilsson, Joe Cocker and Sheryl Crow. He toured with Delaney and Bonnie and was recording with them in 1969”. For me his most famous work was with the Stones and his soaring sax solo in Brown Sugar. He worked on the albums “Sticky Fingers, Exile on Main Street, Goats Head Soup and Emotional Rescue”. He also joined the Stones for “almost a dozen tours over more than 30 years.” I was lucky enough to see Keys play with the Stones on their farewell tour last spring. Most interestingly he felt an instant kinship with Keith Richards, about as un-Texan a person as one can imagine.

I thought about Keys, both his life and his relationship with Keith Richards, when I read a couple of recent articles in the Financial Times (FT). The first one was by Luke Johnson and entitled “Trust can seem risky – but its absence is far more perilous.” Johnson said, “For commercial life to function at all, there has to be a general assumption of trust – that partners, staff, suppliers, customers and the authorities will do the right thing by each other. It is impossible to verify every transaction, and check each task: delegation is essential for all operations of scale. Those who are suspicious of everyone have to limit their ambitions, because they assume deceit is endemic. Such a pessimistic approach is a sorry and unprofitable state of human affairs. As Samuel Johnson said: “It is . . . happier to be sometimes cheated than not to trust.””

Trust is certainly important but as President Reagan noted, “Trust but verify”. In a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program, this means that you need to obtain a full battery of information about any third party with which you might be doing business. Obviously performing due diligence is a well recognized step for any third party management protocol under the FCPA but with certain data and privacy restrictions coming out of locations as diverse as China and the EU, it may be the situation that you cannot perform full due diligence on third parties you may wish to do business with or through.

I have previously written extensively about the need for the management of the third party relationship after the contract is signed. However there are other steps that you can use to help in this process. These include steps one and two, which are the Business Justification and the Questionnaire. Viewed from another angle, they can provide further internal controls to your anti-corruption compliance program.

I believe it should be common sense that you have a business justification to hire or use a third party but it is also an important financial control. If that third party is in the sales chain of your international business it is important to understand why you need to have this particular third party represent your company. This concept is enshrined in the FCPA Guidance, which says, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.” Conversely, if a business representative cannot articulate a reason why you should have a new or another third party representative, your company probably does not need that third party.

The Questionnaire fills several key roles in your overall management of third parties. Obviously it provides key information that you need to know about who you are doing business with and whether they have the capabilities to fulfill your commercial needs. Just as important is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, UK Bribery Act or anti-corruption/anti-bribery programs generally. The information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform. But the final requirement of your questionnaire provides an important internal control. It is one of the most basic controls and is what internal control expert Henry Mixon calls the ‘stop and think control’. Your Questionnaire should require a signature that all of the information included is true and correct. It is something else under the ‘pains and penalties for perjury’ but nonetheless it should give anyone signing it outside the United States pause before they put their name on the line.

In his article Johnson ends with the following, “Confidence in the other party is the magic ingredient that empowers an entrepreneurial business to succeed. An absence of trust leads to paralysis. Straight dealing, accountability and transparency are much more about truth and candour than box-ticking and an obsession with regulations. Any partner can betray you and stay within the law if they are assiduous and devious enough. Integrity in your working relationships consists of a broader understanding than the letter of the law. In the end, all that any entrepreneur can do is obey their gut instinct and, perhaps, to follow the example of Charlie Munger, vice-chairman of Berkshire Hathaway and Warren Buffett’s partner, who said: “By the standards of the rest of the world, we overtrust. So far it has worked very well for us”.”

Even if you cannot perform the level of due diligence that you might otherwise like to do because of country or regional regulations, you can still talk to your prospective third party business partner. This can go quite a long way toward determining whether you can trust them. You can visit them in their office to get a better feel for the size of their operations. In addition to talking with the principals of the third party, you can visit with the employees who will work on your account, if they are different from the principals of the organization.

Just as Bobby Keys and the Rolling Stones had an ultimate level of trust that lasted well over 40 years, you can learn to develop one with your third parties. And just as such trust is absolutely key in making great music, it is also required to make any successful business relationship.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

I recently read a book review in the Times Literary Supplement (TLS) by Archie Brown, entitled “One into fifteen”, where he reviewed the book “The Last Empire” by author Serhii Plokhy. Plokhy’s book is about the dissolution and final days of the Soviet Union. One of the more interesting precepts from the book is the end of the Soviet Union as announced on Christmas Day, 1991, by then Communist Party Secretary Mikhail Gorbachev. Brown wrote, “All too often the dissolution of the Soviet Union is conflated with the end of Communism and with the end of the Cold War. But the book points out that the Politburo had ceased to be the ruling body of the USSR in March of 1990 and thus it was “entirely fallacious to speak of either Communism or the Cold War as having ended in December 1991. The transformation of the system was a precondition for the demise of the state, with the latter being an unintended consequence of the former. But these were distinctive, albeit interconnected processes.””

I considered ‘interconnected processes’ when I saw the Compliance Insider, Illustrative Case Study Series, entitled “Supplier Risk Management”, in which The Red Flag Group laid out in a visual format how a company can effectively identify and manage risks in its supply chain. The process is dubbed ‘Report, Review and Improve’ and consists of six steps.

Step 1 – Collect information on the suppliers. This step begins with a review and assessment of your own Vendor Master files to make an initial determination if a new or indeed other supplier is needed. If there is a business justification for bringing the supplier into a commercial relationship with your company, then you should gather performance data on the proposed vendor. The article suggests that a technological solution can help to provide risk-rated questionnaires to facilitate the process by building workflows and approvals directly into your questionnaires.

Step 2 – Validate the collected information. This is the investigative step. You should take the information provided to you by the proposed supplier and test it. You can check on references. You should also engage the supplier directly by interviewing the internal staff of the proposed supplier and review documents and records as appropriate. When necessary, you may also wish to consider the use of outside experts or internal consultants for recommendations or validations. This step should end with the creation of a risk score of the data you have gathered. Here a technological solution can assist by automating your analysis of completed questionnaires with a risk-based scoring of the answers to facilitate the validation process.

Step 3 – Rate the risk of the supplier. This is the analysis step where you should “compare the risks against your complete knowledge of the proposed supplier.” You should also compare your assessed risks against industry data and then risk-rank the proposed supplier or suppliers. A technological solution can also help to crunch large amounts of numbers or other data to give a first pass on your risk-ranking which can be further refined if required.

Step 4 – Implement risk management controls. The article posits that this step should include the conducting of background due diligence and integrity analysis by screening against known watch lists, sanctions lists and those of politically-exposed-persons (PEPs). A technological solution can help this step by managing the request and delivery of due diligence reports, aid in the reviewing, approving and tracking of completed reports and ensure ongoing compliance with automated daily reviews of such lists. Another suggested component of this step is to meet with your internal and external stakeholders to convey expectations. From this point you should be ready to enter the contracting phase, with appropriate compliance terms and conditions. To the extent required, you should also create and manage your compliance policy for the supplier at this stage as well.

Step 5 – Assess and monitor the supplier. In any relationship with a third party in the compliance world, this step is where the rubber hits the road and you have to manage the relationship. The article discusses custom eLearning that can allow you to quickly and efficiently create training programs for your suppliers based upon your compliance regime and not hypothetical training based on legal standards. A technological solution can also assist you in obtaining online certifications to certify that your supplier is in compliance with your company’s business requirements and internal controls. Finally such a solution can help to automate the process going forward to ensure that certification updates are provided, executed and tracked. But more than the ongoing certifications and training, you will need to monitor the transactions you engage in with a supplier. This may entail reviewing a large amount of data through transaction monitoring but it may also entail going to visit a supplier and going through the deep dive of an audit.

Step 6 – Continuous reporting, review and monitoring. All of this information you obtained must be fully documented. Of course, it must be documented to produce to a regulator if the government comes calling. However, this information can also be used to improve the supplier relationship and perhaps even your vendor system. One of the most interesting suggestions was to create a ‘Virtual Data Room’ dedicated to your suppliers. Not only would the creation of such a stored environment enable you to call up information requested by a regulator on short notice, you would also have it in an accessible format for supply chain process improvements. The article suggests trying such techniques as implementing performance incentive programs which can push compliance culture and behavior changes based upon the data you collect. Interestingly, the clothing company Levi Strauss instituted just such a policy for suppliers in the area of corporate social responsibility, announcing it earlier this week.

If you do not subscribe to The Red Flag Group’s Compliance Insider publication, I suggest that you do so. It is one of the very best periodicals around on the building blocks of compliance. The six steps it has laid out for the process of identifying and managing your supplier compliance risks under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act demonstrate the thesis of Plokhy’s book reviewed in the TLS: that it is interconnected processes which usually mark change and management. In the case of the former Soviet Union, it may have been drawn by more human factors but there are now a variety of technological tools available to assist your facilitation of this process under any anti-bribery or anti-corruption compliance regime.
