China DollI was recently in New York and was able to see the theater production of the new David Mamet play China Doll. It stars Al Pacino and it is probably worth it simply to see Pacino on stage. As you might expect from any Mamet script, it is about rapid-fire language. I was a tad apprehensive when I read the show’s reviews, which said that Pacino could not or had not learned his lines well enough to recite them without the use of a teleprompter and even an earpiece in which he was fed his lines.

I am happy to report that the production works. Although the Opening Night was moved from November 19 to December 4 to continue the previews, it was still a very good show. There were two laptops strategically placed on the set and it did appear that occasionally Pacino would scan the screens to get some lines. A large part of the play occurs while Pacino’s character was on the phone so some lines could have been fed to him in that manner. Finally he did take several pauses but it was never clear to me if he was fumbling a line or it was a dramatic pause.

The saving grace is that it was Pacino. From time-to-time, he was that cool controlled Pacino who graced us as Michael Corleone. More rarely he was Tony (let me introduce you to my little friend) Montanze from Scarface. For either of those moments the play was worth it. If you have the chance to see it, I heartily suggest you check it out.

If you have made it this far in this blog post and want to see the play be prepared for a SPOILER ALERT. If you are not going to see the play, no worries however a significant plot device turns on, of all things, the Foreign Corrupt Practices Act (FCPA). Imagine my utter shock when Pacino’s character was told he would be charged with violating the FCPA because a company in his Supply Chain (SC) had paid a bribe to have Pacino’s financé perform design work on an airplane that Pacino had custom ordered. So, first we had a movie (Syriana), television show (House of Cards) and now a Broadway theater production, which all prominently feature the FCPA as a show element. When art begins to imitate life, it certainly speaks to the ubiquitousness of the issue.

China Doll also reminded me that one of the areas many companies do not focus on is possible corruption in their SC for goods and services provided on a company’s behalf. The FCPA risks can be just as great through those entry points as it can be through the sales side of an organization. You need to know who your company is doing business with through the SC as much as you need to know your agents seeking business opportunities on your behalf.

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, such factors as whether the supplier is (1) located, or will operate, in a high risk country; (2) associated with, or recommended or required by, a government official or his or her representative; (3) currently under investigation, the subject of criminal charges, or was recently convicted of criminal violations, including any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls, that has not been recently investigated or convicted of any corruption offense or that has taken appropriate corrective action to remedy such conduct; or (5) a provider of widely available services and products that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal Risk Supplier, such as wide circulation newspapers, magazines, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services. You should note that any supplier, which has foreign government touch points, should move up into the high level of scrutiny. 

A High-Risk Supplier is an individual or an entity that is engaged to provide non-project specific goods or services to a company. It presents a higher level of compliance risk because of the presence one or more of the following factors: (a) It is based or operates in a country (including the supply of goods or services to a company) that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions. Finally, it presents one or more of the following factors, in which case the Chief Compliance Officer (CCO) should be consulted for further direction: (1) It is located in a country that has inadequate regulatory oversight of its activities; (2) it is in an unregulated business; (3) Its ultimate or beneficial ownership is difficult to determine; (4) the company has an annual spend of more than $100,000 with the supplier; (5) It was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) It is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering (AML) and anti-terrorism laws comparable to those of the US and UK; or (7) It lacks a discernable and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business such as a sole proprietorship, partnership or privately held corporation, located in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $1,000,000 with the supplier; and (3) the supplier is not involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under the US Securities Exchange Act of 1934, including those publicly traded on a reputable and highly regulated stock exchange, such as the New York or London exchanges, and are, therefore, subject to oversight by highly regarded regulatory agencies.

Below the high and low risk categories I would add two other categories of suppliers that present very low compliance risks. The first is ‘Minimal-Risk Suppliers’ which generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is USD $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. It may also include legal services from professional firms that are approved and overseen by a company’s Legal Department; Investigative services from professional firms that are approved and overseen by a Legal Department and that do not interact with government agencies on behalf of a company; and Accounting and financial services from professional firms that are approved and overseen by a company Finance Department or Audit Committees and that do not interact with government agencies on behalf of a company.

Finally, are the category of third parties that provide widely available services and products, ‘Common Product and Services’, that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier. These include, among others, wide circulation newspapers, magazines, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services. These third parties raise even less than Minimal Risk to a company, especially when their services and products are provided in a non-high risk country. Suppliers in this category require no FCPA due diligence.

In China Doll, Pacino’s character bemoans that not only did he not authorize any bribe payments made to facilitate the construction and delivery of his airplane but that he did not even know bribes were paid to help construct his product. As a political fixer, he should have been better versed in the law and acted accordingly. For the rest of us, you need to risk rank your third parties which your company might engage through your SC for FCPA exposure.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

IMG_3310Today, I conclude my exploration of the new Department of Justice (DOJ) Compliance Counsel and the metrics laid out by Assistant Attorney General Leslie R. Caldwell who called for her review of compliance programs. The metrics for today’s consideration are around the source of the greatest risk under the Foreign Corrupt Practices Act (FCPA); that being third parties. The metrics laid about by Caldwell are as follows:

  • Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?

Management of a Third Party Relationship

Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the managment of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship, “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.”

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, has noted, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.” But as Caldwell noted it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so.

 Relationship Manager for Third Parties

I believe that as a starting point for the management of a third party, your company should have a Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the Relationship Manager to provide advice, training and communications to the third party.

 Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report?
  • How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

Tying it all Together

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Diana Lutz and her colleague Marjorie Doyle, in an article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, gave a checklist to test companies on their relationships with their third parties, which is as follows:

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out in this series, you need to fully document all steps you have taken so that any regulator, and specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics reviewed in this series may not have been anything new but she has laid out what the new Compliance Counsel will be reviewing and evaluating so you understand what will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program.

Caldwell’s short mention of managing third parties is one of the most important metrics of any best practices FCPA compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

 

© Thomas R. Fox, 2015

My grandfather was a comic book collector. He collected all kinds and types of comics, from super-heroes to the Archie series. One of the series that he collected that I still think about from time-to-time was Classics Illustrated. Classics Illustrated was a comic book series featuring adaptations of literary classics which began publication in 1941 and finished its first run in 1971, producing 169 issues. I won’t divulge how many classic novels that I read in such fashion as a youngster but I will say that that group is the only set of magazines and comics that I collected in the 60s of which I still have a complete set.

There is another illustrated series which may be of more use to the modern day compliance practitioner which can be found in Compliance Week Magazine. In the February 2012 edition OCEG President Carole Switzer continues her series on an illustrated six-part anti-corruption program. In this issue she focuses on third party due diligence. She begins by noting that one of the surest ways to develop and strengthen your anti-corruption compliance program, whether based upon the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act is to discover “what you do not understand about the third-parties who help you to do business abroad.” She explains that if your company does not “expand its knowledge of activities of your business partners,” the Department of Justice (DOJ) or UK Serious Fraud Office (SFO) may well do so for you in an enforcement action. Switzer provides a six-step process with a nifty diagram attached to the article.

1.  Define

To begin you should define your objectives and then design your process. This should include all forms that you will use including questionnaires, background checks, references and certifications. You should also delineate your process to review and clear any Red Flags which may arise in the process.

2.      Collect Initial Data

This step should begin with a country review to make an initial determination of risk of corruption. You can use the Transparency International (TI) Corruption Perceptions Index (CPI) or similar resource. Determine how you can make real-time checks, whether through a third-party software provider such as World Compliance or other mechanism for initial due diligence. You will also need to collect data directly from the proposed third party business partner in the form of a questionnaire or other document. There should also be an initial discussion of the “nature, scope and intended relationship” with the third party.

3.  Assess

Under this step, Switzer believes that you should initially set up categories for your third parties of high, moderate and low. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

4.      Approve/Deny/Approve with Condition

Under this step you should establish business rules and process triggers to “facilitate control and monitoring throughout the life of each contract.” As the risk level increases you should apply more stringent controls on the third party. This would also include more intense monitoring of the relationship on an ongoing basis.

5.      Train/Control

Your company should establish anti-corruption training for each risk level of third party with which you do business. You should administer the training, whether live, computer based or webinar, for different third party audiences “taking cultural issues into consideration and addressing role-specific needs.” You should assess and certify the results of your training or certify third party awareness through its own training program. Lastly the “control” portion of this step relates to compliance terms and conditions, which should be included in any written agreement with your third party.

6.      Monitor/Review

Switzer ends her six-point program by noting that you should “establish monitoring and re-approval requirements for each risk level.” There should be continued contact and monitoring by a combination of business unit sponsor and trusted outside professionals. There should be mandatory re-approval at fixed points as well as an action plan to address any red flags which might arise during the relationship.

I find the OCEG Anti-Corruption Illustrated series to be a very useful tool to help visualize the compliance process. While not in the same league as Classics Illustrated they certainly are a useful tool for the compliance practitioner. I would urge you to visit the OCEG website for their series and many other useful tools.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012