There are five steps in the life cycle of third party management.

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

If you cannot fully accomplish each step, that puts more pressure on the other steps. So if you are in a country that limits your ability to look into the background of beneficial owners of corporations, you still may be able to move forward, but you must perform additional monitoring or have other risk management protections going forward.

Step 1 – Business Justification

This concept is enshrined in the FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.” The first step breaks down into two parts:

  1. Business Sponsor – Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship.
  2. Business Justification – The business unit must articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether it will become a strategic partner or be involved in a one-off transaction only.

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third party relationship is renewed.

Step 2 – Questionnaire

The term ‘questionnaire’ is mentioned several times in the FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely, you should not walk but run away from doing business with such a party.

Below are some of the areas which I think you should inquire into from a proposed third party; they include the following:

  • Ownership Structure: Describe whether the proposed third party is a government or state-owned entity, and the nature of its relationship(s) with local, regional and governmental bodies. Are there any members of the business partner related, by blood, to governmental officials or are they Politically Exposed Persons (PEPs)? It is imperative that you obtain the identity of the Ultimate Beneficial Owner (UBO).
  • Financial Qualifications: Describe the financial stability of, and all capital to be provided by, the proposed third party. You should obtain financial records, audited for 3 to 5 years, if available. Obtain the name and contact information for their banking relationship.
  • Personnel: Determine whether the proposed agent will be providing personnel, particularly whether any of the employees are government officials. Make sure that you obtain the names and titles of those who will provide services to your company.
  • Physical Facilities: Describe what physical facilities will be used by the third party for your work. Be sure to obtain their physical address.
  • References: Obtain names and contact information for at least three business references that can provide information on the business ethics and commercial reliability of the proposed third party.
  • FCPA or Compliance Regime: Does the proposed third party have an anti-corruption/anti-bribery program in place? Do they have a Code of Conduct? Obtain copies of all relevant documents and training materials. Has the proposed third party received FCPA training?

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

Step 3 – Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. However, the information that you should have developed during the Business Justification and Questionnaire phase of the life cycle of third party management should provide you with the initial information to consider the level of due diligence that you should perform on third parties, which leads to Step 3 – due diligence.

Jay Martin, Chief Compliance Officer (CCO) at Baker Hughes Inc. (BHI), often emphasizes that a company needs to evaluate and address its risks regarding third parties when he speaks on the topic. This means that an appropriate level of due diligence may vary depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

Step 4 – The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move on to Step 4 – the contract. In the area of compliance terms and conditions, the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption, as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

I have found that while it may not be easy, it is relatively simple to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the Deferred Prosecution Agreements (DPAs) through the life cycle management of a third party. 

Step 5 – Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins here in Step 5 – the management of the relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. Here we will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”, Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

Another noted commentator has discussed techniques to provide this management and oversight to any third party relationship. Carole Switzer, writing in the Compliance Week magazine, set out a five-step process for managing corruption risks for third parties.

  1. Screen – Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit – Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Final Thoughts

I continually give my Mantra of FCPA compliance, which is Document, Document and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program. As you sit at your desk pondering whether this assignment given to you by the CCO is a career-ending dead-end, you should take heart because there is clear and substantive guidance out there which you can draw upon.

For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

 

 

What is satisfactory due diligence under the Foreign Corrupt Practices Act (FCPA)? That question seems to be more important after the Huffington Post’s story on Unaoil and the subsequent release of the Panama Papers. However, both of these events largely focused on the “who” part of due diligence and the need to know whom you are doing business with going forward. However there is another important question which does not come up as often in due diligence, which is how?

How does a particular third party perform its services with or for your company? If it is on the sales side of things, how can a third party help you make sales? If a third party comes through the Supply Chain, how do their products or services meet the needs of your company? If the third party has a closer business relationship, such as a joint venture (JV), teaming agreement or other similar arrangement, you may well need a much deeper understanding of how this third party does business because the relationship may well become so close you will be intertwined with the party. It may mean more than simply how does their product work but how does this third party conduct themselves and their business?

The questions beyond simply who were made clear in a Wall Street Journal (WSJ) article by Christopher Weaver and John Carreyrou, entitled “Deal With Theranos Haunts Walgreens”. It turns out that Walgreens left a gap by “never fully validating the startup’s technology or thoroughly evaluating its capabilities”. The clear message is if you are going to partner with a technology company which is going to change your business model, you best make sure the technology works. Moreover, if a potential JV partner refuses to show you its technology, how it keeps records, its financials relating to the products and services you are contracting for and generally tries to hide from you the very thing you are buying into, you should not walk but run away from the deal.

This article detailed the lack of steps and missteps by Walgreens when entering its partnership with Theranos and how these actions have caused Walgreens to consider its $50MM investment in Theranos as something it will never recoup, caused Walgreens reputational damage and potentially subjected it to civil liability. As the reporters noted, “The relationship is now in tatters, making Walgreens an extreme case study of what can go wrong when an established company that craves growth decides to gamble on an exciting and unproven startup.”

One might think that if you are investing in a technology company that provides medical testing, the investor would want to see the laboratory where the testing is performed. It turns out that Walgreens representatives were never allowed to tour, let alone review the labs where the results of Theranos pinprick blood tests were run. A Walgreens consultant, Paul Rust, who was sent to Theranos to do a quality control data review said, “It was a very strange situation. The results were actually really good, but I was never allowed to go into the lab. I have no idea that the results I saw were run on the Edison devices or not.” He went on to say that he was “led to believe that they were being run on the Edison.” Yet even Rust was surprised no Walgreens representatives had been allowed to view Theranos labs.

Interestingly, when Theranos did provide the test results to Walgreens representatives, the results came back with “‘low’ and ‘high’ values rather than numeric values. As a result, Walgreens couldn’t compare results from the Theranos machine to any commercially available tests.” Once again, this was something which Walgreens should have sought additional information on.

Yet even when Walgreens’ consultants, assisting the company in evaluating Theranos and the proposed transaction, voiced and wrote up their concerns, they were not passed along to Walgreens management. The article reported, “In a report later in 2011, the consultants concluded Walgreens needed more information to assess the partnership. Those findings and reports by other consultants were kept from many Walgreens officials, including some directly involved in the negotiations with Theranos.”

Walgreens made another classic mistake in the due diligence process; they took comfort when a competitor was allegedly considering a similar venture with Theranos. The article said, “Some executives were comforted when Theranos said Safeway Inc. had agreed to host blood-drawing sites at some of its supermarkets. If Safeway trusted Theranos, then Walgreens could, too, the Walgreens officials believed.” How often have you heard that some other company is considering or has approved them through due diligence and a decision was based on the alleged actions of an alleged party?

Walgreens hamstrung itself from managing the relationship after the contract was signed by agreeing to contract terms that prevented Walgreens from auditing or even viewing “Theranos clinical data or financial records”. Finally, and perhaps most damagingly, there was a complete lack of communications between the two companies about the issues that have bedeviled Theranos. The article concluded, “Walgreens shelved the expansion plans after the Journal reported in October that Theranos did the vast majority of tests it offered to consumers on traditional lab machines. The Journal also reported that some former employees doubted the accuracy of a small number of tests run on Edison devices. One of the most recent setbacks came in mid-April when the Journal reported that regulators had 3½ weeks earlier proposed banning Ms. Holmes from the lab-testing industry. The drugstore chain’s senior executives found out from the news report.”

In the FCPA, most companies understand the need to know with whom they contract for sales or vendor related issues. They also understand the need to know why they should do business with a proposed third party (i.e., a business justification). However, the need to perform an investigation into how the third party can actually deliver what they are contracted to do is equally important. Moreover, even with the most robust due diligence, there are still additional steps which a company must engage in to properly manage third parties. Most compliance practitioners believe that compliance terms and conditions should be a part of every contract and there is really no debate that an audit clause and material breach of contract provision should be included.

The Walgreens imbroglio around Theranos points out why such clauses are mandatory. If you do not have them, you do not have the ability to verify what you may or may not have been told in due diligence. Finally, managing the relationship after the contract is signed is where the rubber hits the road. If you only obtain a due diligence report and insert compliance terms and conditions, you will have done nothing to test whether the third party is actually performing as it has agreed to under the terms of the contract.

Perhaps if Walgreens had inquired into how Theranos performed its medical testing it would not find itself in the situation it is in now.

 


© Thomas R. Fox, 2016

I was recently in New York and was able to see the theater production of the new David Mamet play China Doll. It stars Al Pacino and it is probably worth it simply to see Pacino on stage. As you might expect from any Mamet script, it is about rapid-fire language. I was a tad apprehensive when I read the show’s reviews, which said that Pacino could not or had not learned his lines well enough to recite them without the use of a teleprompter and even an earpiece in which he was fed his lines.

I am happy to report that the production works. Although the Opening Night was moved from November 19 to December 4 to continue the previews, it was still a very good show. There were two laptops strategically placed on the set and it did appear that occasionally Pacino would scan the screens to get some lines. A large part of the play occurs while Pacino’s character was on the phone so some lines could have been fed to him in that manner. Finally he did take several pauses but it was never clear to me if he was fumbling a line or it was a dramatic pause.

The saving grace is that it was Pacino. From time-to-time, he was that cool controlled Pacino who graced us as Michael Corleone. More rarely he was Tony (let me introduce you to my little friend) Montana from Scarface. For either of those moments the play was worth it. If you have the chance to see it, I heartily suggest you check it out.

If you have made it this far in this blog post and want to see the play, be prepared for a SPOILER ALERT. If you are not going to see the play, no worries; however, a significant plot device turns on, of all things, the Foreign Corrupt Practices Act (FCPA). Imagine my utter shock when Pacino’s character was told he would be charged with violating the FCPA because a company in his Supply Chain (SC) had paid a bribe to have Pacino’s fiancée perform design work on an airplane that Pacino had custom ordered. So, first we had a movie (Syriana), television show (House of Cards) and now a Broadway theater production, which all prominently feature the FCPA as a show element. When art begins to imitate life, it certainly speaks to the ubiquitousness of the issue.

China Doll also reminded me that one of the areas many companies do not focus on is possible corruption in their SC for goods and services provided on a company’s behalf. The FCPA risks can be just as great through those entry points as it can be through the sales side of an organization. You need to know who your company is doing business with through the SC as much as you need to know your agents seeking business opportunities on your behalf.

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including whether the supplier is (1) located, or will operate, in a high risk country; (2) associated with, or recommended or required by, a government official or his or her representative; (3) currently under investigation, the subject of criminal charges, or was recently convicted of criminal violations, including any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls, that has not been recently investigated or convicted of any corruption offense or that has taken appropriate corrective action to remedy such conduct; or (5) a provider of widely available services and products that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal Risk Supplier, such as wide circulation newspapers, magazines, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services. You should note that any supplier which has foreign government touch points should move up into the high level of scrutiny.

A High-Risk Supplier is an individual or an entity that is engaged to provide non-project specific goods or services to a company. It presents a higher level of compliance risk because of the presence of one or more of the following factors: (a) It is based or operates in a country (including the supply of goods or services to a company) that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions. Finally, it presents one or more of the following factors, in which case the Chief Compliance Officer (CCO) should be consulted for further direction: (1) It is located in a country that has inadequate regulatory oversight of its activities; (2) It is in an unregulated business; (3) Its ultimate or beneficial ownership is difficult to determine; (4) The company has an annual spend of more than $100,000 with the supplier; (5) It was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) It is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering (AML) and anti-terrorism laws comparable to those of the US and UK; or (7) It lacks a discernible and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business such as a sole proprietorship, partnership or privately held corporation, located in a Low-Risk Country. Some indicia include that (1) it supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $1,000,000 with the supplier; and (3) the supplier is not involved with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under the US Securities Exchange Act of 1934, including those publicly traded on a reputable and highly regulated stock exchange, such as the New York or London exchanges, and are, therefore, subject to oversight by highly regarded regulatory agencies.

Below the high and low risk categories I would add two other categories of suppliers that present very low compliance risks. The first is ‘Minimal-Risk Suppliers’ which generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is USD $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. It may also include legal services from professional firms that are approved and overseen by a company’s Legal Department; Investigative services from professional firms that are approved and overseen by a Legal Department and that do not interact with government agencies on behalf of a company; and Accounting and financial services from professional firms that are approved and overseen by a company Finance Department or Audit Committees and that do not interact with government agencies on behalf of a company.

Finally, there is the category of third parties that provide widely available services and products, ‘Common Product and Services’, that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier. These include, among others, wide circulation newspapers, magazines, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services. These third parties raise even less than Minimal Risk to a company, especially when their services and products are provided in a non-high risk country. Suppliers in this category require no FCPA due diligence.

In China Doll, Pacino’s character bemoans that not only did he not authorize any bribe payments made to facilitate the construction and delivery of his airplane but that he did not even know bribes were paid to help construct his product. As a political fixer, he should have been better versed in the law and acted accordingly. For the rest of us, you need to risk rank the third parties which your company might engage through your SC for FCPA exposure.


© Thomas R. Fox, 2015