The risk of engaging a third party overseas is an increasing concern for U.S. companies that do business internationally. In a recent speech given at the Global Ethics Summit, sponsored by Dow Jones and Ethisphere, Mark Mendelsohn, Deputy Chief of the Criminal Division’s Fraud Section at the Department of Justice (DOJ), highlighted the U.S. government’s continuing use of the Foreign Corrupt Practices Act (FCPA) to charge both companies and individuals with criminal violations. He went on to point out that even the “slightest” connection with the United States could be enough to create jurisdiction where none existed previously. Additionally, the recent sting operation targeting the U.S. police supply industry and the announcement of a task force to investigate FCPA violations in the health care industry demonstrate that entire market segments have been targeted for closer FCPA scrutiny. The increased allocation of resources and industry focus will further propel third party risk mitigation into the front lines of FCPA enforcement and compliance remediation.
While many U.S. companies have implemented anti-corruption programs, few contain much enforcement rigor directed at third parties. In a recent benchmarking survey of third party codes of conduct conducted by the Society of Corporate Compliance and Ethics (SCCE), it was reported that the majority of companies with an otherwise robust compliance program do not extend the program to third parties with whom they conduct business. The findings reveal that 53% of companies do not disseminate their internal codes of conduct to third parties; only 26% require third parties to certify to their own codes; and just 17% have any third party codes of conduct. Yet the importance of creating mechanisms to identify and manage third party risks has become very clear and immediate.
I. Risk Based Compliance — Going to School on AML Compliance Can Propel Your Program
For companies seeking to evaluate their third party business partners for compliance, how, and perhaps where, do they begin? The approach that appears to be gaining the most traction both with regulators and learned commentators is to develop a risk-based approach to FCPA compliance. There is no specific DOJ guidance on any one process for a risk-based compliance system. However, there is sufficient guidance in other FCPA and analogous compliance areas to enable us to provide direction to U.S. and foreign companies in this area.
The answer to adopting a risk-based approach may come from an analysis of the leading industry practices in anti-money laundering (AML) compliance. In AML compliance, certain parties represent far greater compliance risk than others. Indicators of risk include geography, nexus to government officials, source of wealth, business type, method of payment and dollar volume. Leading AML programs use risk scoring to identify high risk customers, such as private banking customers, trusts, personal investment companies, money service businesses and jewelers. They also use transactional analysis to identify suspicious trends, patterns and transactions or sets of transactions that are sufficiently unusual to warrant further scrutiny. List matching against denied parties lists, such as the list published by the U.S. Office of Foreign Assets Control (OFAC), other international denied parties lists and lists of known Politically Exposed Persons (high ranking foreign government officials), is very helpful in deciding which customers should get the most attention from bank compliance officers and investigators.
Many of these same risk factors and tools can be deployed to flag potentially high risk third parties in an FCPA context. There are a few differences in terms of the questions that need to be answered in the course of the due diligence investigation; the answers to these questions can factor significantly into the overall risk score. In addition to Politically Exposed Persons and denied parties list matching, which can be equally valuable in assessing the risk of third parties in an FCPA context, it is critical to look at the role of the state and state-owned companies in the transaction or sale process. While it can be difficult to uncover state ownership relationships, there are databases that can be helpful in finding this information.
It is important to note, though, that the absence of a company’s name in a database of state-owned enterprises does not necessarily mean that the entity of concern is not state-owned. Such databases are a useful tool but do not take the place of an investigation. Whether an entity sells to governments or state-owned enterprises is an even more difficult question to answer. Some companies are obvious purveyors of goods and services to the government and do not require substantial due diligence to answer the question. Defense contractors and weapons manufacturers are two such players. But there are other, less obvious players that can present a greater challenge. Many companies that sell to governments employ former government employees, often from the very agencies they sell to. The presence of one or more senior executives who are former government officials can be a strong indicator that the company’s customers include government agencies. Public announcements of bids and the award of government public tenders are sometimes posted on a company’s website, the website of the agency awarding the contract or the local newspaper. Participating in public tenders is not necessarily problematic, but it raises the potential risk of an FCPA violation and needs to be considered as an important part of the due diligence process.
Another warning sign of an FCPA violation is prior involvement in other types of scandal. Often, companies that are implicated in an FCPA violation have previously been named in securities fraud, export control violations, price-fixing, bid-rigging or other crimes or civil violations. Prior involvement in such cases can be an indicator that the company is willing to push the envelope to win business and should be carefully examined.
This risk-based approach was commented upon favorably by the DOJ in Opinion Procedure Release 08-02. In its Release, the DOJ reviewed and approved Halliburton’s proposed acquisition of the U.K. entity Expro with the proviso that Halliburton undertake certain actions. The DOJ spoke directly to a risk-based approach in its statement that Halliburton had agreed to provide the following:
“. . . a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which will address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. Such work plan will organize the due diligence effort into high risk, medium risk, and lowest risk elements.”
This risk-based approach has also been accepted by the U.K.’s Financial Services Authority (FSA) in its settlement of the enforcement action against the insurance giant AON this past year. As a part of the settlement, AON agreed to the following:
“AON…designed and implemented a global anti-corruption policy … limiting the use of third parties … whose only service to AON is assisting it in the obtaining and retaining of business solely through client introductions in countries where the risk of corrupt practices is anything other than low. These jurisdictions are defined by reference to an internationally accepted corruption perceptions index. Any use of third parties not prohibited by the policy must be reviewed and approved in accordance with global anti-corruption protocols.”
There can be many uses for a risk-based compliance system. While the system described in Opinion Procedure Release 08-02 was a response to an international acquisition, risk-based systems can also be used to assist in the evaluation of business partners or supply chain vendors. But, regardless of how such a system is used, the clear import from the DOJ, FSA and learned commentators is that some type of rational system for managing risk should be put in place and followed.
How does a company implement this guidance? The key to any risk-based approach is the strategic use of information technology by identifying, tracking and sorting the underlying critical risk factors of each third party, organizing and prioritizing third parties by the relative risks they represent and performing enhanced due diligence of those deemed to represent the highest risk. An effective third party due diligence program must also recognize that risk is dynamic, and that a company with a clean investigative report issued today can become embroiled in scandal tomorrow. In order to address this dynamism, leading industry practices suggest that some form of ongoing monitoring of high-risk parties can serve as a canary in a coal mine, alerting a company to a negative change in a third party’s risk profile.
The most effective applications of a risk-based approach to third parties are those tailored to a specific organization, its products, distribution model and geographic reach. One particularly important area for scrutiny centers on ‘relationship typing.’ In other words, how is this third party interacting with an organization, to what degree and with whom? A distributor or sales agent that was recently awarded a no-bid, multimillion dollar contract with a state-owned power authority in Bulgaria is likely to represent a very different degree of potential FCPA risk than an office supply wholesaler of Post-It notes in Finland.
A risk-based approach for third parties is similar to having a radar detector in your car. Once you’ve had it for a while, you start to recognize the contours of the road, hills and overpasses where police officers shooting radar like to hide. As with a radar detector, its real value is evident when executives begin to recognize the types of third parties that represent a disproportionate amount of potential FCPA risk and the underlying risk factors themselves.
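As an added, illustrative example (not part of the original article and not the authors' own tooling), the following Python shows how the risk factors discussed above can be turned into a scored and prioritized list of third parties: relationship typing, a geography score drawn from a corruption index, the state-ownership and government-customer questions, denied-party and Politically Exposed Person list matching with name normalization, prior enforcement history, and payment method and volume. Every weight, threshold, index value, list entry and sample third party is a constructed assumption; a real program would draw on the OFAC and other sanctions lists, a PEP database, a published corruption perceptions index and the company's own vendor master. Note that an entity missing from the state-owned enterprise database scores as "unknown", not "no", and that a denied-party hit is treated as disqualifying regardless of the other factors.

```python
"""Risk scoring and screening of third parties under a risk-based FCPA program.

Added example, not code from the article or its authors. Every weight,
threshold, list entry, index value and third party below is constructed
for illustration.
"""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed screening lists (hypothetical names).
DENIED_PARTIES = ["Balkan Turbine Trading d.o.o."]
PEP_NAMES = ["Anna Virtanen"]
# Constructed corruption-index values (100 = perceived clean, 0 = highly corrupt).
CPI = {"BG": 41, "FI": 89}
CORPORATE_SUFFIXES = {"ltd", "llc", "inc", "gmbh", "doo", "d", "o", "sa", "ag", "oy", "co"}


def normalize(name: str) -> str:
    """Fold case and accents, drop punctuation and corporate suffixes, so that
    'BALKAN TURBINE TRADING' screens against 'Balkan Turbine Trading d.o.o.'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    tokens = re.sub(r"[^a-z0-9]+", " ", folded).split()
    return " ".join(t for t in tokens if t not in CORPORATE_SUFFIXES)


DENIED_NORM = {normalize(n) for n in DENIED_PARTIES}
PEP_NORM = {normalize(n) for n in PEP_NAMES}


@dataclass
class ThirdParty:
    name: str
    country: str                       # ISO 3166 alpha-2
    relationship: str                  # sales_agent | consultant | distributor | supplier
    principals: list = field(default_factory=list)
    state_ownership: str = "unknown"   # yes | no | unknown (absent from SOE database is unknown, not no)
    government_customers: bool = False
    no_bid_government_award: bool = False
    prior_enforcement: bool = False    # securities fraud, export control, bid-rigging, etc.
    commission_based: bool = False
    annual_payments_usd: float = 0.0


def score(tp: ThirdParty):
    """Return (total 0-100, contributing factors). All weights are assumptions."""
    f = {}
    # Relationship typing: intermediaries who win business for you carry the most risk.
    f["relationship"] = {"sales_agent": 25, "consultant": 20, "distributor": 15, "supplier": 5}.get(tp.relationship, 15)
    # Geography: an unrated country is treated as high risk, not as zero.
    cpi = CPI.get(tp.country)
    f["geography"] = 20 if cpi is None else round((100 - cpi) * 0.2)
    # Nexus to the state, on both sides of the third party's business.
    f["state_ownership"] = {"yes": 15, "unknown": 5, "no": 0}[tp.state_ownership]
    if tp.government_customers:
        f["government_customers"] = 10
    if tp.no_bid_government_award:
        f["no_bid_award"] = 10
    # List matching: a denied-party hit is disqualifying on its own.
    if normalize(tp.name) in DENIED_NORM:
        f["denied_party"] = 100
    if any(normalize(p) in PEP_NORM for p in tp.principals):
        f["pep_principal"] = 20
    if tp.prior_enforcement:
        f["prior_enforcement"] = 15
    # Method and volume of payment.
    if tp.commission_based:
        f["commission_based"] = 5
    if tp.annual_payments_usd >= 1_000_000:
        f["high_volume"] = 5
    return min(sum(f.values()), 100), f


def tier(total: int) -> str:
    return "high" if total >= 50 else "medium" if total >= 25 else "low"


# Assumed handling per tier. The three-year ceiling on re-qualification follows the
# contract clause discussed in the article; the shorter intervals are illustrative.
ACTION = {"high": "enhanced due diligence; review committee approval; ongoing monitoring",
          "medium": "standard due diligence; annual certification",
          "low": "code of conduct flow-down"}
REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 1095}


def prioritize(parties):
    """Rank third parties by score so enhanced due diligence goes to the highest risk first."""
    rows = []
    for tp in parties:
        total, factors = score(tp)
        t = tier(total)
        action = "do not engage" if "denied_party" in factors else ACTION[t]
        rows.append({"name": tp.name, "score": total, "tier": t, "factors": factors,
                     "action": action, "review_interval_days": REVIEW_INTERVAL_DAYS[t]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample portfolio, mirroring the Bulgaria/Finland contrast in the text.
SAMPLE = [
    ThirdParty("Sofia Energy Agents EOOD", "BG", "sales_agent", state_ownership="unknown",
               government_customers=True, no_bid_government_award=True,
               commission_based=True, annual_payments_usd=2_400_000),
    ThirdParty("Helsinki Office Supply Oy", "FI", "supplier", state_ownership="no",
               annual_payments_usd=40_000),
    ThirdParty("Nordic Permit Advisors Oy", "FI", "consultant", principals=["ANNA VIRTANEN"],
               state_ownership="no"),
    ThirdParty("BALKAN TURBINE TRADING", "BG", "distributor"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r['score']:3d} {r['tier']:6s} {r['name']:28s} {r['action']}")
```

With the constructed inputs, the Bulgarian sales agent scores 72 (high), the Finnish consultant with a PEP principal scores 42 (medium), the Finnish office supply wholesaler scores 7 (low), and the distributor whose normalized name matches the denied-party entry is capped at 100 and marked "do not engage". The point of the `factors` dictionary is that the reviewer sees why a party landed in a tier, which is what the review committee and the business sponsor need when they argue for or against the relationship.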
II. Internal Review of a Proposed Foreign Business Partner and Driving Accountability
Leading organizations have established foreign business partner review committees, tasked with reviewing the results of investigative due diligence and a business unit’s rationale for partnering with a person or entity. The rationale for maintaining an existing high risk third party or bringing on a new one is the cornerstone to driving accountability. The buyers or sponsors of a specific third party should be required to make an internal business case to keep or accept a third party, including a discussion of the potential risks of doing business with the third party, and accept responsibility if the relationship results in FCPA liability.
The next area of review should focus on the proposed foreign business partner’s ethics and compliance program. Such a program should include, at a minimum, the following elements of an FCPA-style compliance program:
- restrictions on facilitation payments, gifts, entertainment and travel;
- proper accounting and invoicing; and
- policies that flow down to any sub-vendors of the foreign business partner.
If a foreign business partner’s program does not meet a company’s or the FCPA’s standards, the company may want to consider requiring the partner to implement a program that will meet the standards suggested in the U.S. Sentencing Guidelines and, by extension, the DOJ.
Smaller companies are unlikely to have even the most rudimentary program. In these circumstances, leading companies often require that a smaller foreign business partner abide by the leading company’s programs. Leading companies might include online training on their program’s key elements and annual certification that attests to compliance standards being met.
The third area of focus by the foreign business partner review committee is the proposed contract. Such contracts often have compliance obligations stated in the formation documents, whether it is a simple agency, consulting agreement or joint venture with several formation documents. All formation agreements should include representations that the foreign business partner will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, or candidates for public or political party office to influence the acts of such officials, political parties, party officials, or candidates in their official capacity to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.
In addition to the above affirmative statement regarding conduct, the following contractual clauses in a foreign business partner contract will strengthen the overall program:
- Indemnification: The foreign business partner must provide full indemnification for any FCPA violation, including all costs of the underlying investigation.
- Cooperation: The foreign business partner must agree to full cooperation with any ethics and compliance investigation, including the review of foreign business partner emails and bank accounts relating to a company’s use of the foreign business partner.
- Material breach of contract: This clause must include any FCPA violations, with no notice or opportunity to cure. Such a finding would be grounds for immediate cessation of all payments.
- No sub-vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the company’s prior written consent (to be based on adequate due diligence).
- Audit rights: These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and allow a full review of all FCPA-related compliance procedures, such as those for meeting with foreign governmental officials and compliance related training.
- Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship, as well as any country or regional anti-corruption or anti-bribery laws which apply to either the foreign business partner or business relationship.
- On-going training: The top management of the foreign business partner and all persons performing services on a company’s behalf should be required to participate in FCPA compliance training.
- Annual certification: This should state that the foreign business partner has not engaged in, and is not aware of, any conduct that violates the FCPA or any applicable laws.
- Re-qualification: The foreign business partner must be required to re-qualify as a business partner at regular intervals, not exceeding a three year period.
Performing due diligence on a proposed foreign business partner is but one of the many steps companies should take before approving a person or entity to represent them overseas in an effort to mitigate FCPA exposure. There are additional steps which a company should employ internally in the foreign business partner review process, some of which have been discussed above. Strong compliance terms and conditions are critical for the management of the relationship going forward. Annual FCPA certifications from high risk third parties can serve as a reminder to a business partner of its anti-corruption obligations and further demonstrate your company’s commitment to compliance. The foreign business partner review committee must certify that the appropriate terms and conditions are in place to protect against an FCPA compliance violation, so that, should a violation occur, the company can extricate itself immediately from doing business with the foreign business partner.
III. After the Contract is Signed — Monitor, Monitor, and then, Monitor
Evaluating FCPA compliance risk by means of risk scoring, performing due diligence on high risk third parties, evaluating the information obtained through such due diligence, and ensuring appropriate compliance contract terms and conditions are all critical components of an effective anti-corruption program. However, they are primarily focused on past and present time horizons. Investigations and risk scoring, in particular, are based on prior bad acts or associations. So how can companies address future risks? The first step is to recognize that the results of a background investigation and the risk scoring that precedes it both have a shelf life; and those events that have yet to happen can have serious implications in terms of future liability. Once a company has designated certain third parties as high risk and decided to maintain those high risk relationships, it should implement some form of continuous monitoring of those relationships, such as the one described below.
In its Deferred Prosecution Agreement (DPA) with the Monsanto Company for FCPA violations, the DOJ provided some guidance on the continuing obligation to monitor foreign business partners. In this DPA, the DOJ agreed, after the initial due diligence and appropriate review were completed on foreign business partners, that Monsanto would implement certain post contract procedures. This DPA provides some insight into the standard of care the DOJ might expect from other U.S. companies in regard to their high risk foreign business partners, including an ongoing monitoring process.
Another way to monitor high risk entities is through rigorous compliance audits at regularly scheduled intervals. It is important to ensure upfront that contracts with foreign business partners allow for compliance audits as most partners are unlikely to voluntarily submit to an audit. Compliance audits should include detailed audits of the foreign business partner’s books and records, with specific attention paid to payments and commissions to agents, consultants, contractors, and subcontractors that have responsibilities that include interactions with foreign officials and contributions to joint ventures. The compliance audit should include interviews with employees, consultants, agents, contractors, subcontractors and joint venture partners. It should also include a review of the FCPA compliance training provided to the foreign business partner.
An effective ongoing monitoring system requires the substantial involvement not only of the business unit most directly involved with the foreign business partner, but also other departments, such as legal, compliance, accounting, internal audit and information technology, which would assist in devising and implementing a system to effectively monitor high risk third parties. The involvement and accountability of these departments is a critical success factor without which the third party compliance program will very likely fail. But it is necessary to provide them with the tools to perform their roles successfully, such as an understanding of the causal factors underlying third party risk and ways to identify and respond to those risks. Of equal importance is an understanding of the ramifications of failing to recognize and respond to the risks posed by certain third parties in terms of lost revenues, criminal and civil penalties and personal liability. Perhaps most important is to engage the senior executives in each business unit in the third party decision making process and for them to demonstrate a willingness to walk away from certain third party relationships if the risks are deemed to be too great.
The management of foreign business partner risk is one of the most critical aspects of an FCPA compliance program. The vast majority of reported FCPA enforcement actions involve bribe payments made by intermediaries, and there’s no reason to think that this trend is going to change. Gone are the days when a middle manager can create a relationship with a new third party on his or her say-so with no oversight. Engaging a foreign business partner needs to be viewed much more like a potential acquisition, with an appropriate expenditure of resources and high level involvement. As with an acquisition, a company must live with the long term consequences of inadequate due diligence. Applying a sufficient amount of rigor to third party due diligence will greatly increase the likelihood that companies will make informed choices that lead to long term, mutually beneficial relationships with their foreign partners.
Thomas Fox is a Houston-based FCPA lawyer. Tom can be contacted through his website www.tfoxlaw.com. Scott Moritz is an executive director with Daylight in its New York office. He provides FCPA/bribery and corruption compliance, international investigations and training, anti-money laundering, forensic accounting and investigative due diligence assignments on behalf of Daylight’s clients.