Assessing risk on third-party relationships

by CAROLYN LINDSEY, TRACE International Inc 

This article outlines the elements of the due diligence process in assessing third-party relationships.
The requirement under international anti-bribery regimes that companies conduct due diligence on their overseas third parties is clear. Recent enforcement actions brought by the U.S. Department of Justice (DOJ) highlight the importance of this requirement. Companies such as Baker Hughes and Titan received such large fines in the US in part because they conducted no due diligence on the overseas intermediaries that they relied on to help promote their business interests abroad. 
Government contractors must be especially vigilant when using third-party sales agents to market their services to overseas governments since they can be held liable for any actions of the third party that run afoul of one of a number of anti-bribery laws. In order to mitigate this risk, companies generally put their overseas sales agents through a rigorous vetting process so that they can determine whether there is any likelihood that the third party will make improper payments to government officials to win a contract.
Even when entering into commercial relationships with third parties providing other types of services, companies should have some knowledge of the third party’s background and reputation. In the US, the DOJ has made it clear that it is willing to look beyond the types of third-party relationships that were previously considered ‘high risk’ to find liability with types of third-party relationships that were previously considered to be lower-risk or even risk free. Before the InVision case, most companies believed that entering into an arms-length relationship with a distributor reduced or even eliminated the risk of vicarious liability for that distributor’s violations of the U.S. Foreign Corrupt Practices Act (FCPA). The $800,000 civil penalty imposed on InVision as part of its FCPA settlement with the DOJ and a subsequent $65,000 fine imposed on one of its former senior executives for related charges proved otherwise.
The need to conduct due diligence on third-party relationships, and government enforcement agencies’ expansive view of the types of relationships that require due diligence, can leave companies struggling to determine how much due diligence is necessary. When the potential universe of third-party relationships numbers in the thousands, and corporate resources are limited, companies are forced to make decisions that could potentially pose anti-bribery compliance risks. Is the same high-level due diligence required for all types of relationships? What relationships really do need to be vetted? Do vendors and suppliers pose a risk? Can the company assess the risk of each relationship to determine how much due diligence is necessary?
At least in the US, enforcement agencies have indicated verbally that risk assessment is appropriate when determining how much due diligence is necessary on various third-party relationships; however, additional guidance has not been forthcoming. TRACE recently conducted an in-depth, four-month ‘best practices’ project with its member companies that resulted in guidelines that companies can use when assessing the risk posed by a third party. While there will be considerations that are industry specific, company specific and even deal specific, these guidelines provide a basis for a company’s tiered approach to due diligence on third-party relationships.
Identifying third-party relationships
As stated above, there is an expectation that companies should conduct due diligence on a broader range of third-party relationships than previously believed. While most companies understand that their sales representatives who market products to a foreign government on a commission basis require a high level of due diligence, companies often question the need to conduct due diligence on other types of relationships.
Companies should consider performing at least some due diligence on the following relationships: marketing consultants, offset consultants, subcontractors, freight forwarders, customs brokers, resellers, vendors, accounting firms, public relations firms, law firms, joint venture partners, teaming partners, real estate agents and suppliers.[i]
Assessing the risk
Determining the risk level of a third party is not always straightforward. Sales representatives that are paid on a commission basis require a high level of due diligence, but what about customs brokers and freight forwarders? Those relationships can pose significant risk, as many companies have recently discovered; however, few companies are conducting due diligence on these relationships.
The following are some of the factors that companies can use to determine the risk posed by various third-party relationships:
  • the purpose for which the third party is being retained;
  • the nature and frequency of contact with government officials;
  • the amount and type of compensation that the third party receives; and
  • sales volume and value.
Third-party relationships that pose a high compliance risk should be vetted using a first tier due diligence review; those that pose a lower risk can be vetted using a second tier, or more streamlined, due diligence review.
A tiered approach to due diligence
Once a company has determined the risk associated with the retention of various third parties, it then needs to determine how to approach due diligence. Given that resources are often limited, it is unlikely that most companies will be able to conduct a high-level due diligence review on every third-party relationship. Instead, they can divide third-party relationships into various groups with different due diligence requirements. For example, based on the risk assessment described above, a supplier or vendor would most likely require less due diligence than the standard commission sales agent, while a potential joint venture partner would most likely require increased scrutiny.
Certain aspects of a robust due diligence program should be used no matter how much risk an intermediary appears to pose. Companies should have a reasonable justification for any third-party relationship that they enter into. They should determine the ownership of any entity with which they have a third-party relationship to make sure that they are aware of any government ownership. In addition, companies should ask all intermediaries basic compliance questions and should conduct a media search.
A ‘best practices’ first tier due diligence program requires intermediaries to provide audited financial statements or a financial reference, whereas self-certification of financial stability would probably suffice for lower-risk intermediaries. A personal interview is necessary for third parties that pose a higher FCPA compliance risk, but may not be necessary for a low-volume supplier.
Ensuring an adequate review
It is important for companies to remember that even third parties that are initially considered low risk can move into the high risk category based on information that is uncovered as they proceed through the due diligence process. Companies should move these third parties to a first tier due diligence review in order to ensure that all red flags are resolved.
A tiered approach to due diligence should not be used to push higher risk intermediaries through an inadequate due diligence review in order to decrease the time it takes to bring them under contract. Rather, it should be used to enhance a company’s compliance program by increasing the universe of third parties that undergo some form of due diligence. 
Carolyn Lindsey,
Attorney and Director of Member Services,
TRACE International, Inc., a non-profit membership association helping companies to raise their anti-bribery standards.


[i]. This list is merely illustrative and is not meant to be an exhaustive list of every third-party relationship that could pose an anti-bribery compliance risk.