No company is an island unto itself. Vendors, distributors, suppliers, sales agents, and other third parties are all part of an extended “family” that will expand its risk profile.
Regulators, in the United States and abroad, are increasingly holding companies responsible for their partners’ problems, with the sins of sub-contractors visited upon the prime. Domestically, the government’s growing focus on money laundering, corruption, bribery, and violations of the False Claims Act enhances the risk of mammoth fines, lost contracts, and personal liability.
A baseline strategy for minimizing third-party risks is the use of compliance and ethics clauses in the contracts that establish ground rules for a business relationship. Drafting effective clauses, and ensuring that everyone adheres to them, was the focus of a recent panel discussion during the annual meeting of the American Bar Association’s Business Law Section in Boston.
The process is not as simple as merely laying out policies on paper. They need teeth, specificity, context, and enforceability.
“One of the really difficult things is how to get your global partners to buy into the fact that they need to comply with some of the United States ethics and compliance laws. We have had particular difficulty when a company puts in very broad language: ‘You will comply with all U.S. laws and regulations,’ ” says Thomas Coulter, head of the law firm LeClairRyan’s government contracts practice area. “Their response, ‘I’m not doing that and I don’t know what they are.’ ”
A particular concern for government contractors is escalating enforcement of the False Claims Act, a law dating back to the Civil War that imposes liability on those who defraud governmental programs. “The FCA has really grown and morphed into the government’s secret weapon,” Coulter says.
Government contractors have mandatory disclosure obligations whenever they become aware of credible evidence that an FCA violation (or other ethical lapses or law-breaking) has occurred. “Part and parcel to that is that you need to implement a rather extensive set of internal controls, so that you have an ethics program and a mechanism for employees to report any impropriety they see,” Coulter says. An expansion of the FCA in 2009 makes the requirement even more problematic.
The law now includes a qui tam provision that allows non-governmental parties, including employees, to file actions on behalf of the government and receive a portion of any recovered damages. “That’s really where your company starts to see the FCA in action,” Coulter says.
The end result is costly, up to $1 million or more in investigation, document collection, and compliance costs, he says. And, aside from actual damages, “it’s the penalties that are the killer.”
He cites a recent case where the settlement included $14 million in damages, but also penalties in excess of $350 million because every invoice that contained a request for payment that the government considered invalid added upwards of $11,000 to the total.
Preventing this expensive problem ties back to the need for ethics and compliance clauses in contracts, extending in-house best practices throughout the supply chain.
“Really, all you can do is have a robust compliance policy and constant training to make sure you have the kind of environment where employees feel that they can talk to their supervisors and utilize the hotline you have to set up,” Coulter says. “You want supervisors who know what the issues are and are constantly monitoring problems. The best thing you can do is know you have a problem early on. You may be in a position where you need to start an investigation, talk to other employees, and get to the government before the employees do.”
What are the goals that guide ethics and compliance clauses? Government expectations help establish the template. For example, guidance on the Foreign Corrupt Practices Act issued by the Department of Justice and Securities and Exchange Commission details expectations for third-party due diligence that include exercising audit rights as needed and obtaining annual compliance certifications.
Suggested items to include in a contract:
Certifying that no employees or their close family members had been government officials in the past three years;
establishing audit rights;
the use of an independent monitor;
prohibiting bribes and the presentation of anything of value to a government official;
demanding accurate books and records and on-demand compliance certifications;
and the right to terminate the agreement and recall funds.
Clauses may also require disclosing business and personal relationships, conflicts of interest, campaign contributions, ongoing or past internal and government investigations, and private settlements.
The ABA panelists suggested that clauses be crafted after a risk-based assessment that addresses the following questions:
Do you need to even use a third party?
Where is the third party located and what will it be doing for your business?
How much due diligence has been executed on the entity?
How closely will your organization interact with the third party?
What are the applicable laws?
What is the length of your relationship?
What risk will audit rights mitigate and who will conduct the audit?
What is the scope of an audit, and what will you do with any findings?
Should you consider required ethics and compliance training rather than inserting a compliance clause?
Questions must also be asked before agreeing to accept these sorts of contractual clauses. Do you have the means to conduct the due diligence necessary to make the certifications? Do the disclosures expose sensitive business operations, investigations, or settlements? What will the cost of complying with the requirements be? How invasive and cumbersome will the audit be?
Don’t expect that size matters when it comes to government enforcement or the need for compliance clauses. “Many companies incorrectly think they are too small and that FCA investigations only go after the Boeings and Lockheeds of the world,” says Margaret Cassidy, founder of Cassidy Law, a firm that specializes in the compliance risks of operating in a global marketplace.
Training is an important consideration and a demand that can be passed to, or facilitated for, third parties, says Fernanda Beraldi, corporate counsel and ethics and compliance director, Latin America, for Cummins Inc.
She recommends “robust clauses to require that employees, distributors, and sales agents” receive necessary compliance training and that the educational programs are certified on at least an annual basis.
Coulter recommends “pre-training,” and advising a potential partner that “these are the things you are going to need to do if you want to work with us.”
“From an outside counsel and CCO’s perspective, it is always easier to say, ‘Let’s just have one standard and one standard only, and we will make it the highest ethical standard.’ Practically speaking, that doesn’t work,” says Edwin Broecker, a partner with law firm Taft Stettinius & Hollister.
Avoid the “one-size-fits-all mentality,” says David Ackerman, chief compliance officer for Sound Income Strategies, a registered investment advisory firm. “That is something everybody tries to default to because it is cheaper, but it is also a way to get into a lot of trouble. Really take a step back, look at the FCA, look at the FCPA, look at Dodd-Frank, and try to generate [clauses] that are consistent across all of these regulations. Then, do your best to train, train, train. The more training you do the greater the likelihood of compliance and the easier it is going to be to point to a specific bad actor as opposed to a systemic problem at the company.”