Anyone who has a sibling knows that you can get in trouble for the actions of others. For companies, the same principle applies to third-party affiliates.

In fact, more than 90 percent of reported Foreign Corrupt Practices Act cases involve third parties, such as sales affiliates and resellers, acting on the company's behalf, according to the 2012 Ernst & Young Global Fraud Survey.

Conducting due diligence is essential to minimizing risk, but some large, global companies have thousands of third parties, making it difficult to keep close tabs on all of them. These companies need to maintain an efficient third-party due diligence program that can focus on the riskiest business partners operating in the riskiest nations.

While most third-party intermediaries want to do a good job, their risk-reward calculations differ from the ones most direct employees make, says Jay Martin, chief compliance officer and senior deputy general counsel at oilfield services company Baker Hughes. For many employees, engaging in illegal activities could end their careers. That may not automatically be the case for those at third parties acting on another company's behalf. Many are located outside the United States and may not be aware of U.S. regulations or may assume the laws don't apply to them. In addition, the fees they can earn for a transaction may be substantial, prompting some to willingly accept the risks that accompany violations.

Because most companies that engage sales representatives or other third parties stand to make money from these individuals' or entities' efforts, the U.S. government has taken the position that you have some control over them, says Sam Yoon, director of international compliance at General Dynamics, a defense industry contractor. “The Securities and Exchange Commission and the Department of Justice look at these as close relationships that require due diligence and scrutiny.”

Few companies, however, appear to be doing all they can to effectively manage third-party compliance risks. According to a recent FCPA survey by Kroll Advisory Solutions, for example, about 12 percent of respondents said they conduct no due diligence on third parties whatsoever. One-third said they are not able to track payments made through third parties to their intended recipients. And while 99 percent of respondents say they embed anti-bribery provisions within their employee codes of conduct, just 73 percent do so for third parties, Kroll found.

Given that all companies' budgets are limited, their compliance efforts need to focus on the areas most likely to pose the greatest risks. “You can't develop compliance policies and procedures without knowing where the risks are,” says Joseph Spinelli, managing director in the global investigations and compliance practice at Navigant Consulting. This requires taking a hard look at the organization's products, services, customers, the location of its sales and operations, and transactions involving government officials. Operations in higher-risk regions, or those more closely tied to government entities, typically warrant greater scrutiny.

“Don't have one-size-fits-all” third-party due diligence programs, Martin adds. Instead, an organization that engages 2,000 agents might identify the 20 percent likely to present the highest risk and apply more resources to them.

When it comes to assessing the risk of a particular third party, a reasonable step, especially for smaller companies, is to head online and see what information is available on the party under consideration. While a compliance officer can't rely solely on search engines, they can be part of the effort, and may bring to light red flags that warrant further investigation. Yoon, for example, recommends searching the names of the company's owners, along with terms like “fraud,” “bribery,” or “corruption.”

Companies also can order International Company Profiles through the U.S. Department of Commerce. These contain a credit report, a list of key officers and senior management, banking information, and other data. The reports typically run about $1,000, Yoon says.

The ICPs also can be one part of an organization's due diligence process. However, their quality can vary significantly, and the reports are not available for all companies, Yoon notes.

Companies will also collect plenty of information from a third party itself, including: the parent company, the industries in which it works, any affiliations with foreign officials, and any previous bribery or corruption issues. Compliance officers also will want to know how the organization makes payments to others and investigate any problems, Spinelli says. For instance, the fact that a third party is doing business in China but wiring payments to the Isle of Man should be a red flag, he adds.

Third-party due diligence isn't just about eliminating risks; it's also about demonstrating to government regulators that you have taken the appropriate steps. The more information you can obtain before working with a third party, the more you can show the government, if problems arise in the future, that you've taken reasonable steps to ensure your partners do business in a way that upholds the laws, Spinelli adds.

Companies should provide ethics and compliance training for third parties, just as they do for their own employees. Third parties should understand the laws that apply to your company, as well as your organization's code of conduct.

Of course, simply imparting information isn't enough; you want some assurance that the third party will abide by the parameters you've established. “They should agree that anything they do on your behalf is done in accordance with the company's business ethics and applicable laws,” Yoon says. The agreements should allow the company to terminate the arrangement if it comes across reason to believe the third party violated a law or the code of ethics, he adds.

Ongoing Monitoring

Third-party due diligence, like most compliance initiatives, requires a sustained effort. The questionnaires third parties complete should be updated quarterly, since the parties' risk profile can change. Annually, companies should obtain certificates of compliance with their code of ethics.

The regulatory agencies also expect companies to have some sort of audit right with third parties, Yoon says. The right would be triggered if the company develops a reasonable belief that some improper behavior took place.

One of the challenges most companies face, especially smaller ones, is the need to work within tight budgets. At the same time, compliance professionals with smaller firms can't assume that their risks are significantly lower than they are for larger firms. “It just takes one third party” engaging in illegal actions to put a company at risk, notes Spinelli.

Another obstacle can be resistance from both third parties and the individuals within the company who want to engage them. Some third parties may feel that they're being asked to provide information that they should be able to keep quiet, Yoon notes.

If a party won't complete the questionnaire, the company has to decide if it's a deal-killer, Martin says. For many companies, it is, he adds.

RAPID-GROWTH MARKET RISK

Below, Ernst & Young discusses the challenges facing companies as they expand into rapid-growth markets.

As companies expand their businesses in rapid-growth markets, they are confronted by a wide range of risks that must be actively managed. A majority of our respondents have taken the important first step by acknowledging the challenges. Nevertheless, a significant global minority of one in five respondents do not recognize that new markets bring new risks.

Managing the risks arising from third parties

When entering new markets, the need for local contacts and procedural knowledge leads many companies to engage the support of third-party agents or business partners. Such relationships can expose companies to significant ABAC compliance risks.

There have been many publicized enforcement actions by regulators which highlight the significant costs to companies of breaches by their third parties. In fact, more than 90 percent of reported FCPA cases involved third-party intermediaries.

Inconsistent level of recognition of the risks of investing in new markets

Source: Ernst & Young.

Pushback also can come from within. A sales manager, for example, may be focused on making his or her numbers, and could see engaging a rep as critical to reaching that goal, says Yoon. He or she won't want due diligence efforts to possibly jeopardize that goal.

When the resistance comes from inside the company, you “have to decide as a company who has the power to potentially subject shareholders to a huge liability,” by shortchanging the due diligence process, Martin says, adding that even the CEO should not be able to engage a third party without adhering to the guidelines. “As an officer or board, you have a fiduciary duty to shareholders to not allow any one person to have that kind of power.”

In fact, experts say one of the biggest mistakes when it comes to third-party due diligence is looking for shortcuts or approaching it half-heartedly. If a third party violates a law acting on the company's behalf, and the company made only a token effort to investigate the party before engaging it, the government isn't going to be sympathetic, Martin says. “They'll think you've been totally derelict.”

Moreover, the idea that smaller companies get a pass is a potentially dangerous misperception. “The message (from the government) is clear: If you do business globally, we don't care how many people are in your organization or the number of third parties representing you. You have an obligation to do due diligence,” Spinelli says.