As regulators like the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) gear up to require companies to understand more detailed information about their third parties, experts in third-party risk management (TPRM) are being asked to better recognize the risks posed by their company’s partners and vendors.

Third parties pose great risks for violations of the Foreign Corrupt Practices Act, said Charles Duross, partner at law firm Morrison Foerster and former head of the FCPA Unit within the DOJ’s Fraud Section, as part of a panel Wednesday at Compliance Week’s virtual TPRM and Oversight Summit. Ninety percent of all FCPA cases involve third parties, he said, usually as part of a scheme to make bribe payments look like legitimate business expenses or to provide layers between the bribe and bribe-taker.

The recent $327 million coordinated settlement Swiss technology company ABB reached with the DOJ, SEC, and other global agencies contained FCPA lessons for compliance departments seeking to learn how to guard themselves against bad actors within their own firms.

The ABB case involved third-party subcontractors that were relatively new and had little or no experience providing the services they were purported to provide. They were recommended by and connected to an official at Eskom Holdings, the South African utility for which ABB was bidding for work. The SEC said the official received more than $37 million in bribes from ABB via the subcontractors in exchange for providing confidential information on other bids to ABB.

Some countries, like South Africa, require or encourage partnerships with local companies. That requirement can bring with it added risks for doing business in an already risky jurisdiction, Duross said.

“Maybe you don’t know the landscape and you’re looking for some guidance,” he said. Still, the arrangement should raise red flags.

Michael Pacella, vice president, global chief ethics and compliance officer at Covetrus, a Maine-based veterinary supply company, said once an FCPA violation has been identified, the DOJ is looking for the strength of a company’s response. ABB conducted a root cause analysis of its bribery scheme, fully cooperated with the DOJ’s investigation, fired or disciplined employees involved in the wrongdoing, and made a substantial commitment to improving its compliance program.

These measures helped offset two previous FCPA violations by ABB, in 2004 and 2010.

A company’s response “doesn’t require perfection,” Pacella said, but it should demonstrate a high-level commitment to addressing the wrongdoing and preventing future violations.

Another key to a company’s response is being able to provide proof of steps it took to check out a certain third party, particularly on request of a regulator or law enforcement.

“You should always be guarding against the possibility someone is a bad actor,” said Duross. “Being able to demonstrate your due diligence, that you did everything you were supposed to do,” will place your organization in a dramatically different light, he said.

“You want proof you were a victim, not a coconspirator,” he said.

That also means records should be stored so that they can be found when necessary, even if there has been turnover in the department that generated them.

One audience member wanted to know how companies should respond when one of their third parties is subject to a large FCPA enforcement action.

Pacella, who once worked in compliance at a medical device manufacturer under a deferred prosecution agreement, said it is “fair and expected” a company’s partners would be asking these questions. “You’d want to know if the conduct at issue is connected to the business relationship that you have with that company,” he said.

Speaking from experience, he said, a company’s compliance program is strongest when it comes through an enforcement action.

Duross added, “The best time to work with a company like that is the day after they resolve their matter with the DOJ. They have been under incredible scrutiny, so their (compliance) program is probably in pretty good shape.”

As part of its proposed climate-related disclosure rule, the SEC is preparing to ask public companies to understand and report on the greenhouse gas emissions of their third parties, called Scope 3 emissions.

“More regulation in this area is welcome,” Duross said, as every company seems to be pursuing environmental, social, and governance (ESG) goals a little differently now.

The SEC’s proposed climate-related disclosure regulation, he said, would provide “consistency and certainty of expectation” for companies’ ESG strategies, as well as for how they measure and report on the environmental performance of their third parties. He said he expected the rule to be amended as companies point out difficulties they face in complying with the mandate.