As former chief of the Securities and Exchange Commission’s Foreign Corrupt Practices Act (FCPA) Unit, Kara Brockmeyer knows what regulators are looking for when they assess a company’s relationship with its third parties.
Brockmeyer, now a litigation partner at Debevoise & Plimpton and keynote speaker at Compliance Week’s TPRM Virtual Summit on Thursday, stressed the need for vetting and monitoring “throughout the lifecycle of the relationship,” not just when the third party is onboarded. This falls in line with recent guidance from the Department of Justice (DOJ).
It is common for third parties to be hired initially to perform low-risk tasks that are not core to a company’s ability to function, she said. But during the pandemic, third parties have often been hired under duress, when other vendors failed to deliver. In some cases, third parties that had been onboarded and vetted at a much lower level of due diligence—say, with a nominal check that their address, ownership, and banking information on file were correct—have been thrust into more important roles.
“They now have a much broader portfolio, but it’s not commensurate with the risk and the amount of business they represent,” Brockmeyer said. The DOJ and other regulators will ask, “How did you miss the red flags about this third party?”
“They’ll really examine your processes,” she said.
Third parties that have access to a company’s data; that operate in countries with higher risk of bribery, anti-money laundering, or sanctions issues; or that have prominent roles in a company’s supply chain or finances should be monitored more closely, Brockmeyer advised. Checking in with them once a year probably isn’t good enough, she said.
“The amount of due diligence varies dramatically on the amount of risk that a third party represents to the company,” she said. Brockmeyer suggested the pandemic has created a good opportunity “to automate your monitoring system as much as possible.”
While government agents are likely to view pandemic-related fraud in a company’s supply chain with some leeway, she said, that leeway only goes so far.
The best defense, Brockmeyer noted, is to document what your company did to vet those third parties, “so you can show you did the best you could under the circumstances.”
As part of an investigation, regulators will also examine how well company data is shared across departments, including compliance.
“Over the past few years, there has been a lot of encouragement (from regulators) for compliance to take advantage of data analytics,” Brockmeyer said. They’ll want to know what data resources are available within a company and whether compliance has access to them.
The DOJ and other agencies, she said, have “put companies on notice” that it is no longer acceptable for their data to be siloed off. The data needs to be shared with compliance officers, so they can understand the context in which their employer acted a certain way, made a particular decision, enacted a new process, or pursued a new line of business.
Similarly, investigators will apply the same thinking when examining how well a company’s compliance program worked (or did not work) in picking up the bad behavior under investigation; how well the compliance department is funded, relative to the company’s size and the risks it faces; and whether compliance has the authority to take action.
Fourth parties and other risks
Brockmeyer said monitoring fourth parties—vendors and subcontractors hired by your third-party partners—is a shared responsibility.
“Not only do you need to know who their third parties are, but you need to place the obligation on your third parties to abide by the same obligations you have with that third party,” she said.
During the question and answer period, one conference attendee asked Brockmeyer what companies can do when trying to assess a private company, perhaps one in an area of the world without much transparency.
After exhausting all public sources of information, Brockmeyer said, it may make sense to hire an investigator to determine if the company has acted in concert with a foreign government or may be owned by a company on the U.S. sanctions list.
“Or you may decide the risk is too high (to do business with the company), because you don’t effectively know who you’re dealing with,” she said.