Your corporate compliance program requires all third parties to be certified through a rigorous five-step process that is renewed every two years. But what happens during the interim period? If you are not actively monitoring your third parties at all times, you could be setting the organization up for a Foreign Corrupt Practices Act (FCPA) violation.
Consider these three examples:
- Let’s say you have assured yourself that your third-party agent does not have any politically exposed persons as owners, beneficial owners, or principals. You’re confident of this fact at the start of the relationship, but are you monitoring it via public data resources on an ongoing basis? If you’re not, what happened to Hitachi in South Africa about a decade ago could happen to you. In that case, Hitachi’s third-party agent brought on board a member of the African National Congress and transformed the nature of the relationship, which ultimately led to an FCPA enforcement action.
- Beyond a change in ownership or in the principals, what happens if there is a change in the commission rate paid to a previously approved third-party agent? Consider Hewlett-Packard and its 2014 FCPA enforcement action. One of the three bribery schemes uncovered at the company occurred in Mexico, where HP-Mexico wanted to use a corrupt agent on a deal with Pemex because he had a very close relationship with the Pemex official who would be making the decision on the contract. HP-Mexico even signed a contract with this agent whose description of services included an “influencer fee,” for which he would receive a 25 percent commission. This agent apparently could not meet the company’s due diligence requirements, would not accept its mandatory commission rate, or both. Whatever the reason, the corrupt agent was not approved as an agent on the Pemex deal. So HP-Mexico simply sub-contracted this agent to an existing, previously approved HP channel partner. HP-Mexico then said it needed to raise the commission rate of this channel partner from 1.5 percent to 26.5 percent because this channel partner was now “managing discounts with Pemex,” which, not so coincidentally, this channel partner had never done. Because this channel partner was previously approved by compliance, the request for an increase in commission rate was never submitted to compliance for approval.
- Now consider this scenario on a much grander scale, as outlined in Panasonic Avionics’ 2018 FCPA enforcement action. The company had 13 corrupt agents in its Asia region who had engaged in bribery in the past and could not pass due diligence scrutiny under the company’s compliance regime. So what did the employees in its Asia region do to get around this problem? According to the deferred prosecution agreement, after these corrupt agents were formally terminated by the company, Panasonic Avionics employees secretly continued to use the agents by having them rehired as sub-agents of a previously approved third party, which had passed Panasonic Avionics’ due diligence checks. Through this fraudulent process, Panasonic Avionics employees hid more than $7 million in payments to at least 13 sub-agents, which were used to facilitate bribery and corruption. Like Hewlett-Packard’s, the Panasonic Avionics compliance function had no mechanism to detect or prevent this subterfuge, such as effective internal controls over the lifecycle of third parties within its organization. At Hewlett-Packard, there were no internal controls in accounting, finance, or accounts payable that could have alerted the compliance function when a previously approved third party had its commission rate increased by 25 percent. In addition, at Panasonic Avionics there was apparently no red flag raised when a previously approved third party’s total commission payments jumped more than $7 million in one year.
There must be ongoing monitoring, communication, and functioning internal controls of third parties. The compliance function should have visibility into internal controls around third-party payments. If there is a big increase in a commission rate, it should be investigated before it is approved. If there is a spike in annual commissions paid, it should be investigated after the fact. And, as always, document everything!