FCPAméricas Blog
How Can I Control My Third Parties?
2.26.2014
Anti-corruption compliance is an increasingly important topic in Latin America, and companies in the region are starting to ask the question – how can I control my third parties? Sometimes, for FCPA practitioners, it is good to go back to basics.
Under the FCPA, liability can be created when companies or their officials make payments indirectly to foreign officials through agents, consultants, distributors, lawyers, accountants, customs brokers, or any other intermediary. Liability arises if the company or individual knows that the third party will make the payment, authorizes the third party to do so, consciously disregards red flags suggesting the possibility of corrupt payments, or (for publicly listed companies in the United States) fails to put in place controls designed to prevent third party bribes.
FCPAméricas has discussed third party due diligence in the past, such as how to manage due diligence pushback in Latin America (here), important provisions for contracts with Latin American third parties (here), and how to transfer third party due diligence responsibility to business units (here).
Here is an overview of steps that companies might take when developing due diligence and monitoring strategies for third parties:
- Assign a business sponsor tasked with overseeing due diligence and monitoring of the third party who is responsible for the relationship and recognizes the nature of FCPA risks.
- Consider and document the business justification for use of each third party.
- Request references from the third party’s customers and business associates.
- Require the third party to complete a questionnaire to obtain information about its beneficial ownership, license and registration statuses, business history, history of criminal or other unlawful activity, business profile, qualifications, internal compliance or ethics program, and financial health.
- Obtain documentation from the third party, such as relevant bank documents, background employment information from relevant third party personnel, incorporation documents, licenses, and permits.
- Conduct integrity due diligence on the entity by performing on-line searches and reviews against international and local denied party lists.
- Commission an integrity due diligence review from a professional provider that can be conducted with varying degrees of depth, from on-line searches to field investigations and verifications.
- Require the third party to complete an annual anti-corruption compliance certification.
- Establish and document the reasonableness of the third party’s fees or compensation structure based on market rates – and, in higher risk situations, seek fixed-fee or hourly-based fee arrangements.
- Establish a work plan or similar proposal that describes in detail the specific services the third party will provide.
- Obtain a copy of the third party’s compliance policies, or require that the third party adopt an anti-corruption compliance program itself if it does not already have one.
- Create contractual representations, warranties, and procedures that can include anti-corruption compliance commitments, audit rights, standards of books and records to be maintained, duration of recordkeeping, prohibitions on use of subagents, termination clauses, and prohibitions or reimbursement processes for certain activities like gift giving and hospitality.
- Conduct a periodic review of the third party’s books and records related to its services for your company.
- Require prior notice for the third party’s contact with government officials.
- Conduct compliance training of relevant third party personnel.
- Conduct interviews with third party personnel to understand its risk profile and clarify any outstanding factual uncertainties related to the integrity due diligence review.
The exact safeguards that a company applies will reflect the levels of risk created by each third party. This requires a risk analysis. Determinations on how much due diligence is enough are guided by a series of principles, as discussed by FCPAméricas here.
If you have other safeguards to add to this list, please include them in the Comment section of this post or e-mail them in.
Here is a selection of other posts that can guide your third party due diligence and monitoring program:
The Master List of Third Party Red Flags
Avoiding Pitfalls in Audit Rights Clauses in Latin America Third Party Contracts
Eli Lilly’s Distributor in Brazil: The Non-Obvious FCPA Risk
Third Party Red Flags and Latin America
The opinions expressed in this post are those of the author in his or her individual capacity, and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author`s employers, other contributors, FCPAméricas, or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.
© 2014 FCPAméricas, LLC
Post authored by Matteson Ellis, FCPAméricas Founder & Editor
Comments
February 26th, 2014 at 10:19 pm
There is a lot of due dilligence there! To manage all of the questionnaires, attestations, evidence gathering, reviews and audits for all third parties you also need a centralised compliance monitoring platform with the flexibility to adapt to a changing regulatory landscape. You can find one at http://www.complianceexperts.com, with all the functionality you need, out of the box.