FCPAméricas Blog

How Much Third Party FCPA Due Diligence Is Enough?

Author: Matteson Ellis

How deep must a company dig when engaging an agent, broker, distributor, supplier, consultant, lawyer, accountant, or other third party? How much third party anti-corruption due diligence is enough?

Unfortunately, there is no precise answer to this question. The levels of fair, reasonable, and adequate due diligence are highly context dependent. As a result, FCPA compliance professionals are prone to advise, “it depends.” They add, “enforcers won’t tell you.”

One colleague has described due diligence as a careful balancing act. On one hand, a company does not want to do too much because it can throttle business. On the other, too little will make it vulnerable. Somewhere in the middle is the safest place. Keep in mind, almost every FCPA enforcement action based on third party payments has involved a company that did no meaningful due diligence at all.

FCPA enforcers tell us in the FCPA Guidance that companies should consider a third party’s qualifications, its business reputation, its relationship with foreign officials, and the business rationale for its use. Due diligence should be heightened when red flags are present. In practice, this means that companies need to conduct reviews to determine issues like whether the third party appears on restricted party databases and watch lists, has owners who are government officials or relatives of government officials, and is a legitimate legal entity.

Above and beyond this, companies should follow some basic principles.

Due diligence should be risk-based. Not all third parties require the same degree of due diligence. A company’s sales agent in Angola will require a deeper level of review than its transportation service provider in Germany. The FCPA Guidance states, “Risk-based due diligence is particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.” In taking a risk-based approach, companies classify their third parties based on factors like industry, country, size, and the nature of the transaction. They apply a tiered system for reviews depending on where a third party falls on the risk spectrum. Within a specific transaction, a company might further refine its due diligence needs depending on specific risk issues that arise.

Due diligence should make sense. The reasoning behind a company’s third party due diligence program should hold up under scrutiny. Not only should it make sense to enforcers, it should also make sense to those charged with implementing it (FCPAméricas has discussed how business units are performing due diligence roles more often now). The more complex the program is, the harder it will be to implement. When due diligence programs are guided by an overriding logic, companies are able to “tell a story” to enforcement officials if something happens to go wrong. One way that companies can demonstrate the reasonableness of their programs is by benchmarking them against what other companies are doing in the same sector or industry.

Due diligence should be applied consistently. If a third party within a particular risk category is subject to an in-country review of its public records, and another third party in the same category is not, such inconsistent treatment could raise questions. Exceptions to an overall rule might be necessary, but the reasoning behind them should be documented.

Due diligence should be recorded. Companies will want to be able to demonstrate their due diligence steps years after a third party is reviewed. To do this, they must keep records of the steps taken and information obtained. They should keep records, not only on the third parties they engage, but the ones they choose not to hire as well. This allows companies to demonstrate that their programs are functioning.

In addition, companies should remember that third party due diligence is only the first step in the process. Safeguards should be included in written agreements and third parties’ activities should be monitored for compliance. Of late, FCPA enforcers have said that continuing oversight of a relationship is one of the most essential elements of an effective compliance program.

The FCPAméricas blog is not intended to provide legal advice to its readers. The blog entries and posts include only the thoughts, ideas, and impressions of its authors and contributors, and should be considered general information only about the Americas, anti-corruption laws including the U.S. Foreign Corrupt Practices Act, issues related to anti-corruption compliance, and any other matters addressed. Nothing in this publication should be interpreted to constitute legal advice or services of any kind. Furthermore, information found on this blog should not be used as the basis for decisions or actions that may affect your business; instead, companies and businesspeople should seek legal counsel from qualified lawyers regarding anti-corruption laws or any other legal issue. The Editor and the contributors to this blog shall not be responsible for any losses incurred by a reader or a company as a result of information provided in this publication. For more information, please contact Info@MattesonEllisLaw.com.

The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

© 2013 Matteson Ellis Law, PLLC

Post authored by Matteson Ellis, FCPAméricas Founder & Editor

Categories: Anti-Corruption Compliance, Due Diligence, Enforcement, FCPA, Third Parties
