Third-Party Due Diligence—Not Just a One Time Thing

^[1]This post was authored by Leah Moushey, an Associate at Miller & Chevalier Chartered.

It is no secret that a company can be held liable under the FCPA for misconduct carried out by third parties. Indeed, the majority of corporate resolutions involve the participation of agents, consultants, distributors, lawyers, accountants, or other third-party intermediaries. Under the FCPA, companies can face liability for “willful blindness” or “conscious disregard” of red flags associated with third parties, even if no actual knowledge of misconduct exists.

What may be lesser known, however, is that a company’s responsibility to assess third-party risks does not cease once a third party is cleared through an initial due diligence process and on-boarded. On the contrary, initial due diligence is merely the first step in an ongoing monitoring process that should continue as long as the company’s relationship with the third party exists. For example, the DOJ and SEC’s Resource Guide to the U.S. Foreign Corrupt Practices Act states that companies should “undertake some form of ongoing monitoring of third-party relationships.” Similarly, the International Organization for Standardization’s standard on Anti-Bribery Management Systems, ISO 37001, recommends that companies update their due diligence on higher-risk business associates “at a defined frequency so that changes and new information can properly be taken into account.”

A company’s approach to monitoring its third-party relationships will vary depending on the nature of the relationship and the specific risks posed. The following list of possible strategies may help guide such an approach:

Document work performance. A company should make sure that any work carried out by a third party is properly documented prior to paying for services. By documenting the work performed, a company can ensure that services are rendered pursuant to the relevant contract, thereby reducing the risk that payments will be used for unauthorized purposes.
Ensure that compensation is commensurate with services provided. It is important for a company to continue to stay abreast of the rates for services in the markets where it operates to ensure that the compensation requested by a third party is appropriate based on the type of services provided. Obtaining excessive compensation is a common way for third parties to facilitate improper payments. If a company understands the markets in which it operates, it will be better situated to identify requests for inflated payments, which, in turn, can help to reduce corruption risks.
Utilize ongoing interactions with third-party representatives to communicate compliance expectations. Company representatives should utilize every opportunity to remind third parties of the company’s commitment to anti-corruption compliance. Whether by making time to periodically discuss the company’s anti-corruption policies with third-party representatives or by attending compliance trainings alongside third-party personnel, reemphasizing a company’s commitment to its anti-corruption efforts on a frequent basis can help to put third parties on notice that misconduct will not be tolerated.
Obtain annual compliance certifications. Another way to ensure that a third party remains aware of a company’s compliance expectations is to request that it complete an annual compliance certification. Certifications can document that the third party understands the rules, has not paid a bribe, and commits to compliance going forward.
Update due diligence periodically. For longer term third-party relationships, a company should adopt procedures so that the appropriate level of due diligence conducted remains current. Periodic due diligence updates allow for the detection of changes in corporate structure, ownership, reputation, and/or services provided—all of which may impact whether a company will continue to work with a given third party. The frequency in which due diligence should be updated will vary depending on the risks associated with the particular third party.
Exercise audit rights, as needed. A company may consider securing audit rights to more closely monitor the activities of third parties. However, exercising audit rights on every third party can be burdensome, especially for companies that work with a large number of third parties. Therefore, companies should adopt a risk-based approach to exercising audit rights, focusing on third parties that have high anti-corruption risk profiles (e.g., third parties that regularly interact with government officials).

Report third-party red flags. Last, but certainly not least, a company should take steps to ensure that its employees are able to identify third-party red flags and know where to report them. They should regularly touch base with business personnel who oversee high risk third parties to ensure no red flags have arisen. Active reporting of third-party red flags is a sign that a company’s compliance program is working and should be encouraged. A list of third-party red flags can be found here ^[2].

The opinions expressed in this post are those of the author in his or her individual capacity, and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author`s employers, other contributors, FCPAméricas, or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.