Building third party FCPA due diligence programs can be a daunting task. Reviewing all consultants, agents, distributors, suppliers, and other third parties is often overwhelming for companies with thousands of such relationships. Making sure you have dug deep enough when vetting entities is an uncertain exercise. Getting employees to take seriously the need to consider corruption risks before establishing new relationships can be difficult. FCPAméricas has previously discussed these issues here [1] and here [2].
One approach to third party due diligence that is gaining steam among larger companies involves moving responsibilities from legal and compliance departments to business units. Putting commercial and sales teams in charge can address many common challenges.
For one, this approach creates an efficient way of managing large numbers of third party relationships. Relying on the chief compliance officer to vet all third parties can be impractical, so making the business units responsible for basic due diligence helps spread responsibility. It frees up legal and compliance to focus on the more complex compliance issues.
Business personnel are often the closest to the third parties, making them better positioned to obtain information about the entity and walk it through the review. Business units also tend to take the process more seriously when they are required to own it.
Moreover, companies are finding that they can reduce overall risks when business teams are put in charge. This is because business units often choose to use fewer third parties when they know doing so will involve issuing questionnaires, signing certifications, and requesting audit rights in contracts. They think twice about new relationships when they are forced to make the business case for them. For example, Siemens told FCPAméricas in an interview [3] that it reduced its sales agents from 2600 to 1700 when it reviewed them for compliance in 2007. Of the 900 who were dropped, only 20 were due to compliance concerns. The others were simply not needed for the business and they unnecessarily increased FCPA risks.
There are potential downsides to relying on business units to conduct due diligence. Meaningful reviews might not happen and corruption risks might remain. Companies can address this in the following ways:
Implement procedures. Companies can establish procedures for categorizing third parties based on risk, and business personnel can conduct varying levels of review based on the third party’s category. Standardized forms for questionnaires, certifications, and contract clauses can be made available. The more automated the processes, the better.
Train on red flags. Companies should use FCPA compliance trainings to ensure that business units understand common red flags that arise when dealing with third parties. FCPAméricas has discussed third party red flags in Latin America here [4].
Make guidance available. Business teams should feel comfortable seeking guidance from compliance and legal departments on due diligence matters. If a third party is pushing back on audit rights, the legal department can intervene. If a flag is “pink” rather than “red,” the compliance department can offer its perspective. Business units need to know that they have support at every step.
Conduct regular audits. If business units know that their third party due diligence efforts will be audited, they will be more likely to take them seriously.
The FCPAméricas blog is not intended to provide legal advice to its readers. The blog entries and posts include only the thoughts, ideas, and impressions of its authors and contributors, and should be considered general information only about the Americas, anti-corruption laws including the U.S. Foreign Corrupt Practices Act, issues related to anti-corruption compliance, and any other matters addressed. Nothing in this publication should be interpreted to constitute legal advice or services of any kind. Furthermore, information found on this blog should not be used as the basis for decisions or actions that may affect your business; instead, companies and businesspeople should seek legal counsel from qualified lawyers regarding anti-corruption laws or any other legal issue. The Editor and the contributors to this blog shall not be responsible for any losses incurred by a reader or a company as a result of information provided in this publication. For more information, please contact Info@MattesonEllisLaw.com [5].
The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.
@2013 Matteson Ellis Law, PLLC