Guidelines and Red Flags for Third-Party Due Diligence
As global anti-corruption enforcement continues to gain steam, regulatory agencies are increasingly turning their microscope to third-party affiliates.
Today’s companies don’t have the luxury of simply worrying about their own compliance. They’re also responsible for ensuring their business associates comply with anti-corruption laws.
Considering that 44 percent of business leaders increased their number of suppliers last year and 70 percent were concerned those suppliers weren’t doing enough to minimize risk – compared to 52 percent in 2013 – third-party compliance has become a major area of risk for business leaders. Many have been forced to drastically step up their efforts in performing due diligence on third-party affiliates.
“Third parties, including agents, consultants, and distributors, are commonly used to conceal the payment of bribes to foreign officials in international business transactions,” says the U.S. Department of Justice in its resource guide for the Foreign Corrupt Practices Act (FCPA). “Risk-based due diligence is particularly important with third parties and will also be considered – in assessing the effectiveness of a company’s compliance program.”
Two of the top three anti-bribery and corruption challenges faced by U.S. and UK business leaders involve managing business relationships with third parties: auditing third parties for compliance and performing effective due diligence on foreign third parties. As global compliance expert Kelvin Dickenson says, “the risks of insufficient third-party diligence have never been greater.”
Despite the elevated risks, however, may companies have lagged behind in their due diligence efforts. Of companies with formal anti-bribery and corruption polices, two in five fail to communicate their policies to third-party agents, vendors, brokers or suppliers, while three in five companies whose compliance programs include anti-corruption training don’t require their third-party representatives to participate.
Furthermore, nearly two-thirds of businesses with “right to audit” clauses in their third-party contracts have yet to perform an audit, and half of U.S. companies drop the ball when it comes to obtaining periodic compliance certifications from third parties.
To prevent legal entanglements and devastating penalties moving forward, a significant number of businesses will need to become more vigilant when it comes to performing third-party due diligence.
Guiding Principles for Third-Party Compliance
The degree of third-party due diligence required can vary depending on the industry, size and nature of the transaction, and past relationship with the affiliate. To help companies develop baseline standards for due diligence, the U.S. Department of Justice and the Securities Exchange Commission have provided some guiding principles that always apply.
Qualifications and associations: A company should “understand the qualifications and associations of its third-party partners, including its business reputation and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”
Business rationale: Companies should also have an understanding of the business rationale for including the third party in the transaction.”Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.”
Ongoing monitoring: Companies should undertake “some form of ongoing monitoring of third-party relationships. This may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.”
The need for ongoing third-party monitoring is a particularly important principle for business leaders to grasp. “A common gap we often see is that once a third party is vetted, there is no ongoing review for changes in status or risk,” Dickenson said.
Recognizing Third-Party Red Flags
Another crucial aspect of third-party due diligence is learning to recognize common red flags that indicate a high compliance risk. Below are some key indicators of a corrupt third-party associate.
Reputational risk. When conducting a background check on a potential affiliate, take heed if the third party:
- Is in a country known for widespread corruption
- Has a history of improper payment practices, including prior or ongoing investigations by enforcement authorities
- Has incurred criminal or civil penalties for illegal or unethical conduct
- Has a poor business reputation
- Has been accused of making corrupt payment to officials or has had its integrity called into question
- Does not have an adequate compliance program or code of conduct in place
- Has been terminated by other companies for improper conduct
Government relationships. Pay close attention to the third party’s associations with government officials, and watch for:
- A family or business relationship with a foreign official or government agency
- Previous experience working in the government at a high level, or in an agency relevant to the work they’ll be performing
- An owner, major shareholder or executive manager who is also a government official
- Rumors that the third party has an undisclosed beneficial owner
- A request by a government official that the third party be selected over others
- Large or frequent political contributions made by the third party
- Private meetings between the third party and government officials
- A propensity for giving lavish gifts or hospitality to government officials
- Insistence on dealing with government officials without your company’s participation
Other common red flags. Other warning signs include:
- Third-party “consulting agreements” that include only vaguely described services
- A third-party consultant who in a different line of business than that for which it has been engaged
- A third party that is merely a shell company incorporated in an offshore jurisdiction
- Request for payment to offshore bank accounts
These are just a few of the potential indicators that a supplier, vendor or affiliate poses a significant compliance risk – and business leaders can no longer afford to ignore them. To navigate today’s enforcement-heavy anti-corruption climate, companies must start taking third-party due diligence seriously or risk paying a heavy price.