
FCPA Due Diligence for Third-Parties: Critical Components of a Cost-Effective, Risk-Based Vetting Program

by Leslie-McCarthy @ 2009-07-16

Category: Compliance, Featured Article

(This article was contributed to Corporate Compliance Insights by Leslie McCarthy, director at The Steele Foundation. Ms. McCarthy can be contacted via email at: lmccarthy[at]wwsteele[dot]com.)

———-

Third-Party Due Diligence for FCPA Compliance

Critical Components of a Cost-Effective, Risk-Based Vetting Program

The severe global economic recession has created a climate ripe with temptation to “get the deal done” at any price, just as regulatory authorities are enforcing anti-corruption legislation such as the Foreign Corrupt Practices Act more vigorously than ever.

It’s a landscape that leaves multinationals vulnerable to violations with enormous financial, administrative, and reputational repercussions.

No question: Every company doing business with agents or other third-party intermediaries abroad needs to have a robust, multi-dimensional FCPA compliance program in place. Most compliance and legal teams know what this means:

  • Articulate a corporate anti-corruption and anti-bribery policy? Check.
  • Implement training to establish that policy across the enterprise? Check.
  • Follow up with meaningful internal communication and enforcement? Check.

But there is a fourth, very critical leg to the stool – one that often paralyzes companies: Third-Party Due Diligence.

The task can appear overwhelming. How do you get started on vetting corporate third parties? How do you define them and how many do you need to investigate? To what degree? How do you establish levels of risk exposure and cost-effectively focus resources on the greatest liabilities?

The goal is to develop a roadmap for consistent, credible due diligence that won’t bog down your company in a costly, complex bureaucratic nightmare. This article will look at some internal best practices and basic components for a credible work plan that will meet federal and international anti-corruption compliance standards.

WHAT IS THIRD-PARTY FCPA DUE DILIGENCE?

Third-party intermediaries come in an array as vast and varied as an enterprise itself. Depending on industry type, regional business practice, business model and company size, a legal or compliance department may face a formidably unknown quantity. The numbers and categories of third parties may range from a few dozen resellers doing business on behalf of a small startup software company to tens of thousands of sales/distribution agents inherited through various subsidiary acquisitions or market expansions.

Regardless of how they have come to the relationship, as long as they are representing a company that has corporate ties to the U.S., they are a liability under the FCPA.

With an eye toward meeting and exceeding the most fundamental regulatory expectations, the following are a few of the components we have found most critical to building out a smart, credible FCPA vetting program.

FCPA DUE DILIGENCE CRITICAL COMPONENT #1
DEFINE TERMS AND TYPES OF DUE DILIGENCE INVESTIGATION

From the outset, it’s important to define terms. In legal parlance, due diligence generally refers to pre-transactional information-gathering and factual verification. These investigations may provide vital preparatory business intelligence but are not specifically FCPA compliance-related, nor are they looking for tell-tale “red flags” for corruption. For the purposes of this discussion, we refer to due diligence as related to the vetting of third-party intermediaries representing your company’s interests overseas. Those would include:

  • Resellers
  • Vendors
  • Marketing and other “consultants”
  • Export and other “agents”
  • Sales, licensing and other representatives
  • Lawyers
  • Accountants
  • Joint Venture Partners
  • Acquisition Targets

Some may believe that a basic database check and cursory media survey is enough, but this is not necessarily the case. Regardless of what a field sales staff or others might say, the fact is that Politically Exposed Persons (people currently or recently holding public positions or performing important public functions, such as senior diplomats, governmental officials, high-level leaders of religious or political organizations, members of ruling royal families, military leaders or judges) are not always identified by global database checks, nor do they necessarily appear in media coverage. In fact, quite the contrary, many slip through the cracks.

Further, it is important to understand that — despite what some self-described due diligence firms might claim — there are a finite number of databases and none is capable of such things as an exhaustive search of international criminal convictions, real estate holdings, or credit reports. There is no replacement for having dedicated in-country resources to find the information needed. There is also the question of whether self-reporting by third parties is reasonable in countries having high levels of corruption or whether independent verification would be expected by regulatory authorities.

The list of things any company should review before engaging with a third party should include:

  • Has the subject cooperated in completing a due diligence questionnaire and other relevant disclosures and anti-corruption declarations?
  • Who are the subject’s social and business associates?
  • What is known about their past social relationships and to what extent are they connected with government officials?
  • Have any recommendations to use this third party originated among government officials?
  • Have they ever held office, been an official in a political party or been connected with government officials? Is this foreign representative in fact qualified for the work they are to perform for your company?
  • What is the service being requested? Is compensation commensurate with market rates or disproportionate to the job being done? If there’s a payment involved, where is it going? Offshore account? Is the payment to be made in the name of the corporation or some other individual or relative of the individual? Is the payment to be in cash or cash equivalent?
  • Have any unusual payment patterns or financial arrangements emerged?
  • Are the types of representations and warranties from the third party contractually binding and appropriate? Has the third party been properly notified of and educated on FCPA, your company’s anti-corruption commitment and other anticorruption law?
  • Has the subject committed to financial transparency and full disclosure of expenses, corporate licensing, history and other accounting?
  • Has the subject agreed to produce documentation and be audited?
  • Has a place of business been confirmed and staffing determined to be proportionate to remuneration for services rendered?

While there are many customized levels and parameters for investigation, most corporate compliance departments conduct their vetting programs based on two commonly commissioned levels of investigation on the third party and at least one principal:

I. Global Database Investigation (GDI)
This would include a comprehensive check of all available sanctions, embargo and watch lists, PEP (politically exposed persons) databases as well as a survey and analysis (optimally in both English and local language) of the full range of business journals, websites, industry publications, mainstream and local media.

II. Enhanced Due Diligence (EDD)
This would include a synthesis of the GDI findings above as well as field investigations carried out by an in-country investigator, including: visiting the business address of record; authenticating and validating public records; identifying potentially vulnerable corporate relationships; interviewing associates in political, business, and social circles to determine reputation; reviewing corporate, civil, and criminal documents; and validating financial records where and when available.

These two levels of investigation include overlapping but different components that together control for “red flag” indicators of vulnerability to corruption, such as questionable history, familial relationships to government representatives, criminal allegations, civil entanglements and other relevant issues.

FCPA DUE DILIGENCE CRITICAL COMPONENT #2
PERFORM A RISK INVENTORY TO LOCATE AND ASSESS THIRD-PARTY RISK

You know that your company has a substantial number of third-party relationships in various regions around the world with varying job descriptions and functions. Where do you begin? Some multinationals have tens of thousands of such intermediaries overseas and no methodology for determining which partners need to undergo due diligence and to what degree/depth they should be investigated. It would be cost-prohibitive and administratively overwhelming to conduct a complete field investigation on each and every one. Rather, what makes sense is to take a systematic inventory to help categorize and assign a level of risk exposure to various broad affiliate types.

Some companies prefer to take a “meat grinder” approach, running each and every intermediary through a rudimentary list of attributes in order to establish any baseline risk. This can work for the smaller company operating on a limited scale abroad. But for the mid-size and larger corporations, whose business dealings include significant numbers of intermediaries, the system is unwieldy and vulnerable to inconsistency and gaps.

A more programmatic approach will leverage a complete and accurate inventory of third-party types to build a due diligence protocol that is comprehensive as well as efficient and cost-effective. Companies are constantly assessing the balance between conducting appropriate, comprehensive, and “reasonable” due diligence while remaining fiscally and administratively conservative. No one wants to over-allocate resources to vetting third parties unnecessarily. This process must be customized according to individual corporate profile, but at the macro level will always:

  1. Define category types for all intermediaries overseas
  2. Identify specific ways in which third parties do business
  3. Quantify corruption vulnerability based on a multi-point matrix encompassing a series of relevant variable indices
  4. Systematically calculate and weight predetermined risk exposure
  5. Establish consistent tiers of due diligence investigation required based on internally identified levels of tolerance for risk
  6. Collect, cleanse and aggregate individual third-party data to enable execution of a consistent, quality-assured global due diligence investigative program

The above methodology will guide companies through the steps necessary to understand which attributes promote or diminish corruption risk. This calculus is based on a number of variables (STEELE runs its clients through a 25-point intake matrix that defines specific vulnerabilities within varying business units/functions).

A thorough risk inventory will take into account a 360° analysis of risk factors, including but in no way limited to regional/country and industry risk. Being systematic in this assessment is critical. Regulatory scrutiny is in large part based on intentionality and the ability to demonstrate that standards for compliance were applied without variation across the enterprise. A credible third-party risk inventory assessment will include a clear categorization of types of intermediaries, the identification and weighting of corruption risk based on multiple factors, and the application of predetermined levels of due diligence investigation performed in accordance with established corporate thresholds for risk.
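The six macro-level steps above (categorize, characterize, quantify, weight, tier, cleanse/aggregate) map naturally onto a small scoring routine. The following is an added illustration written for this article, not STEELE's own 25-point intake matrix, which the article does not publish: the category weights, indicator weights, the EDD threshold, the "hard red flag" override and the sample inventory are all constructed assumptions. It scores each intermediary on indicators taken from the review questions in Component #1, assigns one of the two investigation levels (GDI or EDD), treats missing answers as "unknown" rather than as clear, and merges near-duplicate records before anything is scored.

```python
"""Third-party risk inventory and tiering (added illustration).

The category weights, indicator weights, threshold, red-flag override and
sample records are constructed assumptions for this example; they are not
the STEELE 25-point intake matrix, which the article does not publish.
"""
from dataclasses import dataclass
import unicodedata

# Step 1: category types from the article's list, with a baseline weight
# (constructed: parties who act on the company's behalf rank higher).
CATEGORY_BASE = {
    "reseller": 1, "vendor": 1, "consultant": 3, "agent": 3,
    "representative": 2, "lawyer": 1, "accountant": 1,
    "joint_venture_partner": 3, "acquisition_target": 2,
}

# Steps 2-4: indicators drawn from the article's review questions, each rated
# 0 (no), 1 (partial or unknown) or 2 (yes) and multiplied by a weight.
INDICATOR_WEIGHTS = {
    "government_touchpoints": 4,   # dealings or family ties with officials / PEPs
    "referred_by_official": 4,     # recommendation originated with an official
    "compensation_off_market": 3,  # pay disproportionate to the service
    "payment_irregularity": 4,     # cash, offshore account, or paid to a relative
    "high_risk_country": 3,        # regional / country corruption risk
    "no_questionnaire": 3,         # declined the due diligence questionnaire
    "unverified_premises": 2,      # place of business not confirmed
}

# Indicators that, when clearly present, force field work regardless of total.
HARD_RED_FLAGS = {"referred_by_official", "payment_irregularity"}

# Step 5: a single tolerance threshold (constructed) separating the two levels
# of investigation the article describes: GDI (database) and EDD (field).
EDD_THRESHOLD = 20


@dataclass(frozen=True)
class Intermediary:
    name: str
    country: str
    category: str
    indicators: dict  # indicator name -> 0, 1 or 2


def normalize_name(name):
    """Step 6 (cleanse): fold accents, case, punctuation and whitespace."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    kept = "".join(ch for ch in folded.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def dedupe(records):
    """Step 6 (aggregate): keep the first record per normalized name + country."""
    seen = {}
    for rec in records:
        seen.setdefault((normalize_name(rec.name), rec.country.upper()), rec)
    return list(seen.values())


def risk_score(rec):
    """Steps 3-4: weighted sum; a missing indicator counts as 'unknown' (1)."""
    if rec.category not in CATEGORY_BASE:
        raise ValueError(f"unknown category: {rec.category}")
    unknown = set(rec.indicators) - set(INDICATOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    score = CATEGORY_BASE[rec.category]
    for ind, weight in INDICATOR_WEIGHTS.items():
        level = rec.indicators.get(ind, 1)
        if level not in (0, 1, 2):
            raise ValueError(f"{ind} must be 0, 1 or 2")
        score += weight * level
    return score


def tier(rec):
    """Step 5: assign GDI or EDD; a confirmed hard red flag always means EDD."""
    if any(rec.indicators.get(flag, 1) == 2 for flag in HARD_RED_FLAGS):
        return "EDD"
    return "EDD" if risk_score(rec) >= EDD_THRESHOLD else "GDI"


def plan(records):
    """Return {name: (score, tier)} for the cleansed inventory."""
    return {r.name: (risk_score(r), tier(r)) for r in dedupe(records)}


# Constructed sample inventory, including a near-duplicate entry.
SAMPLE = [
    Intermediary("Acme Distribución S.A.", "mx", "reseller",
                 {"government_touchpoints": 0, "referred_by_official": 0,
                  "compensation_off_market": 0, "payment_irregularity": 0,
                  "high_risk_country": 1, "no_questionnaire": 0,
                  "unverified_premises": 0}),
    Intermediary("ACME  Distribucion SA", "MX", "reseller", {}),
    Intermediary("Global Consult Ltd", "NG", "consultant",
                 {"government_touchpoints": 2, "referred_by_official": 2,
                  "compensation_off_market": 1, "payment_irregularity": 0,
                  "high_risk_country": 2, "no_questionnaire": 0,
                  "unverified_premises": 1}),
    Intermediary("Beta Export Agents", "BR", "agent",
                 {"government_touchpoints": 0, "referred_by_official": 0,
                  "compensation_off_market": 0, "payment_irregularity": 2,
                  "high_risk_country": 0, "no_questionnaire": 0,
                  "unverified_premises": 0}),
]

if __name__ == "__main__":
    for name, (score, level) in plan(SAMPLE).items():
        print(f"{name:28} score={score:2d} -> {level}")
```

Two design choices reflect the article's cautions. Missing answers default to "unknown" (1) rather than "no" (0), so a party that never returns the questionnaire cannot score as clean; and the hard red flags (a referral originating with an official, or an irregular payment route) force EDD on their own, because a single such finding is exactly what a summed score can otherwise dilute. The thresholds and weights are placeholders to be replaced by the company's own risk tolerance once the inventory is complete.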

FCPA DUE DILIGENCE CRITICAL COMPONENT #3:
EXECUTE CREDIBLE INVESTIGATIONS TO PROFESSIONAL STANDARDS

You’ve defined who and how you’re at risk for third-party corruption. Now it’s critical to execute appropriately tiered, quality-assured global due diligence investigations. Collecting the data necessary to commence this process can be daunting, but the data serve a dual function: they are vital business intelligence, and they are also the roadmap for demonstrating, both internally and externally, that you know who you are doing business with and have put adequate anti-corruption controls in place.

When it comes to vetting third-party intermediaries, it is surprising how many compliance programs at major corporations are either scattershot or non-existent. In many instances, due diligence is performed internally, perhaps by local in-house resources who have no investigative skill set or perhaps have a conflict of interest. We’ve also seen well-intentioned programs predicated on the assumption that a baseline check of sanction and embargo databases and a review of search engine results are sufficient to meet FCPA compliance standards. This may be a sincere effort, but federal enforcement authorities have a different set of expectations, even if these are not spelled out as a matter of law. Putting in place an effective due diligence process requires several basic steps, all of which must be undertaken while balancing competing priorities.

  • Who will perform this due diligence?
  • Do they have credible investigative backgrounds?
  • At what price?
  • How long will it take, and what impact will it have on sales culture and process?
  • Is uniformity important from region to region, business practice to business practice?
  • Are there defined levels at which to vet third parties?
  • What are the standards that must be met?
  • Does thorough compliance require vetting each and every third party worldwide?
  • Going back how many years?
  • How intensive does the investigation have to be?
  • Does it need to be periodically repeated? At what frequency?

In setting the bar for what constitutes a reasonable due diligence program that meets the expectations of regulators, multinationals will want to be deliberate and be able to demonstrate how they came to the process instituted internally. A variety of federal laws and regulations have spawned compliance programs and schools of thought on corporate ethics generally. But in the specific realm of FCPA compliance, there is still disagreement and discussion around what constitutes an adequate level of third-party due diligence.

Due diligence efforts typically balance federal expectations with the realistic availability of information and internal personnel and budgetary resources. Compliance, legal, and other officers can and do debate approaches to vetting third parties exhaustively, but ultimately the most important thing is to get a reasonable program in place. It can be refined and improved over time.

FCPA DUE DILIGENCE CRITICAL COMPONENT #4
HAVE A PLAN FOR YOUR PROCESS: PUT A PLATFORM IN PLACE FOR CONSISTENCY

For myriad reasons, a surprising number of global companies have taken a piecemeal approach to investigating risks associated with their intermediaries overseas. In some instances companies will have hundreds, if not thousands or tens of thousands, of backlogged due diligence investigations. The numbers and potential expenses are understandably daunting.

But just as many companies have turned to online technology to implement training, establish hotlines, and disseminate ethics policies out in the field, numerous multinationals have also found it helpful to deploy a reliable FCPA-customized software tool to manage their due diligence caseloads and associated workflow.

Automating the process of vetting third parties overseas drives consistency, efficacy, and transparency across the enterprise. A robust platform enables companies to effectively and efficiently manage a decentralized program. You’ve got one system and everyone is using it.

So what components constitute a robust, “reasonable” FCPA third-party due diligence process? We believe there are several and that centralizing them will eliminate the common challenge multinationals face: Controlled paperwork chaos.

For many the current system is a patchwork endeavor with differing processes from region to region and department to department. In one business unit due diligence reports may be conducted internally and recorded somewhere in a spreadsheet stored on a sales manager’s desktop. Elsewhere, there may be a series of pdf-format questionnaires circulated among would-be intermediaries, faxed, and then stored perhaps randomly at some centralized compliance department. But where are these reports stored subsequently? It’s the equivalent of file folders stacked here and there, full of information, but none of it securely retained or readily accessible.

An automated case management system will help establish and drive an end-to-end process that does not vary or drop valuable information. You can systematically avoid doing business with intermediaries who have been rejected or “red flagged” and at the same time enhance anti-corruption measures to preclude any confusion among those with whom you choose to do business.

What does this process look like and how do you accomplish it efficiently and cost-effectively? Establish a protocol, which might include:

  • Automated issuance of a standardized corporate Due Diligence Intake questionnaire to be completed by all current and prospective third parties.
  • Automated issuance of corporate FCPA policy and accompanying anti-corruption agreement letter to be signed by current or prospective third parties.
  • Review of “reject list” to ensure third party has not previously been associated with corruption risk or activity.
  • Engage a basic due diligence investigation at the level of intensity appropriate to the subject. (This is determined through a comprehensive risk inventory to establish types of intermediaries, identify levels of exposure and define appropriate degrees of investigation.) Levels of investigation might include:
  • Analyze any “red flags” and determine whether, and at what level of business relationship, to engage.
  • Review completed investigation and “Reject,” “Request Additional Information” or “Accept.”
  • Automate third-party agreement, including relevant representations and warranties.
  • Optional: Offer automated online training module.
  • Retain all cases and accompanying documentation in secure, encrypted archive.
  • Customize timeline for renewal of vetting process (usually cycles of every 18-24 months).
  • Automate a system-generated notification to re-engage with third-party intermediaries, so that each renewal delivers consistent messaging and an up-to-date investigation cost-effectively.

Putting in place such a systematic due diligence software program provides invaluable integrity, particularly for companies with limited knowledge of legacy relationships, complex agent or joint venture activity, or idiosyncratic business practices and customs that may be industry- or country-specific. And there are technology tools that automate flat-fee FCPA-specific investigation services and practical timelines and roadmaps. Coming into and maintaining third-party compliance only grows easier as your program matures and becomes progressively more familiar, well-practiced, and established.

When it comes to avoiding the multi-million dollar fines, jail time, and reputational damage that accompany increased DoJ and SEC enforcement activity, self-policing is absolutely crucial. A thoughtful compliance program is the best preventative strategy for ensuring FCPA compliance that is both practical and something your company can be proud of.

**********

Leslie McCarthy is a director at The Steele Foundation, where she is a subject matter expert in the area of third-party due diligence for global FCPA compliance. Prior to her work at Steele, she was for 15 years a New York-based national correspondent and investigative reporter for The Associated Press covering news events domestically and abroad.

ABOUT STEELE:
Over the course of two decades, THE STEELE FOUNDATION™ has executed due diligence functions in more than 120 countries on behalf of more than 500 multinational companies, including nearly half of the Fortune 100. As the result of a global footprint and deep field experience encompassing tens of thousands of business investigations, STEELE has defined essential common elements that unify an effective overall FCPA compliance due diligence program. Together with its technology partner, Securimate™, the company has evolved an automated web-based solution that organizes and drives FCPA compliance to meet highest regulatory standards for third-party vetting on a fixed-price, fixed-scope basis.

For more information about third party due diligence for FCPA compliance, click on the link below to view a whitepaper recently released by the Steele Foundation:

Steele Whitepaper: Setting the FCPA Compliance Standard
