3 Important Points to Remember About Third-Party Risks

How Much Due Diligence is Enough?

It’s easy to get in over one’s head when conducting third-party due diligence. How deep is it necessary to dive to ensure your vendors and suppliers are doing business above board? Michael Volkov provides some expert insight into what “due diligence” means – and what it doesn’t.

If you want to learn and read about managing third-party risks, you will have no trouble finding articles, white papers, webinars and more available to you on the internet.  And for good reason.

Third parties create significant risks, and these risks are not just limited to bribery; they extend into sanctions, money laundering, privacy and cybersecurity, human trafficking, child labor and reputational damage.  The compliance marketplace offers lots of solutions, including automation, due diligence, risk ranking and a host of alternative solutions.

Before you leap into the due diligence world, however, it is important to understand exactly what you are trying to accomplish and why you need to tailor your solutions to your specific needs.

When assessing the issue, there are three important points to understand about due diligence:

What is the Legal Standard?

The term “due diligence” is defined to mean “reasonable inquiries.”  I know that sounds like mumbo jumbo, but it is important to recognize what “reasonable inquiries” does not mean.  As an attorney and a former prosecutor, I know the importance of focusing on burdens of proof — “reasonable inquiries” does not mean “beyond a reasonable doubt,” nor does it mean by a “preponderance of evidence.”  In fact, the standard of “reasonable inquiries” means reasonable questions and follow-up.  It does not mean boil the ocean.

Life always depends on context, and so does due diligence.  A reasonable inquiry in one circumstance may not be reasonable in another.  Everything has to be assessed through the eyes of relevant risks.  Adjusting your due diligence review of a third party to the specific risk profile is imperative.

Agents/Distributors v. Vendors/Suppliers

The FCPA expressly prohibits corrupt payments made through third parties or intermediaries. Specifically, it covers payments made to “any person, while knowing that all or a portion of such money or thing of value will be offered, given or promised, directly or indirectly,” to a foreign official.  The “knowing” requirement includes a representational component, meaning that a person who receives payment (i.e., a third-party) must be acting on behalf of the payor of the money.  If I make a payment to someone who is representing me and I know that the person will be paying a foreign official on my behalf, I am liable for that bribe.

On the other hand, if I pay a vendor who is not representing me or acting on my behalf for a good or service, and that vendor pays a bribe to further its business (not necessarily just mine, but for his overall business operations), then I am not liable for the bribe paid by the vendor.

As an example, if my company buys potato chips from a vendor (along with thousands of other companies in a specific country) and the vendor ends up paying a bribe to customs officials in that country to favor its shipments, as a customer of the vendor, I am not liable for the vendor’s bribery payments, because the vendor is not acting on my behalf.

That does not mean you can ignore the risks created by your vendors and suppliers.  On the contrary; vendors and suppliers pose many risks and are often involved in bribery or fraud schemes.  My point is that vendors and suppliers, in the absence of a specific representational function, do not create classic bribery risks, and they should be screened in accordance with this risk profile.

Third-Party Professionals

The third-party universe includes professionals.  As we have seen in the anti-corruption world, bribes can be paid by lawyers, tax professionals, lobbyists and consultants.  These representatives act on behalf of their client companies and therefore create potential corruption risks.

A foreign law firm should be screened like any other third-party candidate based on the specific risks involved. Moreover, law firms should be subject to the same controls, invoicing requirements, description of services and fees that are commensurate with the specific project and the market.

History is replete with instances where lobbyists have been used (and continue to be used) to funnel illegal payments to government officials (e.g., Abscam and Abramoff, just to name a few). For that reason, lobbyists in foreign countries may create significant corruption risks and should be subjected to a commensurate level of controls.

This article was republished with permission from Michael Volkov’s blog, Corruption, Crime & Compliance.