DOJ and SEC Raising the Stakes on Third Party Risk Management


If you review the last ten years of FCPA enforcement, the unmistakable pattern is rising expectations with regard to corporate compliance programs, particularly with regard to third party due diligence and risk management. Over the course of numerous enforcement actions, DOJ and the SEC have reached the point now where they are questioning not just the conduct of due diligence but the quality of due diligence.

It is well established that companies have to identify and resolve all red flags indicating a potential risk of corruption, or else suffer the consequences if bribery occurs. DOJ and the SEC expect high quality due diligence reviews and assessments of potential third party intermediaries.

DOJ and the SEC have to be careful here and apply the law fairly in cases where a third party engages in bribery. A post hoc review of a company’s due diligence review has to reflect the standard for due diligence – “reasonable inquiries.” The danger is that DOJ and the SEC could apply a strict liability formulation and use it to second-guess every exercise of discretion.

To this end, companies have to be mindful of a possible post hoc review by the government, and document their efforts to identify red flags and to resolve such issues before deciding whether to engage the third party. In recent cases, DOJ and the SEC have cited due diligence reviews and relied on failures of judgment to support an inference of corrupt intent.

As companies implement more robust risk management programs, we can expect to see more post hoc analyses and questioning of due diligence programs. Companies have to design their systems in response to this rising expectation.

A larger percentage of companies are implementing automated due diligence systems. A recent NAVEX Global survey showed that over 80 percent of companies have implemented an automated due diligence system.

Unfortunately, even in these situations, companies have to continue building their system to ensure they rely on reliable data, identify red flags, and document their resolution of each and every red flag. If a due diligence system is built on these principles, DOJ and the SEC will have a difficult time questioning a company’s decision to engage a third party.

Companies cannot blindly conduct due diligence, document each step and avoid careful analysis of third party risks. The recent Och-Ziff enforcement action underscored this point when Och-Ziff conducted due diligence of the Israeli businessman, DRC Partner, and raised serious questions about DRC Partner’s integrity. In fact, DOJ cited the internal disagreement within Och-Ziff management over whether to engage DRC Partner or not.

The government’s interest in citing internal debates or the manner and quality of resolution of red flags raises some interesting questions. If three officials argue to move forward with a third party and two disagree, can the company move forward or will DOJ/SEC cite the two opponents as evidence of an “unresolved” red flag?

To the extent the government continues to rely on such evidence, it raises a serious question about unintended consequences. Rather than encouraging a robust internal analysis and debate, companies may streamline or modify the internal review function to avoid creating potentially negative evidence of their due diligence programs. By discouraging debate, the government may restrict careful consideration of due diligence factors and decisions.

Third party risk management will continue to be the focus of DOJ and SEC FCPA enforcement actions. Companies have to design their programs in response to increasing scrutiny of third party due diligence reviews. As robust programs are implemented, companies have to be careful how they design, document and analyze specific risk factors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Michael Volkov, The Volkov Law Group | Attorney Advertising
