I am sure Justice Department and Securities and Exchange Commission lawyers sometimes sit back and marvel at the world they have helped create – Companies are devoting more resources to the due diligence process for screening third parties. Companies are building due diligence screening procedures and more sophisticated protocols to minimize risk. The message has come through loud and clear – conduct due diligence and control your third-party risk.
In building these due diligence systems, companies are facing a number of interesting issues. It is a sign of the times that these are the issues that are bubbling up in the third-party compliance area. Here are a few of the most significant questions:
1. How should a company define and apply the term “third-party intermediary”?
A company has to have a clear definition of third parties subject to due diligence review. Companies deal with a variety of third parties, including traditional commercial sales agents who develop business opportunities with foreign government customers. The term should apply to a variety of parties such as distributors, contractors and sub-contractors, customs agents and freight forwarders, lobbyists, lawyers, tax professionals, advertising agents, event organizers, Visa agents, consultants and other professionals. Not all of these categories carry the same level of risk since they may vary in the number and nature of foreign government interactions.
Many managers and employees may not be familiar with the scope of the third party definition used in a company policy. It is important to communicate the broad application of the policy to ensure that the presumption when dealing with a potential third party is to run them through the due diligence program.
2. How should a company assess risk for an initial due diligence?
The key is to keep your eye on the ball – it is easy to categorize someone as a “third party” falling under the third-party due diligence policy, but it is more important to focus on the nature and number of foreign official interactions. A risk assessment will focus on this issue and should give a company a way to rank most third parties, extending even to risk ranking of a whole category of third parties (e.g. directors of local subsidiaries from the local country).
The problem in the initial assessment phase is the absence of any track record of performance or data. The company is starting from scratch and has limited information. But you have to start somewhere and the company may be wise to conduct a more comprehensive due diligence then necessary at renewal or when dealing with a third-party with whom the company has had prior relations.
3. How do I apply due diligence requirements to suppliers/vendors?
One of the most intractable issues is the application of due diligence to suppliers/vendors. Many companies have thousands and thousands of suppliers/vendors. There are two basic questions which can be applied to the list to remove several of the suppliers/vendors from the due diligence process.
First, there is a definitional issue. Not all suppliers/vendors are created equal when it comes to FCPA liability. What do I mean?
If a supplier/vendor provides the company with goods or services, which the company in turn uses to provide its product, the risk may be lower. For example, the risk to the company may be that the supplier/vendor would bribe a customs official to allow delivery of the goods to the company. It is not clear that the company, the purchaser of the goods and services, would be liable for the bribe paid by the vendor/supplier since it is unlikely that the specific bribe can be tied to the benefit of the purchasing company since the bribing supplier/vendor likely has a number of customers who would benefit from the bribe. Further, the transaction does not fit under the traditional third-party representative model under the FCPA statute. The purchasing company, however, would face reputational risks for associating with a company engaged in bribery.
Second, a number of suppliers/vendors can be removed from due diligence review based on annual revenues. The company should establish a minimum threshold below which due diligence may not be applied. Moreover, a review of active suppliers/vendors is likely to result in the removal of a number of suppliers/vendors who are no longer active.