Try to imagine what Da Vinci said to himself when he painted his last brush stroke on the Mona Lisa. Or consider what Tolstoy muttered to himself when he put down his pen after writing the last word of War and Peace.
Consider the same scenario when a Chief Compliance Officer and his/her team have designed and implemented their third-party due diligence system. Beginning with a routine financial credit check on third-party agents and distributors, the company has now implemented a robust third-party screening system which is carried out completely online and includes detailed questionnaires, open source intelligence checks, risk-ranking and rating systems, and detailed contractual requirements, topped off with an advice of counsel memo completed by outside counsel.
The compliance team deserves a huge pat on the back. They should stand around for a minute or so and admire their handiwork. Unfortunately, for the compliance team, their work is just beginning.
Many FCPA enforcement actions involve bribes paid by third-party agents and distributors. We all know that by reading the facts of the FCPA settlement actions. The violations, however, are not just limited to failures to conduct proper due diligence of agents and distributors, either initially or at renewal of their agreements.
It is pretty clear that many of the violations involving third-party agents and distributors occurred because of a failure to monitor the third party's activities. Companies need to address this issue – there are some steps companies can take, but more work is needed in this area to improve monitoring techniques.
Some of the basic techniques for monitoring third-party activities include:
Financial Controls – At the heart of every inquiry is the fundamental question – what specific services does the third-party provide and is the compensation commensurate with these activities? Third-party contracts need to include a specific condition for payment – the third party must provide a detailed description of the services he or she provides. This is more relevant for agents than distributors. The company has to review the invoice and carefully determine whether payment is warranted. If not, follow-up inquiries must be made.
Auditing – It is extremely rare for a company to audit a third-party. This has to change and companies need to develop proactive auditing programs. The Justice Department and the SEC are requiring companies to conduct audits in high-risk countries. Companies should take their cue from the government and implement such programs. The audits should be targeted to high-risk countries and high-risk agents or distributors. If an agent or distributor refuses to permit such an audit or resists the audit, the company has to re-examine its relationship immediately.
Training – In-person training programs are invaluable for communicating information to agents and distributors. More importantly, such training programs are important sources of information, drawn from the audience's questions and reactions to the information presented. A training program should be conducted in-person with an emphasis on interactions with the audience. If necessary, break the groups down into smaller groups to facilitate such interactions. Questions need to be memorialized and follow-up steps should be taken to work with particular agents and distributors.
Questionnaires – There is nothing which prevents a company from asking a third-party agent or distributor to update a questionnaire during the term of a contract. If the third-party resists updating the information, that is a huge red flag. If the information is updated and there is no change, the company should retain the document in its files to justify continuing the relationship.
Certifications and Notifications – While technically not a monitoring activity, a company should take steps to build a compliance file by requiring more frequent certifications of compliance and notifications of compliance obligations for high-risk agents and distributors. It may not be the most effective step for identifying problem agents and distributors but it certainly can protect a company in the event an agent or distributor breaks bad.
As you can see, the possibilities are fairly limited. New approaches are needed for monitoring third-party conduct, particularly efforts which are less costly and require less manpower.
One thing you can count on – if there is a demonstrated compliance need, the compliance industry will respond.