Extending Compliance To Third Parties reported this week the results of a survey conducted by the Society of Corporate Compliance & Ethics (SCCE). The group asked a random sample of compliance professionals about their use of codes of conduct with third parties, such as suppliers, and received back 400 responses.

The findings: Fifty-three percent of companies don’t disseminate their internal codes of conduct to third parties; only 26% require third parties to certify to their own codes; and just 17% of the respondents have any third-party codes of conduct to begin with.

Those results are consistent with KPMG’s 2008 Anti-Bribery and Anti-Corruption Survey that we talked about here. It revealed that around three quarters of the bosses surveyed think their companies aren’t able to handle the compliance risks that come from third parties — including overseas acquisition targets, joint venture partners, distributors and agents. The execs responding to KPMG’s survey complained about difficulties doing effective due diligence and auditing third parties for compliance.

This is serious. Third parties, after all, cause most Foreign Corrupt Practices Act offenses. They deserve lots of compliance attention but aren’t getting it. Why not?

Most foreign third parties push back hard against compliance pressures from outside. A lot of them don’t want to risk being in breach of contract if they don’t comply. They view U.S.-style compliance regimes as highly technical, which only increases their contract risks. Some overseas suppliers have an irrational fear of being dragged into the jurisdiction of the Justice Department if they agree to FCPA compliance language. Others resist on the reasonable grounds that they don’t understand exactly what’s intended by the compliance language — and no one from the other side can give them a clear explanation.

The survey results published by the above-mentioned Society of Corporate Compliance & Ethics are part of an article written by attorney Rebecca Walker of Kaplan & Walker LLP. She’s smart — Georgetown undergrad, Harvard Law School, author of the book Conflicts of Interest in Business and the Professions: Law and Compliance.

We haven’t read her book or other articles yet. But a couple of her comments in this article got our attention. She said organizations should be “cautious” about extending codes of conduct to third parties. “Companies,” she said, “should be careful not to create compliance and ethics standards that are difficult to monitor or enforce and that could potentially create their own risks of ‘associative liability.’ Extending compliance and ethics obligations to third parties could lead to reputational harm when a company holds itself out as requiring others’ compliance, when in fact the company’s ability to ensure compliance by third parties may be limited, a problem which could be compounded if the third-party compliance requirements more closely link the company to the third party in the minds of the public (and press). There is also a risk that unsatisfied standards could be used against a company in the context of litigation or a government investigation.”

Her words remind us of executives and even some company lawyers who used to talk that way about their own FCPA compliance. They reasoned that if they adopted a program but something went wrong, they might be held accountable against whatever measuring stick they’d created. So it was better, they thought, not to have any program at all.

That argument, of course, was wrong. The Federal Sentencing Guidelines make it clear that an effective compliance program — with written guidelines — is always to everyone’s advantage. The only time that’s not true, we suppose, is when an organization intentionally adopts a program as pure window dressing, knowing from the outset it won’t comply. But anyone in that category is already well down the road to disaster.

Ms. Walker isn’t suggesting that companies shouldn’t have compliance programs. She’s just cautioning against possibly futile attempts to extend codes of conduct beyond an organization’s actual range of influence. Her advice sounds practical, but it’s a controversial idea. We’d like to hear from others on this question, pro and con. Should companies even try to impose codes of conduct on suppliers and other third parties? Are there risks that outweigh the rewards? Let us know what you think.

The SCCE’s survey is available for download by registration here.




  1. I recall the post you did earlier about audit rights – it’s bad to have them and not have the cojones to use them if something pops up. In regard to imposing compliance requirements, it occurs to me that you have the same issue. The DoJ said in 04-02 that part of their expectation is “Independent audits by outside counsel and auditors, at no longer than three-year intervals, to ensure that the Compliance Code, including its anti-corruption provisions, are implemented in an effective manner.” If you extend your compliance program to third parties, you need to have audit rights and the cojones to use them. Furthermore, the audit rights can’t be limited to financial data relating to the third party’s business – it has to be completely “open kimono,” with access to the business partner’s own compliance policies, contracts, etc. That’s a tough sell, but if it’s a high-risk country/industry/entity, it may be the only way to truly mitigate FCPA risk.


    Pete from DC

  2. This is a very good post, but doesn’t address one of the main reasons why ethical standards and law compliance provisions are extended to third parties in the first place. Many times these extensions are made for commercial reasons in the contracts with the third parties. One of the key risk considerations with contracts involves avoiding competing commercial obligations that conflict with a compliance or ethical requirement for the company. For example, this dilemma could arise if there is a red flag that a contractor may be passing on a payment to a foreign official, but there is also a competing contractual obligation to make that payment. A well drafted contract will provide the company with an “out” if it is concerned that one of its contractors may violate the FCPA or other law even if those laws are not actually applicable to the contractor. Therefore, contracts typically incorporate by reference those requirements where third party contractors can create liability for the company. Besides the FCPA, these can include references to other U.S. laws such as export controls, sanctions and anti-boycott as well as the company’s own policies.

    It’s important to know the commercial as well as the compliance rationale behind the so-called extension. Including these provisions in contracts is a good and increasingly common commercial practice that helps to achieve the long term aims of anti-corruption and other legislation through commercial influence. If the inclusion of these standards results in a greater exposure to the companies who include them, that’s definitely a “con” and surely an unintended consequence.
