When the student is ready, the proverb says, the teacher will appear. We must have been ready last week because two great teachers appeared. First, David P. Burns, who helped us understand the charging decisions in the Halliburton / KBR enforcement actions. Then came Rebecca Walker, left. We mentioned her concept of “associative liability” in a discussion about extending codes of conduct to third parties. She noticed that our perspective was limited to the Foreign Corrupt Practices Act (guilty as charged). And she generously helped by sending the primer (below) on the broader application of her ideas. We’ve read it a half dozen times and it keeps getting better. Here’s what she said:
Dear FCPA Blog,
I took a look at the discussion in your post Extending Compliance To Third Parties, and I would like to point out that the survey and my article were not actually limited to the FCPA context. Indeed, in the FCPA context, when companies are often dealing with agents for whom liability for misconduct is pretty much a given, I would encourage organizations to implement appropriate compliance program controls, including pre-relationship due diligence, contractual requirements, written policies, auditing, monitoring, and all those tools that you are undoubtedly very familiar with (even including, in some instances, special approaches to training and encouraging reports of violations directed to relevant third parties.)
But, as mentioned, the survey was a general survey, asking organizations in a wide variety of industries about third party codes. In that, more general, context, I do think that it is important that organizations exercise caution when extending compliance requirements to third parties. Part of my concern flows from the fairly well-accepted theory in the compliance world that standards that are neither monitored nor enforced can be detrimental to a compliance program. They can corrode employees’ and other stakeholders’ belief in the program and cause a general loss of program credibility. So to the extent that an organization promulgates a code but doesn’t take any steps to implement or monitor compliance with the code, it can actually be detrimental to the organization’s compliance program and the culture of compliance and ethics more generally.
In addition, and to get to the question you posed, there is the “associative liability” risk that I mention in the article – an important consideration in some settings (although, I should stress again, it is not really relevant to FCPA compliance). That is a term that I like to think I coined, but I Googled it, and I found a couple of references to it before I first used the term a few years ago.
The manner in which this risk most often arises for organizations is in the context of third parties who are temporary employees or employees of a contractor or subcontractor of the organization. These employees may claim an employment relationship based in part on compliance program elements (typically policies, codes and/or training) that the organization sought to apply to them, and bring a claim based in part on that alleged relationship. In the supplier context, there have been a few suits claiming that supplier codes have created liability for the misconduct of the suppliers, but they have been largely unsuccessful. For example, there was a fairly famous case against Wal-Mart a few years ago (Doe v. Wal-Mart, Cal. Sup. Ct. Los Angeles (Sep. 13, 2005)), in which the International Labor Rights Fund brought suit against Wal-Mart on behalf of a purported class of Bangladeshi, Chinese, Indonesian, Nicaraguan, Swazilander and U.S. workers for alleged violations of Wal-Mart’s code of conduct for suppliers. The allegation was basically that Wal-Mart assumed a duty (in contract) to the employees of the suppliers when it promulgated the code and made it a part of the supplier contracts, and that it breached its contractual duty (claiming that the employees are third-party beneficiaries). However, in Chen v. Street Beat Sportswear, Inc., 226 F.Supp.2d 355 (E.D.N.Y. 2002), the court did find liability, although the facts of that case are fairly unique.
There is also the risk that I mention in the article of reputational harm. There are examples of organizations receiving bad press for promulgating standards for third parties that they fail to monitor or enforce, including, e.g., Levi-Strauss and Starbucks.
As you indicate in your blog post, I in no way seek to discourage organizations from extending any compliance standards to third parties. In my view, third-party compliance standards can be extremely helpful in decreasing the risk of third-party misconduct, which can harm an organization as much as the misconduct of its own employees. I simply suggest that they do so carefully, in light of the particular risks caused by the particular category of third party, the practicalities of whether it is possible to monitor or enforce the standards they seek to apply, and the potential associative liability risks
A note to our readers: Rebecca’s book, Conflicts of Interest in Business and the Professions: Law and Compliance, is available here. The publisher’s description says, “This treatise covers how to identify, detect, manage and resolve conflicts of interest. It details the knowledge gap about conflicts of interest by discussing various situations and analyzing compliance steps to cope with conflicts. The goal is to help those who deal with conflicts of interest in the business and professional worlds do so more effectively. Discussion includes conflicts of interest within organizations including corporations, employer/employee relationships, shareholders, partnerships, associations and government, as well as professional conflicts including lawyers, investment advisors, retail brokerage, auditors, lobbyists, journalists, research analysts and trustees.”