Our posts about extending codes of conduct to third parties (here and here) attracted some thoughtful comments from readers. We first heard from Pete from DC, an old friend of the FCPA Blog. He helps out whenever he senses we’re in over our head. This time he wisely tied the issue of third-party compliance to audit rights. Here’s what he said:
Dear FCPA Blog,
I recall the post you did earlier (here) about audit rights – it’s bad to have them and not use them if something pops up. In regard to imposing compliance requirements, it occurs to me that you have the same issue. The DOJ said in FCPA Opinion Procedure Release 04-02 that part of their expectation is “Independent audits by outside counsel and auditors, at no longer than three-year intervals, to ensure that the Compliance Code, including its anti-corruption provisions, are implemented in an effective manner.”
If you extend your compliance program to third parties, you need to have audit rights and the guts to use them. Furthermore, the audit rights can’t be limited to financial data relating to the third party’s business – it has to be completely “open kimono,” with access to the business partner’s own compliance policies, contracts, etc. That’s a tough sell, but if it’s a high-risk country / industry / entity, it may be the only way to truly mitigate FCPA risk.
Pete from DC
Another reader took a darker view — that is, using third-party compliance to “paper over” red flags that come up with intermediaries. We wouldn’t recommend that medicine to anyone, but here’s what our reader said about it:
Dear FCPA Blog,
Your post doesn’t address one of the main reasons why ethical standards and law compliance provisions are extended to third parties in the first place.
Many times these extensions are made for commercial reasons in the contracts with the third parties. One of the key risk considerations with contracts involves avoiding competing commercial obligations that conflict with a compliance or ethical requirement for the company. For example, this dilemma could arise if there is a red flag that a contractor may be passing on a payment to a foreign official, but there is also a competing contractual obligation to make that payment.
A well-drafted contract will provide the company with an “out” if it is concerned that one of its contractors may violate the FCPA or other law even if those laws are not actually applicable to the contractor. Therefore, contracts typically incorporate by reference those requirements where third-party contractors can create liability for the company. Besides the FCPA, these can include references to other U.S. laws such as export controls, sanctions and anti-boycott as well as the company’s own policies.
It’s important to know the commercial as well as the compliance rationale behind the so-called extension. Including these provisions in contracts is a good and increasingly common commercial practice that helps to achieve the long-term aims of anti-corruption and other legislation through commercial influence. If the inclusion of these standards results in a greater exposure to the companies who include them, that’s definitely a “con” and surely an unintended consequence.
We also heard from Doug Cornelius at the Compliance Building blog. Doug’s posts about compliance and business ethics are part of our daily diet. His comment raised a neat point about the dangers of inconsistent standards. He said:
Dear FCPA Blog –
Dealing with key third-party vendors is a difficult area. As Rebecca Walker points out (here), there is potential liability if you do it wrong.
I have found the situation where vendors are a bit behind you in their focus on compliance or ahead of you. But since every company has different needs for compliance, you end up with different policies. As a result, you have a battle of policy forms.
There are no easy answers.
I find the first step to be letting your key vendor know that you care about these issues.
Doug Cornelius / Compliance Building
That’s some of what we’ve heard (the printable parts, anyway) on the subject of third-party compliance. The topic stirs plenty of interest, warnings and fear. That makes sense. Most Foreign Corrupt Practices Act offenses involve intermediaries, and yet most executives don’t think their companies are dealing successfully with third-party risks. That was the conclusion from KPMG’s 2008 Anti-Bribery and Anti-Corruption Survey that we talked about here, and the recent survey by the Society of Corporate Compliance & Ethics. That one found that most companies don’t disseminate their internal codes of conduct to third parties or require third parties to certify to their own codes.
So the problem of third-party compliance is still looking for a solution.