By Scott Moritz
Who are your highest-risk third parties and what are you doing about them? Most FCPA enforcement actions involve payments through agents and other intermediaries. That’s why the DOJ and SEC and their overseas counterparts are watching what companies do to identify high-risk third parties, and the standard of care used to manage the relationships.
Global companies — often with tens of thousands of suppliers and other third parties to keep track of — can and should use risk-based compliance. Here are some first steps to make it work:
1. Knowing what you don’t know.
Typical vendor-information files are thin: the company’s legal name, billing address, tax ID number, and payment instructions. But to evaluate compliance risk, more is needed. Basic information can often be extracted from proprietary databases, such as the names of owners and key executives, Standard Industrial Classification (SIC) code, and parent/subsidiary relationships. Going further may require a questionnaire covering any ties with current or former government officials; foreign government ownership; sales commission percentages (if applicable); ultimate customer names; annual sales volumes; and the like.
2. Privacy, please.
EU countries and many others now have laws protecting personal information. Before transmitting any data, consider the privacy laws of each potentially relevant jurisdiction. Data should undergo some level of formal privacy review and scrubbing, and should be encrypted both in storage and in transmission.
3. Categorization is key.
A consistent way to categorize third-party relationships, and the relative risk each category represents, is a critical success factor. Labels describing relationships should be functional — how do they interact with your company? Creating accurate labels requires input from finance, procurement and individual business units. Common relationships include: reseller (sometimes referred to as channel partner), distributor, joint venture partner, agent (or sales agent), freight forwarder, customs broker, lobbyist, law firm, accounting firm, consultant, and so on. Once established, the categories need to be sorted by risk and assigned an appropriate point value as a precursor to final risk scoring.
4. Do some spring cleaning.
Most master-vendor files contain entries that are no longer active, are duplicates, or are other forms of clutter. Remove duplicates. Delete dormant entities — those inactive for two years or more. Try a first round of replacing high-risk entries with less risky alternatives. And after due diligence investigations, relationships showing unresolvable red flags should be ended as well.
5. Education and accountability.
Radar detectors don’t just reveal police locations. Over time, they teach you where police officers are likely to be. A well-implemented third-party FCPA compliance program can do the same thing — over time, it teaches business people to recognize the causes of risk in third-party relationships. Such awareness doesn’t come easily. Most often, it’s a result of driving accountability: compelling business units to make a case for retaining a high-risk third party despite red flags, and forcing them to accept responsibility for any liability that follows.
Scott Moritz is an executive director with Daylight Forensic & Advisory LLC, where he leads their FCPA and Investigative Due Diligence practices. He’s a former FBI Special Agent with 23 years’ experience investigating international corruption, transnational crime and money laundering.