At every FCPA conference, someone comments that over 90 percent of FCPA matters involve third party intermediaries. It’s an interesting statistic and can be useful if it helps motivate the team to take due diligence seriously and encourages management to fund the program.
But buried in that number is a more interesting question: what percentage of those third parties engaged in misconduct at the express direction or with the active collusion of company employees?
A company can easily take a third party with a clean record and turn it into a legal liability by paying a commission well outside customary bounds and encouraging them to “take care of whatever comes up.” Or by directing the otherwise clean agent to hire dodgy subagents, as happened in the Panasonic matter.
(As the Department of Justice noted, my organization, TRACE, uncovered insurmountable red flags on two agents, but the company employees got around that obstacle by having vetted agents hire the flagged entities as subagents.)
Or an employee can simply direct the agent outright to deliver a bribe on the company’s behalf, or agree to such a suggestion originating from the intermediary.
The problem with the statistic about the number of cases involving third party intermediaries — agents, sales representatives, distributors, service providers — is that it encourages the compliance community to think of third party risk in a vacuum, as something “out there” that can be solved if only enough due diligence is performed. Instead, the risk should be viewed as woven through the company’s risk profile at every stage: assessment, selection, tasking, management, payment and monitoring.
It’s worth bearing in mind three truths about due diligence on third parties:
1. While robust due diligence can help companies understand the level of risk that a third party is likely to bring, a clean past is no guarantee against future misconduct. Relationships have to be managed, commissions monitored, ongoing disclosure requirements enforced, suspicious conduct audited, and complacency avoided. I have said it before, but due diligence is a process, not an event. This has been discussed here on the FCPA Blog by Scott Shafer, my colleague Pia Vining, and others.
2. Due diligence should fit not only the risk profile of the agent, but the risk profile of the deal. We routinely hear of situations where an employee slips a third party through the company’s lowest level of due diligence (perhaps in connection with a low-dollar, non-contingent arrangement involving no government customers) while actually intending to engage them in a much riskier transaction. Bill Waite has discussed risk management assessments previously on the FCPA Blog.
3. Third parties work closely with and are an extension of a company’s sales and marketing team. If your compliance program considers them in isolation from that, you risk missing the possibility of collusion with your employees—not only to pay bribes, but also (and arguably more commonly) to engage in kick-back schemes.
Due diligence is a judgment-laden and value-driven process; that’s unavoidable. If you ask a room full of passionate compliance professionals to rank ten red flags in order of relevance, you will be lucky to escape the room without a brawl. I know, because I have led this exercise at a number of companies — in fact, it was the subject of our podcast interview this week. But the process of evaluating those red flags can’t even begin until you assess the risk the deal presents and the level of scrutiny its specifics require.
So, first: what is the risk of this deal? Followed by: what is the risk associated with this intermediary? Only then can you fully assess whether the risk associated with the intermediary is too great in light of the risk associated with the deal. You may be able to accept multiple minor red flags associated with an intermediary selling to the private sector in Denmark; for an intermediary working on a vast infrastructure project in Indonesia, even one red flag may be too much.
Alexandra Wrage is President and Founder of TRACE, a globally recognized anti-bribery business organization and provider of third party risk management solutions. She is the author of Bribery and Extortion: Undermining Business, Governments and Security, and co-editor of How to Pay a Bribe: Thinking Like a Criminal to Thwart Bribery Schemes and What You Should Know about Anti-Bribery Compliance. She has a Forbes blog and hosts the popular podcast: Bribe, Swindle or Steal. Before founding TRACE, she was international counsel at Northrop Grumman. She’s a Canadian-American and read law at King’s College, Cambridge University.