Around 90 percent of all FCPA enforcement actions involve third-party intermediaries. So it’s no wonder the DOJ’s updated guidance for evaluating corporate compliance programs devotes an entire section to “Third-Party Management.”
What is Third-Party Management supposed to do? Most importantly: prevent bribery. For the DOJ the efficiency matters. As the DOJ puts it in one of the “fundamental questions” to ask when evaluating a compliance program: “Does the corporation’s compliance program work in practice? See JM § 9-28.800.”
With that in mind, Third-Party Management in a compliance program should is predominately preventive. That is, it should be designed not only to detect compliance lapses and mitigate them, but also to prevent them, at least to a reasonable extent.
That preventive aspect starts during the evaluation and onboarding of a third party, before any contractual obligations arise, by knowing who are the key executives, shareholders and beneficiaries. From a technical perspective, this early process should result in easy-to-use information, rule-based user authorization, and proper notification functions to facilitate timely and efficient decision making, including a quick-stop feature based on a compliance determination.
Third-Party Management will fall short of its purpose, however, if it’s limited to onboarding procedures. Further downstream, a good practice is to flank the contract management with standard compliance clauses and to consinuously identify red flags related to third parties arising out of political developments, regulatory changes, and undesirable events.
Moreover, the experience gathered from a business relationship should be reflected and employed in the ongoing operation of the Third-Party Management system. Internal blacklists are as critical as external information sources. In other words, Third-Party Management should be a reliable closed-loop process used for continuous evaluation.
Despite its deep integration into the commercial function, the Third-Party Management doesn’t need to be burdensome. A team with an interdisciplinary approach can continuously fine tune the process and increase efficiencies without compromising on the quality of information gathering, evaluation, and mitigation measures.
In fact, a well-designed and operated Third-Party Management system can also be a valuable commercial resource. The data it produces can be strategically mined to help reveal and understand market interdependencies, business vulnerabilities, and risk profiles, while at the same time preventing harm to the reputation and revenue of the company.
_______
Sviatlana Pisaryk, pictured above, is Compliance Manager at Bilfinger SE, a leading industrial services provider that fundamentally transformed its corporate culture and successfully concluded a deferred prosecution agreement with the DOJ in December 2018. She can be contacted here.
2 Comments
Great post! However, it may unintentionally exclude the more active audit of higher-risk business partners that at least the US government seems to expect. As an example, see my FCPA Blog post on the 2012 Oracle settlement, Distributor Doldrums…
Don’t forget, while diligence is important and you should certainly know who your third parties are, you may also be fighting overly aggressive but ambiguous privacy laws, including the GDPR. The fact that your intentions are pure may not be a defense to ambitious privacy enforcers. Be sure to work with your privacy experts, but also be aware of the political environment and the need to push back against legal developments that impair corporate self-policing. Cheers, Joe
Comments are closed for this article!