Third Parties: The Achilles' Heel of FCPA Compliance

The alleged use of third-party intermediaries to pay bribes to foreign government officials soared from 42% of U.S. Foreign Corrupt Practices Act (FCPA) enforcement actions in 2005 to 100% in 2011, according to our analysis of U.S. Securities & Exchange Commission (SEC) and U.S. Department of Justice (DOJ) FCPA enforcement actions reported in the Sherman & Sterling LLP 2012 FCPA Digest. (See Chart 1 below).

Nevertheless, some companies may not be adapting their FCPA compliance programs quickly enough to keep up with this trend. According to an informal online poll of business executives taken in December 2011 during a Deloitte webcast, “Third-Party Business Relationships: Emerging Issues and Regulatory Risks,” 42.9% of 1,339 respondents estimated that their organizations perform due diligence and risk assessments on only half or fewer of third-party business partners, while just 13.4% estimated that their assessments covered between 76% and 100% of such third parties.

Third Parties and Risk

Third parties, such as agents, may play a key role in guiding U.S companies through market structures and cultural issues that can make growth in emerging markets challenging. When the ultimate customer for your goods or services may be considered a foreign government or state owned entity, third-party intermediaries acting for you may create a heightened risk of violations of the FCPA and other anti-corruption laws and regulations, including the UK Bribery Act.

There's an old proverb that states, “If you lie down with dogs, you will rise with fleas.” Our experience suggests this remains true today. The use of third parties was cited as a “significant risk” by 52% of respondents in the Deloitte Forensic Center's Anti-corruption Practices Survey 2011, and was the source of corruption risk most frequently cited by the 276 executives participating. See Chart 2 below. Unfortunately, 43% also responded that identifying and managing third-party relationships was a significant challenge. Partly due to this, only 29% of respondents were very confident that their companies' anti-corruption program would prevent or detect corrupt activities. This low level of confidence indicates that many companies may need to evaluate and upgrade their anti-corruption efforts.

Due Diligence

Performing due diligence on third-party business partners is a common element of a corporate FCPA compliance program, but the quality and effectiveness of the due-diligence activities vary quite widely in practice.

Of the executives surveyed who said their companies conducted due diligence on third parties, roughly two-thirds searched watch lists, performed financial background checks and conducted personal background checks. Roughly half of the executives said their company also searched for negative media coverage, employed external consultants, and conducted interviews as part of their due diligence. See Chart 3 below. Since most of these items may be considered part of the core of an effective due diligence process, these statistics suggest substantial opportunity for enhancements.

Common Due Diligence Pitfalls

Actions filed by the SEC and DOJ reveal some common due diligence pitfalls to consider when designing an effective compliance program, including:

• Failing to conduct timely and sufficient due diligence ' Many companies often rely on their own employees to complete internal documents without requiring the overseas business partner to answer specific questions. SEC and DOJ enforcement actions have even cited situations where companies engaged business partners and conducted due diligence after the fact.
• Failing to adequately verify information provided by business partners ' Numerous SEC and DOJ enforcement actions have criticized companies for failing to verify information disclosed on questionnaires completed by business partners.
• Failing to act on identified red flags ' The DOJ has also opined on the need for companies to act on risk factors identified during the due diligence process.

While cost is often cited as a significant obstacle to implementing a companywide third-party risk assessment and due diligence program, the increase in enforcement actions in this area may merit reconsideration of historic cost-benefit tradeoff decisions.

Approaching Due Diligence

As of the time of writing, there appears to be no law or regulation specifying exactly the process for, or the sufficiency of, international FCPA due diligence on a potential business partner. In-house counsel may find it useful to apply three steps that can help to drive an efficient approach by:

• Requiring the business partner to self-disclose information on a questionnaire.
• Using a risk-based approach to verify the information provided and independently identify adverse information. Taking action on any identified “red flags” uncovered in the process.

Requiring Self-Disclosure

Companies can design an effective and robust questionnaire for business partners that asks reasonable questions and puts the business partner “on the record” regarding certain key issues. In our experience, while this may lead some parties to withdraw from consideration, this outcome may be viewed by in-house counsel as successfully avoiding potentially serious legal and regulatory issues.

A questionnaire should be designed by working in conjunction with legal counsel containing, at a minimum, the following elements:

• Company background, including identifying and registration information.
• Ownership and management information, including beneficial owners and others able to exercise influence over the entity and any relationships with government officials, along with information on these individuals.
• Disclosure of any civil, criminal and regulatory matters, to identify a history of issues that may present risk factors.
• Anti-corruption knowledge and compliance information, including answers to questions about knowledge of laws and the company's compliance regime and training efforts.
• References from individuals knowledgeable about the business partner who can provide verification of business relationships and experience.
• The signature of a responsible party who attests to the veracity of the information and agrees to abide by all applicable laws and policies of the company in carrying out its activities.

Using a Risk-Based Approach

How are leading companies resolving the conflicting pressures of risk- and cost-management in third-party due diligence? Essentially, a risk-based, data-driven strategy may be used to focus due diligence efforts on those third parties that present the greatest risks. Companies can use the information collected in the questionnaire to conduct an assessment of each business partner's risk level. Factors considered in the assessment include the type of relationship, corruption risk associated with the jurisdiction, interaction with government officials, compliance regime, and known adverse information about the business partner.

Business partners may be divided into three categories: high-risk, medium-risk and low-risk. High-risk business partners could include those located in a country with a considerable risk of corruption, those having significant interaction with government officials, or those for which red flags have been identified in the due diligence process. Medium-risk business partners may have a lesser degree of contact with government officials, such as lawyers or accountants, yet are located in a high-risk jurisdiction. Low-risk business partners might include vendors of goods and services that are not acting in an official capacity for the company.

In-house counsel may want to consider having an outside firm conduct background research, to benefit from access to sources otherwise not readily available, and to demonstrate independence in the vetting process. For example, when vetting a representative who has a high degree of contact with government officials, or one located in a high-risk jurisdiction, single-database resources may prove insufficient. Local resources may be required for record retrieval and for human source inquiries regarding the potential business partner's reputation and background.

Following Up on Red Flags

Resolving red-flag issues may involve more in-depth research, or a simple inquiry with the business partner for clarification. However, it is critical that the company resolve issues and take appropriate steps to conduct business with reputable individuals and organizations, and to document these efforts. When companies have been put on alert by adverse or conflicting information, enforcement actions indicate regulators expect resolution.

Conclusion

In an era of strong FCPA enforcement, it is concerning that only 29% of executives in the Deloitte Forensic Center's anti-corruption practices survey were very confident that their company's anti-corruption program would prevent or detect corrupt activities. Many companies may need to enhance their programs to be effective in mitigating today's FCPA and other corruption risks. Since the use of third parties has been cited as the most common source of corruption risk, in-house counsel may wish to consider prioritizing the enhancement of third-party FCPA due diligence processes.

[IMGCAP(1)]

[IMGCAP(2)]

[IMGCAP(3)]

Toby J.F. Bishop is director of the Deloitte Forensic Center and John Leonard is a senior manager in the Forensic & Dispute Services practice at Deloitte Financial Advisory Services LLP. They may be contacted at [email protected] and [email protected]. The views expressed in this article are those of the authors and may not be those of Deloitte Financial Advisory Services LLP. This publication contains general information only and is based on the experiences and research of Deloitte Financial Advisory Services LLP practitioners. Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, auditing, business, financial, investment, legal or other professional advice or services. Copyright ' 2012 Deloitte Development LLC. All rights reserved.

The alleged use of third-party intermediaries to pay bribes to foreign government officials soared from 42% of U.S. Foreign Corrupt Practices Act (FCPA) enforcement actions in 2005 to 100% in 2011, according to our analysis of U.S. Securities & Exchange Commission (SEC) and U.S. Department of Justice (DOJ) FCPA enforcement actions reported in the Sherman & Sterling LLP 2012 FCPA Digest. (See Chart 1 below).

Nevertheless, some companies may not be adapting their FCPA compliance programs quickly enough to keep up with this trend. According to an informal online poll of business executives taken in December 2011 during a Deloitte webcast, “Third-Party Business Relationships: Emerging Issues and Regulatory Risks,” 42.9% of 1,339 respondents estimated that their organizations perform due diligence and risk assessments on only half or fewer of third-party business partners, while just 13.4% estimated that their assessments covered between 76% and 100% of such third parties.

Third Parties and Risk

Third parties, such as agents, may play a key role in guiding U.S companies through market structures and cultural issues that can make growth in emerging markets challenging. When the ultimate customer for your goods or services may be considered a foreign government or state owned entity, third-party intermediaries acting for you may create a heightened risk of violations of the FCPA and other anti-corruption laws and regulations, including the UK Bribery Act.

There's an old proverb that states, “If you lie down with dogs, you will rise with fleas.” Our experience suggests this remains true today. The use of third parties was cited as a “significant risk” by 52% of respondents in the Deloitte Forensic Center's Anti-corruption Practices Survey 2011, and was the source of corruption risk most frequently cited by the 276 executives participating. See Chart 2 below. Unfortunately, 43% also responded that identifying and managing third-party relationships was a significant challenge. Partly due to this, only 29% of respondents were very confident that their companies' anti-corruption program would prevent or detect corrupt activities. This low level of confidence indicates that many companies may need to evaluate and upgrade their anti-corruption efforts.

Due Diligence

Performing due diligence on third-party business partners is a common element of a corporate FCPA compliance program, but the quality and effectiveness of the due-diligence activities vary quite widely in practice.

Of the executives surveyed who said their companies conducted due diligence on third parties, roughly two-thirds searched watch lists, performed financial background checks and conducted personal background checks. Roughly half of the executives said their company also searched for negative media coverage, employed external consultants, and conducted interviews as part of their due diligence. See Chart 3 below. Since most of these items may be considered part of the core of an effective due diligence process, these statistics suggest substantial opportunity for enhancements.

Common Due Diligence Pitfalls

Actions filed by the SEC and DOJ reveal some common due diligence pitfalls to consider when designing an effective compliance program, including:

• Failing to conduct timely and sufficient due diligence ' Many companies often rely on their own employees to complete internal documents without requiring the overseas business partner to answer specific questions. SEC and DOJ enforcement actions have even cited situations where companies engaged business partners and conducted due diligence after the fact.
• Failing to adequately verify information provided by business partners ' Numerous SEC and DOJ enforcement actions have criticized companies for failing to verify information disclosed on questionnaires completed by business partners.
• Failing to act on identified red flags ' The DOJ has also opined on the need for companies to act on risk factors identified during the due diligence process.

While cost is often cited as a significant obstacle to implementing a companywide third-party risk assessment and due diligence program, the increase in enforcement actions in this area may merit reconsideration of historic cost-benefit tradeoff decisions.

Approaching Due Diligence

As of the time of writing, there appears to be no law or regulation specifying exactly the process for, or the sufficiency of, international FCPA due diligence on a potential business partner. In-house counsel may find it useful to apply three steps that can help to drive an efficient approach by:

• Requiring the business partner to self-disclose information on a questionnaire.
• Using a risk-based approach to verify the information provided and independently identify adverse information. Taking action on any identified “red flags” uncovered in the process.

Requiring Self-Disclosure

Companies can design an effective and robust questionnaire for business partners that asks reasonable questions and puts the business partner “on the record” regarding certain key issues. In our experience, while this may lead some parties to withdraw from consideration, this outcome may be viewed by in-house counsel as successfully avoiding potentially serious legal and regulatory issues.

A questionnaire should be designed by working in conjunction with legal counsel containing, at a minimum, the following elements:

• Company background, including identifying and registration information.
• Ownership and management information, including beneficial owners and others able to exercise influence over the entity and any relationships with government officials, along with information on these individuals.
• Disclosure of any civil, criminal and regulatory matters, to identify a history of issues that may present risk factors.
• Anti-corruption knowledge and compliance information, including answers to questions about knowledge of laws and the company's compliance regime and training efforts.
• References from individuals knowledgeable about the business partner who can provide verification of business relationships and experience.
• The signature of a responsible party who attests to the veracity of the information and agrees to abide by all applicable laws and policies of the company in carrying out its activities.

Using a Risk-Based Approach

How are leading companies resolving the conflicting pressures of risk- and cost-management in third-party due diligence? Essentially, a risk-based, data-driven strategy may be used to focus due diligence efforts on those third parties that present the greatest risks. Companies can use the information collected in the questionnaire to conduct an assessment of each business partner's risk level. Factors considered in the assessment include the type of relationship, corruption risk associated with the jurisdiction, interaction with government officials, compliance regime, and known adverse information about the business partner.

Business partners may be divided into three categories: high-risk, medium-risk and low-risk. High-risk business partners could include those located in a country with a considerable risk of corruption, those having significant interaction with government officials, or those for which red flags have been identified in the due diligence process. Medium-risk business partners may have a lesser degree of contact with government officials, such as lawyers or accountants, yet are located in a high-risk jurisdiction. Low-risk business partners might include vendors of goods and services that are not acting in an official capacity for the company.

In-house counsel may want to consider having an outside firm conduct background research, to benefit from access to sources otherwise not readily available, and to demonstrate independence in the vetting process. For example, when vetting a representative who has a high degree of contact with government officials, or one located in a high-risk jurisdiction, single-database resources may prove insufficient. Local resources may be required for record retrieval and for human source inquiries regarding the potential business partner's reputation and background.

Following Up on Red Flags

Resolving red-flag issues may involve more in-depth research, or a simple inquiry with the business partner for clarification. However, it is critical that the company resolve issues and take appropriate steps to conduct business with reputable individuals and organizations, and to document these efforts. When companies have been put on alert by adverse or conflicting information, enforcement actions indicate regulators expect resolution.

Conclusion

In an era of strong FCPA enforcement, it is concerning that only 29% of executives in the Deloitte Forensic Center's anti-corruption practices survey were very confident that their company's anti-corruption program would prevent or detect corrupt activities. Many companies may need to enhance their programs to be effective in mitigating today's FCPA and other corruption risks. Since the use of third parties has been cited as the most common source of corruption risk, in-house counsel may wish to consider prioritizing the enhancement of third-party FCPA due diligence processes.

[IMGCAP(1)]

[IMGCAP(2)]

[IMGCAP(3)]

Toby J.F. Bishop is director of the Deloitte Forensic Center and John Leonard is a senior manager in the Forensic & Dispute Services practice at Deloitte Financial Advisory Services LLP. They may be contacted at [email protected] and [email protected]. The views expressed in this article are those of the authors and may not be those of Deloitte Financial Advisory Services LLP. This publication contains general information only and is based on the experiences and research of Deloitte Financial Advisory Services LLP practitioners. Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, auditing, business, financial, investment, legal or other professional advice or services. Copyright ' 2012 Deloitte Development LLC. All rights reserved.