Vetting Business Partners

My notes, live, from Vetting Business Partners, with Alexandra Wrage of Trace International, who talked about how leading companies have approached this challenge in a global company.

Due diligence on business partners is one of the most important things a company can do, but also one of the least interesting things. She points out that the FCPA has a “should have known” standard. So ignorance is not a defense.

Sales consultants are among the higher risks because they are usually paid on a commission basis. Consultants, paid by the hour, are a lesser risk merely because of the different compensation model. Distributors and resellers can be a risk. Merely having a third party in between your company and the corrupt official is still bad and is not a defense to charges.

Resellers are a new problem. They take title to your product and are your customer. But if there is evidence that the resellers are paying bribes to their customers, your company can potentially be pulled in.

She turned to focus on some problem areas in due diligence when working with third parties.

Ownership – This is the most important and should be a deal-breaker if true beneficial ownership is not disclosed. (You can also work in the negative: not a government official or blocked person. This is not a good practice. The hidden identity should be a red flag. It would certainly be a red flag in a government investigation.)

Government relations. You need to find out if a close relative is in the government. It is not a deal-breaker, but you need to be aware of the relationship.

Expertise. What is this person being paid to do if they do not have any particular expertise?

Financial stability. If they are acting as your agent, their financial failing will rub off on you.

Media searches. You need to know if your business partner is in the headlines.

Training. You need to let them know what they need to do.

Periodic review and certifications. You want to make sure that you update things when the contract is renewed. You also want to check periodically to make sure there has not been a big change in the business partner. Certifications can be included on each invoice so they certify each time they are paid that they have not bribed a foreign official.

It is important to keep red flags in mind, but you should standardize your contracts and review and not target specific areas. Many of the biggest FCPA cases have come from individuals acting in countries that are not known for being corrupt.

You can have a tiered due diligence program, depending on the nature of the relationship, the basis of compensation, and the reputation of the company. The most common is three tiers: not risky, standard, and more risky. That allows you to target your resources.

She sees the divide in the DOJ cases where companies are either doing due diligence or not doing any diligence. Not doing diligence almost moves you into a strict liability position. You have no defense.

There has been a surge in FCPA cases over the last few years. Most involved problems with intermediaries.

She points out that corruption due diligence is a two-way street. Increasingly, foreign companies are conducting due diligence on American companies.

She also takes a controversial position that you may be better off not having audit rights if you do not intend to actually do audits. She advocates triggered audit rights instead of audit rights as a matter of course if you are not going to audit on a regular basis. You want to have a meaningful conversation with your intermediary that these audit rights are real.

There is an increasing turf battle on international enforcement. The SFO (Britain’s version of the DOJ) has stated that reporting to the DOJ first is not a voluntary disclosure for their purposes and reserves the right to still enforce.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Cost-effective Compliance Risk Assessment

Rees Morrison, publisher of Law Department Management, is hosting a series of articles on Cost-effective Compliance Risk Assessment. This series is written by Jeff Kaplan of Kaplan & Walker LLP.

The first article was on Three trends regarding the costs of ineffective compliance. Jeff first focused on the increasing occurrence of the “mega fine.” Then he noted that desperate times tend to breed desperate deeds. Lastly, he noted that the new attorney-general is the same official who set compliance and ethics standards as part of the DOJ’s enforcement decisions.

The second article was on non-costly ways to achieve C&E program successes. Jeff noted that it is more cost-efficient to build the compliance assessment into other functions.

The third article focused on how to embed risk assessment into the process of drafting “third-party” codes of conduct. Jeff points out that handing your employee code to third parties will just lead to confusion. In drafting a code, make sure you elicit comments from the people in the company with direct third-party dealings.

A Benchmarking Survey on Third-Party Codes of Conduct

Rebecca Walker of Kaplan & Walker LLP is the author of a report on A Benchmarking Survey on Third-Party Codes of Conduct (register to download) sponsored by The Society of Corporate Compliance and Ethics. The SCCE received survey results from more than 400 compliance professionals on how they deal with third-party compliance policies. As Rebecca points out in the report: “Organizations are also subject to risks of misconduct by virtue of the actions of agents and other third parties who act on their behalf or partner with the organization in some way.”

Among the relevant findings in the survey:

  1. Only 47% of companies disseminate their internal employee code of conduct to third parties.
  2. Only 26% of companies require that third parties certify to their codes of conduct.
  3. Of those 26%, 92% did not have a threshold as to when they required certifications.
  4. Only 17% of organizations have a code of conduct that is applicable to third parties.

Rebecca points out the U.S. Sentencing Guidelines provide incentives to have your compliance programs reach out to third parties:

Sentencing Guideline §8B2.1(4):

(A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

One of the problems with pushing out your compliance program to third parties is that they may have their own, which differs from your program. The bigger problem is you setting the compliance standards but not enforcing them. Rebecca offers some ways to extend compliance and ethics requirements to third parties. These are some highlights:

  • Conduct due diligence regarding business partners’ compliance and ethics programs.
  • Incorporate language into contracts with third parties requiring compliance.
  • Train third parties on the ethics and compliance program or on particular company policies or procedures.

Thanks to Corporate Compliance Insights for pointing out this survey: Third Party Controls Lacking In Ethics and Compliance Expectations Says SCCE Survey.

Roundtable Discusses Supply Chain Risks

On Jan. 27, 2009, Compliance Week and Integrity Interactive presented an editorial roundtable focusing on supply chain and vendor management risks. They were kind enough to invite me to participate. There is an article about the roundtable in the next issue of Compliance Week and a copy is available online: Roundtable Discusses Supply Chain Risks (subscription required).

One theme from the discussion was a desire for an industry or third party standard for compliance. We all thought it would be great if some industry association or auditing firm could review vendors and give the reliable ones a seal of approval.

Dave Curan, the Chief Executive Officer of Integrity Interactive, recommended that all companies have a separate code of conduct that applies to their suppliers. Many in the audience pointed out that vendors often have their own code of conduct, which precipitates a “battle of the codes.”