Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending January 20, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  1. The Singapore Transportation Minister resigns due to corruption allegations. (CNN)
  2. China’s war on corruption becomes a policy.  (Reuters)
  3. Higher sanctions and penalties are coming. (WSJ)
  4. JPMorgan will pay $18 million for whistleblower protection violations. (WSJ)
  5. Anti-corruption advocate sworn in as Guatemalan President.  (Bloomberg)
  6. Crypto firm Genesis Trading was fined $8 million for compliance failures. (WSJ)
  7. Is the Chinese military as corrupt as the Russian army?  (Business Insider)
  8. Ackman threatens a law suit against Business Insider.  (FT)
  9. The Russian war reigned over Ukrainian oligarchs.  (NYT)
  10. A former A&F CEO faces a criminal investigation.  (BBC)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.

Connect with Tom:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

The Third Party Risk Management Process

As every compliance practitioner is well aware, even in 2023, third parties still present the highest risk under the FCPA. The 2023 ECCP devotes an entire prong to third-party management. It begins with the following:

Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

1. Business Justification by Business Sponsor;

2. Questionnaire to Third-party;

3. Due Diligence on Third-party;

4. Compliance Terms and Conditions, including payment terms; and

5. Management and Oversight of Third Parties After Contract Signing.

Business Justification. The first step breaks down into two parts: business sponsor and business justification. The purpose of the business justification is to document the satisfactoriness of the business case to retain a third-party. The business justification should be included in the compliance review file assembled on every third-party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the business sponsor, who will be the primary contract with the third-party for the life of the business relationship.

Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third-party that desires to do work with your company. If a third-party does not want to fill out the questionnaire or will not fill it out completely; run, don’t walk, away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, most proposed agents that have done business with U.S. or U.K. companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to U.S. businesses.

Due diligence. Most compliance practitioners understand the need for a robust due diligence program to investigate third parties but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both a procedure for anti-bribery risk assessment and a risk mitigation technique. Further, both operate as compliance internal controls.

With this due diligence, you should then perform a triage. Triage is how you determine where each third party falls in the ranking of priorities. Asha Palmer, EVP at Convercent by One Trust, has noted that: “Appropriate due diligence may vary based upon company size, transaction, and type of third party. These categories and several others may determine how you choose to design your triage process.” Some of the common factors that determine how high-risk a third-party relationship may be:

• Type of third party (bank, consultancy, reseller, etc.)

• Contract value

• Country

• Government interaction

• Industry

After you have completed Steps 1–3 you are ready to move onto to Step 4, the contract. According to the 2012 FCPA Resource Guide, additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third-party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

The contract. You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are red flags, which have appeared, these red flags must be cleared, or you must demonstrate how you will manage the risks identified. In other words, you must document that you have read, synthesized and evaluated the information garnered in the business justification, questionnaire and due diligence steps beforehand. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a “check the box” exercise.

Management of the relationship. While the work done in the four steps above are absolutely critical, if you do not manage the relationship, it can all go downhill very quickly, and you might find yourself with a potential FCPA violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed.