Author: admin

Categories
Adventures in Compliance

The Return of Sherlock Holmes – Introduction to The Book ‘The Return of Sherlock Holmes’

Welcome to a review of all the Sherlock Holmes stories that are collected in the work “The Return of Sherlock Holmes.“. It is a collection of thirteen detective stories written by Sir Arthur Conan Doyle, marking the reappearance of the brilliant detective Sherlock Holmes after his apparent death in “The Final Problem.” The collection spans various intriguing cases and mysteries that Holmes and his loyal friend Dr. John Watson tackle.

From solving murders and thefts to uncovering complex deceptions and conspiracies, Holmes demonstrates his unmatched deductive skills and remarkable analytical mind. “The Return of Sherlock Holmes” not only showcases Holmes’s triumphant return but also delves into the depths of his character, illustrating his unwavering commitment to justice and his enduring friendship with Watson. The collection is a testament to Doyle’s storytelling prowess and the enduring appeal of the iconic detective, making it a must-read for fans of mystery and detective fiction. I will be exploring each story from the leadership and compliance angles, with some ethical lessons thrown in for good measure. Today we are celebrating the return of Sherlock Holmes after a three-year hiatus from his final confrontation with Professor Moriarty.

How did Holmes survive his final confrontation at Reichenbach Falls with Professor Moriarity? Where did Holmes travel during the great Hiatus? What of his friend, Dr. Watson? Has Holmes changed in the interim 3 years? Explore these questions and a host of others as Tom Fox begins a new season of the Adventures in Compliance podcast as he delves deeper into how the methods of Sherlock Holmes can be applied to uphold ethical standards and leadership principles in the world of compliance through stories from the book The Return of Sherlock Holmes.

Key Highlights:

  • The enigmatic survival of Sherlock Holmes
  • The Return of Sherlock Holmes
  • How did Doyle handle the hiatus?
  • What did Holmes do during the hiatus?

Resources:

The New Annotated Sherlock Holmes

Connect with Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – Jay Rosen on SAP’s Road to FCPA Compliance

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Jay Rosen who discusses the recent FCPA enforcement action involving the software giant SAP.

Jay Rosen is a seasoned compliance professional with a deep understanding of the SAP FCPA enforcement case. His perspective on the topic of SAP’s FCPA enforcement case and the importance of cooperation and self-disclosure is shaped by his belief that self-disclosure is paramount in any FCPA investigation or enforcement action. He points out that SAP did not initially self-disclose, but began to cooperate only after investigative reports were made public in South Africa. Despite this, Rosen acknowledges SAP’s commendable efforts in providing regular, prompt, and detailed updates to the fraud section, producing relevant documents, and undertaking extensive remediation actions. He underscores the importance of conducting a root cause analysis, implementing data analytics, and enhancing compliance programs and internal controls, asserting that companies can recover if they follow these steps and use data-driven analytics to counterbalance any negative facts. Join Tom Fox and Jay Rosen as they delve deeper into this topic on this episode of the FCPA Compliance Report.

Key Highlights:

  • The facts and underlying bribery schemes
  • Lack of self-disclosure and what it means
  • Extensive cooperation
  • Extensive remediation
  • A superior result achieved

Resources:

Jay Rosen on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

 

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. Identifying key risk areas is essential to risk mitigation and the protection of your company’s reputation. Corporate and institutional investors need to know who they will be doing business with especially given heightening regulatory compliance actions by the US and other government agencies, and increasing geopolitical risk concerns.

The 2023 Evaluation of Corporate Compliance Programs (ECCP) stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed:

First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources … Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI [microfinance institution] to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.

This Opinion Release sets out a clear break that every compliance practitioner should use in considering an appropriate level of due diligence to engage with third-party risk management process or when considering the level of due diligence required on a potential business venture partner.

Further in October 2023 the DOJ announced the new Mergers and Acquisitions Safe Harbor Policy, which encourages companies to self-report corruption and criminal misconduct found during an acquisition. Companies that cooperate with federal regulators, investigate, and then remediate such misconduct may be eligible for criminal declination by the federal government. This process must be initiated within 6 months of the M&A transaction and is heavily dependent on effective due diligence.

Importantly, you can’t disclose what you don’t know. Understanding FCPA risks in foreign jurisdictions requires a deep level of due diligence based on local and regional intelligence.

Given the increasing sanctions and geopolitical risk environment it behooves a company to identify these risk factors. Due diligence investigations also help to identify national security risks ranging from corruption, and sanctions violations to terrorist financing. The stakes are increasingly serious for all companies working internationally and domestically within the US.

Due diligence investigations can reveal reputational risk, litigation issues, fraud and corruption risks, financial sanctions, criminal activity, supply chain risk, regulatory risk and environmental, social & governance (ESG) risks.

A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled, Deep Level Due Diligence: What You Need to Know.

Level I. First level due diligence typically consists of checking individual names and company names through over 1400 Global Watch lists comprised of AML, anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures—demonstrating a broad intent to actively comply with international regulatory requirements.

Level I should also consider beneficial ownership records when they are available, and company tax information to assess whether the third party is financially sound and in compliance with tax payments as required within its primary country of business, plus a check of perceived business risks in that country. Additionally, the third party’s website should also be reviewed; it is unusual for a company not to have a website and this can be a preliminary flag that there are issues. Tal recommends verifying that the company address also exists; a non-verifiable address should be considered a potential red flag that would indicate the need for a deeper-level due diligence investigation.

Level I will reveal some of the key information needed to make preliminary risk exposure ranking decisions, especially for larger corporations who may have several hundred thousand vendors in their supply chains. However, Level I is very basic in scope and will not identify the majority of corruption risks; it should therefore only be considered a first step.

Level II. Level II due diligence encompasses a broader public records search and supplementing Global Watch lists with a negative keyword screening of international media, typically major newspapers and periodicals from all countries, plus detailed internet searches. Negative keywords are not the same as deep media/ OSINT searches as these focus on a smaller selection of keywords only. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third-party’s key executives and associated parties.

Level II should also include everything found in Level I searches plus in-country database searches. Other types of information you should consider obtaining are country of domicile and international government records, use of in-country sources to provide assessments, a check for international derogatory electronic and physical media searches, which should be performed in both English and foreign-languages, in its country of domicile. Further, if you are in a specific industry, use technical specialists and obtain information from sector specific sources.

Level III. This level is a deep dive due diligence with a far more thorough investigation than the Level II scope, enabling a comprehensive assessment of corruption and business risks.

I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence plus a deep dive investigation of online records to identify known and more importantly unknown conditions. It will also require an in-country “boots-on-the-ground” investigation in the country involved. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.”    Further, Tal notes that:

Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points. These are security-based recommendations designed to highlight issues and themes of information found across different investigative avenues. Without this understanding companies may miss critical information necessary to make informed risk and compliance decisions.

Significantly, thorough Level III due diligence can provide an additional level of fiduciary duty of care for the company’s board.

Level III should include deep web, accessible dark web, and historical Internet searches, also known as Open-Source Intelligence Investigations (OSINT). Although AI can be used for some of this work, it should be noted that AI without investigative analysis will yield less adverse information. AI can ignore  critical information that it cannot identify as missing, also there may be indicators inferring an outcome which is likely to be missed by AI currently. Investigative analysis looks at hidden and undisclosed information and searches for information that should have been found but was not. It is an integrated approach incorporating “boots on the ground”, intelligence gathering, and due diligence investigations. Relying on basic Google searches is a certain mistake as hidden and undisclosed information are unlikely to be discovered.

But more than simply an investigation of the company, including a site visit and coupled with onsite interviews, Tal says that some other things you should investigate include:

An in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.

Tal believes that an in-depth background check should also look for such “Reputational information, undisclosed involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm to investigate the third-party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third-party in the eye and get a firm idea of the third party’s cooperation and attitude towards compliance—as one of the most important inquiries is based on the response and cooperation of the third-party. More than simply trying to determine if the third party objected to any portion of the due diligence process or objected to the scope, coverage or purpose of the FCPA, you can use a Level III due diligence investigation to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 21 – Managing Your Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area that the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Sunday Book Review

Sunday Book Review: January 21, 2024 The Books on HR Edition

In the Sunday Book Review, I consider books that would interest the compliance professional, the business executive, or anyone who might be curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest me. Over the month of January, we will review some of the best books reported by People Managing People in various categories. In today’s edition of the Sunday Book Review, we look at four books on HR you should read in 2024.

  • The Essential HR Handbook by Sharon Armstrong and Barbara Mitchell
  • Irresistible: The 7 Secrets of the World’s Most Enduring, Employee-Focused Organizations by Josh Bersin
  • Built for People: Transform Your Employee Experience by Jessica Swaan
  • Remote Not Distant by Gastavo Ruzzetti

Resource:

28 Best HR Books You Should Read in 2024

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Managing Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

The 2023 ECCP posed the following questions:

Risk-Based and Integrated Processes—How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

Appropriate Controls—How does the company ensure there is an appropriate business rationale for the use of third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Management of Relationships—How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? How does the company train its third-party relationship managers about compliance risks and how to manage them? How does the company incentivize compliance and ethical behavior by third parties? Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?

Real Actions and Consequences—Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed? Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date? If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved? Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key is to have a strategic approach to how you structure and manage your third-party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to control risk while optimizing the performance of your third parties.

Amalgamate third parties but have fallbacks. It is incumbent to consolidate your third-party relationships to a smaller number to more fully operationalize your compliance program. This will make the entire third-party lifecycle easier to manage. However, a company must not “over-consolidate” by going down to a single source. You should build a diversified base, with through “dual-sourcing.” From the compliance perspective, you may want to have a primary and secondary third-party that you work with in a service line or geographic area to retain this redundancy.

Monitor any subcontracted work. This is one area that requires an appropriate level of compliance management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

Legal Protections. This is where your compliance terms and conditions will come into play. Consider a full indemnity if your third-party violates the FCPA and your company is dragged into an investigation because of the third-party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the DOJ or SEC during the pendency of an investigation. Finally, you need a clause that requires your third-party to cooperate in any compliance investigation. This means cooperation with you and your designated investigation team, but it may also mean cooperation with U.S. governmental authorities as well.

Keep track of your third parties’ financial stability. This is one area that is not usually discussed in the compliance arena around third parties, but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third-party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Formalize incentives for third-party performance. One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third-party. If you have a long-term stable relationship with a third-party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third-party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.

By linking compensation to performance, there should be an increase in third-party performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

You should rank third parties based upon a variety of factors including performance, length of relationship, benchmarking metrics and compliance KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.

Auditing third parties. Critical to any best practices compliance program and an important tool in operationalizing your compliance program, this is a key way a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Document review and selection is important for this process, you should ask for as much electronic information as possible well in advance of your audit. Request the following categories of documents; trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries and revenue by country and customer.

Regarding potential interviewees, focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

• Business leadership;

• Sales/marketing/business development;

• Operations;

• Logistics;

• Corporate functions such as human resources, finance, health, safety and environmental, real estate and legal

For the interview topics, there are several lines of inquiry. Remember this is an audit interview, not an investigative interview. Avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on include:

• General policies and procedures;

• Books and records pertaining to compliance risks;

• Test knowledge of FCPA or other anti-corruption laws and their understanding of your company’s prohibitions;

• Regulatory challenges they may face;

• Any payments of taxes, fees or fines;

• Government interactions they have on your behalf; and

• Other compliance areas you may be concerned about or that would impact your company, including trade, anti-boycott, anti-money laundering (AML), anti-trust.

Managing your third parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending January 20, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  1. The Singapore Transportation Minister resigns due to corruption allegations. (CNN)
  2. China’s war on corruption becomes a policy.  (Reuters)
  3. Higher sanctions and penalties are coming. (WSJ)
  4. JPMorgan will pay $18 million for whistleblower protection violations. (WSJ)
  5. Anti-corruption advocate sworn in as Guatemalan President.  (Bloomberg)
  6. Crypto firm Genesis Trading was fined $8 million for compliance failures. (WSJ)
  7. Is the Chinese military as corrupt as the Russian army?  (Business Insider)
  8. Ackman threatens a law suit against Business Insider.  (FT)
  9. The Russian war reigned over Ukrainian oligarchs.  (NYT)
  10. A former A&F CEO faces a criminal investigation.  (BBC)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.

Connect with Tom:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

The Third Party Risk Management Process

As every compliance practitioner is well aware, even in 2023, third parties still present the highest risk under the FCPA. The 2023 ECCP devotes an entire prong to third-party management. It begins with the following:

Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

1. Business Justification by Business Sponsor;

2. Questionnaire to Third-party;

3. Due Diligence on Third-party;

4. Compliance Terms and Conditions, including payment terms; and

5. Management and Oversight of Third Parties After Contract Signing.

Business Justification. The first step breaks down into two parts: business sponsor and business justification. The purpose of the business justification is to document the satisfactoriness of the business case to retain a third-party. The business justification should be included in the compliance review file assembled on every third-party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the business sponsor, who will be the primary contract with the third-party for the life of the business relationship.

Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third-party that desires to do work with your company. If a third-party does not want to fill out the questionnaire or will not fill it out completely; run, don’t walk, away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, most proposed agents that have done business with U.S. or U.K. companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to U.S. businesses.

Due diligence. Most compliance practitioners understand the need for a robust due diligence program to investigate third parties but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both a procedure for anti-bribery risk assessment and a risk mitigation technique. Further, both operate as compliance internal controls.

With this due diligence, you should then perform a triage. Triage is how you determine where each third party falls in the ranking of priorities. Asha Palmer, EVP at Convercent by One Trust, has noted that: “Appropriate due diligence may vary based upon company size, transaction, and type of third party. These categories and several others may determine how you choose to design your triage process.” Some of the common factors that determine how high-risk a third-party relationship may be:

• Type of third party (bank, consultancy, reseller, etc.)

• Contract value

• Country

• Government interaction

• Industry

After you have completed Steps 1–3 you are ready to move onto to Step 4, the contract. According to the 2012 FCPA Resource Guide, additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third-party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

The contract. You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are red flags, which have appeared, these red flags must be cleared, or you must demonstrate how you will manage the risks identified. In other words, you must document that you have read, synthesized and evaluated the information garnered in the business justification, questionnaire and due diligence steps beforehand. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a “check the box” exercise.

Management of the relationship. While the work done in the four steps above are absolutely critical, if you do not manage the relationship, it can all go downhill very quickly, and you might find yourself with a potential FCPA violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed.

Categories
Kerrville Weekly News Roundup

Kerrville Weekly News Roundup: January 20, 2024

Welcome to the Kerrville Weekly News Roundup. Each week, veteran podcaster Tom Fox and his colleagues Andrew Gay and Gilbert Paiz get together to go over a couple of their favorite stories from the past week from Kerrville and the greater Hill Country. Sit back, enjoy a cup of morning coffee and listen in to get a wrap-up of the Kerrville Weekly News. We each consider two of our favorite stories and talk about the upcoming weekend’s events, which we will enjoy or participate in this weekend.

In this episode, Tom and Andrew discuss the following stories that caught their attention over the past week:.

  • Tom discusses the Belew appeal and property taxes being due on January 31. He gives a special shout out to Jackie Burke, the oldest living Masters champion, who died last week at age 100. He is looking forward to a great weekend of the NFL playoffs
  • Andrew discusses the Barry Corbin appearance at Arcadia Live and the Family Fun Night at the Dietrich Center.
  • Gilbert runs down the City Election slate to date and discusses some new commercial businesses coming to Kerrville.

Resources:

Tom Fox on LinkedIn

Gilbert Paiz on LinkedIn

Andrew Gay on LinkedIn

Texas Hill Country Podcast Network

The Lead

Kerrville Daily Times