In a 2015 speech before the SIFMA Compliance and Legal Society New York Regional Seminar, former Assistant Attorney General Leslie Caldwell laid out, for the first time, metrics the DOJ would consider in evaluating a corporate compliance program around third parties. Caldwell began with the following question: “Does the institution sensitize third-parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?” This inquiry was brought forward into the DOJ’s 2017 Evaluation and all subsequent updates.
In addition to monitoring and oversight of your third parties, you should periodically review the health of your third-party management program. The robustness of your program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out herein, you need to fully document the steps you have taken so that any regulator can test your metrics. Caldwell’s remarks around compliance metrics portended the Evaluation and what the DOJ will be reviewing and evaluating going forward, so it is clear what will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program.
Three key takeaways:
- It all starts with a Relationship Manager.
- Have company oversight of all third parties.
- Audit, monitor, and remediate on an ongoing basis.