As every compliance practitioner is well aware, third-parties still present the highest risk under the FCPA. The DOJ 2023 ECCP devotes an entire prong to third-party management. It begins with the following: A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.
This set of queries clearly specifies the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party management: 1) business justification; 2) questionnaire to third-party; 3) due diligence on third-party; 4) compliance terms and conditions, including payment terms; and 5) management and oversight of third parties after contract signing.
I continually give my mantra of compliance, which is “Document, Document, and Document”. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.
Three key takeaways:
- Use the full five-step process for third-party management.
- Make sure you have Business Development involvement and buy-in.
- Operationalize all steps going forward by including business unit representatives.
For more information, check out The Compliance Handbook, 4th edition, here.