The 2023 Evaluation of Corporate Compliance Programs (2023 ECCP) stated, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials.” This standard articulates one of the most basic tools to operationalize your compliance program and should form the basis of your third-party risk management process. Indeed, this is viewed as an internal control, with the 2023 ECCP going on to pose the following question: “How does the company ensure there is an appropriate business rationale for the use of third parties?”
What should go into your business justification? At the most basic level, you should craft a document that works for both you, as the compliance practitioner, and the business folks in your company, and that details some basic concepts, including the following: 1) The name and contact information for both the Relationship Manager and the proposed third party; 2) How the Relationship Manager came to know about the third party, because it is a red flag if a customer or government representative points you towards a specific third party; 3) What services the third party will perform for your company, the length of time and compensation rate for the third party; and 4) An explanation of why this specific third party should be used as opposed to an existing or other third party, if such were considered. All this information should be documented and then signed by the Relationship Manager.
Remember, the purpose of the business rationale is to document that the business case to retain a third party is satisfactory. The business rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. This means “Document, Document, and Document.”
Three key takeaways:
1. You should always have a business reason for using a third party, and it should be articulated by the business folks, not compliance.
2. A Relationship Manager is the key going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
3. Always remember to “Document, Document, and Document.”