The 2020 Update stated, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials.” This standard articulates one of the most basic tools to operationalize your compliance program and should form the basis of your third-party risk management process. Indeed this is viewed as an internal control with the 2020 Update going on to pose the following question, “How does the company ensure there is an appropriate business rationale for the use of third parties?”
Another way to think about this issue is by considering the competence of a foreign business partner to provide services to your organization. Such considerations include a review of the qualifications of the third-party candidate for SME, the resources to perform the services for which they are being considered and the third-party’s expected activities for your company. More detailed inquiries include requiring the relevant business unit which desires to obtain the services of any third-party to provide you with a business rationale including current opportunities in territory, how the candidate was identified and why no currently existing third-party relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive.
Remember, the purpose of the business rationale is to document the satisfactoriness of the business case to retain a third-party. The business rationale should be included in the compliance review file assembled on every third-party at the time of initial certification and again if the third-party relationship is renewed. This means “Document, Document, and Document”.
Three key takeaways:
- You should always have a business reason for using a third-party which is articulated by the business folks, not compliance.
- A Relationship Manager is the key going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
- Always remember to “Document, Document, and Document”.