Anti-Corruption Compliance: Mitigating Risks of Third Party Misconduct
By Keith Korenchuk, Marcus Asner and Samuel Witten
Marcus Asner, a partner at Arnold & Porter LLP, has extensive experience with investigations and prosecutions under the Foreign Corrupt Practices Act. Previously, Mr. Asner was an Assistant U.S. Attorney in New York for nine years, where he served as Chief of Major Crimes and in the Public Corruption unit.
Keith Korenchuk, also a partner at Arnold & Porter, counsels companies on regulatory and compliance matters worldwide, focusing on compliance program effectiveness, implementation and operations in addition to related regulatory counseling.
Samuel Witten, counsel at Arnold & Porter, is a member of the firm’s international practice and was formerly Deputy Legal Adviser at the U.S. Department of State.
Nearly every multi-national company does business using a combination of its own employees and third parties it hires to help perform essential tasks. Companies routinely engage third party agents to assist in winning government contracts or to obtain permits to do business and perform services. Third party agents also help companies comply with local law and regulations, and with the tasks of moving personnel and goods across borders. But while third parties often can serve key roles in a company’s business, in today’s environment of heightened enforcement of anti-corruption laws they may expose a company to major liabilities if those third parties act corruptly in violation of applicable law.
Under the U.S. Foreign Corrupt Practices Act1 (FCPA), the U.K. Bribery Act,2 and many other anti-corruption laws, a company can be held liable not only for the corrupt actions of its employees, but also for a third party’s actions when that third party acts on its behalf. The FCPA, for example, prohibits offering or paying a bribe or something of value to a foreign government official “for the purpose of obtaining or retaining business for or with, or directing business to, any person,” including where the bribe or offer is made indirectly through a third party.3 U.S. criminal law has an expansive view of corporate criminality, under which an agent’s criminal acts may lead to a corporate criminal conviction.4 The U.K. traditionally has had a much more narrow concept of corporate criminality, but vastly expanded criminal liability in Section 7 of the Bribery Act so that a corporation may be held responsible criminally if it fails to have adequate procedures to prevent a third party agent from bribing.
To reduce the risk of liability, companies need to be vigilant in selecting and monitoring the third parties that act on their behalf. To meet the expectations of governments world-wide, this means developing and implementing a rigorous third party due diligence procedure to properly identify, mitigate and respond to the specific risks associated with the use of third parties. Effective due diligence will help a company guard against having a third party acting corruptly, but it also will help mitigate any exposure if the third party nevertheless acts corruptly, contrary to the company’s wishes. This article outlines the key legal considerations and practical steps companies can take to protect themselves from undue risks in working with third parties.
Overview of Legal Framework
There are many types of third party actions that regularly implicate anti-corruption laws such as the FCPA or the Bribery Act. For example, in the area of government procurement, third parties might seek to obtain lucrative contracts by offering bribes to government officials with decision-making authority on issues ranging from the structure of the contract bidding or procurement process to the selection of the winner and the administration of the contract. Outside of procurement, many other third parties interact on behalf of companies with government officials: regulatory agents (such as vehicle licensing agents and visa processors), shipping agents (such as customs brokers and freight forwarders), and professional services providers (such as lawyers, accountants, regulatory consultants, travel agencies interacting with government officials and lobbyists) regularly deal with government authorities. Significantly, a bribe for purposes of the FCPA can include not only money but “anything of value,”5 which could include, for example, gifts, meals, entertainment and travel.
In a large number of settled cases, companies have been held liable for the conduct of third parties operating on their behalf.6 For example, on May 29, 2013, Total S.A. (Total), a French oil and gas company whose securities trade on the New York Stock Exchange, resolved parallel enforcement actions brought by the Justice Department and the Securities and Exchange Commission based on allegations that the company violated the FCPA by paying over US$60 million in bribes to intermediaries of an Iranian official as part of a scheme to obtain and retain oil rights in Iran.7 On April 22, 2013, Ralph Lauren Corporation (Ralph Lauren) resolved parallel FCPA investigations through a non-prosecution agreement (NPA) with the SEC–the Commission’s first-ever NPA in a matter involving the FCPA–and a separate NPA with the DOJ. The SEC and DOJ investigations stemmed from bribes allegedly paid by Ralph Lauren’s subsidiary in Argentina (RLC Argentina) to government officials. According to the SEC’s NPA, between 2005 and 2009 the General Manager and other employees of RLC Argentina approved approximately US$568,000 in payments to a customs broker to bribe Argentine customs officials in order to secure the importation of Ralph Lauren products into Argentina.8 The corrupt payments included agreements with consultants to pay bribes in exchange for contracts and nonpublic information regarding tenders, as well as payments to consultants who never performed work for the company. U.S. regulators have vigorously enforced cases involving third parties and DOJ has made clear in its recent series of deferred prosecution agreements under the FCPA that companies must develop and implement robust anti-corruption compliance programs to guard against corrupt payments by third parties.
U.S. corporate criminal law is especially onerous. Under U.S. law, companies technically can be liable if the agent pays a bribe to help the company obtain or retain business, even if the bribe was not approved by a company employee. To make matters worse, an individual company employee also can be held criminally responsible for the agent’s crimes if the employee knew of the agent’s deed or if she was aware of a “high probability” that the agent was bribing someone (unless the employee actually believed that the agent was not paying bribes).9 Thus, both the company itself and its individual employees who are supervising third parties will be well served to provide oversight of the conduct of their agents to ensure their activities are lawful.
Conducting appropriate due diligence as part of a robust compliance program also helps a company if a third party agent, despite the company’s due diligence, nevertheless violates the anti-corruption laws. Under the U.S. Attorney Manual, federal prosecutors will consider the existence and effectiveness of the company’s compliance program when deciding whether to charge the company criminally.10 Moreover, if a corporation is criminally charged, the fact that it has an effective compliance program can help mitigate the penalty under the United States Sentencing Guidelines.11 The U.K. Bribery Act takes things a step further. Under the Bribery Act, having an effective compliance program can serve as an affirmative defense, absolving the corporation of any criminal liability.12
Third party liability is of particular concern under the FCPA and other anti-corruption laws because third parties conducting business in other countries often operate under different cultural norms and expectations, and some third parties may view illicit actions as consistent with, and even necessary for, success in local markets.13
The following steps provide a roadmap, based on our experience in assisting companies worldwide in designing, implementing and operating third party due diligence procedures, combined with our analysis of language on third party reviews in recent FCPA deferred prosecution agreements.14
Implementing an Appropriate Third Party Due Diligence Procedure
As detailed below, a properly designed third party anti-corruption due diligence procedure will have a number of essential elements, all of which should be implemented for the effort to be effective.
• The framework should be based upon a risk assessment of how the company conducts business, how, when, where and why it uses third parties, and how it supervises the work of those third parties.
• The diligence procedures should be formalized in writing as a policy or procedure, and should be supported by a clear top-down instruction about the importance of following those procedures (the “tone at the top” must be clear).
• Third parties who are “in scope” for the review need to be determined; for example, third parties that interact with government officials15 in known risk areas and/or working in high-risk locations for corruption typically would be good candidates for due diligence.
• The nature of the review should be risk-based, varying by the nature of the anticipated interaction with the governments.
• The company should use contractual clauses and certifications from the third parties to formalize the commitment to compliance, employ mechanisms to provide effective oversight of third party conduct, and in appropriate cases, train third party agents on company policies and procedures.
• The company should monitor and audit the company’s payments to third parties, including in many cases the payments made by the third parties, to ensure that the third party’s actions comply with the company’s policies and relevant anti-corruption laws.
• All due diligence of third parties should be documented to ensure that there is a record of consideration of risks and appropriate supporting documentation should be retained in an easily accessible database.
• Finally, the company should consider who should actually conduct and oversee the review procedure, as every company should organize its compliance framework to meet its particular needs with decisions being made at the appropriate local, regional and global levels.
To facilitate implementing these program elements, the following analytical framework is suggested.
The first step to implementing any due diligence review is a well-considered cost/benefit analysis and risk assessment of the hiring, retention and oversight of third parties.16 Every company will have a different assessment process depending on a number of factors, such as the types of business in which the company is engaged, the markets in which it operates, the contemplated interactions with government officials, the types of third parties typically used for such interactions, the way the company is governed and the company’s anticipated growth and business plan. A risk assessment identifies key types of interactions creating risk, the types and locations of third parties who perform work on behalf of the company and the frequency of those interactions. A comprehensive risk assessment serves as the cornerstone of the design and operation of the third party due diligence review procedure, as it informs key program design questions such as the scope, intensity, resources, organization and controls in the review. It need not be a lengthy or complex process.
In assessing risk, another task is to evaluate certain functions of employees (and the third parties they supervise) that by their nature create incentives for the use of bribery. For example, if compensation for a particular employee is based on obtaining regulatory approvals, the employee might have incentives to bribe to ensure that such approvals are forthcoming, and may hire regulatory agents who might be prone to doing the same. In other words, if the employees have incentives, those same incentives will exist for the third parties, but the company may have less control over the third party, making the risk of corruption greater.
A key threshold question is whether the use of any particular third party is necessary to achieve the company’s business objectives or whether the actions contemplated can be handled “in house.” Performing a function “in house” frequently brings with it better oversight, more accountability and potentially significant cost-savings. Because a company generally has less control over third parties than it would over its own internal operations, a company should consider whether the potential liability engendered by the use of third parties is appropriate and worth the risk in each particular situation.
Once a company conducts its assessment and confirms the necessity of using third parties for particular tasks, the next step is to develop and implement clear anti-corruption policies and procedures detailing the third party review. These policies and procedures must be known to all company directors, officers and employees as well as to actual and potential third parties.17 These written materials should:
• Provide a framework for identifying, reporting and resolving warning signs of corruption arising out of the third party review.
• Minimize actual corruption risks.
• Ensure the company is partnering with appropriately qualified third parties for proper business purposes.
The risk assessment and the written policies and procedures the company creates will drive the questions asked in the actual review process outlined below.
Most importantly, the written policies and procedures cannot be simply announced on paper–they must be accompanied by clear support from the top of the company that the compliance framework in general and the review of third parties in particular are essential and non-discretionary, and that there are substantial consequences for failing to follow the review procedure. In some circumstances, third parties interacting with government employees should themselves receive training directly from the company to help ensure that they understand the policies and procedures and the consequences of non-compliance.
The first level of review is to determine which third parties are “in scope,” and thus subject to heightened due diligence review. In this respect, all third parties that deal with foreign government officials on behalf of a company present corruption risks and should therefore be presumptively “in scope.” Because each company will need to develop its risk analysis based on its own circumstances, it may decide that certain third parties are automatically “in scope” if they have contracts with the company over a certain monetary threshold. Companies may also want to consider the type of government interactions likely to be pursued by third parties and also the country or countries in which the third party operates. For example, because of endemic corruption risks in a particular country, a company may decide that all third parties operating in that country are “in scope,” even if their primary responsibilities do not include significant government interactions on behalf of the company. If the third party is not “in scope” (e.g., it is not expected to have dealings with foreign governmental authorities on behalf of the company or otherwise not subject to additional scrutiny), then companies may choose to limit or adapt the due diligence described below or may decide it is ultimately unnecessary.18
For those third parties “in scope,” a review should follow, both in vetting for suitability and risk signs and in overseeing their work for the company. The type, scope and control/decision-making structure of such a review will be a highly individualized decision for each company, based on important issues of timing, manner and the depth of review of existing third parties and new third parties. However, there are some common elements that should be present in any effective procedure:
After the initial determination of which third parties are “in scope,” the company should ask those parties preliminary questions on a variety of relevant issues, including, but not limited to, qualification to perform the work, staffing, level of experience, references and company history. These responses are typically provided by the third party in a written questionnaire.
The company should also conduct reference checks with other parties with whom the third party conducts business, but should not include any references who may receive compensation from the third party under review. The results of these inquiries should be thoroughly documented.
A background search for news concerning the third party’s prior conduct, as well as the conduct of the third party’s owners, officers, directors, senior management, and those executives who are principally involved in the relationship with the company is also an essential part of the review. These searches will also assist in identifying any connections or relationships with government officials. Options for conducting these types of searches include commercial databases, the Internet, local news sources, the local U.S. or other relevant embassy or a combination of these resources.
During any review, company personnel should be alert for the classic warning signs of corruption, such as excessive requests for compensation, substantial amounts sought in advance, payments going to third party subcontractors, payment only upon “success” or involvement of government officials in the company or its operations. If there are still questions or unresolved warning signs, the company should always leave open the option of a further review with additional follow up questions and due diligence review relating to actual or possible problems, which could involve further questions, a background search and/or a site visit. The situation may also require the hiring of an outside expert to conduct a more detailed diligence review.
In the course of conducting the due diligence review, if warning signs cannot be resolved, the company may decline to begin a relationship with a new third party or terminate its relationship with an existing third party. Companies may seek to address potential warning signs–if possible and prudent–through enhanced reporting, more training, a more robust compliance program for the third party, anti-corruption contract clauses, more auditing, ongoing monitoring and/or other risk mitigation strategies.
Once a third party completes the review, the company should establish a policy on how often a third party should be subject to a new review. Many companies will elect to review each third party relationship at set periods, for example, every two to three years, or sooner if there is a fundamental change in the relationship.
Companies should have available a number of tools to mitigate third party corruption risks. The finance function at the company should conduct an independent review of any expenses and reimbursement requests sought by the third party prior to authorization of payment. This might include checking claims for payment against the obligations under the contract, ensuring adequate supporting documentation exists and generally being alert for warning signs of corruption. The company should also require annual compliance certifications. Finally, companies should include standard anti-corruption provisions in third party contracts. Depending on the circumstances, and as noted very clearly by the DOJ in recent deferred prosecution agreements, these contractual clauses could include:
(a) anti-corruption representations and undertakings relating to compliance with the anti-corruption laws;
(b) rights to conduct audits of the books and records of the agent or business partner [third party] to ensure compliance with the foregoing; and
(c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.19
An important aspect of implementing a third party due diligence procedure is including a systematic and consistent way to monitor, audit and review third party relationships.
Monitoring may be built into a company’s internal controls through its finance function (i.e., a reconciliation of expenses and reimbursement claims against contractually required documentation and supporting documentation). In addition to the finance check, another control that many companies use is to identify a person within the company who is designated as the point of contact with the third party and manages the relationship between the company and the third party. This lead point of contact should have actual and ongoing knowledge of all relevant activities of the third party on behalf of the company.
Companies also should establish a written audit plan that is based on a reasonable sample of third parties, that considers the nature of the third parties’ activities, and the risks inherent in specific countries or regions where corruption risks with the use of third parties are greater. This determination of the sample size and third parties selected should be based on assumptions that are articulated in the audit plan. The auditing function may already exist as a discrete function in a company, and if so, auditing should be integrated with that existing function.
No matter the type and extent of the monitoring and auditing, the company should be sure to document its oversight so that this monitoring and auditing process itself can be reviewed periodically to ensure effective operation.
A successful third party due diligence procedure needs staff and resources to conduct the review and oversight. Each company should consider a number of factors in deciding who actually conducts the review and administers the overall procedure, and each organization will have its own approach on these issues. Relevant considerations include:
• The type of business involved and how it operates, with considerations including size, complexity, lines of business and decision makers.
• The extent to which a company is decentralized or centralized and the roles to be undertaken by headquarters versus regional and local operations.
• The role of the legal department at various phases of the development and oversight of third party relationships.
• Whether the due diligence relating to third parties should be conducted internally or externally, and if externally, at what point these external reviewers are involved in the process.
Company personnel who actually conduct this due diligence review must understand the level of risk of relevant third parties, be specifically trained to address this risk, and understand how to raise concerns within the company when they arise.
It is also clear that, to be effective, a review procedure must have built-in mechanisms to ensure consistency of review across the company, a mechanism to create and maintain a complete review “file” to document the work undertaken and resolution of any warning signs, and appropriate oversight of program operation by senior management regardless of how decentralized a review procedure operates. Accountability of those conducting the review for the company is also essential for program success.
Governments have made clear in recent guidance and settlements that they expect a robust review of third parties as part of an overall effective anti-corruption compliance program. Companies that implement a third party anti-corruption due diligence procedure will minimize the risks that arise when working with third parties.
While the principles stated above provide guideposts and checklists, the nature of a review must be individually tailored to particular company risks, needs, capabilities and markets. In this era of heightened enforcement of anti-corruption laws, inaction or a failure to properly oversee the actions of one’s third parties is simply not an option.
1 The FCPA prohibits a broad range of persons and businesses, including U.S. and foreign issuers of securities registered in the U.S., from making a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. These provisions also apply to foreign persons and companies that take any act in furtherance of such a corrupt payment while in the U.S.
The FCPA also requires companies with securities listed in the U.S. to meet its provisions on recordkeeping and internal accounting controls. These accounting provisions were designed to operate in tandem with the anti-bribery provisions of the FCPA and require companies covered by the law to make and keep books and records that accurately and fairly reflect the transactions of the company and to devise and maintain an adequate system of internal accounting controls.
2 2010 U.K. Bribery Act, available at http://www.legislation.gov.uk/ukpga/2010/23/pdfs/ukpga_20100023_en.pdf. For a detailed analysis of the law, see Arnold & Porter, U.K. Bribery Act 2010: An In-Depth Analysis (May 2010) available at http://www.arnoldporter.com/public_document.cfm?id=15833&key=23D1.
4 A corporation can be held liable for the actions of its agents, even where the agent may have acted for mixed motives, so long as one motivation of its agent is to benefit the corporation. See United States v. Potter, 463 F.3d 9, 25 (1st Cir. 2006) (stating that the test to determine whether an agent is acting within the scope of employment is “whether the agent is performing acts of the kind which he is authorized to perform, and those acts are motivated, at least in part, by an intent to benefit the corporation”).
6 For example, in the recent non-prosecution agreement involving Ralph Lauren, the Justice Department determined that corrupt payments were being made to Argentine customs officials by a customs clearance company hired by Ralph Lauren’s Argentine subsidiary. See http://www.justice.gov/opa/pr/2013/April/13-crm-456.html.
7 See Press Release, Justice Dep’t, French Oil and Gas Company, Total, S.A., Charged in the United States and France in Connection with an International Bribery Scheme (May 29, 2013), available at http://www.justice.gov/opa/pr/2013/May/13-crm-613.html; Press Release, SEC, SEC Charges Total S.A. for Illegal Payments to Iranian Official (May 29, 2013), available at http://www.sec.gov/news/press/2013/2013-94.htm.
8 SEC Non-Prosecution Agreement with Ralph Lauren Corporation (Apr. 18, 2013) at Ex. A, Statement of Facts ¶¶ 5, 7, available at http://www.sec.gov/news/press/2013/2013-65-npa.pdf.
13 The U.K. Bribery Act is likely to be interpreted even more widely in scope than the FCPA, prohibiting bribes not just to foreign officials but to commercial parties as well. The Bribery Act was enacted on April 8, 2010 and came into force on July 1, 2011.
14 Keith M. Korenchuk, Samuel M. Witten, & Dawn Y. Yamane Hewett, Advisory: Building an Effective Anti-Corruption Compliance Program: Lessons Learned from the Recent Deferred Prosecution Agreements in Panalpina, Alcatel-Lucent, and Tyson Foods, March 2011, available at http://www.arnoldporter.com/resources/documents/Advisory-Building_an_Effective_Anti-Corruption_Compliance_Program_Lessons_Learned_031611.pdf.
16 See, e.g., Deferred Prosecution Agreement, United States v. Total S.A., Crim. No. 1:13CR00239 (E.D. Va. May 29, 2013), Dkt. Entry No. 2, at Attachment C-5, available at http://www.justice.gov/iso/opa/resources/9392013529103746998524.pdf (“To the extent that the use of agents and business partners [third parties] is permitted at all by [the company], it will institute appropriate due diligence and compliance requirements pertaining to the retention and oversight of all agents and business partners, including: … Properly documented risk-based due diligence pertaining to the hiring and appropriate and regular oversight of all agents and business partners”).
17 The DOJ has required in connection with settling FCPA matters that companies inform all third parties of the company’s “commitment to abiding by laws on the prohibitions against foreign bribery, and of [the company's] ethics and compliance standards and procedures and other measures for preventing and detecting such bribery.” See, e.g., Deferred Prosecution Agreement, United States v. Total S.A., Crim. No. 1:13CR00239 (E.D. Va. May 29, 2013), Dkt. Entry No. 2, at Attachment C-5, available at http://www.justice.gov/iso/opa/resources/9392013529103746998524.pdf.
18 Of course, simply because a third party is not “in scope” for the heightened due diligence review, the company should not ignore the possibility of corruption issues and may want to take additional steps to ensure compliance with these or other laws, including appropriate reviews and certifications.
19 See, e.g., Deferred Prosecution Agreement, United States v. Total S.A., Crim. No. 1:13CR00239 (E.D. Va. May 29, 2013), Dkt. Entry No. 2, at Attachment C-5-6, available at http://www.justice.gov/iso/opa/resources/9392013529103746998524.pdf.