Risk considerations for third-party relationships

This article was originally published in Practical Law The Journal. The printed bi-monthly publication of The Journal is included with Practical Law subscriptions.

In-house counsel often need to gather information internally for a preliminary risk assessment of the bribery and corruption risk associated with third parties that the company seeks to engage. A company that enters into cross-border transactions often contracts with third parties (such as accountants, advisors, agents, attorneys, brokers, consultants, contractors, distributors, freight forwarders, sales representatives, suppliers, vendors, and other intermediaries and goods and services providers) to help advance its interests and perform key business activities.

For example, these third parties can assist the company in:

• Complying with local laws and regulations
• Interacting with government officials and regulatory agents
• Obtaining necessary business licenses and permits
• Understanding a foreign market
• Moving goods across borders
• Meeting with customers and developing business
• Marketing and selling products in a designated territory
• Sourcing parts and other supplies
• Performing outsourced functions, such as technology, data management, and consumer call center support

Risk of third-party agreements

Third parties pose a significant compliance risk for companies under anti-bribery and anti-corruption laws, such as the US Foreign Corrupt Practices Act of 1977 (FCPA) and the UK Bribery Act 2010 (Bribery Act). Agents and other intermediaries authorized to represent the company pose the highest bribery and corruption risk. Suppliers and vendors can also pose substantial risk involving, for example, kickbacks, bid-rigging, conflict minerals, and human rights abuses.

The corrupt activity of a third party can expose the company to criminal and civil liability under US and non-US laws and result in the prosecution of company managers and employees. Corrupt activity by a third party can also harm the company’s reputation and damage the company’s ability to conduct business in certain jurisdictions.

Risk-based due diligence

The US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have stated that companies using third parties should perform risk-based due diligence on those third parties based on the risk profile of the proposed relationship. This risk-based due diligence should be part of the company’s overall compliance program to prevent, detect, remedy, and report misconduct. It is also considered one of the minimum requirements for a compliance program to be effective and can help the company reduce liability for third-party misconduct (see DOJ Criminal Div. and SEC Enforcement Div., A Resource Guide to the US Foreign Corrupt Practices Act Second Edition (2020), available at justice.gov).

To determine the extent of due diligence required, the company should conduct a preliminary risk assessment of the third party. A business unit questionnaire is a useful tool for counsel to gather third-party information internally for the preliminary risk assessment. The company should also engage in third party risk management throughout the life of the business relationship.

Performing a preliminary risk assessment

The preliminary risk assessment should follow a written process to identify key risk indicators (also known as risk factors or red flags) and determine the extent of the due diligence required. Information to be gathered should include:

• The name, addresses, and websites of the third party, including any other names used by it to conduct business
• The name, title, and contact information of the organization's primary business contact at the third party
• Information about the third party's shareholders, principals, and key employees
• A description of the business opportunity that creates the reason for the third-party relationship
• The services to be provided by the third party
• How the third party was identified and why it was selected
• Terms of the proposed business relationship (such as payment, duration, and location)
• Any other information about the third party and the proposed business relationship that may help the due diligence process (such as information about the third party's reputation or financial status or particular issues relating to the relevant market)

Once a risk assessment is performed, in-house counsel can create a risk profile for each third party to conduct due diligence that matches the risk level and the complexity of the third-party relationship. Third parties should also be continuously monitored throughout the business relationship.

Performing ongoing third party monitoring

In the 2020 edition of the FCPA Resource Guide, the DOJ and SEC emphasized the importance of monitoring third parties during the course of their business relationship with the company. Practical suggestions include:

• Periodically updating initial due diligence results 
• Exercising audit rights
• Providing periodic training to third party relationship managers
• Requesting annual compliance certifications by the third party
• The presence or absence of ongoing third party monitoring will be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.