Third Party Agents: What Kind of Due Diligence
While on Vacation, I am re-posting some earlier postings which you may find interesting.
Almost all FCPA enforcement actions involve the failure of a company to adequately screen or prevent a third-party agent from bribing a foreign official. The company’s relationship with the third-party agent is where the rubber hits the road: economic pressure to use the agent is strong when the agent can get the company the contract, and compliance officers know that third-party agents are the ones most likely to bribe a foreign official to win a contract, obtain a license, or secure a regulatory permit. In the absence of a company’s systematic failure to comply with the FCPA, companies need to focus on third-party agent relationships and laser their compliance efforts to make sure they do not cross the FCPA boundary.
Too many articles about this issue have been written without focusing on the structural question that needs to be answered: who in the company is going to be responsible for reviewing the creation or the renewal of a company’s hiring of a third-party agent? This does not mean for each transaction, but for the relationship itself. Where is the responsibility going to reside, and how will it be exercised? What procedure will be used to ensure that due diligence reviews are completed in a timely manner?
Depending on the size of the company and the overall structure, our response is “aim high” within the organization – meaning the parent company’s compliance office or general counsel’s office should have overarching responsibility to review and approve each and every third-party agent relationship. Once the relationship is approved, then subsidiary counsels can take responsibility for reviewing individual transactions with that particular agent. A centralized framework means consistent standards for review, information to be reviewed and overall approval process. Not that one-size-fits-all is always the way to go, but a consistent review process is critical to protect against varying standards across an organization.
In addition to a centralized review process, steps must be taken to break down information silos among company components or subsidiaries so that timely and accurate information is gathered for review. Sales people will ignore the process if it takes too long. If it can be done quickly and reliably, sales and reviewing personal will adapt, particularly once they start to learn what criteria are applied in the review process and what information is needed for such a review.
Once your procedure has been established, a company should tailor monitoring and training to match the structure for review. Employees who are going to gather information about an agent, assemble a due diligence package, review an agent contract, and individual transactions all need to be trained. This should be a separate session, program and focus of any training program. And, monitoring of such compliance work is critical.
Finally, once an agent is now representing a company, an ongoing due diligence process needs to be put in place to monitor that relationship going forward. How will the organization know if an agent is being investigated for corruption locally? Or tied to a crime that would put the relationship at risk?
If there is one message that needs to be heard, it is the importance of documenting every step in the process. Information needs to be developed through a checklist of basic items which need to be included in a due diligence package. But do not stop there. Documenting the entire fact-gathering process – information requested but denied, or information which was difficult to obtain, or information which was ultimately secured through extraordinary steps – should all be included in the due diligence package to demonstrate the steps taken by a company to learn what it could about a third-party agent.
There are certain basic issues that every checklist needs to include (see below), but an example of a more detailed checklist can also be accessed here.
— Basic personal information that is confirmed through an identity verification check.
Detailed questions concerning the relationship between the agent and any foreign official, including relatives and distant connections, business connections, and focusing on relatives or even friends responsible for the government’s purchasing or licensing process.
— The agent’s prior history or allegations of illegal conduct, bribery, fraud or other economic or regulatory violations.
— The specific nature of the agent’s proposed services and the compensation for such services: What exactly is the agent proposing to do, how will he/she do it, and what is the price for such services?
— The specific manner in which the agent is requesting to be paid: obviously, payments through intermediaries, out-of-country bank accounts, and other questionable schemes need to be flagged and investigated, and potentially altered.
— Confirmation that the agent will agree to an FCPA compliance warranty in the contract, along with an inspection right for the company to audit the agent’s books.
The checklist needs to be tailored to the particular circumstances, so developing a standardized form is not necessarily the way to conduct compliance. Instead, taking a basic set of issues and modifying the checklist to reflect local conditions is a way to ensure compliance is tailored to the specific risk assessment in that country.
Michael Volkov is a partner at Mayer Brown LLP in Washington, D.C. His practice focuses on white collar defense, compliance and litigation. He regularly counsels and represents clients on FCPA and UK Anti-Bribery Act issues. He can be contacted at [email protected].
Ryan Morgan is an FCPA/Anti-Money Laundering Compliance Specialist from World Compliance, in Miami, Florida. He assists businesses in developing due diligence screening programs and services to ensure FCPA and Bribery Act compliance. He can be contacted at [email protected].