DOJ and SEC Raising the Stakes on Third Party Risk Management
If you review the last ten years of FCPA enforcement, the unmistakable pattern is rising expectations for corporate compliance programs, particularly for third party due diligence and risk management. Over the course of numerous enforcement actions, DOJ and the SEC have reached the point where they question not just whether due diligence was conducted but the quality of that due diligence.
It is well established that companies have to identify and resolve all red flags indicating a potential risk of corruption, or else suffer the consequences if bribery occurs. DOJ and the SEC expect high quality due diligence reviews and assessments of potential third party intermediaries.
DOJ and the SEC have to be careful here and apply the law fairly in cases where a third party engages in bribery. A post hoc review of a company’s due diligence has to reflect the actual standard for due diligence – “reasonable inquiries.” The danger is that DOJ and the SEC could apply a strict liability formulation and use it to second-guess every exercise of discretion.
To this end, companies have to be mindful of a possible post hoc review by the government, and document their efforts to identify red flags and to resolve those issues before deciding whether to engage the third party. In recent cases, DOJ and the SEC have cited due diligence reviews and relied on failures of judgment to support an inference of corrupt intent.
As companies implement more robust risk management programs, we can expect to see more post hoc analyses and questioning of due diligence programs. Companies have to design their systems in response to this rising expectation.
A growing percentage of companies are implementing automated due diligence systems. A recent NAVEX Global survey showed that over 80 percent of companies have implemented an automated due diligence system.
Even so, companies have to keep building out these systems to ensure they rely on reliable data, identify red flags, and document the resolution of each and every red flag. If a due diligence system is built on these principles, DOJ and the SEC will have a difficult time questioning a company’s decision to engage a third party.
Companies cannot conduct due diligence blindly, documenting each step while avoiding careful analysis of third party risks. The recent Och-Ziff enforcement action underscored this point: Och-Ziff conducted due diligence of the Israeli businessman, DRC Partner, and that review raised serious questions about DRC Partner’s integrity. In fact, DOJ cited the internal disagreement within Och-Ziff management over whether to engage DRC Partner.
The government’s interest in citing internal debates, or the manner and quality of a company’s resolution of red flags, raises some interesting questions. If three officials argue to move forward with a third party and two disagree, can the company move forward, or will DOJ/SEC cite the two opponents as evidence of an “unresolved” red flag?
To the extent the government continues to rely on such evidence, it raises a serious question about unintended consequences. Rather than encouraging robust internal analysis and debate, companies may streamline or modify the internal review function to avoid creating potentially negative evidence about their due diligence programs. By discouraging debate, the government may restrict careful consideration of due diligence factors and decisions.
Third party risk management will continue to be the focus of DOJ and SEC FCPA enforcement actions. Companies have to design their programs in response to increasing scrutiny of third party due diligence reviews. As robust programs are implemented, companies have to be careful how they design, document and analyze specific risk factors.