Keeping Track of Third Party Risks – Bribery and Sanctions
We have heard it over and over, again and again – third parties pose significant risks of bribery for all global businesses. Almost every FCPA enforcement action includes some form of third-party misconduct. The current picture from the Stanford FCPA Resource confirms the story.
A cottage industry of automated platforms, data analytics, due diligence and monitoring strategies has grown around third-party bribery risk. Companies have designed and implemented innovative risk mitigation strategies, built on automated platforms and including new monitoring and measurement protocols to test financial transactions and identify other potential risks stemming from third-party business interactions in risky countries.
Third-party risks, however, have grown exponentially with the addition of economic trade sanctions risks. The Department of Treasury’s Office of Foreign Assets Control (“OFAC”) and the US Department of Justice have been pursuing aggressive civil and criminal prosecution of OFAC sanctions violations involving third-party misconduct.
Just as in the case of third-party bribery schemes, in the OFAC sanctions context, third parties that resell goods and services to prohibited entities and individuals and to end users in prohibited countries create significant enforcement risks. Combining third-party risk mitigation strategies to include bribery and sanctions risk is a basic compliance program requirement.
OFAC’s reach to third-party liability is well established. Companies can be held liable for sanctions violations when they ship a product to a third party in another country and know or “have reason to know” that the third party intends to reship the product to a prohibited country, or a prohibited entity or individual. In 2018, in the Epsilon case, the U.S. Court of Appeals for the District of Columbia Circuit affirmed OFAC’s use of this standard.
An interesting aspect of this standard is that the US government is not required to establish that the goods actually ended up in the prohibited country or were delivered to the prohibited entity or individual. Instead, the Court of Appeals stated that the company has to have “reason to know” that the third party intends to ship the goods to a prohibited country, entity or individual.
In the Epsilon case, the government did not cite any evidence that the goods shipped by the defendant were in fact transported to Iran, and instead relied on evidence on the distributor’s website indicating that the third party, through an affiliated entity, distributed the goods in Iran, a prohibited country.
As explained by the US Court of Appeals, the “reason to know” requirement can be established through circumstantial evidence, including “course of dealing, general knowledge of the industry or customer preferences, working relationships between the parties, or other criteria far too numerous to enumerate.”
This principle was reaffirmed in the NewTek sanctions enforcement case, which was resolved this year. NewTek’s violations arose from its sales to foreign third-party distributors of goods that it knew or had reason to know were intended for a reseller in Iran.
To address these combined risks, global companies have to conduct careful due diligence of distributors or agents who plan to resell products or services. The due diligence has to focus on information suggesting that the third party may conduct business in a sanctioned country. In addition to robust due diligence, global companies need to include representations and warranties covering compliance with all OFAC sanctions restrictions, end-user certifications, and delivery (or confirmation) of appropriate training on sanctions compliance. Finally, from a practical standpoint, global companies have to monitor sanctions compliance by sampling transactions to confirm end-user locations, documentation and shipping information.