The Same Old Song with a Different Meaning — Third-Party Risks and Sanctions Compliance (Part I of IV)
Sorry to start a four-part series with a reference to music from our long-ago past. The Four Tops sang the “Same Old Song, with a Different Meaning” (released in 1965). So, how does that relate to third-party risks? Well, bear with me here for a little.
Legal and Compliance bloggers, compliance vendors, prognosticators, Compliance Podcasters, and everyone in the Paparazzi have written, spoken, and telepathically communicated about the importance of third-party risk management. It is its own cottage industry and one that has rightfully taken its place at the top of company risk assessments. For years, we heard repeatedly about third-party risks and anti-bribery, the FCPA, the UK Bribery Act and on and on.
With the beginning of the era of the “New FCPA,” as coined by DOJ’s Deputy Attorney General Lisa Monaco, we now need to focus on third-party risk and sanctions enforcement. The law, the practice and the risks are important and not just the same as FCPA legal requirements. As we embark on a new criminal enforcement era surrounding sanctions violations, companies have to address this issue and do it correctly. So, let’s turn to this “Same Old Song, with a Different Meaning.”
Like the FCPA enforcement industry, guidance on management of third-party sanctions risks derives from regulatory guidance and enforcement actions, most of which have been generated by OFAC civil enforcement actions.
DOJ’s sanctions enforcement against companies is relatively limited and there has not been the same level of guidance, but rest assured DOJ is poised to begin aggressive sanctions and enforcement actions. However, DOJ has participated in several important Joint Compliance Notices with its regulatory partners at OFAC and the Bureau of Industry and Security (“BIS”).
Let’s begin with some easy divisions — a company has to begin the process as it would for any other risk, by conducting a risk assessment. OFAC’s guidance, A Framework for OFAC Compliance Commitments, is a document that provides excellent guidance on all facets of an effective sanctions compliance program.
To address a company’s risks, it is good to divide operations into two categories — the distribution side of the business and the supply chain for production purposes. Both need to be defined: on the distribution side, this usually consists of distributors, agents, resellers, dealers, and ultimately the customer; and on the supply side, it requires defining layers of vendors and suppliers, and to the extent possible, all the way to sourcing of materials and goods used to produce items for sale. These tasks, especially on the supply side, are easier said than done — sanctions enforcement can extend to supply chain sourcing and transactions in the supply chain that companies may not be “aware of” or “privy to” (in a legal sense). This is a new and challenging area for companies seeking to implement appropriate due diligence and onboarding controls.
We will break these down into three additional blog posts — one on the distribution side, another on the supply chain side and a final wrap up on best practices for mitigating risk. Frankly, I could devote multiple blog posts to each topic and will try to limit the discussion to precise, focused summaries of law and issues to provide practical guidance.