2016 was a banner year for global anti-corruption enforcement: the U.S. government set records in terms of both the number of FCPA actions brought and the total dollar amount of related fines.
Meanwhile, governments from around the globe—including the United Kingdom and Brazil—brought high-profile actions as well. And 2017 got off to a similar record-breaking start in January.
One feature of several of the most high-profile of these actions—such as the enforcement actions against Rolls-Royce and Och-Ziff, and the recent announcement by Panasonic about an investigation—is a reminder, if any were still necessary, that using third-party intermediaries in foreign markets remains fraught with the potential for illicit conduct.
Indeed, “Third-Party Management” is one of 11 key topics included in DOJ’s recently released guidance on how to evaluate corporate compliance programs.
While engaging and relying on the services of third-party intermediaries may be necessary in some industries and locales, it is vital that companies that do so ensure that they are conducting an appropriate level of due diligence on these intermediaries. Moreover, the due diligence that is performed cannot—or should not—be a “cookie cutter” approach.
Rather, the due diligence must be targeted to the industry and market in question and should seek to identify whether the intermediary has a reputation or history of engaging in corrupt or unethical activity or has any connection to the foreign government. And while public records research is a must, in many jurisdictions the company will also want to conduct targeted and discreet source inquiries, which will require on-the-ground knowledge and a network of sources.
Of course, as the DOJ guidance also makes clear, conducting robust due diligence on third-party intermediaries is not the only measure that companies should take as they seek to avoid the crosshairs of anti-corruption enforcement agencies—especially as those agencies increasingly work and resolve cases multilaterally.
An effective anti-bribery/anti-corruption (ABAC) posture requires measures that are proactive, reactive, and continuously refreshed and updated.
Proactive. Proactive measures begin with companies’ internal governance related to ABAC issues. Specifically, the company must have established and effective ABAC compliance policies, procedures, training, and internal controls designed to constrain, identify, and/or surface possible ABAC concerns. As with the particular due diligence discussed above, these internal governance measures must be tailored to the particular ABAC risks associated with the company’s size, business model, industry, and geography.
To that end, a critical first (and ongoing) step is to perform an ABAC risk assessment to identify potential vulnerabilities and risk areas, such as within the procurement or accounts payable processes or engaging third parties. The risk assessment will also identify the key areas to test underlying transaction or payment data.
Reactive. Companies must also have the ability to respond thoroughly and effectively to allegations of potential corrupt conduct. The response may range from initiating an internal investigation into whistleblower complaints (and protecting the whistleblower from any retributive actions) to conducting a wider investigation with the support of outside experts, such as forensic accountants and investigators with experience and source networks where the conduct allegedly occurred.
Importantly, such outside experts bring distinct skill sets that complement those of outside counsel which also is engaged to help.
An effective investigation to get to the bottom of what may have happened will be increasingly important as the use of Deferred Prosecution Agreements and tangible incentives for voluntary self-disclosure continue, since companies will want to know if there is any “there” there.
Continuously Updated. International ABAC enforcement regimes’ enforcement priorities and interpretations of key statutory provisions can often change, as do the methods that corrupt actors employ to evade those restrictions. (The crackdown on corporate “donations” to charities linked to government officials and the practice of hiring government officials’ otherwise unqualified relatives are but two examples.) Consequently, the steps companies take to constrain, identify, and remediate possible ABAC violations also cannot be static. Rather, constant vigilance is required.
An effective program thus will repeatedly conduct risk assessments to identify new vulnerabilities and/or risk areas. The program will also refresh the testing performed on relevant transaction and payment data as well as the due diligence performed on critical third-party vendors and/or intermediaries.