Third-party relationships can often create anti-bribery and corruption (ABC) issues for a company engaging the third party. The actions of a third party can be imputed to the engaging party if that third party is deemed to be an agent of the engaging party. Even if the engagement of the third party does not meet the requirements of a principal-agent relationship, improper behavior of a third party on behalf of a company can still expose a company to liability. It is therefore critical that companies perform appropriate due diligence on third parties before engaging them.
In assessing a corporate compliance program, prosecutors will specifically assess whether the company knows its third-party partners’ reputations and relationships, if any, with foreign officials, and the business rationale for needing the third party in the transaction.[1]
Prosecutors will analyze, for example, whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region.[2] “Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.”[3]
A company’s third-party due diligence practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to “detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”[4]
As a first step, the company should collect background information on the motivation to retain the proposed entity or agent (“third-party representative”), including:
- the company’s business need for hiring the third-party representative;
- the process by which the company identified and selected the third-party representative, including who recommended the third-party representative;
- why this particular third-party representative was selected;
- the proposed compensation plan for the third-party representative; and
- what and how much interaction the third-party representative will have with the government.
The company also should request information about the third-party representative, including:
- the name and address of the third-party representative;
- the names of the principal officers, executives, directors, and ultimate beneficial owners;
- whether any such persons have connections (family, business, or otherwise) with any government entities or government officials, or have been charged or convicted of a criminal offense; and
- business and banking references.
Depending on the risk profile of the potential third-party representative and its scope of work, the company should also consider obtaining a third-party due diligence report to confirm the information collected and identify any red flags. Such a report may:
- include information as to whether any owners, principal officers/executives, or directors have any connections with any government, government entities, or government officials;
- identify any litigation involving the third-party representative during the past five years; and
- check press databases and the Internet for negative information.
If there are any connections to a government, government entities, or government officials, the company should seek, through direct discussions with the third-party representative and the individual, to understand the precise nature of the connection and the government official’s position; the extent to which he/she might have occasion or authority to take official action that could affect the relevant business activity; and his/her understanding and willingness to abide by applicable ABC laws and the company’s ABC policies. The company should retain all documents related to the due diligence.
After the due diligence is completed and any identified red flags have been resolved or mitigated, the third-party representative should be engaged pursuant to a written contract. The company should consider obtaining ABC certifications from the third-party representative, as well as including contractual provisions relating to past compliance with ABC laws, audit and termination rights, and indemnification. Based on the due diligence, the company should determine whether it should require that the third-party representative complete ABC training.
Ongoing due diligence
Due diligence is not a one-time static event; rather, it is an ongoing obligation. When, how, and with what frequency the company should renew or refresh due diligence on a third-party representative will depend on the potential risks presented by the relationship. Business managers should alert the company’s compliance department if they learn of changes to the information previously provided in due diligence, or if they learn of red flags. Red flags to be aware of include:
- the third party requests remuneration that is excessive in light of the services provided;
- the third party requests unusual payment terms, such as payment in cash, advance payment, or payment to a bank account in another person’s name or outside the country where the services are performed;
- the third party acts through a complex corporate structure that could be used to hide its identity, such as an offshore company, and there is no apparent justification for the use of the complex structure;
- the third party requests that the company prepare false invoices or otherwise falsify documentation;
- the third party refuses to provide information requested for due diligence and does not present a good faith justification;
- the customer or other decision-maker recommends or requires that the company use the third party;
- a government official has a direct, indirect, or beneficial ownership interest in the engagement (excluding ownership in publicly traded shares purchased in the ordinary course of business) or may otherwise be involved commercially in the engagement; and
- a government official or government instrumentality involved in the relationship has a reputation for corruption.
[1] Memorandum, Evaluation of Corporate Compliance Programs (updated June 2020), at 7.
[2] Memorandum, Evaluation of Corporate Compliance Programs (updated June 2020), at 7.
[3] Memorandum, Evaluation of Corporate Compliance Programs (updated June 2020), at 8.
[4] Memorandum, Evaluation of Corporate Compliance Programs (updated June 2020), at 8.