RISK-BASED DUE DILIGENCE FOR SUPPLY CHAIN VENDORS UNDER THE FCPA

Quick, as the Compliance Professional within your organization, which department or group of your company spends the most money annually? Did Supply Chain immediately come to mind? Probably not. Now just as quickly, how much of your compliance efforts are focused on the Supply Chain within your organization? Other than perhaps financial due diligence, such as through Dun & Bradstreet or quality control through your QHSE group, the Supply Chain probably does not command your Compliance Department attention as do other types of third party business partners such as agents, distributors and joint venture partners. This may be coming to an end as most Compliance Professionals recognize that third parties which supply goods or services to a company should be scrutinized similarly to other third party business partners.
There are several methods that could be used to assess risk in the area of supply chain and vendors. The approach suggested by the UK’s Financial Services Authority (FSA) in its settlement of the enforcement action against the insurance giant AON would refer “to an internationally accepted corruption perceptions index” such as is available through Transparency International or other recognized authority. The approach suggested by the Department of Justice, in Release Opinion 08-02 would provide categories of “High Risk, Medium Risk and Low Risk”. Finally, writing in the FCPABlog, Scott Moritz of Daylight Forensic & Advisory LLC has suggested an approach that incorporates a variety of risk-assessment tools, including, “the strategic use of information technology, tracking and sorting the critical elements”.
This commentary proposes an approach which would incorporate all three of the above cited analogous compliance areas into one risk-based assessment program for supply chain vendors. Based upon the assessed risk, an appropriate level of due diligence would then be required. The categories suggested are as follows:
1. High Risk Suppliers;
2. Low Risk Suppliers;
3. Nominal Risk Suppliers; and
4. Suppliers of General Goods and Products.
A. High-Risk Suppliers
A High-Risk Supplier is defined as a supplier which presents a higher level of compliance risk because of the presence of one or more of the following factors:
1. It is based in or supplies goods/services from a high risk country;
2. It has a reputation in the business community for questionable business practices or ethics; or
3. It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions.
B. Low-Risk Suppliers
A Low-Risk Supplier is defined as an individual or private entity located in a Low-Risk Country which:
1. Supplies goods or services in a Low-Risk Country;
2. Is based in a low risk country where the goods or services are delivered, it has no involvement with any foreign government, government entity, or Government Official; or
3. Is subject to the US FCPA and/or Sarbanes-Oxley compliance.
C. Minimal-Risk Suppliers
A Minimal-Risk Supplier is an individual or entity which provides goods or services that are non-specific to a particular job or assignment and the value of each transaction is USD $10,000 or less. These types of vendors include office and industrial suppliers, equipment leasing companies and such entities which supply such routinely used services.
D. Suppliers of General Goods and Products
A Supplier of General Goods and Products is an individual or entity which provides goods or services that are widely available to the general public and do not fall under the definition of Minimal-Risk Supplier. These types of vendors include transportation, food services and educational services providers.