FCPA Compliance and Ethics Blog

February 1, 2012

Third Party Checkup

In a January 29, 2012 editorial in the New York Times (NYT), entitled “Made in the World”, columnist Thomas Friedman wrote about the end of ‘outsourcing’; his thesis is that the “world is now so integrated that there is no ‘out’ and no ‘in’ anymore. In their businesses, every product and many services now are imagined, designed, marketed and built through global supply chains that seek to access the best quality talent at the lowest cost, wherever it exists.” However, the ‘cheapest’ does not necessarily mean the best for your company.

What are your company’s risks for not knowing who is in its supply chain? Clearly anti-corruption legislation provides remedies for civil and criminal liability. However, equally great may be reputational damage, “even from public investigations into a third party.” Put another way, how do you think the folks at Apple felt when they woke up on the morning of January 25, 2012 to find the following headline on the front page of the NYT: “In China, Human Costs are Built into an iPad”?

In a recent White Paper, entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, authors Marjorie Doyle and Diana Lutz posit that in most foreign business partner relationships, your company will be held responsible for the actions of third parties which work for and with your company. The new global expectation is that “you know who they are, you have vetted them and you are in control of the activities for which you hired them.” They further believe that such is even more important when anti-corruption and anti-bribery laws, such as the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other OECD based legislation, are applicable. They note, “Gone are the days when organizations could wash their hands of liability or damage to reputation from outsourced work due to ethics and compliance failure.”

To help companies navigate through the issues, the authors have prepared a checklist to test an “organization’s health status concerning your relationship to your third parties.” It is as follows:

  1. Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to know which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business? (b) Is the third party’s service performed with little company supervision or oversight? (c) Does the third party have access to any company funds, resources or assets? (d) Can the third party bind the company contractually? (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party.
  4. Once the risk categories have been determined, create a written due diligence process. Here you need a written policy and defined procedures to implement that policy. The policy should include the following: (a) who is responsible for implementation; (b) a list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews with third parties in a high risk category; (f) conflicts of interest checks; and (g) a process for documentation and storage of all of the above information.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? In addition to your standard commercial terms, your third party contract should also include compliance terms and conditions, which should include the following: (a) anti-corruption and anti-bribery certification; (b) a requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) a requirement that the third party obtain pre-approval to subcontract out any of its work for your company; (g) a requirement that the third party report any ownership change back to your company; and lastly (h) clear termination rights.
  6. Is there someone in your organization who is responsible for the management of each of your third parties? Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. You should designate a manager to maintain the third party relationship with your company. Such a relationship manager should maintain and update documentation on the third party, work with Internal Audit to schedule and perform audits, meet regularly with the third party and oversee adherence to the third party’s contract with your company.
  7. What are “red flags” regarding a third party? Red flags are generally recognized as signs or situations which should give rise to further investigation by your company. While there are innumerable questions which can be asked and answered, I believe that red flags generally fall into one or more of the following categories: (a) something seems out of the ordinary; (b) reluctance of the party to supply information, or difficulty in verifying information; (c) the company, services or principals are not verifiable by data, only anecdotally; and (d) a mismatch between the third party’s business experience and the product or services offered. Whatever red flags you list, if they go undiscovered or are left unresolved, the result could certainly be a reputational loss or worse for your company.

Many companies understand the maxim “Know Your Customer (KYC)”; nevertheless, in today’s global economy this maxim may well need to be expanded to “Know Your Third Party”. The authors conclude by agreeing with Thomas Friedman’s observation in his Op-Ed piece “that there is no ‘out’ and no ‘in’ anymore” and that “the rule is: Source everywhere, manufacture everywhere, sell everywhere.” However, this opportunity brings potential costs with it. Your company should “apply the same rigor in selecting, training and managing third parties” as it does for its own employees. A good place to start is with a third party checkup.

Episode 29 of This Week in FCPA is up. Howard Sklar and I visit with the winning defense lawyers in the O’Shea case.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012
