OCEG on Third Party Anti-Corruption Due Diligence

My grandfather was a comic book collector. He collected all kinds and types of comics, from super-heroes to the Archie series. One of the series that he collected that I still think about from time-to-time was Classics Illustrated. Classics Illustrated was a comic book series featuring adaptations of literary classics which began publication in 1941 and finished its first run in 1971, producing 169 issues. I won’t divulge how many classic novels that I read in such fashion as a youngster but I will say that that group is the only set of magazines and comics that I collected in the 60s of which I still have a complete set.

There is another illustrated series which may be of more use to the modern day compliance practitioner which can be found in Compliance Week Magazine. In the February 2012 edition OCEG President Carole Switzer continues her series on an illustrated six-part anti-corruption program. In this issue she focuses on third party due diligence. She begins by noting that one of the surest ways to develop and strengthen your anti-corruption compliance program, whether based upon the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act is to discover “what you do not understand about the third-parties who help you to do business abroad.” She explains that if your company does not “expand its knowledge of activities of your business partners,” the Department of Justice (DOJ) or UK Serious Fraud Office (SFO) may well do so for you in an enforcement action. Switzer provides a six-step process with a nifty diagram attached to the article.

1.  Define

To begin you should define your objectives and then design your process. This should include all forms that you will use including questionnaires, background checks, references and certifications. You should also delineate your process to review and clear any Red Flags which may arise in the process.

2.      Collect Initial Data

This step should begin with a country review to make an initial determination of risk of corruption. You can use the Transparency International (TI) Corruption Perceptions Index (CPI) or similar resource. Determine how you can make real-time checks, whether through a third-party software provider such as World Compliance or other mechanism for initial due diligence. You will also need to collect data directly from the proposed third party business partner in the form of a questionnaire or other document. There should also be an initial discussion of the “nature, scope and intended relationship” with the third party.

3.  Assess

Under this step, Switzer believes that you should initially set up categories for your third parties of high, moderate and low. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

4.      Approve/Deny/Approve with Condition

Under this step you should establish business rules and process triggers to “facilitate control and monitoring throughout the life of each contract.” As the risk level increases you should apply more stringent controls on the third party. This would also include more intense monitoring of the relationship on an ongoing basis.

5.      Train/Control

Your company should establish anti-corruption training for each risk level of third party with which you do business. You should administer the training, whether live, computer based or webinar, for different third party audiences “taking cultural issues into consideration and addressing role-specific needs.” You should assess and certify the results of your training or certify third party awareness through its own training program. Lastly the “control” portion of this step relates to compliance terms and conditions, which should be included in any written agreement with your third party.

6.      Monitor/Review

Switzer ends her six-point program by noting that you should “establish monitoring and re-approval requirements for each risk level.” There should be continued contact and monitoring by a combination of business unit sponsor and trusted outside professionals. There should be mandatory re-approval at fixed points as well as an action plan to address any red flags which might arise during the relationship.

I find the OCEG Anti-Corruption Illustrated series to be a very useful tool to help visualize the compliance process. While not in the same league as Classics Illustrated they certainly are a useful tool for the compliance practitioner. I would urge you to visit the OCEG website for their series and many other useful tools.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012