Life Cycle Management of Third Parties – Step 4 – The Contract

This post continues to outline what I believe are the five steps in the life cycle of third party management. Today I will look at Step 4, the contract. However, before we get to the contracting stage a word about what to do with Steps 1-3. You cannot simply obtain the information detailed in these first three steps; you must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, which have appeared, these Red Flags must be cleared or you must demonstrate how you will manage the risks identified. In others words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move onto to Step 4 – the contract. Obviously any commercial relationship should be governed by the terms and conditions of a written contract. Clearly your commercial terms should be set out in the contract. In the area of commercial terms the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

In addition to the above analysis from the compliance perspective, you should incorporate compliance terms and conditions into your contracts with third parties. I would suggest that you begin with some type of compliance terms and conditions template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption.

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12 is found the following language, “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions:

• payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
• the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
• the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
• the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
• remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract.

Based on the foregoing experts and the research I have engaged in, I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant.

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it.

• Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
• Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
• Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
• No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company’s prior written consent (to be based on adequate due diligence).
• Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
• Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
• On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
• Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
• Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years.

Many will exclaim, “What an order, I can’t go through with it.” By this they mean that they do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simply to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum terms and conditions that it has suggested in the various Attachment Cs to the DPAs I have discussed. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator from other third parties who have not gone through the life cycle management of a third party as this series has discussed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

How Cole Porter Informs the Debate: Ethical Compliance v. Legal Compliance

In an article in the October 2011 issue of the ACC Docket, entitled “Who Needs Business Ethics When You’ve Got the Law on our Side?”, author James Nortz explores the question, “What good is this business ethics crap when there’s a law for everything?” While perhaps phrased in a different manner, most lawyers were certainly trained in law school to focus on the question of whether something was ‘legal’ in performing an analysis of whether a client could engage in some action. Lawyers were generally not trained on whether a client should engage in some action. Nortz looks at some of the differences.

Nortz frames the question more along the lines of “let the law be your guide” and recognizes this approach has “a certain simple, minimalistic, free-market appeal, avoiding messy questions regarding whose sense of right and wrong will prevail.” Within the Foreign Corrupt Practices Act (FCPA) compliance world this approach can be shown by contrasting the examples of the requirements of the Us Sentencing Guidelines and the Department of Justice’s best practices compliance program as set out in various Deferred Prosecution Agreements (DPAs) over the past 14 months.

USSG’s 7 Elements of an Effective Compliance Program	Panalpina DPA Best Practices  Compliance Program
1. Standards and procedures to prevent and detect criminal conduct.	1. Clearly articulated and visible compliance program.
2. Leaders understand/oversee the compliance program to verify effectiveness and adequacy of support, specific individuals vested with implementation.	2. Sr. management’s strong and explicit visible support.
3. Deny leadership positions to people who have engaged in misconduct.	3. Develop and promulgate compliance standards and procedures governing gifts, hospitality, travel, etc.
4. Communicate standards and procedures of the compliance program and conduct effective training.	4. Risk assessment as basis for standard and procedures.
5. Monitor and audit, maintain reporting mechanism.	5. Annual review of program.
6. Provide incentives; discipline misconduct.	6. Assign responsibility to one or more senior corp. execs for implementation and oversight; directly reporting to the BOD; adequate level of autonomy and sufficient resources.
7. Respond quickly to allegations and modify program as required.	7. System of financial and accounting procedures.
	8. Effective communication and periodic training and certifications.
	9. System for guidance, confidential reporting and response.
	10. Disciplinary procedures.
	11. Agent and business partner due diligence.
	12. Agent and business partner agreements.
	13. Period review and testing of standards and procedures.

A review of the above shows additional detail in the Panalpina DPA best practices compliance program. Simply following the law in the FCPA context will not provide a company with the detail which a compliance program should sustain to adequately protect a company. Nortz also notes that an approach of “let the law be your guide” will also fail because “it implies, in the absence of a definitive rule that anything goes” (and here he is NOT referring to the Cole Porter revival.)

Nortz concludes by noting that a more rounded ethical approach will not only prevent more absurd results but provide for greatly employee productivity and more loyalty from third parties, whether those third parties are customers, agents or vendors. While noting what may seem like the obvious, that business professional must take ethical obligations into account, lawyers must remember that simply complying with legal compliance is not always sufficient.

————————————————————————————————–

Please join Mike Volkov, Stephen Martin, Jim Feltman and myself on Oct. 6 in NYC for a presentation on ” The Gathering Storm: Anti-Corruption Compliance for Private Equity and Hedge Funds”. The presentation is hosted by World Check and Ethisphere and the event is complimentary. More information and registration details can be found at http://ethisphere.site-ym.com/events/event_details.asp?id=179863. If you are in the NYC area I hope you can attend.

————————————————————————————————–

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011