Richard L. Cassin Publisher and Editor

Andy Spalding Senior Editor

Jessica Tillipman Senior Editor

Elizabeth K. Spahn Editor Emeritus

Cody Worthington Contributing Editor

Julie DiMauro Contributing Editor

Thomas Fox Contributing Editor

Marc Alain Bohn Contributing Editor

Bill Waite Contributing Editor

Shruti J. Shah Contributing Editor

Russell A. Stamets Contributing Editor

Richard Bistrong Contributing Editor 

Eric Carlson Contributing Editor

Bill Steinman Contributing Editor

Aarti Maharaj Contributing Editor

FCPA Blog Daily News

« Dear OFAC, How do I get off the sanctions list? | Main | Elizabeth David-Barrett: Pharmas and the repeated failure of anti-bribery compliance »

Tom Fox on third parties: A check up from your desktop

When was the last time you did a third-party program check-up? Not a full review of all your third parties but something you can perform on a quarterly, semi-annual or annual basis with desktop tools available to you or your compliance team.

I suggest that a more ongoing, holistic review of your third parties can help you to spot issues before they become concerns, problems, compliance program violations or FCPA disruptions.

1. Change in business ownership or key personnel. While you probably have mandated that should there be any ownership change in a third-party relationship, your company be notified, when was the last time this was tested? Often key personnel join with or depart from a business but counter-parties with a contractual right to be made aware are not notified. Here your Relationship Manager should keep abreast of any changes to leadership or other important contacts and report to compliance. You may need to perform new or additional due diligence.

2. Change in entity status. While not as significant as a change in personnel, it is also important as it may signify new parties or persons are now involved with the third party. It may well require a new round of due diligence. If there is a business reason for the entity change, your Relationship Manager should be made aware of the business justification. The compliance and legal function should determine what impact, if any, such a change would have on your contract, your organization and your compliance efforts going forward.

3. Existing contracts. First and foremost, do you have contracts with every third party and are they filed or electronically stored in a place from which they can be retrieved. This may sound too basic but I have worked in corporate legal departments where this was a significant issue. You should review the contracts to see if the compliance terms and conditions need to be updated.

4. Website review. When was the last time you reviewed a third party’s website? Shell company specialist Ryan Hubbs has consistently maintained an unprofessional designed, non-updated and inaccurate website are key indicia of a shell company. While this review was most probably accomplished in the due diligence process, has it been updated? If so, when?

*     *     *

Obviously, this list is not all-inclusive but they are some of the steps you can use in an ongoing third party monitoring program. Moreover, they can all be accomplished from your desktop. Finally, by using such techniques you can further work to operationalize your compliance program.


Tom Fox is a Contributing Editor of the FCPA Blog. He has practiced law in Houston for 30 years. He's the creator of the award winning FCPA Compliance and Ethics website. He is the Compliance Evangelist. His best-selling seminal book, "Best Practices Under the FCPA and Bribery Act: How to Create a First Class Compliance Program” (available from Amazon here) is widely viewed as one of the top volumes on the nuts and bolts of compliance.