Entries in Audit Rights (8)
At November’s 32nd ACI Foreign Corrupt Practices Act conference in Washington, DC, the DOJ’s new Compliance Counsel, Hui Chen, emphasized that compliance programs need to be real and not just paper programs.
Companies increasingly understand the importance of strong vendor-compliance programs, but costly enforcement actions stemming from supply-chain mismanagement remain.
Two experts have a few training, monitoring and evaluating tips to share with us.
Our posts about extending codes of conduct to third parties (here and here) attracted some thoughtful comments from readers. We first heard from Pete from DC, an old friend of the FCPA Blog. He helps out whenever he senses we're in over our head. This time he wisely tied the issue of third-party compliance to audit rights. Here's what he said:
Dear FCPA Blog,
I recall the post you did earlier (here) about audit rights - it's bad to have them and not use them if something pops up. In regard to imposing compliance requirements, it occurs to me that you have the same issue. The DOJ said in FCPA Opinion Procedure Release 04-02 that part of their expectation is "Independent audits by outside counsel and auditors, at no longer than three-year intervals, to ensure that the Compliance Code, including its anti-corruption provisions, are implemented in an effective manner."
If you extend your compliance program to third parties, you need to have audit rights and the guts to use them. Furthermore, the audit rights can't be limited to financial data relating to the third party's business - it has to be completely "open kimono," with access to the business partner's own compliance policies, contracts, etc. That's a tough sell, but if it's a high-risk country / industry / entity, it may be the only way to truly mitigate FCPA risk.
Pete from DC
Another reader took a darker view -- that is, using third-party compliance to "paper over" red flags that come up with intermediaries. We wouldn't recommend that medicine to anyone, but here's what our reader said about it:
Dear FCPA Blog,
Your post doesn't address one of the main reasons why ethical standards and law compliance provisions are extended to third parties in the first place.
Many times these extensions are made for commercial reasons in the contracts with the third parties. One of the key risk considerations with contracts involves avoiding competing commercial obligations that conflict with a compliance or ethical requirement for the company. For example, this dilemma could arise if there is a red flag that a contractor may be passing on a payment to a foreign official, but there is also a competing contractual obligation to make that payment.
A well drafted contract will provide the company with an "out" if it is concerned that one of its contractors may violate the FCPA or other law even if those laws are not actually applicable to the contractor. Therefore, contracts typically incorporate by reference those requirements where third party contractors can create liability for the company. Besides the FCPA, these can include references to other U.S. laws such as export controls, sanctions and anti-boycott as well as the company's own policies.
It's important to know the commercial as well as the compliance rationale behind the so-called extension. Including these provisions in contracts is a good and increasingly common commercial practice that helps to achieve the long term aims of anti-corruption and other legislation through commercial influence. If the inclusion of these standards results in a greater exposure to the companies who include them, that's definitely a "con" and surely an unintended consequence.
We also heard from Doug Cornelius at the Compliance Building blog. Doug's posts about compliance and business ethics are part of our daily diet. His comment raised a neat point about the dangers of inconsistent standards. He said:
Dear FCPA Blog -
Dealing with key third party vendors is a difficult area. As Rebecca Walker points out (here), there is potential liability if you do it wrong.
I have found the situation where vendors are a bit behind you in their focus on compliance or ahead of you. But since every company has different needs for compliance, you end up with different policies. As a result, you have a battle of policy forms.
There are no easy answers.
I find the first step to be letting your key vendor know that you care about these issues.
Doug Cornelius / Compliance Building
That's some of what we've heard (the printable parts, anyway) on the subject of third-party compliance. The topic stirs plenty of interest, warnings and fear. That makes sense. Most Foreign Corrupt Practices Act offenses involve intermediaries, and yet most executives don't think their companies are dealing successfully with third-party risks. That was the conclusion from KPMG's 2008 Anti-Bribery and Anti-Corruption Survey that we talked about here, and the recent survey by the Society of Corporate Compliance & Ethics. That one found that most companies don't disseminate their internal codes of conduct to third parties or require third parties to certify to their own codes.
So the problem of third party compliance is still looking for a solution.
We always enjoy it when Pete from DC drops by the blog. He's a veteran compliance professional and thinks deep thoughts about the Foreign Corrupt Practices Act. Lately, he told us, he's been thinking about audit rights -- the kind mentioned in our recent post about joint ventures.
Compliance-minded companies, we wrote, make sure they have the right to audit any international joint venture they're part of. It's a basic tool for checking the JV's conduct. If there's even a hint of corrupt behavior, the company can use the audit to learn what's happening, and then respond. We also think the threat of audit scrutiny deters illegal conduct in a joint venture.
But, asks Pete, are audit rights always a good idea? What if you have them and don't use them -- perhaps because digging into the books and records of the JV might offend your partner? Will the unused audit rights expose you to more peril from the Foreign Corrupt Practices Act than not having the audit rights to begin with?
Along those same lines, some companies even say they don't want an FCPA compliance program at all -- not because they intend to violate the law, but because they're afraid they won't consistently do everything their program requires. Lax administration, they reason, would aggravate their problems should an offense happen, because the feds might interpret their sloppy housekeeping as evidence of intent to break the law all along.
We don't know any cases that answer the question and neither does Pete. But a Justice Department Opinion Procedure Release is helpful. It's Release 2001-01 from May 24, 2001. We wrote about it last year in a post called The Requestor's French Dilemma.
The Requestor in the Release was a U.S. company forming a joint venture with a French partner. There were doubts about how the French partner landed some of its contracts, so the Requestor kept the right to terminate the JV if the French partner breached the compliance warranty. But the right to terminate only kicked in if the breach caused a “material adverse effect” on the JV's business.
The Justice Department wouldn't endorse the termination clause. The "material adverse effect" threshold, the DOJ said, could result in the Requestor being stuck in a JV that was violating the FCPA but not doing material harm to its business. (In fact, a bribe that violates the FCPA by obtaining or retaining business would help the JV, at least until the DOJ or another regulator throws the book at it.) The DOJ said if the Requestor couldn't exit the JV unconditionally after a compliance breach, then continuing in the partnership could constitute "acts in furtherance of original acts of bribery by the French company, [for which] the Requestor may face liability under the FCPA."
What does the Requestor's French dilemma mean? That joint-venture compliance has to be proactive. A company can't let itself become a passive participant in FCPA offenses -- including those caused by a partner, agent or other intermediary. Having, and using, audit rights is a proactive way to determine for certain whether a joint venture is complying with the FCPA. And determining if there's a compliance problem is the first step to avoiding liability for it.
We could add arguments and illustrations from the Federal Sentencing Guidelines, the DOJ's Criminal Resource Manual for U.S. Attorneys, numerous deferred and non-prosecution agreements, and other Opinion Procedure Releases. But here's the bottom line: An active approach to compliance -- in a joint venture or otherwise -- is always the better option. An effective compliance program requires audit rights for international joint ventures and the exercise of those rights when necessary.
International joint ventures bring very high risks under the U.S. Foreign Corrupt Practices Act. Unreliable partners -- those who might pay bribes to foreign officials to help the business -- need to be spotted early and either avoided or controlled. Like any courtship and marriage, the process of finding and keeping a suitable joint venture partner involves lots of work (and a dash of luck). The work part should be reflected through an effective compliance program aimed at managing the risks. Here, for example, are five (of many) joint venture-directed compliance elements:
1. Due Diligence. Take all necessary and prudent precautions through well-documented due diligence to ensure that business relationships are formed only with reputable and qualified joint venture partners.
2. Board or Management Reviews. Examine the suitability of all prospective joint venture partners for purposes of compliance with the Foreign Corrupt Practices Act. Review the adequacy of due diligence performed in connection with the selection of overseas partners, as well as the joint venture's selection of agents, subcontractors and consultants for business development outside the United States. Reviewers should not be subordinate to the most senior officer of the Company's department or unit responsible for the relevant transaction.
3. Compliance Obligations in the Joint Venture Documents. Include in all joint venture agreements representations and undertakings by the joint venture partners, with periodic re-certifications, that no payments of money or anything of value have been or will be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, or candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government or an instrumentality thereof to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the Company is a participant.
4. Audits and Approvals. Retain audit rights over the joint venture. Agree with all partners that the joint venture will not hire an agent, subcontractor or consultant without the Company's prior written consent (to be based on adequate due diligence).
5. Right to Terminate. Make sure all joint venture documents allow for immediate and unfettered termination for any breach of compliance-related obligations.
This list is not exhaustive.
See, for example, U.S. v. Monsanto Company, Deferred Prosecution Agreement, Appendix B, Remedial Compliance Program (January 6, 2005).
View the Monsanto Deferred Prosecution Agreement Here.