Wanted: Third-party management that's truly ‘preventive’

Around 90 percent of all FCPA enforcement actions involve third-party intermediaries. So it's no wonder the DOJ's updated guidance for evaluating corporate compliance programs devotes an entire section to "Third-Party Management."

What is Third-Party Management supposed to do? Most importantly: prevent bribery. For the DOJ, efficiency matters. As the DOJ puts it in one of the "fundamental questions" to ask when evaluating a compliance program: "Does the corporation’s compliance program work in practice? See JM § 9-28.800."

With that in mind, Third-Party Management in a compliance program should be predominantly preventive. That is, it should be designed not only to detect compliance lapses and mitigate them, but also to prevent them, at least to a reasonable extent.

That preventive aspect starts during the evaluation and onboarding of a third party, before any contractual obligations arise, by knowing who the key executives, shareholders and beneficiaries are. From a technical perspective, this early process should result in easy-to-use information, rule-based user authorization, and proper notification functions to facilitate timely and efficient decision making, including a quick-stop feature based on a compliance determination.

Third-Party Management will fall short of its purpose, however, if it's limited to onboarding procedures. Further downstream, a good practice is to flank the contract management with standard compliance clauses and to continuously identify red flags related to third parties arising out of political developments, regulatory changes, and undesirable events.

Moreover, the experience gathered from a business relationship should be reflected and employed in the ongoing operation of the Third-Party Management system. Internal blacklists are as critical as external information sources. In other words, Third-Party Management should be a reliable closed-loop process used for continuous evaluation.

Despite its deep integration into the commercial function, Third-Party Management doesn't need to be burdensome. A team with an interdisciplinary approach can continuously fine-tune the process and increase efficiencies without compromising on the quality of information gathering, evaluation, and mitigation measures.

In fact, a well-designed and operated Third-Party Management system can also be a valuable commercial resource. The data it produces can be strategically mined to help reveal and understand market interdependencies, business vulnerabilities, and risk profiles, while at the same time preventing harm to the reputation and revenue of the company.

Sviatlana Pisaryk is Compliance Manager at Bilfinger SE, a leading industrial services provider that fundamentally transformed its corporate culture and successfully concluded a deferred prosecution agreement with the DOJ in December 2018.

Reader Comments (2)

Great post! However, it may unintentionally exclude the more active audit of higher-risk business partners that at least the US government seems to expect. As an example, see my FCPA Blog post on the 2012 Oracle settlement, Distributor Doldrums...
May 31, 2019 | Unregistered Commenter Pete Viksnins

Don’t forget, while diligence is important and you should certainly know who your third parties are, you may also be fighting overly aggressive but ambiguous privacy laws, including the GDPR. The fact that your intentions are pure may not be a defense to ambitious privacy enforcers. Be sure to work with your privacy experts, but also be aware of the political environment and the need to push back against legal developments that impair corporate self-policing. Cheers, Joe
May 31, 2019 | Unregistered Commenter Joe Murphy