Guidance for your FCPA Programs
On 8 February 2017 the Fraud Section of the US Department of Justice (DOJ) released fresh guidance in the form of its “Evaluation of Corporate Compliance Programs,” a list of the questions that prosecutors will typically ask when assessing a compliance program.
The document contains 46 questions broken down into the following sections:
- Analysis and Remediation of Underlying Misconduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers & Acquisitions
Companies should take the time to review the questions and consider how their compliance programs would stand up in light of them.
Third Party Management
The specific questions that the guidance covers for third party management are as follows:
Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?
Appropriate Controls – What was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?
Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?
Real Actions and Consequences – Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved? Has a similar third party been suspended, terminated, or audited as a result of compliance issues? How has the company monitored these actions (e.g., ensuring that the vendor is not used again in case of termination)?
Under section 4, Policies and Procedures, sub-section b, Operational Integration, the guidance also asks about:
Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?
Vendor Management – If vendors had been involved in the misconduct, what was the process for vendor selection and did the vendor in question go through that process? See further questions below under Item 9, “Third Party Due Diligence and Payments.”
There should be no great surprises here. Essentially, prosecutors are assessing four things: whether an integrated, risk-based approach has been taken to third party management; what controls were in place to manage the risks, and whether they were appropriate to the level of risk; how the risks have been monitored; and what assurance is in place to deal with exceptions.
Given that these are the questions prosecutors will ask in the event of misconduct, now is a good time to review your third party management processes, people and technology. Since the large majority of FCPA enforcement actions (commonly cited as over 90%) involve the conduct of third parties, effective third party management should be a priority.
Consider the following:
- Your third party risk management (TPRM) program should not be an afterthought; it should be part of the organization's overall enterprise risk management process. As such, does your TPRM program allow you to:
- Identify risks
- Assess, evaluate and prioritize risks
- Apply controls
- Monitor and report
- Assure and optimize
- There is a focus on appropriate controls, particularly on contracts as a control mechanism. Do you understand which of your third parties expose you to the greatest bribery and corruption risk? The statistics are instructive: across all FCPA-related enforcement actions filed over the life of the FCPA, the types of third-party intermediary involved in the disclosed bribery offenses break down as follows:
- 79.3% have been Agents/Consultants or Brokers
- 16.22% have been Shell Companies
- 3.7% have been Contractors/Subcontractors
- 0.54% have been Lawyers
- 0.24% have been classified as ‘Other’
(Source: http://fcpa.stanford.edu/chart-intermediary.html)
Contracts with these types of third parties in particular, therefore, should be seen as an important control. You should have clear line of sight on the business rationale for the relationship. You will need clear performance and payment metrics and management – with the ability to track, monitor and manage exceptions. For instance, is your TPRM system integrated with your payment systems to flag payments that could be out of threshold for that provider/type of provider/standard payment history?
- There is an expectation of KYTP (Know Your Third Party): you should understand how these third parties are incentivized, and monitor this against compliance risk. Are your agents' sales targets, for instance, out of kilter with historical targets? Are they more incentivized to enter into an unethical deal or to walk away from it? How is ethical behavior incentivized? Do you embed ethics-based questions in your assessments, and does your due diligence include watch-list and adverse media checks to flag potential past misconduct, with ongoing checks to flag present cause for concern?
- Training features prominently in its own section, Training and Communications. While this centers on internal training, including that of relationship managers, training of third parties should also be an important consideration in your program, especially for your high-risk third parties. Some of our clients are now embedding training and attestation for third parties within the TPRM system during the registration and qualification process. This online training helps to ensure that the third party understands the company's code of conduct and its expectations regarding anti-bribery and anti-corruption (ABAC) and ethical conduct before they are on-boarded, and it provides a clear audit trail of both the training and the attestation.
- The prosecutors also want to know what due diligence processes have been put in place and, importantly, whether they have been acted on. Had red flags already been raised on the third party involved in the misconduct? How was the exception handled? How do you generally deal with exceptions; for instance, has a third party similar to the one involved in the misconduct had a red flag in the past, and how was it dealt with? What the prosecutors will be looking for is how robust your exception management has been: were you aware of red flags or exceptions in the past but turned a blind eye or deemed follow-up unnecessary, or have you had a formal and robust process for remediation and/or termination based on bad conduct?
- For any program, you will need a clear and easily accessible audit trail. If you are unable to clearly track the processes and actions associated with your third parties, this in itself suggests that your third party compliance management is not as robust as it should be.