FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report






All Episodes
Now displaying: April, 2017
Apr 28, 2017

In this episode, Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. Trump’s First 100 days end with a decided wimper. What does it mean for compliance?
  2. Novartis gets into corruption trouble in South Korea. See article in FCPA Blog.
  3. Shell and ENI are in a big corruption mess in Nigeria. See Tom’s article in the FCPA Blog.
  4. United Airlines tries to clean up its act. See articles in the New York Times and Wall Street Journal.
  5. Jay reports on the ECI conference and tells us what’s in his coloring book.
  6. Tom details his speaking engagements in May. For details and registration information click here.
  7. KBR under investigation by UK SFO for allegations around the company’s use of Unaoil. See article in the Wall Street Journal.
  8. Listeners to this podcast can received a discount to Compliance Week 2017. Go to registrationand enter discount code CW17TOMFOX.
  9. Jay previews his weekend post, which is now up, "It Was the Best of Times, It Was the Worst of Times" or "Ignorance is Strength"
Apr 28, 2017

I end this one month series by taking things a different direction. Today I do not focus on third party risk management but on third parties as a compliance innovation source for your organization. It is universally recognized that third parties are your highest Foreign Corrupt Practices Act (FCPA) risk. What if you could turn your third party from a liability under the FCPA to an innovation partner to your compliance program? This is an area that not many compliance professionals have mined but once again in compliance, you are only limited by your imagination. 

In an article in Third Party Management Review by Jennifer Blackhurst, Pam Manhart and Emily Kohnke, entitled “The Five Key Components for Third  party Innovation”, the authors asked “what does it take to create meaningful innovation across third party partners?” One reason compliance innovation with third parties can be so power is that it cannot only affect costs but can move to gain a competitive advantage. To do so companies need to see their third parties as partners and not simply as entities to be squeezed for costs savings. 

Their findings identified five components common to the most successful innovation partnerships. They are: “(1) Don’t Settle for the Status Quo; (2) Hit the Road in Order to Hit Your Metrics; (3) Send Prospectors Not Auditors; (4) Show Me Yours and I’ll Show You Mine; and (5) Who’s Running the Show?” 

Don’t Settle for the Status Quo 

This means that you should not settle for simply the status quo in compliance. Innovation does not always come from a customer or even an in-house compliance practitioner. Here the key characteristics were noted to be “cooperative, proactive and incremental”. You need to be leading the compliance innovation discussion rather than falling from behind. If a third party can suggest a better method to make compliance more efficient or cost effective, particularly through a technological solution, it may well be something you should consider. 

Hit the Road in Order to Hit Your Metrics 

To truly understand your compliance risk from all third parties, you must get out of the ivory tower and hit the road. This is even truer when exploring compliance innovation. You do not have hit the road with the “primary goal to be the inception point for innovation” but through such interactions, innovation can come about organically, as a part of your ongoing third party relationship. There is little downside for a compliance practitioner to go and visit a third party and have a “face-to-face meeting simply to get to know the partner better and more precisely identify that partner’s needs.” 

Send Prospectors Not Auditors 

While an audit clause is critical in any third party contract, both from a commercial and FCPA perspective, this exercise should be considered as such. You can establish a point of contact as an innovation manager for your third parties” Every third party should have a relationship manager, whether that third party is on the sales side or the Supply Chain side of the business. Moreover, the innovation partners are “able to see synergies where [business] partners can work together for the benefit of everyone involved.” 

Show Me Yours and I’ll Show You Mine 

As with all relationships, trust plays an important role in third party compliance innovation, as “Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.” The authors believe that “Through the process of developing trust, firms understand their partner’s strategic goals.” I cannot think of a more applicable statement about FCPA compliance. Another way to consider this issue is that if a third party partner has trust in you and your compliance program, they could be more willing to work with you on the prevent and detect prongs of compliance regimes. Top down command structures may well be counter-productive. 

Who’s Running the Show? 

This means “who is doing what, but also what each firm is bringing to the relationship in terms of resources and capabilities.” In the compliance regime, it could well lead to your third party taking a greater role in managing compliance in a specific arena or down a certain set of vendors. Your local third  party might be stronger in the local culture, which could allow it to lead to collaborations by other vendors in localized anti-corruption networks or roundtables to help move the ball forward for doing business in compliance with the FCPA or other anti-corruption laws such as the UK Bribery Act. 

The authors ended by remarking, “we noticed that leveraging lean and process improvement was mentioned by virtually every firm.” This is true in the area of compliance process improvement, which is the essential nature of FCPA compliance. Another interesting insight from the authors was that utilization can increase through such innovation in the third party. Now imagine if you could increase your compliance process performance by considering innovations from your third parties? 

The authors conclude by stating that such innovation could lead to three “interesting outcomes (1) The trust and culture alignment is strengthened through the partnership innovation process leading to future innovations and improvement; (2) firms see what is needed in terms of characteristics in a partner firm so that they can propagate the success of prior innovations to additional partners; (3) by engaging third party partners as innovation partners, both sides reap rewards in a low cost, low risk, highly achievable manner.” With some innovation, you may well be able to tap into a resource immediately available at your fingertips, your third party. 

Three Key Takeaways

  1. Use your third parties as innovators to assist your compliance program.
  2. Change your thinking about third parties and make them your partners.
  3. Do not settle for the status quo. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for

Apr 27, 2017

In this Part I of a two part series recorded at this month's European Compliance and Ethics Institute in Prague, Roy Snell discuss the DOJ's Evaluation of Corporate Compliance Programs in the context of cavemen and Plato's Analogy of the Cave. We review some of the new information and Roy discusses how it is a compilation of many differing strands of compliance thought over the past 20 year. We then discuss the HCCA-OIG Resource Guide on Measuring Compliance Program Effectiveness. As always we go off on tangents and dive deeply into issues relating to the the compliance profession. 

Apr 27, 2017

One of the areas many companies do not focus on enough is possible corruption in their Supply Chain (SC) for goods and services provided on a company’s behalf. The FCPA risks can be just as great through those entry points as it can be through the sales side of an organization. You need to know who your company is doing business with through the SC as much as you need to know your agents seeking business opportunities on your behalf. 

As most companies have exponentially more vendors than sales agents, this task may seem daunting. However a well thought plan to risk rank your company’s third parties on the SC side can go a long way towards ameliorating this issue. The key is to set reasonable parameters and then management those third parties which present true corruption risk to your organization.

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, such factors as whether the supplier is (1) located, or will operate, in a high risk country; (2) associated, or recommended or required by, a government official; (3) currently under corruption investigation, or has been recently convicted of any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls; or (5) a provider of widely available services and products that are not industry specific. You should note that any supplier, which has foreign government touch points, should move up into a higher level of scrutiny. 

My suggestion is that you create a three-tiered matrix for SC risks, with the three levels consisting of (1) High-Risk Suppliers, (2) Low-Risk Suppliers, and (3) Minimal Risk Suppliers. Below this final category is another category for providers of goods which are commonly available and pose almost no corruption risk. 

A High-Risk Supplier presents a higher level of compliance risk because of the presence one or more of the following factors: (a) It is based or operates in a country that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct. Other factors you may wish to consider include some or all of the following: (1) the Supplier is located in a country that has inadequate regulatory oversight of its activities; (2) the Supplier is in an unregulated business; (3) the Supplier’s ultimate or beneficial ownership is difficult to determine; (4) your company has an annual spend of more than $100,000 with the supplier; (5) the Supplier was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) the Supplier is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering (AML) and anti-terrorism laws comparable to those of the US and UK; or (7) the Supplier lacks a discernable and substantial business history. 

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $1,000,000 with the supplier; and (3) the supplier is not involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under FCPA or similar law.  

Below the high and low risk categories I would add two other categories of suppliers that present very low compliance risks. The first is ‘Minimal-Risk Suppliers’ which generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is USD $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. It may also include legal services from professional firms that are approved and overseen by a company’s Legal Department; Investigative services from professional firms that are approved and overseen by a Legal Department and that do not interact with government agencies on behalf of a company; and Accounting and financial services from professional firms that are approved and overseen by a company Finance Department or Audit Committees and that do not interact with government agencies on behalf of a company. 

Finally, are the category of third parties that provide widely available services and products, ‘Common Product and Services’, that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier. These include, among others, wide circulation newspapers, magazines, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services. These third parties raise even less than Minimal Risk to a company, especially when their services and products are provided in a non-high risk country. Suppliers in this category require no FCPA due diligence. 

You need to risk rank your third parties which your company might engage through your SC for FCPA exposure. It should be based on your company’s experience and risk going forward. As with all other third party risk management issues, you must document, document, document. 

Three Key Takeaways

  1. Risk rank you supply chain based well-conceived strata.
  2. Consider not only the compliance risk but also your business risk.
  3. Only manage those suppliers which present a corruption risk. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to






Apr 26, 2017

The Foreign Corrupt Practices Act (FCPA) world is littered with cases involving freight forwarders, brokers and agents in the shipping and express delivery arena. Both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have aggressively pursued third party business relationships where bribery and corruption have been found. This is particularly true where companies are required to deliver goods into a foreign country through the assistance of a freight forwarder or express delivery service. There are several major risk points. These include:

  • Location, location, location;
  • Customs and other governmental agencies;
  • Aviation and postal regulators;
  • Business promotion expenditures for governmental officials;
  • Agents and sub-agents; and
  • Government accounts are a major part of express shipper customers so must analyze this as well.

How can a company respond to protect itself or at least reduce its potential FCPA risk with regarding to a logistics company, freight forwarder or express delivery company? Obviously having a thorough risk assessment program and due diligence program are critical. After determining risk, move to perform due diligence based upon this risk. However, there are some general questions that you should ask, both internally and to your prospective vendor.

  1. Relationship. What is your relationship with the third party? Is it purely arms-length? Is it sales agent making a solicitation? Is it a consortium, which may be a lower risk? Is it partnership of JV, if so what is your control? Is it subcontractor or supplier? All of these have different risk levels.
  2. Business Formation. What is the character of the third party? Is it a US based company, is it subject to a robust national compliance law? Is it private/public? Who else do they represent? Length of time in business? Who are the principals and are they governmental officials?
  3. Compensation. How do you compensate the third party? Is it bonus-based paid at the conclusion of a transaction? Will the representative have an expense account? If so how is it given to them, for instance will you pay on a lump sum v. verified expenditures? How will they be paid, local currency into a bank account, cash or check? What is the level of compensation? Are you over-compensating based upon the market; you are taking a chance that the third party could share it with others.
  4. Location. What is the geographic location and is it one of the usual suspects on the Transparency International Corruptions Perceptions Index (TI-CPI)?
  5. Industry. What is the industry or sector that you are engaged? This can be significant because certain industries/sectors such as infrastructure, medical industry, defense contractors are facing increased DOJ/SEC scrutiny.
  6. Process. What is the process by which the business opportunity arose? What is the bidding process? Who invited you? Is it an open bid? Did you respond to an RFP? Did you compromise you own standards to bid? Is there a mandated partner assigned by the foreign government?

After you ask some of these questions, investigate your risks and evaluate them; you should incorporate these findings into a contract with appropriate FPCA compliance terms and conditions. This contract should announce to your to third party freight forwarder/express supplier of your expectations regarding their compliance program. Your contract should also allow for management of the compliance relationship. Your contract should require training and certification by verified provider or by your company. Your company’s Relationship Manager should ensure the third party’s compliance with your company’s anti-bribery compliance program.

James Min, Vice President, Int'l Trade Law & Global Head of Trade Law Practice Group at DP-DHL Legal Department, developed a risk matrix for the freight forwarders/express delivery industry. In this Min analyzes risks by multiplying factors noted herein and thus scoring. This model shows that location should not be the sole criteria for risk. The factors in the Min Model are the performance of your company’s customers clearance brokers and how far that performance varies from the norm your company normally receives. In the below chart, +1.00 equals average clearance time. >1.0 equals faster than average and <1 means slower than average.

The Min Model






Variance from

Average Performance

Risk Score

Risk Rank


























The key in this approach is how often the Customs Broker/Express Delivery Service varies above the average for customs clearance times. If the percentage of customs clearance performance is so great that your vendors variance is above 100% most of the time, this could be a Red Flag that bribery or corruption is involved. This should lead to further investigation, due diligence, or asking of questions of your vendor.

Almost every business transaction engaged in by a freight forwarder, express delivery service or customs broker, outside the US involves a foreign governmental official. Every time your company sends raw materials into, or brings them out of, a country there is an interaction with a foreign governmental official in the form of a Customs Official. Every customs transaction involves a payment to a foreign government and every transaction involves some form of a foreign governmental regulatory process. While the individual payment per transaction can be small, the amount of total transactions can be quite high, if a large volume of goods are being imported into a foreign country.

Conversely interacting with international tax authorities can present problems similar to those with customs officials, but the stakes can often be much higher since tax transactions may be less in frequency but higher in financial risk. These types of risks include the valuation of raw materials for VAT purposes before such materials are incorporated into a final product, or the lack of segregation between goods to be sold on the foreign country’s domestic market as opposed to those which may be shipped through a free trade zone for sale outside that country’s domestic market.

If you utilize the services of a third party for any of the transactions listed above, that company’s actions will go a long way in determining your company’s FCPA liability. You must have a thoughtful process and document that process.

Three Key Takeaways

  1. Express delivery services and freight forwarders present unique compliance risks.
  2. There must be a business justification to bring on new express delivery services or freight forwarders in high risk jurisdictions.
  3. Consider the Min Model (or something similar) as your risk matrix in this area.

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to




Apr 26, 2017

In this episode I visit with white collar defense and Qui Tam specialist Joel Androphy about prosecution of whistleblower claims at the federal and state level. Androphy explains what type of evidence is required to file such a claim, have the government take over the action and what a whistleblower may expect. It is a fascinating view from a whistleblower expert counsel at the state and federal level. Joel Androphy can be reached at For more information about his practice areas, including whistleblower claims, False Claims Act lawsuits and Qui Tam claims; check out the firm website at 

Apr 25, 2017

One of the issues in any compliance program is the compensation paid to a third party as FCPA exposure arises when companies pay money - either directly or indirectly - to fund bribe payments.  In the traditional intermediary scenario, the company funnels money to the agent or consultant, who then passes on some or all of it to the bribe recipient.  Often, the payment is disguised as compensation to the intermediary, and some portion is redirected for corrupt purposes.  

When companies grant distributors uncommonly steep discounts, bribes can result either: 1) because the distributor is instructed by the company to use the excess amounts to fund corrupt payments; or 2) because the distributor pays bribes on its own, without the express direction or implicit suggestion from the company to do so, in an effort to gain some business advantage. The 2012 FCPA Guidance, it noted that common red flags associated with third parties include “unreasonably large discounts to third-party distributors”.  The distributor enforcement cases offer lessons to combat the scenario, which is where legitimate companies require assistance.  

How can risk that distributors present be managed?  One mechanism is to install a distributor discount policy and monitoring system tailored to the company’s operational structure.  In virtually every business, there exists a range of standard discounts granted to distributors.  Under the approach recommended here, discounts within that range may be granted without the need for further investigation, explanation or authorization (absent, of course, some glaring evidence that the distributor intends use even the standard cost/price delta to fund corrupt payments).  

Where the distributor requests a discount above the standard range, however, the policy should require a legitimate justification.  Evaluating and endorsing that justification requires three steps: (1) relevant information about the contemplated elevated discount must be captured and memorialized; (2) requests for elevated discounts should be evaluated in a streamlined fashion, with tiered levels of approval (higher discounts require higher ranking official approval); and (3) elevated discounts are then tracked, along with their requests and authorizations, in order to facilitate auditing, testing and benchmarking.  This process also works to more fully operationalize your compliance regime as it requires multiple and increasingly upper levels of management involvement, approval and oversight.     

Capturing and Memorializing Discount Authorization Requests           

Through whatever means are most efficient, a discount authorization request (“DAR”) template should be prepared.  While remaining mindful of the need to strike a balance between the creation of unnecessary red tape and the need to mitigate risk, the DAR template should be designed to capture a given request and allow for an informed decision about whether it should be granted.  Because the specifics of a DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated (e.g., whether as a request from the distributor or a contemplated offer by the company) as well as explain the legitimate justification for the elevated discount (e.g, volume-based incentive).  In addition, the DAR template should be designed to identify gaps in compliance that may otherwise go undetected (e.g., confirmation that the distributor has executed a certification of FCPA compliance).  

Evaluation and Authorization of DARs 

Channels should be created to evaluate DARs submitted.  The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval.  Usually, three levels of approval are sufficient, but this can expanded or contracted as necessary.  Ultimately, the greater the discount contemplated, the more scrutiny the DAR should receive.  Factors to be considered in constructing the approval framework include the expected volume of DARs and the current organizational structure.  The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently. It also mandates the operationalization of this compliance issue into multiple disciplines within your organization. 

Tracking of DARs 

Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied.  This captured data can provide invaluable insight into FCPA compliance and beyond.  By tracking the total number of DARs, companies will find themselves better able to determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to FCPA compliance within the company (e.g., confirming the existence of a completed and approved DAR is an excellent objective measure for internal audit to perform as part of its evaluation of the company’s FCPA compliance measures).  This information, in turn, leaves these companies better equipped to respond to government inquiries down the road. 

Rethinking approaches to evaluating distributor activities is but one of the ways that the increased number of enforcement actions, 2012 FCPA Guidance and Justice Department’s Evaluation of Corporate Compliance Programs document have provided insight into how the government interprets and enforces the FCPA.  This information, in turn, allows companies to get smarter about FCPA compliance.  With a manageable amount of forethought, companies who rely on distributors can create, install and maintain systems which allow them to spend fewer resources to more effectively prevent violations.  Moreover, these systems generate tangible proof of a company’s genuine commitment to FCPA compliance, by more fully operationalizing this aspect of their compliance program.   

Many companies have been involved in FCPA enforcement actions because of distributors. This sales side channel does not receive the focus equal to that of commissioned sales agents. Yet it can present an equally large compliance risk. By using this DAR approach, you will have created a well-thought out process which will operationalize your compliance program around distributor compensation, in a manner which documents your decision-making calculus. 

Three Key Takeaways

  1. The creation of well-thought out process which operationalizes your compliance program around distributor compensation, in a manner which documents your decision-making calculus is key.
  2. Require multiple levels of approval for an out of range distributor discount.
  3. Tracking distributor discounts globally make your company more efficient. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to




Apr 25, 2017

In this episode, Matt Kelly and I take a very deep dive into two recent speeches by Department of Justice (DOJ) Acting Principal Assistant Attorney General Trevor McFadden in which he addressed multiple topics and issues around the Foreign Corrupt Practices Act (FCPA). The first set of remarks were made in Washington DC at the Anti-Corruption, Export Controls & Sanctions (ACES) 10th Compliance Summit (the “DC speech”). The second set of remarks were made at the American Conference Institute (ACI) 19th Conference on the FCPA in New York City (the “NYC speech”). We consider the evolving rationale for FCPA enforcement which has changed in the 40 years since it was enacted, the mandatory corporate response to FCPA compliance requirements, and how McFadden sees Justice Department enforcement of the FCPA going forward in the Trump administration. 

For Matt Kelly blog post on McFadden's remarks, click here. For Tom Fox's segments of a three part series, click here for Part I, Part II and Part III. 

Apr 24, 2017

At some point, you will be required to terminate a third-party and there will be multiple legal, compliance and business issues to navigate going forward. If you are stuck doing it in the middle of a Foreign Corrupt Practices Act (FCPA) or Bribery Act investigation, such as Airbus is currently under with the UK Serious Fraud Office (SFO), there may well be some tension to do so and do so quickly. If you have not thought through this issue and created a process to follow before it all hits the fan, you may well be in for a very tough road. 

The key theme in termination is planning. The Office of Comptroller of the Currency, OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.” 

In an article entitled “Breaking Up Is Hard To Do”, Carol Switzer related how to avoid pain by planning for the end of a third-party relationship. She said it all should begin with “an exit strategy, a transition plan or a pre-nup—whatever the title, it’s best to begin by planning for the end which, in the case of business at least, will always eventually come. Whether due to contract completion or material breach, turning over responsibility to another party, or abandonment of the contracted activity altogether, contract termination is an inevitable phase in the third-party relationship lifecycle.” Planning for the end is important because, “The more long term and layered the relationship, the more difficult it will be to disentangle. The deeper the third-party is embedded in and uses the confidential information of the company and its customers, the greater the risks presented by failing to design a smooth transition process.” 

It should originate with clearly specified contract termination rights but that is only the starting point, “To work out a smooth transition, the plan must also include internal change management processes and policies, designated transition team members, contingencies, and adequate resources and time allowances.” Your corporate values must be protected by “clearly designating the disposition of shared intellectual property and infrastructure assets.” Next you need to think through your transition plan by “ensuring rights to hire or continue use of key contractor employees who have been servicing your account, arranging to bringing new contractors or internal managers up to speed, and filing any regulatory or other required notifications.” Finally, bear in mind that your reputation must be protected during this transition process “by controlling and planning for issuance of public statements and social media postings by terminated contractors or their employees, or the best laid transition plans may be for naught.”

You will also need to consider the business risks around the termination of a third-party, particularly on the sales side of your business. This may mean sitting down with a customer or group of customers to explain the reasons behind the termination. Obviously if your business team has not developed a relationship with the end-using customer, this can be a difficult and very problematic conversation. 

Unless you are exiting a business sector or territory, you will need to replace the third-party. This means going through the entire five-step process with any potential sales agent or representative. Such planning needs to be built into your termination strategy. If the reason for termination is a contract violation or worse a FCPA violation, there may well be other notifications which are required, both internally and externally to government regulators. You have also been under some type of contractual nondisclosure language and so consultation with your legal counsel, once again both in-house and outside, may be required. Finally, never forgot the reputation damage by releasing such information, or conversely not disclosing it. Both sets of reasons may hurt your business reputation as well. 

In addition to the above steps, there are some specific considerations you should take. In the area of data, data privacy and data accessibility, if a third-party has access to your network and systems, such access must be revoked. If your terminated third-party has physical data, you must plan for the return of your data to you in a format that is acceptable to you and is secure. If your data is confidential, you may want to require that it be returned in an encrypted format and via an encrypted channel. You should lay out the time frame for the return of any data. 

Alternatively, you can specify that data be destroyed. If this is the route you take with your third-parties, it should be performed in a way which is secure so the data cannot be reconstructed at a later date, through the use of surreptitiously created backup or duplicate data. You should mandate the third-party provide to you a certificate of destruction that confirms the destruction of your data and the methods used for destruction. Information that must be retained should maintain the data protection requirements currently in place, or stronger if the applicable laws change during the time of retention. 

Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan as well. If you do not, the cost in both monetary and potential business reputation can be quite high. 

Three Key Takeaways

  1. Termination of third parties is an oft-neglected part of the third party risk management process.
  2. Make certain you have the contractual right to terminate third parties written into your standard terms and conditions.
  3. Have a strategy in place for termination before everything hits the fan. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to

Apr 21, 2017

In this episode, Jay Rosen returns from a week’s trip to Walt Disney World. Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. DOJ Criminal Division's Acting Principal Deputy Assistant Attorney General remarks on the FCPA and its enforcement. - See text of speech by clicking here. See Matt Kelly’s blog post by clicking here.
  2. Whistleblowers in the news. See Tom’s article on the Barclay’s CEO and Amtrust in FCPA Blog and on KPMG in Compliance Week. Mike Volkov weighs on whistleblowing as indicia of corporate culture here.
  3. One year reports note that declinations are on the rise under the on the now one-year old FCPA Pilot Program. For Miller & Chevalier report click here (sub. req’d). For the Stanford University FCPA Clearinghouse Report in the Wall Street Journal, click here.
  4. Tribute to Kara Brockmeyer, retiring as head of the SEC’s FCPA Unit. See Tom’s article in Compliance Week.
  5. Jay details his upcoming conference schedule and weekend report on ethics and compliance observations from the Florida version of the Magic Kingdom.
  6. Listeners to this podcast can received a discount to Compliance Week 2017. Go to registrationand enter discount code CW17TOMFOX.
Apr 21, 2017

One area that has bedeviled Chief Compliance Officers (CCOs) and compliance practitioners is how to determine the return on investment (ROI) for your compliance program regarding third parties. While it is still clear that third parties are the greatest risk in Foreign Corrupt Practices Act (FCPA) enforcement actions, senior management often wants to know what is the monetary benefit to the company for this type of risk management. 

When you couple the request for ROI with the recent Department of Justice (DOJ) mandate for the operationalization of your compliance program, as articulated in the Evaluation of Corporate Compliance Programs, it may seem like a doubly daunting task. However the requirement for operationalization of your compliance program actually lends itself to formulating ROI around the risk management of third parties. This is because if you move the third-party compliance into the organization as a business process, with a technological solution, the ROI becomes not only clearer but easier to calculate going forward. 

I recently read a study by Forrester Research Inc., suggested an approach for the anti-corruption compliance practitioner. In this study, Forrester compared the user experience, leading to a finding of a positive ROI for the technology user around third-party risk management. I found the approach and methodology used persuasive and valuable for the compliance professional to consider in evaluating such a process in your organization. 

Some of the key findings readily translate across for the anti-corruption compliance practitioner. The first area was in risk assessments of third parties. If you are able to provide a technological platform, you can enhance both the speed and efficiency of your risk assessments on an ongoing basis. The decrease in time it would take for each risk assessment, both in terms of length and compliance department man-hours will yield an immediate cost saving for your compliance function. 

Consider just two of the steps required in the lifecycle management of third parties, the questionnaire and due diligence. Both steps can be not only labor intensive to complete and analyze but the cycles of time spend sending out a questionnaire, receiving a completed form and then inputting the information into a spreadsheet for manual analysis can be quite time consuming. It usually involves the basic tools of spreadsheets, interviews, Internet searches and additional questionnaires. By tailoring your questionnaire to the specific risk areas and using logical question design you can reduce confusion and therefore decrease the cycle of response time. Additionally, in the final step of managing the relationship there is often not only a dearth of data but usually the data is in such a siloed format that (1) it cannot be utilized between corporate functions and (2) there can be no meaningful comparison across the third parties. Through standardized questions and responses, this data can be compared across the spectrum of third parties. 

In addition to the increased efficiency in the compliance portion of this analysis, by operationalizing your third-party risk management in this manner, you increase business efficiency by bringing in more dollars more quickly for third parties on the sales side. For third parties on the Supply Chain side, the efficiencies turn on your use of their products or services more quickly in business critical elements of your company. Simply put, approving third parties and incorporating them into your business cycle will not only save your money more quickly and efficiently but also make you money more quickly and efficiently.


Using a tool that incorporates Software-as-a-Service (SaaS) platform would also allow a more comprehensive review of data and information for several reasons. Firstly the various types of data is not siloed but stored in a centralized platform. Second, having this type of data allows for not only an ongoing review of each third-party but also allows you to review historical trends. This enables you to move from detection to prevention and possibly even delivery of a prescriptive solution before an issue arises to a full-blown FCPA violation. You would also be able to garner a better understanding of relationships across industry sectors and countries with a bigger picture look.


Obviously you will need to set the parameters for the risks to be assessed but more clearly in the FCPA they deal with third parties who are or who have, as owners, Politically Exposed Persons (PEPs), the inability to account for discretionary funds such as marketing or other expenses was seen in a recent FCPA enforcement action, payments to offshore locations or unusual commission or other payments tied 100% to sales. Not only would your company have more and greater visibility into such issues but the range of third parties you could monitor would increase, perhaps at an exponential rate. As with the cost savings of the initial risk assessment, there would be similar savings for ongoing monitoring in the area of greater efficiency and need for smaller headcount from the compliance function to perform such ongoing monitoring.

The speed and robustness of this database is a key element in operationalizing your compliance program in the area of third parties. The prevent component of any compliance regime is improved as you would have better visibility into potential non-compliant third parties which you may have to discharge. You would also have the ability to work with non-compliant third parties to remedy any issues before they become legal violations and then recommend extra monitoring as appropriate. 

Using the above as a guide the ROI calculation would be something along the lines of the number total number of hours spent on each risk assessment x the total risk assessments performed x the hourly rate of the compliance professional performing the services. So if you spend 20 hours on 50 risk assessments and the hourly rate for your in-house compliance professional is $100, the ROI is $100,000. Now just think of what that number would be around third parties if the SC third parties runs into the thousands. Even with a round number of 1,000 for such third parties, your ROI increases to $2MM. Of course you have to subtract out the cost for any technological solution but with these types of efficiencies, your ROI will still be quite impressive.


There are a wide variety of other factors that could increase your ROI, as detailed in the Forrester report, which include renewal assessments, ongoing monitoring, increase in business efficiencies for both your organization and the third parties, which would all work to uplift your ROI. Most critically you would demonstrate the operationalization of your compliance program into the very fabric of your organization.


Three Key Takeaways

  1. Why is it important to demonstrate ROI on your third party risk management program?
  2. Determining your ROI helps to demonstrate operationalizing your compliance program.
  3. Determining third party management program ROI can help to tear down compliance siloes. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to





Apr 20, 2017

When was the last time you considered the health of your company’s third party management program? A good way to test that well-being is to perform a check-up on your third party program. An article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, provided a manner for the compliance practitioner to test an “organizations health status concerning your relationship to your third parties.” The article provided seven points that you can consider in a self-assessment:

  1. Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward? When was the last time this list was checked or updated?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to check and double-check which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business?; (b) Is the third party’s service performed with little company supervision or oversight?; (c) Does the third party have access to any company funds, resources or assets?; (d) Can the third party fund the company contractually?; and (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company? When was the last time you asked these questions of the Business Sponsor or Relationship Manager.
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party. Do you receive updated due diligence reports on a quarterly, semi-annual or annual basis?
  4. Once the risk categories have been determined, create a written due diligence process. Obviously you need to have a written policy and defined procedures to implement your due diligence policy. However, when was the last time it was reviewed or updated? What happens if you the compliance professional is hit by a bus coming to work? Would a substitute know what to do or would there be a written reference for your replacement? You should consider the following: (a) who is responsible for implementation; (b) list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews for third parties in a high risk category; (f) conflicts of interest checks, and (g) process for documentation and storage of all of the above information.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? When was the last time you considered your compliance terms and conditions or reviewed all of your third party contracts to ascertain if they include compliance terms and conditions: (a) anti-corruption and anti-bribery certification; (b)requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) require the third party to obtain pre-approval to subcontract out any of its work for your company; (g) require the third party to report any ownership change back to your company, and lastly (h) clear termination rights.
  6. Relationship Managers. Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. Do you rotate Relationship Managers? What training has the compliance function provided to them as the company’s point of contact for third parties?
  7. Red flags review. When was the last time you checked on your third parties for any new red flags which may have arisen after the initial due diligence was performed or completed? At what interval do you update or renew your due diligence? How about a change from the company side regarding sales, sales practices, products or services which might become high-risk?

Many companies understand the maxim “Know Your Customer (KYC)”, nevertheless, in today’s global economy this maxim may well need to be expanded to “Know Your Third Party”. The bottom is that that there is no out, no; when it comes to third party risk management and third party compliance efforts. A good place to start is with a third program party checkup.

Three Key Takeaways

  1. What is the health of your third party risk management program?
  2. When was the last time you reviewed and updated your third party database list?
  3. Expand your KYC thinking to Know Your Third Party.

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to




Apr 19, 2017

Internal controls are a key tool to operationalize your third party risk management program. Initially, a compliance practitioner should perform an analysis of any third party representative to provide insight into the pattern of dealings with such third parties and, therefore, the areas where additional controls should be considered. The basic internal controls, that should be a part of any financial controls system, include some or all of the following: 

  • A control to correlate the approval of payments made to contracts with third party representatives and your company’s internal system for processing invoices.
  • A control to monitor all situations in which funds can be sent outside the US, in whatever form your company might use, which could include accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances or other forms.
  • A control for the approval of sales discounts to distributors.
  • A control for the approval of accounts receivable write-offs.
  • A control for the granting of credit terms to third parties or customers outside the US.
  • A control for agreements for re-purchase of inventory sold to third parties or customers.
  • A control for opening of bank accounts specifically including accounts opened at request of an agent or a customer.
  • A control for the movement / disposal of inventory.
  • A control for the movement / disposal of movable fixed assets.
  • A control for execution and modification of contracts and agreements outside the US. 

There should also be internal control needs based on activities with third party representatives. These could include some or all of the following internal controls: 

  • A control for the structure and enforcement of the Delegation of Authority.
  • A control for the maintenance of the vendor master file.
  • A control around expense reports received from third parties.
  • A control for gifts, entertainment and business courtesy expenditures by third party representatives.
  • A control for charitable donations.
  • A control for all cash / currency, inventory, fixed asset transactions, and contract execution in countries outside the US where the country manager has final authority.
  • A control for any other activity for which there is a defined corporate policy relating to FCPA. 

While that may appear to be an overly exhaustive list, there were four significant controls the compliance practitioner implement initially. They include: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency. 

A DOA should reflect the impact of corruption risk including both transactions and geographic location so that a higher level of approval for matters involving third parties and for fund transfers and invoice payments to countries outside the US would be required inside an organization. Often, a DOA is prepared without much thought given to FCPA risks. Unfortunately once a DOA is prepared it is not used again until it is time to update for personnel changes. Moreover, it is often not available, not kept current, and/or did not define authority in a way even the approvers could understand it. Therefore it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid.

Furthermore if a DOA is properly prepared and enforced, it can be a powerful preventive tool for FCPA compliance. For example, consider a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Moreover, the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US (including those who travel from the US to work outside the US). 

Some believe the vendor master file, can be one of the most powerful PREVENTIVE control tools largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested, when a vendor name and/or vendor payment information changes are submitted. 

Near and dear to my heart as a lawyer, contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts (commission rate, whether business expenses can be reimbursed, use of subagents, etc.,) should be extracted and available to those who process and approve vendor invoices. If there are nonconforming service descriptions, commission rates, etc., present in a contract such terms must be approved not only by the original approver but also by the person so delegated in the DOA Unfortunately contracts are not typically integrated into the internal control system. They are left off to the side on their own, usually gathering dust in the legal department file room. 

One FCPA enforcement action was an excellent example of the lack of internal control over the disbursements of funds and movement of currency because you had the country manager delivering bags of cash to a government official to obtain or retain business. All situations where funds can be sent outside the US (AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances, etc.,) should be reviewed from a compliance risk standpoint. Further, within a company structure you need to identify the ways in which a country manager (or a sales manager, etc.,) could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system.  

All wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose. 

Never forget that internal controls are in reality, simply good financial controls. The internal controls that he detailed for third party representatives in the compliance context will help to detect fraud, which could well lead to the prevention of bribery and corruption. 

Three Key Takeaways

  1. Internal controls are a key component of any operationalized compliance program.
  2. Internal controls are good financial controls.
  3. The top four internal controls for compliance are: (a) Delegation of Authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash / currency. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to




Apr 19, 2017

In this episode I am joined by Ruth Steinholtz of AretéWork, Jonathan Armstrong of Cordery Compliance and Kristy Grant-Hart of Spark Compliance Consulting and author of How To Be a Wildly Effective Compliance Officer for a roundtable discussion of the recently concluded SCCE European Compliance and Ethics Institute. We discuss some of the highlights, the changes this group of compliance practitioners has seen and where compliance may be headed in 2017 and beyond.

Apr 18, 2017

Next I consider at how data analytics can be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third parties. A clear majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party to conduit the payment of a bribe) has lessened in recent years, there are related data analysis that can be performed to ascertain whether a third party is likely performing legitimate services for your company and is not a sham.  There are several more complex analytics that can be run in combination to identify suspicious third parties, and some of the simplest can be to look for duplicate or erroneous payments.

A key to moving from detection to prevention is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at one time for errors or overpayment. Changing this from a one-time annual or biannual event to something that is done daily or weekly dramatically improves the value of such internal controls. This more frequent, preventative analysis is integral to a foundation of third party audits. While many company perform periodic look-back audits, ongoing monitoring also works to accomplish the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.

Duplicate invoices are a favorite mechanism of fraudsters. Consider the following scenario, Invoice No. 955-TX, was paid for $10,597.95. Thirty days later the same vendor re-submitted the same invoice due to non-payment, but it was recorded by the payor organization without the hyphen between 955 and TX, consequently it was not detected by the system of payable controls. The problem is the second invoice had slightly different writing on the face of it, but it was for the same services and hence was a duplicate invoice. On the company side, both invoices were scanned into the company’s imaging system and queued for payment. Data analysis can locate such overpayments and identify a second payment should not be made because it is a match of one that had been previously approved.

Another analysis, which a compliance practitioner could compare using vendor name and other identifying information, for example address, country, data from a watch list such as Politically Exposed Persons (PEP) or Specially Designated National (SDN), to names and other identifying information on your vendor file. An inquiry could also be used to test in other ways such as if a vendor has the same surname as a vendor on the specially designated national terrorist list, or a politically exposed person.

Now suppose they share the same name as an elected official down in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe that is a politically exposed person in that country? It is only upon closer inspection where you can determine that the middle names are different and the ages are different, one of has an address is Brasilia and the other is in Sao Paulo. Without further inspection including other demographic information about your vendors, consultants or third parties and the comparing them to watch list individuals, such red flags are present but not cleared. That is what data analytics is designed to do, is to help you go from tens of thousands of “maybes” to a very small number of potential issues which need to be researched individually.

One of the important functions of any best practices compliance program is to not only follow the money but try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, data analytics uncover overcharges and fraudulent billings. Continual transaction monitoring and data analysis can prove its value through more frequent review, as individuals tend to perform better when they know they are being monitored.

The techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments not only by day or by month, but also by vendor or even by employee who may have keyed the invoices into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. That is the value of analytics. Analytics allows a compliance practitioner to sort and resort, combine and aggregate, so that patterns can be investigated more fully.

This final concept, of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well by allowing you to partner the information on third parties who might come into your company where there was no proper compliance vetting. Such capabilities are clearly where you need to be heading.  

Three Key Takeaways

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to



Apr 18, 2017

In this episode Compliance Week Editor in Chief Bill Coffin discusses the upcoming Compliance Week 2017 Conference May 22-24, 2017 in Washington DC. Coffin highlights the key note speakers and some of the other key topics for the event. He discusses how Compliance Week is an entire experience for attendees, exhibitors, speakers and guests. Best of all, listeners to this podcast can receive a discount to this year's event. Go to registration and enter discount code CW17TOMFOX.

Apr 17, 2017

Auditing of third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third party relationship after the contract is signed and one which the government will expect you to engage in going forward. 

You should plan out four to six weeks in advance, you should perform the audit with your legal counsel’s lead to preserve privilege, work with the business sponsor to establish key business contacts, discuss audit rights and processes with the third party, you should prepare initial document request lists for financial information queries, take the time to review findings from previous audits and resolutions and also review details of opened and closed internal investigations, if there are any Code of Conduct questionnaires available take care to review and finally be cognizant of any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions. 

The next step is to determine the entry points of foreign government involvement; (1) direct and (2) indirect. The direct category includes: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government owned entities, procurement of business licenses and permits to perform work and, finally, areas around police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors and, finally, those who might be consultants or other channel partners. 

Document review and selection is important for this process, you should ask for as much electronic information as possible well in advance of your audit. It is much easier to get database records for internal audits than audits of third parties. Try and obtain records in database or excel format and not simply in .pdf. Request the following categories of documents; trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries and revenue by country and customer. 

Your lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with the forensic auditors on your audit team, who will be reviewing the documents from their professional perspective. Regarding potential interviewees, focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with: 

  • Business Leadership
  • Sales/Marketing/Business Development
  • Operations
  • Logistics
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal. 

For the interview topics, there are several lines of inquiry. Remember this is an audit interview, not an investigative interview. You should not play ‘got-cha’ in this format. You should avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on included: 

  • General policies and procedures;
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust. 

In the review of the General Ledger (GL) accounts, you should consider commission payments to agents and representatives, any facilitating payments made, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotion expenses. If there were payments made for customs or freight forwarders and other processing agents, permits, licenses, taxes and other regulatory expenses should be reviewed. Additionally any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, a review of any security payments, extortion payments, payments to legal consultants or tax advisors or fines and penalties should be considered. 

Regarding bank accounts and cash disbursement controls, you should review the following: 

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts. 

In the area of cash funds review the following: 

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses, scrutinize for any suspicious expenses submitted, expenses lacking adequate documentation, incorrect posting; and identify and review accounts associated with gifts, meals, entertainment, travel, or promotion. In the area of payroll, consider the risks around the use of ghost employees, hiring of relatives of government employees, and the use of bonus payments and be sure to request a payroll listing and review for any such persons. 

You should review GL accounts and expenses for related items. In taking a look at payments under local law, you should obtain list of payments to the government required by local laws and identify and review payments to government authorities or employees, customs authorities or agents, income taxes authorities or license requirements. For payments made to third parties, you should review commission and expense payments for compliance with company policy and also trace payments to the third party’s bank account. 

Three Key Takeaways

  1. Be prepared.
  2. It is not an investigative interview but an audit interview.
  3. Listen, listen, listen. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to


Apr 14, 2017

In this episode, Matt Kelly pinch hits for a Walt Disney World-vacationing Jay Rosen. Matt and I have a wide-ranging discussion on some of the week’s top FCPA and compliance related stories. We discuss: 

  1. Shearman & Sterling issues its Report to the Wells Fargo Board on the fraudulent account scandal. For Tom’s three-part series see Part I, Part II and Part III.
  2. United Airlines is at it again. Click here for Matt’s article on Radical Compliance. Click here for Tom’s article in Compliance Week.
  3. Interesting judicial decision on restitution from Judge Posner. See article in the Grand Jury Target blog.
  4. Barclay’s CEO penalized for trying to unmask internal and anonymous whistleblower by using corporate security and US law enforcement. See Tom’s article in Compliance Week.
  5. Matt reports on Oracle’s Modern Finance Experience conference. Click here for Matt’s blog post on Radical Compliance.
Apr 14, 2017

The building blocks of any Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program lay the foundations for a best practices compliance program. For instance in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. 

In an issue of Supply Chain Management Review in an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, provided useful insights into the management of the third party relationship. While the focus of the article was having a strategic approach to contracts management, the author’s “five ways to start professionalizing your approach to outsourcing contracts” were an excellent manner to consider steps in the management of third party relationships. 

The key is to have a strategic approach to how you structure and manage your third party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to “control risk while optimizing the performance” of your third parties. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties. 

Consolidate Third Parties but Retain Redundancy 

It is incumbent that consolidation in your third party relationships to a smaller number to “yield better cost leverage.” From the compliance perspective, it also should make the entire third party lifecycle easier to manage, particularly steps 1-4. However, a company must not “over-consolidate” by going down to a single source supplier. You should build a diversified supplier base, with a through “dual-sourcing”. From the compliance perspective, you may want to have a primary and secondary third party that you work with in a service line or geographic area to retain this redundancy.

 Keep Tabs on Subcontracted Work 

This is one area that requires an appropriate level of management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

 When Disaster Strikes, Make Sure Your Company is Legally Protected

This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) during the pendency of a FCPA investigation. Finally, you need a clause that requires your third party to cooperate in any FCPA investigation. This means cooperation with you and your designated investigation team but it may also mean cooperation with US governmental authorities as well.


You also need the ability to move between third parties if the need arises. This is the redundancy issue raised above. You do not want to be stuck with no approved freight forwarders or other transporters in a certain geographic area. If a compliance related matter occurs, you may well need certain contractual rights to move your work and to require your prime third party to cooperate with the transition to your secondary third party.

 Keep Track of Your Third Parties’ Financial Stability 

This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward Red Flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished. 

You should take advantage of automated financial tracking tools to keep track of material changes in a third parties’ financial stability. You should also use your in-house relationship manager to regularly visit key third party relationships so an on-the-ground assessment can be a part of an ongoing conversation between your company and your third parties. 

Formalize Incentives for Third Party Performance 

One of the key elements for any third party contract under the FCPA or UK Bribery Act is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance with the FCPA or other anti-corruption compliance regimes.

By linking contractual compensation to performance, there should be an increase in third party performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs. 

You should rank third parties based upon a variety of factors including performance, length of relationship, benchmarking metrics and KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them. 

Three Key Takeaways

  1. Have a strategic approach to third party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs.
  3. Keep track of the financial stability of your third parties. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to

Apr 13, 2017

In a speech before the SIFMA Compliance and Legal Society New York Regional Seminar in November 2015, then Assistant Attorney General Leslie Caldwell laid out metrics the Department of Justice would consider in evaluating a corporate compliance program around third parties. Caldwell began with the following question, “Does the institution sensitize third parties like vendors, agents or consultants to the company’s expectation that its partners are also serious about compliance?” This inquiry was brought forward into the Justice Department’s Evaluation of Corporate Compliance Programs. 

Management of a Third Party Relationship

Recognizing that most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for a business justification, questionnaire, due diligence and compliance terms and conditions in a contract, I was gratified to see the DOJ focusing on the final step in the lifecycle of a third party relationship as a key metric for its new Compliance Counsel to evaluate. This is because it is the management of third party relationships that continues to be a source of trouble and heartburn for many companies. As Caldwell noted in her remarks, the management of a third party relationship, “means more than including boilerplate language in a contract. It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.” 

While the 2012 FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. This means that you must have an experienced compliance and audit team, actively engaged in the corporate office and in the business units, to ensure that financial controls and compliance policies are followed and that remedial measures for violations or gaps are tracked, implemented and rechecked, as additional detection and prevention. Caldwell noted it is a more encompassing “sensitization” to anti-corruption compliance that is needed. There are several ways for you to do so. 

Relationship Manager for Third Parties 

The starting point for the management of a third party, is your Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include: 

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party. 

Compliance Professional 

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance professional should work closely with the Relationship Manager to provide advice, training and communications to the third party. 

Oversight Committee 

I advocate that a company should have an Oversight Committee review all documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk. 

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment are within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests. 


A key tool in managing the affiliation with a third party post-contract execution is auditing. Audit rights are a key clause in any compliance terms and conditions and must be secured. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline I would suggest that any audit of a third party include, at a minimum, a review of the following: 

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company. 

If you want to engage in a deeper dive you might consider evaluation of some of the following areas: 

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report?
  • How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

Tying it all Together 

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. The robustness of your third party management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out herein, you need to fully document all steps you have taken so that any regulator, and most specifically the DOJ Compliance Counsel, can test your metrics. Caldwell’s remarks around the metrics portended the Evaluation and what the DOJ will be reviewing and evaluating going forward so that it is clear will be expected from your company’s compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program. 

Three Key Takeaways

  1. It all starts with a Relationship Manager.
  2. Have company oversight of all third parties.
  3. Audit, monitor and remediate on an ongoing basis.

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to

Apr 12, 2017

In this episode Matt Kelly and I take a deep dive into the recently released, Public Company Accounting Oversight Board (PCAOB) semi-annual white paper. The white paper providing general information about certain characteristics of emerging growth companies (EGCs). Matt and I discuss some of the PCAOB's key findings:

  • There were 1,951 companies that identified themselves as EGCs in at least one SEC filing since 2012 and have filed audited financial statements with the SEC in the 18 months preceding the measurement date (“EGC filers”). The PCAOB staff observe that the number of EGC filers has grown since the enactment of the Jumpstart Our Business Startups (JOBS) Act, but has stabilized recently.
  • There were 742 EGC filers (or 38 percent) that have common equity securities listed on a U.S. national securities exchange (“exchange-listed”). 
  • The five most common industries for EGC filers as of November 16, 2016, are pharmaceutical preparations, blank check companies, real estate investment trusts, prepackaged software, and surgical/medical instruments and apparatus.
  • Many EGC filers that were not exchange-listed had limited operations. Approximately 50 percent of the non-listed EGC filers reported zero revenue in their most recent filing with audited financial statements and 23 percent of non-listed EGCs that filed periodic reports disclosed that they were shell companies.
  • Approximately 51 percent of EGC filers, including 74 percent of those that were not exchange-listed, received an explanatory paragraph in their most recent auditor’s report expressing substantial doubt about the company’s ability to continue as a going concern.
  • Among the 1,951 EGC filers, 1,262 provided a management report on internal control over financial reporting in their most recent annual filing. Of those 1,262 companies, approximately 47 percent reported material weaknesses.
  • Approximately 96 percent of EGC filers were audited by accounting firms that also audited issuers that are not EGC filers, including 39 percent of EGC filers that were audited by firms that provided audit reports for more than 100 issuers and were required to be inspected on an annual basis by the PCAOB.
Apr 12, 2017

What is satisfactory due diligence under the Foreign Corrupt Practices Act (FCPA)? That question seems to be more important after story on Unaoil and the subsequent release of the Panama Papers. However, both of these events largely focused on the “who” part of due diligence and the need to know whom you are doing business with going forward. However there is another important question which does not come up as often in due diligence, which is how

How does a particular third party perform its services with or for your company? If it is on the sales side of things, how can a third party help you make sales? If a third party comes through the Supply Chain, how do their products or services meet the needs of your company? If the third party has a closer business relationship, such as a joint venture (JV), teaming agreement or other similar arrangement, you may well need a much deeper understand of how this third party does business because the relationship may well become so close you will be intertwined with the party. It may mean more than simply does their how product work but how does this third party conduct themselves and their business? 

The questions beyond simply who were made clear in a Wall Street Journal (WSJ) article by Christopher Weaver and John Carreyrou, entitled “Deal With Theranos Haunts Walgreens. It turns out that Walgreens left a gap by “never fully validating the startup’s technology or thoroughly evaluating its capabilities”. The clear message is if you are going to partner with a technology company which is going to change your business model, you best make sure the technology works. Moreover, if a potential JV partner refuses to show you its technology, how it keeps records, its financials relating to the products and services you are contracting for and generally tries to hide from you the very thing you are buying into; you should not walk but run away from the deal. 

This article detailed the lack of steps and miss-steps by Walgreens when entering its partnership with Theranos and how these actions caused Walgreens to consider its $50MM investment in Theranos as something it will never recoup, caused Walgreens reputational damage and potentially subjected it to civil liability. As the reporters noted, “The relationship is now in tatters, making Walgreens an extreme case study of what can go wrong when an established company that craves growth decides to gamble on an exciting and unproven startup.” 

One might think that if you are investing in a technology company that provides medical testing, the investor would want to see the laboratory where the testing is performed. It turns out that Walgreens representatives were never allowed to tour, let alone review the labs where the results of Theranos pinprick blood tests were run. A Walgreens consultant, Paul Rust, who was sent to Theranos to do a quality control data review said, “It was a very strange situation. The results were actually really good, but I was never allowed to go into the lab. I have no idea that the results I saw were run on the Edison devices or not.” He went on to say that he was “led to believe that they were being run on the Edison.” Yet even Rust was surprised no Walgreens representatives had been allowed to view Theranos labs. 

Interestingly, when Theranos did provide the test results to Walgreens representatives, the results came back with ““low” and “high” values rather than numeric values. As a result, Walgreens couldn’t compare results from the Theranos machine to any commercially available tests.” Once again, this was something which Walgreens should be sought additional information on. 

Yet even when Walgreens’ consultants, assisting the company in evaluating Theranos and the proposed transaction, voiced and wrote up their concerns, they were not passed along to Walgreens management. The article reported, “In a report later in 2011, the consultants concluded Walgreens needed more information to assess the partnership. Those findings and reports by other consultants were kept from many Walgreens officials, including some directly involved in the negotiations with Theranos.”

Walgreens made another classic mistake in the due diligence process; they took comfort when a competitor was allegedly considering a similar venture with Theranos. The article said, “Some executives were comforted when Theranos said Safeway Inc. had agreed to host blood-drawing sites at some of its supermarkets. If Safeway trusted Theranos, then Walgreens could, too, the Walgreens officials believed.” How often have your heard that some other company is considering or has approved them through due diligence and a decision was based on the alleged actions of an alleged party. 

Walgreens hamstrung itself from managing the relationship after the contract was signed by agreeing to contract terms that prevented Walgreens from auditing or even viewing “Theranos clinical data or financial records”. Finally, and perhaps most damagingly, there was a complete lack of communications between the two companies about the issues that have bedeviled Theranos. The article concluded,  “Walgreens shelved the expansion plans after the Journal reported in October that Theranos did the vast majority of tests it offered to consumers on traditional lab machines. The Journal also reported that some former employees doubted the accuracy of a small number of tests run on Edison devices. One of the most recent setbacks came in mid-April when the Journal reported that regulators had 3½ weeks earlier proposed banning Ms. Holmes from the lab-testing industry. The drugstore chain’s senior executives found out from the news report.” 

Under the FCPA, most companies understand the need to know with whom they contract for sales or vendor services. They also understand the need to know why they should do business with a proposed third party (IE., a business justification). However the need to perform an investigation into how the third party can actually deliver the contracted services is equally important.

The Walgreens imbroglio around Theranos points out why such clauses are mandatory. If you do not have them, you do not have the ability verify what you may or may not have been told in due diligence. Finally, managing the relationship after the contract is signed is where the rubber hits the road. If you only obtain a due diligence report and insert compliance terms and conditions, you will have done nothing to test whether the third party is performing as it has agreed to under the terms of the contract. 

Three Key Takeaways

  1. The how question can be as critical as the who question.
  2. The more integrated a third party is into your operations the more important this question becomes.
  3. Incorporate a how question into not only your due diligence but also your ongoing monitoring and auditing, after the contract is signed. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to


Apr 11, 2017

The Justice Department Evaluation of Corporate Compliance Programs states in Prong 10, Appropriate Controls – What was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

You should incorporate compliance terms and conditions into your contracts with third parties. You must have appropriate compliance terms and conditions in every contract with third parties. I would suggest that you prepare a template, which can be used as a starting point for your negotiations. The advantages of such a template are several; they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straight-forward to administer and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption. 

What are the compliance terms and conditions that you should include in your commercial contracts with third parties? In the Panalpina Deferred Prosecution Agreement (DPA), Attachment C, Section 12 is found the following language, “Where necessary and appropriate, Panalpina will include standard provisions in agreements, contracts, and renewals thereof with all agents and business partners that are reasonably calculated to prevent violations of the anticorruption laws, which may, depending upon the circumstances, include: (a) anticorruption representations and undertakings relating to compliance with the anticorruption laws; (b) rights to conduct audits of the books and records of the agent or business partner to ensure compliance with the foregoing; and (c) rights to terminate an agent or business partner as a result of any breach of anti-corruption laws, and regulations or representations and undertakings related to such matters.” In the Johnson & Johnson (J&J) DPA, the same language as used in the Panalpina DPA is found in Attachment C, entitled “Corporate Compliance Program”. However, in Attachment D, entitled “Enhanced Compliance Obligations”, the following language is found: “Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including; (i) representatives and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.”

Mary Jones, in an article in this blog entitled “Panalpina’s World Wide Web”, suggested the following language be present in your compliance terms and conditions: 

  • payment mechanisms that comply with this Manual, the FCPA [Foreign Corrupt Practices Act], the UKBA [UK Bribery Act] and other applicable anti-corruption and/or anti-bribery laws during the term of such contract;
  • the counterparty’s obligation to maintain accurate books and records in compliance with the Company’s Policy and Compliance Manual;
  • the counterparty’s obligation to certify on an annual basis that: (i) counterparty has not made, offered, or promised any payment or gift of money or anything of value, directly or indirectly, to any Government Official (or any other person or entity if UK Bribery Act applies) for the purpose of obtaining or retaining business or getting any improper business advantage; and (ii) counterparty has not engaged in any conduct or behavior prohibited by the Code of Conduct, Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law;
  • the Company’s right to audit the counterparty’s books and records, including, without limitation, any documentation relating to the counterparty’s interaction with any governmental entity (or any entity if UK Bribery Act applies) on behalf of the Company, and the counterparty’s obligation to cooperate fully with any such audit; and
  • remedies (including termination rights) for the failure of the counterparty to comply with the terms of the contract, the Code of Conduct, the Anti-Corruption Policy and Compliance Manual and other applicable anti-corruption and/or anti-bribery law during the term of such contract. 

I believe that compliance terms and conditions should be stated directly in the document, whether such document is a simple agency or consulting agreement or a joint venture (JV) with several formation documents. The compliance terms and conditions should include representations that in all undertakings the third party will make no payments of money, or anything of value, nor will such be offered, promised or paid, directly or indirectly, to any foreign officials, political parties, party officials, candidates for public or political party office, to influence the acts of such officials, political parties, party officials, or candidates in their official capacity, to induce them to use their influence with a government to obtain or retain business or gain an improper advantage in connection with any business venture or contract in which the company is a participant. 

In addition to the above affirmative statements regarding conduct, a commercial contract with a third party should have the following compliance terms and conditions in it. 

  • Indemnification: Full indemnification for any FCPA violation, including all costs for the underlying investigation.
  • Cooperation: Require full cooperation with any ethics and compliance investigation, specifically including the review of foreign business partner emails and bank accounts relating to your Company’s use of the foreign business partner.
  • Material Breach of Contract: Any FCPA violation is made a material breach of contract, with no notice and opportunity to cure. Further, such a finding will be the grounds for immediate cessation of all payments.
  • No Sub-Vendors (without approval): The foreign business partner must agree that it will not hire an agent, subcontractor or consultant without the Company's prior written consent (to be based on adequate due diligence).
  • Audit Rights: An additional key element of a contract between a US Company and a foreign business partner should include the retention of audit rights. These audit rights must exceed the simple audit rights associated with the financial relationship between the parties and must allow a full review of all FCPA related compliance procedures such as those for meeting with foreign governmental officials and compliance related training.
  • Acknowledgment: The foreign business partner should specifically acknowledge the applicability of the FCPA to the business relationship as well as any country or regional anti-corruption or anti-bribery laws, which apply to either the foreign business partner or business relationship.
  • On-going Training: Require that the top management of the foreign business partner and all persons performing services on your behalf shall receive FCPA compliance training.
  • Annual Certification: Require an annual certification stating that the foreign business partner has not engaged in any conduct that violates the FCPA or any applicable laws, nor is it aware of any such conduct.
  • Re-qualification: Require the foreign business partner re-qualify as a business partner at a regular interval of no greater than every three years. 

Many do not believe that they will be able to get the third party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simply to get a third party to agree to these, or similar, terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third parties will not fight such a position. There is some flexibility but the DOJ will require the minimum compliance terms and conditions. But the best position I have found is that if a third party agrees with these terms and conditions, they can then use that as a market differentiator. 

Three Key Takeaways

  1. There is no set formula for clearing of red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must Document Document Document your evaluation of any red flags. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go

Apr 11, 2017

In this episode, I am joined by Eric Feldman, SVP at Affiliated Monitors. Eric is a long time US government employee who now helps to provide companies with monitorship services, in a wide range of areas. These include external monitors after a FCPA enforcement action, monitorships with companies who contract with the federal government, state and local authorities. Eric discusses the strategic use of a monitor in a wide variety of areas, from prevention and detection of legal violations to M&A work. For more on Affiliated Monitors, check out their website by clicking here.

Apr 10, 2017

An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. It is mandatory that not only must all red flags be cleared but there also be evidence of the decision-making process to show to a regulator if one comes knocking.

The Justice Department Evaluation of Corporate Compliance Program states under Prong 10 the following, “Real Actions and ConsequencesWere red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved?” There is no set formula or guideline for clearing red flags or evaluating due diligence. One approach came from two compliance practitioners at GE Oil & Gas, Flora Francis and Andrew Baird made at the 2014 SCCE Utility and Energy Conference on GE’s third party risk management, where they described the process by which GE reviews the risks around each third party with which it does business. 

Some of the factors which GE considers, when evaluating a third party, include the following: 

  • Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
  • In-house Capabilities: Do we already have the organization in place to handle these capabilities?
  • Overlap: Do we already have a third party in the region/country that can handle our needs?
  • Volume of Business: How much business will this third party bring to the company?
  • Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have same commitment to compliance?
  • Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
  • Reputation: What is the third party’s reputation in the market? 

GE takes this information and then break downs the risks down into low risk and high risk. A low risk received a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were: 

  • Country channel where the third party is located in or where it sells into;
  • Experience by the third party with the sales channel;
  • Type of third party involved; agent, reseller, distributor;
  • Commission rate, is it standard v. non-standard;
  • Will any sub-third party relationships be involved;
  • Will the third party sell to government entity or instrumentality;
  • Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
  • Was the third party mandated by customer or the end user;
  • What is the third party’s contract duration;
  • Is the third party involved in more than one project;
  • Does the third party have any historical compliance issues;
  • What is the percent of sales with products or services; and
  • What is GE’s annual revenue with the third party? 

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and a Go/NoGo decision whether the company should move forward with a proposed third party. 

One approach came from Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelmen Inc. I found his questions to be very relevant when considering how far down the chain a company must go. 

Step 1: How Much is Enough? Here your goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties. 

Step 2: How Deep Do We Dig? Here I think the question you should consider is how many tiers down you must go in managing your third parties? Clearly you should manage all direct counter-parties in the sales chain and those considered high-risk in the supply chain. Further, in the sales chain, I think you need to know directly if your business representatives are sub-contracting down your business representation, at least through one tier. On the supply chain, if a high-risk truly is a high-risk for bribery and corruption under your internal evaluation system, you should also consider digging down one tier. 

Step 3: What Do You Need To Know? While with your first-tier relationships you may scope your review depending on your internal risk assessment and attendant risk ranking, your data collection down the chain may not need to be as robust. For counter-parties further down the chain than tier 2, a list of actual and beneficial owners, coupled with commitments to follow relevant anti-corruption legislation is needed. Such commitments should be secured through each tier’s contract with its counter-parties. 

Step 4: What Did We Learn? If there is any information from which Red Flags appear, they must be cleared. If additional information is needed or points clarified, now is the time to do it and not wait until later in the process. Here I would rely on Jan Farley’s proscription not to stretch your compliance program too thin. Focus your training, communication and management on your direct counter-parties and communicate to them that your company expects them to manage their relationships with their direct counter-parties, which would include the clearing of any Red Flags that may have appeared. 

Step 5: Then What? After you have made your decision you still need to manage the relationship. This will entail continuing compliance communications with your direct counter-parties on an ongoing basis. Preferably your business unit sponsor will do this but as the compliance practitioner, you should also be mindful of checking in from time-to-time with your third parties. As your compliance program matures, you also reach the point where you will need to consider auditing of your third parties from the compliance perspective. Finally, do not forget the three most important things about your FCPA compliance program: “Document, Document and Document” the entire process. 

In the area of third parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective. For anything below a tier 2; you may be able to manage your risks through having your direct tier 1 counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so. 

Three Key Takeaways

  1. There is no set formula for clearing of red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must Document Document Document your evaluation of any red flags. 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go


1 2 Next »