At some point, you will be required to terminate a third-party and there will be multiple legal, compliance and business issues to navigate going forward. If you are stuck doing it in the middle of a Foreign Corrupt Practices Act (FCPA) or Bribery Act investigation, such as Airbus is currently under with the UK Serious Fraud Office (SFO), there may well be some tension to do so and do so quickly. If you have not thought through this issue and created a process to follow before it all hits the fan, you may well be in for a very tough road.
The key theme in termination is planning. The Office of Comptroller of the Currency, OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.”
In an article entitled “Breaking Up Is Hard To Do”, Carol Switzer related how to avoid pain by planning for the end of a third-party relationship. She said it all should begin with “an exit strategy, a transition plan or a pre-nup—whatever the title, it’s best to begin by planning for the end which, in the case of business at least, will always eventually come. Whether due to contract completion or material breach, turning over responsibility to another party, or abandonment of the contracted activity altogether, contract termination is an inevitable phase in the third-party relationship lifecycle.” Planning for the end is important because, “The more long term and layered the relationship, the more difficult it will be to disentangle. The deeper the third-party is embedded in and uses the confidential information of the company and its customers, the greater the risks presented by failing to design a smooth transition process.”
It should originate with clearly specified contract termination rights but that is only the starting point, “To work out a smooth transition, the plan must also include internal change management processes and policies, designated transition team members, contingencies, and adequate resources and time allowances.” Your corporate values must be protected by “clearly designating the disposition of shared intellectual property and infrastructure assets.” Next you need to think through your transition plan by “ensuring rights to hire or continue use of key contractor employees who have been servicing your account, arranging to bringing new contractors or internal managers up to speed, and filing any regulatory or other required notifications.” Finally, bear in mind that your reputation must be protected during this transition process “by controlling and planning for issuance of public statements and social media postings by terminated contractors or their employees, or the best laid transition plans may be for naught.”
You will also need to consider the business risks around the termination of a third-party, particularly on the sales side of your business. This may mean sitting down with a customer or group of customers to explain the reasons behind the termination. Obviously if your business team has not developed a relationship with the end-using customer, this can be a difficult and very problematic conversation.
Unless you are exiting a business sector or territory, you will need to replace the third-party. This means going through the entire five-step process with any potential sales agent or representative. Such planning needs to be built into your termination strategy. If the reason for termination is a contract violation or worse a FCPA violation, there may well be other notifications which are required, both internally and externally to government regulators. You have also been under some type of contractual nondisclosure language and so consultation with your legal counsel, once again both in-house and outside, may be required. Finally, never forgot the reputation damage by releasing such information, or conversely not disclosing it. Both sets of reasons may hurt your business reputation as well.
In addition to the above steps, there are some specific considerations you should take. In the area of data, data privacy and data accessibility, if a third-party has access to your network and systems, such access must be revoked. If your terminated third-party has physical data, you must plan for the return of your data to you in a format that is acceptable to you and is secure. If your data is confidential, you may want to require that it be returned in an encrypted format and via an encrypted channel. You should lay out the time frame for the return of any data.
Alternatively, you can specify that data be destroyed. If this is the route you take with your third-parties, it should be performed in a way which is secure so the data cannot be reconstructed at a later date, through the use of surreptitiously created backup or duplicate data. You should mandate the third-party provide to you a certificate of destruction that confirms the destruction of your data and the methods used for destruction. Information that must be retained should maintain the data protection requirements currently in place, or stronger if the applicable laws change during the time of retention.
Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan as well. If you do not, the cost in both monetary and potential business reputation can be quite high.
Three Key Takeaways
This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.