Forgot your password?
Please enter your email & we will send your password to you:
My Account:
Copyright © International Chamber of Commerce (ICC). All rights reserved. ( Source of the document: ICC Digital Library )
by Richard Battaglia and Lucinda Low
Richard J. Battaglia Senior Counsel, Steptoe & Johnson and Former Senior Counsel, Regulatory Compliance, at BP America
Lucinda A. Low Partner, Steptoe & Johnson
-
Many enterprises use agents, intermediaries, and other third parties to pursue business opportunities; conquer new markets; negotiate contracts; obtain licenses, permits or other authorizations; and more generally to act on an enterprise’s behalf. If not carefully selected or if inappropriately managed, a third party with which your company has engaged can become the ‘weakest link’ in the chain. This Chapter describes the practical measures your company can take to ensure that, to the extent possible, it engages – or does business with – only reputable and qualified third parties who will act with integrity and in compliance with applicable laws and your company’s policies.
In this Chapter, we address the corruption risks posed by persons and entities that act for, or provide services or goods to, your company and who are not its employees.
Third parties are most everyone who provides your company with services or goods to one degree or another.
These ‘third parties’ include the persons your company hires to act as agents or representatives of the company in its outward dealings, such as its dealings with government agencies, whether in the sales and marketing function or in other areas. They can be brokers, finders, or business development consultants or accountants, attorneys or other professional advisers. They can also include vendors and service providers of all types including suppliers of equipment and materials, distributors, customs agents, ship brokers, port agents, freight forwarders, ‘formalities’ agents who assist with corporate filings and obtaining visas and work permits, architects and engineers and construction contractors, zoning and land use consultants, environmental consultants, and teaming partners or joint-venture partners (for the latter category of third parties, see Chapter 15).[Page137:]
All these third parties (also referred to as ‘business partners’ in this Chapter) can present a risk to your company from an anti-corruption perspective, because of who they may be (government officials or their close relatives or associates; companies owned or controlled by a government official or persons associated with them), or because of who they may interact with and how they will do so. Your company’s liability for the actions of such business partners may depend in part on the nature of your company’s relationship with them, but they all create some degree of vicarious liability risk.
This Chapter is meant to help you identify and minimize those risks, while maintaining courteous and productive relationships with your business partners.
A legal reason
Under agency law, you may be held liable for the actions of your agents during the course of their performance of services for you. Statutes that prohibit transnational corruption expand the scope of vicarious liability beyond your agents, particularly to all providers of services and, in some cases, to vendors and suppliers of goods. The United States Foreign Corrupt Practices Act (1977), for example, treats approval or furtherance of improper payments as an offense: This can include your approval and payment of an invoice for a shipment of goods if you know or are deliberately ignorant of the fact that the shipping party or freight forwarder paid bribes to deliver the goods to you in time and is seeking reimbursement or compensation for the improper payment. The Foreign Corrupt Practices Act prohibits improper payments made ‘indirectly’ by ‘any person’ on your behalf, with or without a contractual relationship. Mitigating this risk requires principals to take steps to prevent and detect improper payments by their business partners.
Accounting rules
For companies subject to the accounting requirements of the Foreign Corrupt Practices Act, the statute also requires that you have internal controls in place to provide “reasonable assurance” that the company’s books and records fairly and accurately reflect the nature of each transaction, including each payment to your business partners. Other national anti-corruption statutes include similar or analogous requirements. The United Kingdom Bribery Act (2010) imposes strict liability for bribery by associated persons or service providers unless a company has “adequate procedures” in place. This creates a strong incentive to take affirmative steps to prevent any act of bribery by your business partners (as well as your employees) in the context of their relationship with your company. Hence, the ICC Guidelines on Agents, Intermediaries and Other Third Parties (2010) encourages companies to put in place anti-corruption compliance procedures to vet, train, control, and monitor their business partners in the context of their relationship with the company.[Page138:]
A psychological reason
Most people understand that they are not allowed to pay bribes. However, many people do not understand that they may be liable if so-called ‘independent contractors’ pay bribes in connection with performing services for, or executing a contract with them. Without appropriate training, some of your colleagues may mistakenly believe that the independent contractor’s methods are none of their concern, and that they have no business telling an independent contractor how to act. This view is often rationalized when the independent contractor is able to produce rapid results when dealing with the local ‘red tape’. The employees’ responsibilities to prevent corruption in the context of their dealings with third parties often are not instinctive and they certainly require communication, training, procedures, and control to be assimilated into a ‘best practices’ or ‘adequate procedures’ anti-corruption compliance programme.
A pragmatic reason
If nothing else, a good reason to focus on your business partners to mitigate your exposure to corruption is that intermediaries appear in many reported foreign bribery cases. Implementing adequate anti-corruption procedures for the appointment of business partners, and maintaining appropriate oversight and control over these business partners, can be the ‘weakest link’ in an otherwise robust corporate compliance programme. The government agencies in charge of enforcing anti-corruption statutes know that third parties are a key risk area for many companies and a key area to control through corporate compliance programmes.
1. Justifying the relationship: Do you need this new party or this new risk?
Among the many relationships listed above, some may be integral to conducting business in a certain location and practically unavoidable. Most companies cannot internalize all operations up and down their supply chain, from purchasing consumables, spare parts and equipment to procuring specialized services such as accounting, tax, and legal advice. Furthermore, in some countries, local law requires that you have a local business partner in order to operate in the country. In others, local law requires the use of specialized, licensed, independently registered service providers to perform certain acts (such as a law firm to appear in court, an architect to design certain types of constructions, registered customs brokers to clear goods, licensed insurance providers). In certain industries, the state may grant a concession or license to operate on the condition that you partner with a local entity, often a state-owned or state-controlled entity, to operate the concession or engage in the business.
Where local law requires you to establish a relationship with a third party, and where it might even impose certain criteria to guide your choice of entity, you will want to carefully and completely understand any such requirement to justify the existence of the third-party relationship and possibly the choice of business partner. Within the limitations set by local law, you would further justify your final selection through the vetting or due diligence process described later in this Chapter.[Page139:]
While you need to deal with some forms of business relationships by law or business necessity, you may be able to reduce your company’s risk before even starting the due diligence process, or by examining whether you need the service from an outside entity in the first place. It is not the purpose of this Training Handbook to dissuade you from using common, legitimate business services from agents, intermediaries, and other third parties, but insofar as they carry anti-corruption risk, you may want to weigh whether such services may not be better performed in-house, where the service providers (your own employees) might be better known and more capable of being closely monitored and controlled.
2. Identifying red flags
How does a third-party risk manifest itself? The circumstances in which improper business behaviour arises are as varied as the business environments in which your company operates. While we list here some classic avenues to explore, you should let yourself be guided throughout the due diligence process by your knowledge of the business practices in the country or industry and by your own common sense. At every stage, put yourself in the shoes of the party under review and ask yourself whether the element you are considering (ownership structure, business practice, and compensation) makes sense, whether it is common and expected or unusual and surprising, and when the latter, whether there is a legitimate explanation for it.
The following are examples of elements or ‘red flags’ that may increase the risk in a relationship:
The vocabulary of corruption is equally diverse, cultural, colloquial, contextual, and above all, unspoken or implied. Some expressions and body language are cross-cultural, and direct questions may elicit some of the information you seek. Nonetheless, your due diligence will be immeasurably more solid if you can involve someone who is sensitive not only to the words written or spoken but also to the cultural context and references they may suggest.
The risk factors, or red flags, cited above, and others you may encounter, will rarely constitute, on their own, violations of law that would warrant dismissal or non-engagement of the proposed third party. Some (such as the country or sector risk) are ‘generic’ and cannot be eliminated. In many situations, you may not have a practical commercial alternative but to work with a business partner even though the due diligence raises a red flag or two.
The purpose of due diligence is to identify the risks, particularly those specific to the parties and the transaction, so that you may evaluate in the most informed manner whether those risks can be appropriately controlled and improper behaviour prevented in the context of a future relationship with your company, and if so, how. If not, you will have the basis to make an informed decision to find another option.
The appearance of red flags in due diligence should lead you to gather more facts about the flagged areas to assess their significance, and, assuming the transaction goes forward, to design and effectively implement tailored compliance safeguards (whether in the form of contract clauses, written statements, trainings, or close monitoring during the relationship), so that you can fairly conclude that the red flag situation is appropriately mitigated and controlled to the point that you do not believe corruption is likely to occur.
3. Vetting the new third party
a) Communicating about the process: Setting expectations, involving all parties
The biggest difficulty you may face in implementing your due diligence programme could be the reticence of your own business colleagues as well as the third parties under review, even if they are conscious of the importance of the process and willing to cooperate.
You will want to streamline and tailor the vetting or due diligence programme, justify its steps by illustrating its purpose and importance, and educate people about timing considerations. You might directly ask your business colleagues some of the questions[Page141:]that the process is designed to answer, to impress upon them the importance of knowing the answer: “When the auditor comes, how will you demonstrate that your company complies with this legal obligation? How did you find this agent? What objective assurances can you give that this new agent will not implicate your company in an act of bribery?” This exercise may also help you to keep sight of the purpose of the due diligence exercise, and design appropriate tools to accomplish it.
You may also have to contend with your colleagues’ reluctance to spend time on new procedures in general: In addition to periodic training (discussed below), you will want to walk employees through their first due diligence exercises, until they are comfortable conducting the process alone, and have made it part of their routine.
Finally, you should anticipate that the practice of due diligence may be considered (genuinely or not) highly disconcerting and even insulting to some outside parties, particularly non-Western parties or those in senior business or government positions. You will want to pre-empt any misunderstanding by highlighting that due diligence is a standard procedure for your company, not a sign of mistrust of, or concern with, the particular third party under review. You will want to ensure that the practice of due diligence and what it entails is socialized as early as possible in the relationship. As an example, some companies publish and regularly communicate to the business world, via their websites, forums or chambers of commerce, their terms and conditions of doing business.
You will want to present and construct the process as a team exercise in which each party has a specific role to play. Involving more than one actor in the process increases your chances of obtaining all the relevant information on a timely basis, minimizes outcomes based on conflicts of interest, and places responsibility for an accurate and reasonably complete result on all the actors concerned.
The sponsoring employee or department within your company, who is generally the one primarily in contact with the third party, is typically best positioned to bring to the due diligence file information about the need for that party, how it was identified, a critical evaluation of the third party’s technical competence and expertise, and the commercial justification for the amount and form of compensation.
Other information may be obtained by research conducted by the department in charge of the due diligence. This department may want to involve a due diligence service provider or a professional investigator to add information regarding the proposed third party’s business reputation or ownership structure, especially if the information is otherwise not readily accessible.
Finally, your company may want to have the third party itself contribute to its due diligence file with completed self-descriptive questionnaires, documentation, statements, and guarantees about itself and its business practices, thus causing the third party to take active responsibility for its future behaviour.[Page142:]
b) Defining the scope of the due diligence
How much information is enough, and how long will it take? These will be the questions most frequently asked as you implement your due diligence procedures. Unfortunately, your answer can almost never be expressed in terms of standard timelines. It will depend on a number of variables, and the most precise answer to the timeframe question may be to present and briefly analyze these variables on a case-by-case basis with the person asking.
The most recurring variables will be the resources at your disposal to conduct due diligence, the category of risk posed by the proposed new relationship, the possibility of compound risk (the first layer of due diligence uncovers a red flag, which when investigated reveals additional red flags, also to be investigated), the degree of difficulty in obtaining the information (existence or not of complete and up-to-date public databases and other sources of information, cooperation you receive from the party under review), and the layers of internal reviews and approvals that you will chose to implement at the end of the process.
As you develop and tailor your procedures for identifying and controlling third-party risk, keep in mind that you are doing this in order to be able to answer questions from company directors, auditors, regulators, enforcement authorities, the press and the larger public, and potentially other stakeholders as well, and that the auditors and enforcement authorities will be looking not so much at how good your policies and procedures are on their face as how well you implement them. Be realistic about the resources at your disposal to control the risk. Build in adequate periods of time for the process. Well implemented and understood policies and procedures allow you to give more definitive answers on what risks exist and how you are in control of processes than ‘paper policies’ that are inconsistently or hurriedly applied. In order to be adequate, compliance procedures must be effectively and consistently implemented with the application of suitable resources.
c) Defining and tailoring the elements of the due diligence
The purpose of implementing third-party policies and procedures is to ensure that your business partners adhere to the same ethical and legal standards that you do in the context of their work with or on behalf of your company. You also want to ensure that you meet the standards laid out in applicable laws controlling your relationship with your business partners.
In some cases, being able to meet these goals will be relatively simple, few red flags will come up, and the due diligence process will require only documentation of the basic facts about the third party, in whatever format you will have chosen. In other cases, however, red flags may arise in the initial rounds of your due diligence that will require more in-depth consideration. When that happens, how you complete the due diligence will be unique to each new party, bearing in mind your goal: To put yourself in a position where you can demonstrate that you gave appropriate consideration to all the[Page143:]identified risks associated with the relationship and took reasonable steps to control and eliminate those risks.
The basic information – Your first round of information gathering will include basic information about the prospective service provider, such as name, legal status, status of any licenses and permits required for the entity to provide the goods or services under consideration, ownership, credit history, judicial and litigation history, qualifications and past experience of providing the goods or services expected, and general reputation. You may want to gather these basic facts for the entity and its owners and senior management from the outset, especially if faced with an owner or manager who is known to the public independently or who is closely associated with the company in the public eye.
In all first rounds, you want to try to determine whether any public official has a connection with or interest in the entity or its income, profits, or dividends (as owner, principal, lender, or close relative or business associate). Finally, in all first rounds, you want to note the circumstances in which the idea of a relationship arose and document the legitimate commercial purpose for hiring the services or purchasing the goods.
By contrast, if you find that the idea was rooted in a government official’s suggestion that paying for the services of entity X or the goods of entity Y could be helpful to your company winning a government tender or obtaining needed permits, this would be considered as a red flag. You would then want to be prepared to justify that you did have a legitimate and independent commercial need for the goods or services provided, that other vendors or service providers had a fair opportunity to work for you, and that entity X or entity Y was indeed the best qualified to provide the services or the goods, that it did indeed provide the services or goods in question in a good, merchantable, and workmanlike manner, that the compensation paid to entity X or entity Y was commercially reasonable, that the ownership and management of entity X or entity Y was independent of the government official rather than a conduit for improperly enriching the official, and that there was a proper explanation for the official’s recommendation.
Heightened due diligence by level of risk – After the first round of review, what would warrant additional due diligence, and potentially, additional compliance safeguards?
The Internet? – The process of collecting information may be done in large part online. Additionally, there are a number of companies who will undertake to carry out anti-corruption or reputational due diligence for you and provide you with a report that you can review. They may also advise you on identifying common red flags, and creating a series of questions specific to each. Naturally, as with all your other service providers, you will have to run that due diligence company through a due diligence process as well. These services are not inexpensive, but they can provide useful information and analysis if you do not have the resources within your company to gather and review the relevant facts yourself. There are some shared services options as well as companies that screen prospective third parties against lists of politically exposed persons and other lists of blocked or restricted parties.
Privacy considerations – Certain types of information requested during the due diligence process, particularly regarding individuals, may implicate privacy or data protection laws of the country where personnel are located. Companies may want to seek legal advice about what is permitted and try to tailor questions to get the necessary information while avoiding data protection or privacy law issues.
4. Deciding on a new business partner: Who makes the decision to hire, and how?
One of the strategic decisions you will have to make is how to bring the vetting process to a close. Who will do so, and on what basis?
One option is to have the results of the due diligence rest with the legal and/or compliance departments and give those departments veto rights. Or, you may choose to give the final decision to a committee that will have no direct relation (or a more diluted relation) to the third party going forward, or to company management, on the basis of the data assembled and recommendations made by both the sponsoring and legal and/or compliance departments.
These various options need not be mutually exclusive: You may, for example, want to leave a hiring decision for low-risk candidates primarily[Page145:]in the control of the sponsoring department with consultative input from the legal or compliance departments, and elevate the levels of approval required and the involvement of the legal and compliance departments as the risks identified with the third party increase.
5. How to pay your new business partner?
Your company, when contracting with a business partner, is free to negotiate the reasonable, arms-length form and amount of compensation to be paid for the services of the new business partner. There may be good and sufficient business justifications for many different types of compensation arrangements, including so-called success fees or similar incentive payments.
You will note, however, that compensation unrelated to hourly fees for documented time worked, such as a success or bonus fee can constitute a red flag. While there may be cases where success fees are appropriate and justifiable from a commercial point of view, we recommend that you give special consideration to the reasonableness and the commercial justification for such success fees or other similar lump sum compensation not tied to fees for hours of work. Keep also careful documentation of the legitimate business case for the engagement of the intermediary and of the nature and extent of the compensation.
1. Controlling the terms of the relationship
a) Sign the contract before services or goods are provided or payments are made
Written engagements should be entered into with the business partner. These will generally require, among others, the business partner to do the following: Acknowledge and agree to comply with applicable anti-corruption laws and your company’s Code of Conduct and policies on anti-corruption and compliance with laws (or maintain their own, consistent Code of Conduct and policies), affirm that these will be followed in the course of the relationship, and affirm that the party has not engaged in improper practices in the past in connection with the subject matter of the contract.
These undertakings act first and foremost as a test of the third party’s approach to anti-corruption. If your prospective business partner is threatened, annoyed, suspicious, or otherwise resists making such commitments, this constitutes a red flag and is best dealt with at an early stage. While such commitments may seem like a check-the-box exercise, they serve to demonstrate attention to the issue, and that the parties have an affirmative understanding regarding the avoidance of illegal practices in their business relationship, in case the issue comes up in an audit or court case against you or the other party or in a commercial dispute between you. In the latter case, they define the standard of conduct, and can justify the remedies you choose to impose for any breach, whether that is withholding of payment, termination of contract, making official reports or disclosures or other remedial actions you may choose.[Page146:]
b) Written anti-corruption contractual provisions
For the same reasons and purposes described for entering into binding written contracts, you will want to introduce detailed anti-corruption clauses in your contracts.
Contractual rights to verify the other party’s compliance with your policies or other measures to ensure compliance will often be helpful. As an example, you could require that other party’s staff assigned to the relationship take annual trainings prepared by the company, or you could require the right to conduct spot audits of their businesses or books and records.
You will also want to lay out clearly what will constitute a violation, what level of knowledge or certainty you must have in order to impose remedies, and what those remedies will be. You may want to oblige the third party to notify you in case there are changes in its ownership and control during the life of the contract that would bring additional risks. You may want to limit where and how payments can be made.
Different business or legal cultures have different approaches to contracts. What terms need to be defined, what elements the agreement has to cover, to what degree unlikely scenarios need to be addressed, may vary from one country or legal system to the other. ‘Common law’ lawyers are generally trained to pre-empt as many disputes as conceivable in the contract, so as to map out the future relationship under the contract with as much predictability as possible. This can draw impatient reactions from your prospective business partner and its legal counsel. If you see this being an issue, you may want to prepare to reassure your business partner and its counsel that your purpose in setting out anti-corruption clauses is merely to recognize what you are sure is a shared commitment to proper business practices, and that this is a standard practice for your company, not a suspicion raised against the prospective partner’s past or present practice.
c) Elements of anti-corruption contract provisions
As set out in the ICC Guidelines on Agents, Intermediaries and Other Third Parties (2010), you may wish to consider contract clauses that include the following matters:
Enterprises facing higher risks in connection with third parties may wish to consider additional safeguards such as:
You may wish to review the ICC Anti-Corruption Clause (2012) which is presented in Chapter 16 of this Training Handbook for additional background on anti-corruption contractual provisions.
2. Training of Business Partners
Should you also train your business partner’s personnel? Again, you may want to adopt a calibrated approach to this. Where you have requested and obtained copies of the business partners’ own compliance policies, training materials, and training records, and it appears the business partner has its own robust compliance programme and is committed to maintaining it, retraining by your company may be unnecessary. However, in all cases, you will want to confirm that the other party’s training programme has been fully and effectively implemented, and that the individuals working on your account have been trained.
Moreover, if you have specific compliance provisions you require the business partner to follow, or if you are uncertain as to the third party’s own programme or appreciation of the governing conduct standards, training may be necessary. Where the business partner is low-risk for other reasons (such as providing its services in a low-risk environment, not having any connection with government entities in the context of its work for your company, or because of the magnitude of the relationship), the nature and content of any anti-corruption training you provide can also be calibrated to this lower risk scenario.
Where this is not the case, however, training may be a valuable added assurance and compliance procedure, as well as an additional opportunity to discover and discuss corruption-related questions with the business partner that would not have arisen in other contexts. When you are at risk of being liable for any improper actions of your business partners, it makes good common sense to take steps to ensure that their personnel have been trained in anti-corruption compliance and general business ethics and compliance topics and that they know and understand your compliance with law and anti-corruption policies and procedures.[Page149:]
The anti-corruption training should include the business partner’s personnel assigned to the contract with your company and the business partner’s management. It could be conducted by your own qualified employees (such as in-house legal counsel or compliance officers) or by outside lawyers or other qualified experts, especially if the latter are used to train your company’s own staff.
3. Monitoring/Auditing
The training of your staff should allow you to rely on them as a first level of control on the actions of your business partners. However, you may want to conduct occasional in-depth reviews of a third-party’s behaviour, asking the third party to produce all of its required licenses and permits, asking to see relevant sections of their books, records and accounts, asking to interview key personnel to review their process for performing a particular service and asking to examine their compliance programme and training records.
As we have discussed in other parts of this Chapter, such requests may strain your relations with the party in question. That is when it will be useful to be able to refer back to contractual agreements or written statements dating back to the beginning of the relationship. It will also be in your interest to limit your requests to reasonable inquiries, and explain the reason for your request.
Whether or not you audit, the third party relationship needs to be monitored for changes or requests that could raise new red flags and risks. Invoices, additional payment requests, changes in ownership or control, new information about the operating environment including changes in the host government, can all produce conditions that need to be addressed from a risk standpoint.
4. Keeping records
What should your records on a third party contain? As with any other part of your business, your books and records should be an accurate, fair and reasonably detailed reflection of your business transactions with any party. In addition, in order to show that you have not looked away from the other party’s business practices but actively took steps intended to understand and control them, you will want to keep the records of your due diligence methodology, searches, and findings on the other party prior to the engagement (including searches that do not yield responsive information as well as searches that do), and records of the certifications, trainings and any monitoring that takes place in the course of the relationship. You will want to keep those at least as long as the relationship is in existence, and perhaps for some period of time thereafter, depending on your company’s general records retention policy and any applicable statutes of limitations.
[Page150:]
About the authors
Richard J. Battaglia was Senior Counsel, Regulatory Compliance, for BP for many years with global responsibility in the anti-corruption, trade sanctions, and export controls areas. He has over 35 years of experience in the international petroleum industry both as in-house legal counsel and with his own consulting business. Mr. Battaglia is a member of the ICC Commission on Corporate Responsibility and Anti-corruption and was instrumental in drafting the ICC Guidelines on Agents, Intermediaries and Other Third Parties (2010). In 2012, he became Senior Counsel in the Chicago office of Steptoe & Johnson LLP.
Lucinda A. Low is a partner in the Washington, DC office of Steptoe & Johnson LLP where she heads the firm’s anti-corruption practice. She advises clients on United States and international anti-corruption laws; counsels on joint ventures, mergers and acquisitions, and other business transactions and foreign operations issues; conducts internal investigations; and represents clients in enforcement matters before the Department of Justice, the Securities and Exchange Commission, and in World Bank and other International Financial Institutions sanctions proceedings. Ms. Low also represents investors in a broad array of investment disputes with commercial partners and host governments, including disputes involving issues of fraud and corruption. She is a member of the Board of Directors of Transparency International-USA.
[Page151:]
APPENDIX– Due Diligence Sample Checklist
For the Sponsoring Department
For the Legal and Compliance Department
For the proposed third party