In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”
While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.
International Anti-Corruption Day is this Friday, December 9.
At last week’s ACI FCPA Conference, Paul Abbate, Assistant Director in charge of the FBI’s Washington, DC field office, delivered a keynote address describing the mission of the FBI’s International Corruption Squads. Their mission includes the investigation of international corruption in violation of the Foreign Corrupt Practices Act (FCPA); acts of kleptocracy, in which heads of state steal large sums of money from their country; and money laundering, in which financial transactions are undertaken either in the furtherance of criminal activity – such as the payment of bribes – or to conceal the true origins of money obtained illegally. There is an elegance to the FBI’s international corruption squads’ mission, in that corruption, kleptocracy and money laundering intersect frequently, and the tracing of illicit money will often be the key to proving bribery and kleptocracy cases.
Before we get into how bribery, corruption and money laundering are interrelated, it helps to clarify what each of those terms means.
- Bribery is the offering or giving of something of value in order to induce the recipient to abuse his or her position in some way for the benefit of the bribe payer or the person or entity on whose behalf the bribe is being offered or paid.
- Corruption is the abuse of one’s official position for personal gain. Most often, corruption is the act of receiving a bribe.
- Kleptocracy is corruption on the grandest scale possible. It is when a head of state or someone acting on that person’s behalf steals large sums of money from their country’s treasury for their own personal gain.
- Money laundering is undertaking financial transactions with either the proceeds of unlawful activity or in an effort to conceal the origins of ill-gotten money. There are three stages of money laundering: placement, layering and integration. Placement is the introduction of money earned through criminal activity into the financial system. Layering, typically, is a series of transactions undertaken solely for the purpose of obscuring the origins of the illicit money. Integration is the point at which the layering has had the effect of making the illicit money seem as if it was obtained through legitimate means.
Of the four crimes above, the one that is discussed and enforced most often, through FCPA action, is bribery. We have discussed it here, here, and here. However, the FCPA only criminalizes the supply side of bribery, i.e., when companies offer or pay bribes to foreign officials in exchange for an unfair business advantage. What’s interesting is that in recent months the FBI has begun to give voice to the less-understood “demand” side of bribery – corruption and kleptocracy – an aspect that has traditionally been left to the home countries from where corrupt officials operate.
Specifically, the FBI and the Department of Justice’s (DOJ) Asset Forfeiture and Money Laundering Section have been focusing on kleptocracy through the Kleptocracy Asset Recovery Initiative. Most notably, in July of this year (2016), the DOJ initiated the largest ever kleptocracy-related asset forfeiture action, in which allegations of the looting of billions of dollars from Malaysia’s sovereign wealth fund led to the seizing of $1 billion of assets in the U.S., the UK and Switzerland. The seized assets included luxury hotels in New York City and Beverly Hills, penthouse apartments, a private jet, and an ownership interest in the production company that produced the movie “The Wolf of Wall Street.”
The 1MDB kleptocracy civil asset forfeiture action was brought under the civil money-laundering statute in that the assets were involved in or represented the proceeds of money misappropriated from Malaysia’s sovereign wealth fund. While this is the largest civil forfeiture action to date brought under the Kleptocracy Asset Recovery Initiative, the nexus between corruption, kleptocracy and money laundering is nothing new. In fact, the whole concept of “politically exposed persons,” or PEPs, and their designation as high-risk banking customers, came about as a result of multiple scandals in which heads of state looted their government treasuries and then laundered the money through the traditional banking system. Ferdinand Marcos, Baby Doc Duvalier, Raul Salinas, Suharto, Manuel Noriega, Saddam Hussein – the list seems endless. These corrupt leaders, who famously looted the treasuries of their countries, also set the tone for corruption across their governments. In many instances, their corruption doesn’t just set the tone, but is sanctioned by them, and the bulk of the proceeds of the corrupt payments received benefit the corrupt presidents and their families.
Perhaps no case better illustrates the government’s rationale behind combining its FCPA investigative efforts with the DOJ’s ongoing anti-kleptocracy initiative than the VimpelCom case. In February this year, Dutch telecom company VimpelCom settled a DOJ and SEC investigation by agreeing to pay a combined $795 million to U.S. and Dutch authorities in connection with $114 million in bribes paid to a relative of an Uzbek government official in order for the company to enter and remain in the Uzbek telecommunications market. While the government official in this case is unnamed, the money is traced to Uzbek president Islam Karimov’s eldest daughter, Gulnara Karimova. Karimova, who at the time held control over the country’s telecom assets and the issuance of mobile phone system operating licenses, has been under house arrest for the past two years in connection with corruption allegations that she pocketed more than $1 billion in bribe payments, including shares in the telecom companies she licensed. In addition to securing the guilty plea and deferred prosecution agreement with VimpelCom and its Uzbek subsidiary, the DOJ has filed civil actions against multiple offshore bank accounts that are alleged to belong to the unnamed Uzbek official and hold a total of $850 million. This was the largest civil forfeiture action in the history of the DOJ’s kleptocracy initiative before the 1MDB suit was filed in July.
The recent integrated approach by the FBI to FCPA, kleptocracy and money-laundering enforcement should be viewed as more than a source of shocking stories about fabulous riches obtained by power-hungry autocratic rulers in far-away countries. It should serve as an important reminder to compliance professionals and corporate executives that greed is a byproduct of human nature, enabled by the right conditions of opportunity, lack of ethics and lack of oversight. Compliance, therefore, should be more than a list of “must do” checkboxes – it should be about the moral obligation of the organization, and each individual within it, to operate ethically and to consider any unethical action holistically, from all sides and all possible consequences, in order to prevent, deter and set a tone against corruption and not contribute to the human suffering that corruption and kleptocracy cause.
November 13-19 is Fraud Awareness Week. Once again, we are celebrating by highlighting the perspectives of leaders in the Protiviti Forensic practice and other fraud and anti-corruption professionals. To learn more, visit Protiviti Forensic online.
One of the more interesting threads to come out of panel discussions at Protiviti’s inaugural Foreign Corrupt Practices Act and Anti-Kleptocracy Conference this summer was a discussion of the Securities and Exchange Commission’s (SEC) crackdown on hiring the offspring of foreign officials to gain business advantage. Chuck Duross, Head of the Anti-Corruption Practice at Morrison & Foerster, Matt Tanzer, Chief Ethics and Compliance Officer at Johnson Controls, and Raja Chatterjee, Chief Risk Officer at Tishman Speyer, discussed the topic during our FCPA Compliance Success Stories panel moderated by Protiviti Director Pam Verick. Below, I’d like to offer you a recap of the perspectives they provided, with which I, and many anti-corruption advisory practitioners very much agree.
Anyone with hiring authority has likely been approached by a friend, a customer, or an important business contact, seeking to leverage the relationship on behalf of a family member seeking a job or internship. In fact, employee referrals are often encouraged and even institutionalized since such recruiting channels are a much lower-cost alternative to the use of outside recruiters. Even when the identification of candidates through referrals is not programmatic, the practice is common. Thus, the old saying: “It’s not what you know, but who you know.”
The rules are different, however, when the person doing the asking is a foreign government official, and the employment offer could be construed as “something of value” that has been offered in exchange for an unfair business advantage. Such quid pro quo arrangements fall under rules of the Foreign Corrupt Practices Act (FCPA). The practice has come to be known as the “princeling” problem — because many of the beneficiaries, especially in China, are the offspring of senior Chinese government officials, often referred to as “princelings” — and the SEC has been particularly focused on the practice.
The FCPA prohibits companies from improperly influencing foreign officials with anything of value, including cash payments, gifts, or in this case, jobs or internships.
In one high-profile case, a telecom company agreed to pay almost $8 million to settle an FCPA enforcement action for hiring relatives of Chinese government officials. In another, a major financial holding company paid almost twice that for providing student internships to family members of foreign government officials affiliated with a Middle Eastern sovereign wealth fund. The latter case raised a lot of eyebrows, because two of the internships in question were unpaid. The SEC contended that the value was in the internship itself, which was a coveted and highly competitive position.
It’s easy to see how a company could get into trouble. Executives tend to be sales-focused when meeting with clients, so there’s a natural tendency to accommodate an important business contact when they mention that a family member needs help finding a job. The resulting internal efforts undertaken on behalf of the candidate most often occur by email. Resumes are communicated by email and then are forwarded along to someone in a recruiting role along with some context as to who the candidate is. It wouldn’t be unusual if that email overstated the importance of the relationship with the business contact asking for the favor in an effort to ensure that the candidate gets the desired attention. Those emails, which may even include the original email from the foreign official who transmitted the candidate’s resume in the first place, can make it very difficult to deny a quid pro quo. The trouble is multiplied if the business contact making the request is a foreign official who wields influence over the company’s business and especially if the candidate is not someone who meets the company’s hiring criteria for the position. This is when the FCPA gets involved.
From a compliance perspective, the key to avoiding trouble is to have a structure in place to prevent such conflicts from developing. One of the best ways to do that is through segregation of duties — separating sales from hiring decisions. Taking executives out of the hiring loop allows them to be gracious in the moment, by agreeing, perhaps, to accept a resume, but with the understanding that they have no sway in the decision-making process. Empowering the Human Resource department to function independently helps to ensure that all hiring decisions are made based on objective qualifications, independent of any business dealings.
In addition, documented policies and procedures, and a clear paper trail, can ultimately serve as a backstop in the event of, say, a whistleblower complaint. If the company has a record, it can demonstrate to investigators that the position was open, the applicant was qualified, and the hiring followed normal vetting procedures.
By and large, human resources and recruiting personnel want what is best for the organization, and they understand the importance of compliance. Aligning an organization’s hiring practices with the anti-corruption program by communicating and applying proper hiring procedures that separate the recipients of backchannel candidates from the hiring decisions may look like unnecessary hoops to jump through but can mean the difference between being the latest example of “the princeling problem” or not.
As mentioned in my post last week, one of the ways the Department of Justice (DOJ) determines whether or not a company has performed the required anti-corruption due diligence when acquiring an entity is looking at whether the new entity was promptly incorporated into the acquiring company’s internal controls, including its compliance program.
There are three main areas to focus on in order to successfully accomplish this integration, whether it be into your existing anti-corruption program or one that has been newly established. These are:
- Identifying the universe of foreign official touchpoints
- Fully identifying the intermediaries among third parties, and
- Examining hiring practices as they relate to foreign officials
Mapping Foreign Official Touchpoints
Most senior executives struggle to understand the term “foreign officials.” The designation includes not only government officials but employees of state-owned companies and public international organizations like the World Bank or the United Nations. Further, when companies look at foreign officials, the focus of scrutiny tends to be on customers, while failing to consider the various ways in which companies routinely interact with government agencies at the federal, state and local level and the ways those interactions can be problematic. It is therefore critically important to perform an exhaustive “inventory” of all of the ways that the organization may come into contact with foreign officials, not just among the company’s customer base, but through the various ways in which the company may interact with such persons in connection with meeting regulatory, legal, administrative and licensing obligations as well as any other way there may be contact, official or unofficial. Mapping these relationships, examining them and then prioritizing them in terms of the potential risk is a critically important step to successfully integrating the acquired entity into the acquiring organization and its compliance program.
Fully Identifying Intermediaries
In the overwhelming majority of FCPA prosecutions, the bribe payers are business intermediaries acting on behalf of the defendant company. It is not common practice to delve deeply into business intermediaries during pre-acquisition due diligence, and yet most FCPA risk resides within those relationships. Part of the process of identifying intermediaries is doing something similar to the mapping of foreign official touchpoints discussed above. Understanding the activities of each intermediary and determining whether and to what extent they may be interacting with foreign officials on the company’s behalf will make mitigating the potential corruption risk of the newly acquired entity a far less challenging exercise.
Examining Hiring Practices
Government touchpoints extend to the hiring of employees, interns and consultants. In several recent cases, the SEC has charged companies with FCPA violations in connection with hiring employees or interns who would not have otherwise been hired were it not for the fact that their family members were government officials in a position to award business to the defendant companies. Most companies do not include hiring practices in their anti-corruption program risk assessments, nor do they examine how a candidate was sourced and whether a prospective hire poses any added FCPA risk. While simply hiring a family member of a foreign government official does not violate the FCPA, it is the hiring decision that could eventually come under intense scrutiny. The key is ensuring that the candidate has met or exceeded all of the criteria for the position and there is no indication of a quid pro quo. Since such a hire represents heightened risk, some organizations require additional controls, such as increased levels of approval prior to extending an offer to a family member or associate of a foreign official.
In closing, acquisitive companies should seek to examine the potential FCPA risk of a prospective acquisition within the constraints of the information that is made available to them pre-close and then perform a timely, thorough risk assessment focusing on the three areas above: touchpoints with foreign officials and the acquired entity’s intermediaries – especially those who are interacting with foreign officials on the company’s behalf – and the alignment of recruiting and hiring activities with the company’s anti-corruption compliance program. It is not uncommon for a company to get more than it bargains for when buying an entity – such as ongoing fraud and bribery schemes. Being able to demonstrate the lengths the company has gone to root them out will make all the difference in the government’s determination as to whether to hold it accountable for someone else’s sins.
At our inaugural Foreign Corrupt Practices Act (FCPA) and Kleptocracy Conference a few months ago we touched very briefly on one important issue — that of successor liability, or the potential FCPA trouble companies can acquire through mergers and acquisitions (M&A). The issue is top of mind both for global organizations and U.S. companies considering international expansion through acquisition, and as such I want to shed some light on it here.
When a company merges with or acquires another company, the successor company risks assuming the predecessor company’s liabilities, including for any FCPA violations that occurred prior to the merger having been finalized.
In November 2012, the Criminal Division of the U.S. Department of Justice (DOJ) and the Enforcement Division of the U.S. Securities and Exchange Commission (SEC) jointly released A Resource Guide to the U.S. Foreign Corrupt Practices Act (“the Guide”). Since the Guide’s publication, companies and their counsel have been utilizing the Guide and the Hallmarks of an Effective Compliance Program delineated in it. One of the hallmarks is entitled “Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration” and states in part:
“Inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target.”
What exactly constitutes due diligence in this context? In the traditional sense, M&A due diligence is an analysis of the finances and legal implications of the acquisition. The term, however, has expanded, and now often includes background investigations of the acquisition target, as well as its key executives/control persons and critical business intermediaries, including sales agents and distributors, to the extent they are an important part of the business model.
Another important, and sometimes overlooked, aspect of acquisition due diligence is the performance of an anti-corruption risk assessment. In a perfect world, all acquisition targets have robust anti-corruption programs. In actuality, many small-to-midsize companies operating overseas do not have any type of anti-corruption program. This makes the performance of a high-level anti-corruption risk assessment that much more important. Gaining an understanding of the company’s ownership group, executive team, customer base, distribution channels, products and services, sales and marketing activities, and overall nexus to foreign officials will better position the acquiring entity in evaluating the true purchase price, inclusive of any compliance remediation work that may be necessary to properly integrate the acquired company post-acquisition. Not only does an anti-corruption risk assessment on the front end lower the acquiring company’s risk of a future bribery violation, it could also provide it additional leverage in negotiating a more favorable purchase price that reflects the FCPA exposure.
How much diligence is required?
The FCPA Guide recognizes that even the most robust acquisition due diligence is based upon limited information, and so allows for a grace period (although no time period is defined) to integrate the acquired company into the acquirer’s ethics and compliance program and overall control environment. Indeed, the post-integration actions a company takes factor heavily into whether it will be held liable for the actions of the acquired company. According to the Guide:
“DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program.”
The clear implication of this statement is that simply performing robust due diligence on the front end of an acquisition is not enough. There needs to be an urgency with which the newly acquired entity is brought into alignment with all of the hallmarks and associated controls of the acquirer’s anti-corruption program. Failing to do so can lead to the same types of fines, penalties and market capitalization impact that could result if improper acts of the acquired company were committed by the acquiring company itself.
I want to emphasize something that the FCPA Guide is mute on. This is the fairly common scenario in which a U.S.-based company makes an acquisition that causes it to become global overnight. Bringing the newly acquired entity into alignment with an existing anti-corruption program is a bigger challenge in this case, either because the acquiring company does not have a program to begin with, or because the one it has is not risk appropriate given the newly expanded business. This exact scenario isn’t contemplated in the FCPA Guide but it should be considered by companies faced with that situation.
Whether the acquirer has a robust anti-corruption program into which to integrate a newly acquired entity or the program needs to be built and implemented while integrating, what’s most important is being able to demonstrate a strong command of the potential corruption risks associated with the acquired company’s operations and showing that the acquiring company has taken meaningful steps to identify those risks and implement controls to mitigate them.
I’m going to address specific steps for successful integration into a company’s existing anti-corruption program in a subsequent blog post – stay tuned.
I’ve written before about how the Department of Justice (DoJ) is stepping up efforts to root out and prosecute corporate fraud, particularly bribery and corruption, under the Foreign Corrupt Practices Act (FCPA). One of the biggest complaints I’ve heard from clients and their counsel is that there are varying degrees of credit and reduced fines and disgorgements granted for companies that self-report and that some have found it difficult to calculate the potential benefits of self-reporting.
The DoJ recognizes this perceived disparity and in April launched a pilot program to encourage corporate compliance through an incentive program offering up to 50 percent off of fines and minimum sentencing guidelines for companies that self-report FCPA violations, cooperate with investigators and take measures to prevent future fraud.
In May, Protiviti held its first FCPA and Anti-Kleptocracy Conference, bringing corporate executives and compliance officers together with government corruption investigators in a neutral environment to share ideas and build constructive alliances. It was a lively exchange. I came away with a lot to think about, and I’ll be sharing some of it here on The Protiviti View, beginning with this post on compliance considerations.
Last year, the Department of Justice signaled an increased focus on corporate crime and international corruption with the creation, in March, of three dedicated FCPA squads, and a subsequent memo from Deputy Attorney General Sally Quillian Yates to DoJ attorneys on the importance of holding individuals accountable in corporate prosecutions.
At the same time, to encourage corporate cooperation and transparency, the DoJ began touting incentives, such as reduced penalties, for executives and corporations that demonstrate good faith in the investigation and a proactive stance toward prevention going forward. The recently announced pilot program is a good example of that. With so much to gain from cooperation and so much to lose, compliance has never been more important.
One of the speakers at the FCPA conference was Laura Perkins, an assistant chief in the DoJ’s FCPA unit, where she supervises and prosecutes FCPA cases against individuals and companies. According to Perkins, one of the first things the DoJ looks at, upon responding to an incident, is the quality of a company’s compliance program and controls. They initiate discussions with the company and quickly begin to form opinions about how transparent and cooperative the organization is going to be in the investigation.
The DoJ will ask about compliance programs prior to the incident, efforts to find root causes, discipline of responsible parties and actions taken post-incident to prevent future corruption.
Perkins mentioned that one of the more significant changes within the DoJ is its retention of a compliance counsel – someone who attends compliance meetings at target companies to get an inside picture, as well as helps some of the trial attorneys who don’t have as much exposure to compliance and controls and what they should look like.
When it comes to discipline, the DoJ isn’t as concerned with outright dismissal as it is with ensuring that the punishment fits the crime. With minor infractions, training is often sufficient. The important thing here, from a compliance perspective, is being able to document and demonstrate the controls and practices in place to ensure FCPA compliance, the mechanisms in place to detect violations, and the rigor and sincerity of corrective efforts to prevent future violations.
From my perspective here at Protiviti, I would add that the best compliance programs are those based on real-world examples. There is much that can be learned from the mistakes of others and from the open exchange of ideas – which was one of the primary motivations for our FCPA conference.
Finally, I would note that a strong anti-corruption culture discourages corrupt parties from targeting your organization in the first place. Here’s what such a culture looks like, according to the DoJ:
- Sufficient compliance-dedicated resources;
- Competent compliance personnel who are sufficiently compensated and promoted;
- Compliance function independence and reporting structure;
- Compliance program crafted from an effective risk assessment; and
- Compliance program audited regularly to assess its effectiveness.
In future posts, I’ll examine the DoJ’s pilot program in greater detail, discuss ways to avoid FCPA successor liability through acquisitions and contracts with third parties, and address some other topics discussed during our FCPA and Anti-Kleptocracy Conference.
The Panama Papers leak has offered a window into the ugly underside of private banking, trust and estate planning and tax-avoidance strategies. While the revelations about how thieves, kleptocrats, drug lords and the ultra-rich hide their secret wealth make for most interesting reading, some may struggle to see how the misfortunes of a Panama-based law firm and its well-heeled clients can bear any relevance to corporate compliance. In actuality, much can be learned from the Panama Papers case and applied to corporate compliance programs. Below, I’m going to give you a brief preview of some of the risks that the case has served to reaffirm, and the associated compliance practices that can mitigate the exposure to those risks.
Some would argue that the Panama Papers leak is an “ethical hack” – perhaps the newest oxymoron to become a part of the compliance vernacular. While this may be true, the case demonstrates the increased sophistication of hackers – both in cyber hacks meant to expose crimes and in those meant to commit them. Recent examples evidencing the increased sophistication and power of cyber crime as a weapon include the 2015 hack into several business newswire services holding the not-yet-released earnings of publicly traded companies in the U.S., whereby criminals executed stock trades worth $100 million in advance of the earnings releases; the hacks of millions of U.S. Government top secret clearance applications containing exhaustive personal information on millions of federal employees, presidential appointees and government contractors; and the explosion in business email compromise cases, in which malware is used to penetrate the firewalls of companies, gain access to wire transfer credentials and wire millions directly from the companies’ bank accounts.
The Panama Papers leak highlighted once again how important it is to know your business partners – from knowing who owns the law firm or service provider you are entrusting your most sensitive legal, litigation, tax strategy or wealth management issues to, to understanding whether your sales agent has an undisclosed conflict of interest in the government-owned companies to which he or she is selling your products or services.
Indeed, many of the initial conversations embattled companies have with the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) about potential FCPA violations center on the companies’ knowledge and understanding of their customers and business partners, including the perceived risks that they pose to the company, the classification of these perceived risks, and the enhanced standard of care that the company’s high-risk customers and intermediaries are held to. Companies are expected to be able to answer questions about their third-party partners and customers without hesitation. Those that are unable to readily identify their high-risk customers and business partners in meetings with the DOJ and the SEC will likely be required to develop a plan for addressing these issues and then report back on their progress.
A Resource Guide to the U.S. Foreign Corrupt Practices Act (“the Guide”), jointly released by the Criminal Division of the DOJ and the Enforcement Division of the SEC in November 2012, provides useful information about third-party due diligence, beginning on page 57, in the section titled “Hallmarks of an Effective Compliance Program.”
In essence, the Guide states that while due diligence may and should vary depending upon the degree of risk and other factors, “some guiding principles always apply.” These guiding principles are summarized below:
Qualifications and Associations
Companies should inquire about the third party’s business reputation and its relationships, if any, with foreign officials. How long has the third party been in business, and does it have prior experience providing the goods or services it is offering? Equally important considerations include whether other companies were considered for the job, whether there was a competitive bidding process, and whether the company was “recommended” by a foreign official.
Business Rationale
Companies must be able to provide a rationale for hiring the third party and ensure that the third-party contract and payments are commensurate with industry and country standards. Ensure the contract terms specifically describe the goods or services to be provided. The timing of the third party’s introduction to the company must also be justified, or it may call into question the motives and legitimacy of the business rationale. Often, after a long pursuit of a business opportunity and perhaps a bureaucratic delay (real or orchestrated), a government official may suggest retaining a consultant to help usher the deal through the bureaucracy. The timing of the bureaucratic snarl and the introduction of the consultant could be a way for the foreign official to exact an improper payment through his or her undisclosed ownership of, and cooperation with, the consultant the official is urging you to retain.
Ongoing Monitoring
The Guide suggests that ongoing monitoring may include “updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.” The DOJ and SEC are also interested in whether the company has informed third parties of the compliance program and the company’s commitment to ethical and lawful business practices, and whether it has sought assurances that they, too, are committed to ethical and lawful business practices.
In addition to these three guiding principles, I want to add “Eight Essentials” of a third-party anti-corruption program:
- Scope – Determine which of your vendors or service providers should be included in the scope of your third-party anti-corruption program and the criteria on which you base those selections.
- Sponsorship – Designate a business sponsor – an internal person responsible for specific third parties included in the scope of your program – who can be held accountable should the relationship prove problematic.
- Justification – Have a business rationale for each third party, particularly those that pose heightened corruption risk.
- Collection – Collect enough information about the third party, its ownership, history and key personnel to enable you to make risk-based decisions about the party’s suitability to conduct business with your company.
- Certification – Share your anti-corruption policy with your third-party partners and obtain their agreement to re-certify to it annually.
- Scoring – Use information you’ve collected through various means (questionnaires, watchlists, proprietary databases, etc.) to apply objective risk scoring criteria to each of your third parties and perform investigative due diligence, payment reviews and ongoing monitoring according to the risk score of the party.
- Contracts – Ensure that each third party is under contract and that the contracts include language addressing the party’s obligations under your anti-corruption program.
- Communication – Through your designated business sponsor, keep third parties informed about the company’s anti-corruption program, training and other issues relevant to them.
I don’t know how far clients of Panama-based Mossack Fonseca followed the recommendations above to ensure the law firm’s business practices and cyber security were commensurate with the value of the entrusted information – clearly, many of them were more interested in the firm’s ability to set up shell companies than in ensuring the security of the information they were entrusting to the firm. As intriguing as the case is, providing a window into the lives of the ultra-rich and powerful, its real effect should be to cause companies and individuals, high net worth or not, to take careful stock of the third parties to whom they entrust their highly sensitive information, perform appropriate background investigations of them and scrutinize the ability of the third party to safeguard its clients’ data by using the information security and encryption standards that the clients themselves follow. To this end, companies should be examining not only the third-party provider’s expertise, reputation, integrity, historical conduct and qualifications, but also the specific steps that this provider has taken to ensure that sensitive data is secure, encrypted and not susceptible to either physical theft or exfiltration resulting from a data breach.