by Matteson Ellis
A recent survey conducted by Deloitte found that companies’ FCPA due diligence on business partners remains low. A considerable number of respondents said they typically only conduct anti-corruption due diligence and risk assessments on up to a quarter of their business partners. Five percent of respondents conduct no third party due diligence at all.
Third party due diligence can create a real challenge for global companies. It is not uncommon for some companies to work with, and have to vet, thousands of third parties. Tyco had to build its due diligence program to cover more than 32,000 resellers, distributors and other partners. Twelve percent (12%) of the companies surveyed by Deloitte said they work with more than 10,000 business partners.
The more third parties that a company uses, the higher the company’s exposure to FCPA liability. More third parties also means more time and expense necessary to implement a comprehensive due diligence program. In the Deloitte survey, respondents cited cost as the most important factor in their failure to undertake adequate due diligence measures.
A common challenge for companies getting up to speed on their due diligence programs relates to addressing their current business relationships. Even if a company has implemented procedures to vet new partners going forward, it still must vet the “backlog” of current partners (a process also known as “remedial due diligence”).
Consider this typical situation. A global company with thousands of business partners conducts a risk review of its current business relationships and, based on the results, classifies them into tiers according to corruption risk levels. Pursuant to industry benchmarks, it selects the top 10% as the highest risk and prioritizes due diligence efforts on these companies first. But this group still yields several thousand third parties. How does the company quickly conduct due diligence on these business partners in a way that is both efficient and meaningful? If the company spends just a few hundred dollars to review each third party (which is on the low end of normal costs), it would still need to budget almost one million dollars just for basic due diligence.
5 Ways Companies Can Handle Backlogs
Here are some ways that a company can handle this situation:
1. Use the opportunity to build internal capacity. Some companies see this situation as an opportunity to build the internal capabilities they will eventually need to run a fully-functioning anti-corruption compliance program. For larger companies, comprehensive programs generally require numerous full-time staff with knowledge of how to navigate the complicated and inevitable compliance issues that arise. Training qualified staff now will pave the way toward a streamlined compliance team in the future.
2. Outsource and negotiate a good rate. A company will need to spend money to get its due diligence program up to speed no matter what. If the company is large enough, it can outsource the work and use its leverage to negotiate a preferential rate. There are now an overwhelming number of due diligence providers in the compliance space. Competition can be fierce. Global companies can use this landscape to their advantage.
3. Prioritize due diligence on the highest of the highest risk. The company can roll out its due diligence in steps, first focusing on the highest of the highest risk. Which third parties assist the company in countries where corruption risk is most prevalent, countries like Argentina, Angola and China? Which ones generate the most business? Which ones have known pending business? Which ones are paid on a commission basis? Which ones receive the most money from the company? After reviewing these entities, the company can then methodically work its way through the next levels of risk from there.
4. Prioritize due diligence where no contracts exist. Companies can focus first on the business partners with whom they do not yet have a written contract in place. FCPA attorney Michael Volkov says: “Companies are usually surprised to discover how many third parties have no contracts at all.” He advises companies to first vet the third parties in this group that are receiving the most money from the company and then proceed in an orderly way from there. Contract formation and due diligence phases are thereby wrapped together.
5. Build due diligence into contract renewals. James Tillen, coordinator of Miller & Chevalier’s FCPA and Anti-Corruption Practice Group, says that companies can also look at the natural life cycles of the contracts currently in place to find opportunities to roll out due diligence. He says, “Eventually all companies will need to be reviewed. But contract renewals can provide a helpful starting point that works to minimize disruption of core business practices.” He also suggests that companies prioritize “evergreen” contracts (those in place for an indefinite period of time) since those contracts will not be subject to a renewal process. Companies should also convert evergreen to term contracts as a basic risk mitigation step.
Of course, the most sure-fire way of reducing third party risk and lowering the due diligence bill is to eliminate the use of third parties from your business altogether. For most companies, though, this is easier said than done.
Matteson Ellis is founder and principal of Matteson Ellis Law PLLC, a law firm focusing on U.S. Foreign Corrupt Practices Act (FCPA) compliance and enforcement. He has extensive experience in a broad range of international anti-corruption areas. Before forming Matteson Ellis Law, he worked on FCPA and anti-corruption matters in the Washington, D.C., offices of Miller & Chevalier Chartered, Coudert Brothers LLP and The World Bank.