An introduction to third-party risk management
Third-party risk management—also known as “TPRM”—is the process by which organizations collect, synthesize, evaluate, prioritize, mitigate, and monitor the risk posed by an external party to the operations of the organization overall. TPRM is a continuous process that begins when the primary organization first contemplates contracting with an external party to provide goods or services and culminates when the business relationship ends.
The TPRM process serves a number of practical business purposes. First, TPRM allows organizations to capture the complete panoply of risks that emanate from its relationships with its suppliers, vendors, distributors, resellers, service providers, intermediaries, and other agents on which it relies. Second, TPRM enables the organization to proactively address more heightened risks that may be unique to a certain party and/or foreign jurisdiction. Such risks can arise in a financial, operational, reputational, legal, or regulatory context. Third, TPRM is a staple of key enforcement authority guidance concerning the functioning of an effective corporate compliance program. In an increasingly interdependent economic climate, the proliferation of sanctions and trade regulations, growing supply chain visibility requirements, and the emergence of environmental, social and governance (“ESG”) concerns make effective TPRM a core operational necessity for compliance-conscious organizations.
Due diligence: the foundation of TPRM
Due diligence—the collection, synthesis and evaluation of information pertaining to a prospective third party partner—is the cornerstone of effective TPRM. In the due diligence phase, organizations gather basic information concerning the counterparty with whom it intends to conduct business. This information includes, but is not limited to, information concerning the corporate structure and legal status of the third party in question; complete ultimate beneficial ownership (“UBO”) information; details concerning the third party’s current financial status; information concerning the recent legal and regulatory history of the third party; and particulars concerning the operation of the third party’s compliance program. Although the collection of this information will vary considerably depending on the nature of the business relationship in question—the due diligence required of a domestic paper supplier, for instance, would not be as involved as the due diligence required for a potential joint venture partner in the Middle East—the core aim of due diligence is the same; namely, to identify any major risks that would inure to the organization should it choose to engage the third party in question.
Notably, U.S. government guidance requires that such diligence be “risk-based” or appropriately tailored to account for the particulars of a given transaction with a specific third party in a particular region. In this vein, U.S. Department of Justice Guidance Concerning the Evaluation of Corporate Compliance Programs (“Compliance Guidance”) emphasize that organizations should conduct heightened due diligence of parties widely recognized as potential sources of illegal activity—including, most prominently, an organization’s “agents, consultants, and distributors” that are commonly used to conceal misconduct, including most notoriously, the “payment of bribes to foreign officials [involved] in international business transactions.” As statistics from Stanford University’s Foreign Corrupt Practices Act (“FCPA”) Clearinghouse reveal, a clear majority of FCPA violations originate from an organization’s involvement with intermediaries that facilitate the bribery of foreign government officials.
Under the FCPA’s “anti-bribery” provisions, it is illegal to offer to pay, pay, promise to pay, or authorize the payment of money or anything of value to a foreign official to influence any act or decision of the foreign official in his or her official capacity or to secure any other improper commercial advantage. While textually, the FCPA applies only to certain “domestic concerns” and “issuers” of securities traded on U.S. stock exchanges, in practice, the FCPA’s sweeping anti-bribery prohibitions have been used to prosecute even the most remote conduct by subsidiaries of U.S.-based or publicly traded companies found to have engaged in quid pro quo conduct utilizing interstate commerce. In addition, the FCPA contains robust “accounting” provisions that obligate issuers to maintain “books and records” that accurately and fairly reflect an issuer’s transactions and dispositions of assets, as well as a system of “internal controls” sufficient to assure management’s control, authority, and responsibility over the issuer’s assets. Collectively, the “accounting” provisions of the FCPA have been employed with increasing frequency by the DOJ and SEC to reach conduct that does not violate the letter of the “anti-bribery” provisions, but nonetheless implicate misconduct on the part of an issuer in concealing the underlying financial activity by falsifying books and records. In short, due diligence is essential to ensuring that organizations with international reach minimize the potential for exposure to FCPA liability.
The DOJ’s Compliance Guidance also provides compliance professionals with a helpful, general framework for approaching their due diligence obligations. Among other things, the Compliance Guidance emphasizes that organizations should understand the complete business rationale underlying the need to engage the third party in question, and the objective risks posed to the organization by engaging that third party—particularly as it relates to anti-bribery and corruption concerns. In addition, organizations are cautioned to make diligent use of specific contractual terms setting forth the exact nature of the work to be performed, and the precise compensation to be paid. Finally, the Compliance Guidance emphasizes the need to engage in “ongoing monitoring” of an organization’s third party relationships through updated due diligence, periodic audits, occasional training, and annual compliance attestations. Here, it seems trite, but necessary to emphasize that initial due diligence only is insufficient to meet regulator expectations and could be viewed as an aggravating factor in the context of an enforcement action examining the efficacy of the organization’s TPRM program overall. The bottom line is that organizations are legally obliged to conduct ongoing, periodic, updated due diligence of all third party partners with whom they contract from the inception of the business relationship through contract termination.
At a minimum, the initial due diligence required of an organization mandates the use of a restricted and denied party screening database. Both the United States and its international counterparts increasingly rely on list-based designations of specific entities and individuals with whom organizations are either restricted from doing business or banned from conducting any transactions altogether. Violations of sanctions regulations—particularly those administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”)—can carry a host of repercussions for would-be violators, including exposure to civil—and potentially even criminal—liability. Even organizations that operate wholly outside of the United States could be exposed to secondary sanctions risk for transacting business with a designated person when similar conduct by a U.S. Person would itself be illegal. Additionally, organizations must be cognizant of OFAC’s unique “Fifty Percent Rule,” pursuant to which any entity owned fifty percent or more in the aggregate by a blocked person (or multiple persons) is itself considered blocked for purposes of sanctions regulations. This is especially significant when dealing with entities and individuals contained on OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDNs”). Careful screening of a potential third party partner—and where applicable, the immediate and ultimate beneficial owners of that partner—is thus an imperative for organizations as part of the due diligence process.
Prioritizing and remediating third party risks
Of course, not all third party risks are created equally. Organizations with international operations should accordingly devote more resources to monitoring their relationships with third parties posing the greatest risk to the organization overall. For instance, an organization with substantial international operations in countries like Iraq or Sudan should generally devote more compliance resources to monitoring the activities of their third party partners than organizations with operations in Canada. Here, a variety of external resources exist that can assist compliance officers in approximating the risk posed by third parties in particular countries and regions—especially as they pertain to bribery and corruption. These resources include, but are not limited to, Transparency International’s annual Corruption Perceptions Index (“CPI”) and TRACE International’s Bribery Risk Matrix. Money laundering and terrorist financing risks can be benchmarked against meticulous data maintained by the international Financial Action Task Force (“FATF”). Finally, reputational risk can be assessed utilizing a variety of resources—from simple Internet searches to proprietary, subscription-only databases with adverse media functionality.
Irrespective of what resources compliance professionals rely on, however, it is important to construct a complete composite of the various risk factors that render a third party subject to heightened scrutiny. This is particularly important for remediation efforts, which differ substantially depending on the nature of the risk being addressed. While it is not always possible—or even desirable—to identify every risk posed by a third party partner, compliance professionals should strive to create a profile of the third party that highlights major risk factors and delineates specific company efforts to be taken to address those risks. Often, reliance on standard contractual language—including covenants, representations, and warranties pertaining to compliance with specific laws and regulations—is a first line of defense in a company’s remediation strategy. Reliance on contractual language alone, however, can lull an organization into a false sense of security, or worse, outright complacency. As such, organizations should insist on actually utilizing the contractual language in question to periodically audit the books and records of their highest-risk third parties, provide targeted training to third party personnel in specific areas of legal and regulatory risk, and require annual compliance certifications.
Organizations that uncover evidence of potential malfeasance by a third party partner should avail themselves of the opportunity to make a timely, voluntary self-disclosure of all non-privileged facts and information concerning the purported infraction to the appropriate regulator or enforcement authority. As recent updates to the DOJ’s Corporate Criminal Enforcement Policies (“Enforcement Policies”) emphasize, organizations that voluntarily disclose the details surrounding potential misconduct—particularly where the misconduct can be traced to a single individual or group of individuals—can maximize their chances of qualifying for full cooperation credit. To do so, however, the new Enforcement Policies require that organizations promptly disclose all material facts and circumstances along with tangible evidence indicative of the potential wrongdoing. To the extent an organization delays disclosing such details, it considerably jeopardizes its ability to leverage leniency in the context of any enforcement action. The benefits to organizations that avail themselves of the voluntary self disclosure process are manifold. Among other things, the new Enforcement Policies stress that, absent aggravating factors, the DOJ will not pursue a guilty plea where a corporation has “voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated the criminal conduct” at issue. Furthermore, the DOJ will forgo requiring that an independent compliance monitor be appointed to oversee corporate remediation efforts, if “at the time of resolution, [an organization] demonstrates that it has implemented and tested an effective compliance program.” Because organizations themselves ultimately bear the cost of the compliance monitor’s work, the pecuniary benefits that inure to a cooperating organization alone are enough to merit compliance with the DOJ’s voluntary self-disclosure program.
The bottom line for compliance professionals
Effective TPRM is a core component of a contemporary, effective compliance program. Given the propensity of organizations to conceal their criminal misconduct through interactions with intermediaries, close scrutiny of these relationships commensurate with the objective risk posed by individual third parties is a must for the compliance-conscious organization. Moreover, as concerns beyond bribery and corruption—especially as they relate to human trafficking and forced labor—emerge as key regulatory considerations, TPRM is essential to ensuring that the organization is not exposed to even greater risks from potentially unscrupulous sources. To the extent an organization lacks a formal TPRM program, it must take steps to implement one now.