Managing third-party corruption risk: two fundamental questions every business must ask itself

The single biggest corruption risk businesses face stems from their third-party service providers: more than 90 percent of reported FCPA cases have involved third-party intermediaries. 

As a result, guidance from regulators places substantial weight on due diligence focused on the engagement of third parties. Third-party risk management, however, often misses the mark by focusing on the form, rather than the substance, of the third-party engagement, and relying too heavily on reputational information.

There are two fundamental questions which should underpin effective third-party management: who are the business' third parties and what are they being paid for? If a business cannot answer these questions, it will struggle to convince regulators that its anti-bribery and corruption compliance system is effective because its most acute risk is not being managed. On the other hand, a business that seriously engages with its third-party risk will build value on a more sustainable platform than its peers.

1. Who are the business' third parties?

Unless a business correctly identifies its third parties for the purposes of the relevant anti-bribery and corruption legislation, it cannot put in place adequate or effective procedures to manage the risk of those third parties paying bribes on its behalf.

Responsibility for payments made by a broad range of third parties is at the heart of modern anti-corruption legislation. The essence of the UK Bribery Act 2010 is its strict liability corporate offence of failing to prevent bribery by any "associated person" performing services for or on behalf of the corporate, subject only to the defence that the corporate had adequate procedures in place to prevent it. Similarly, the FCPA covers payments to foreign public officials made via any third party where the business knew, or was wilfully blind to, the ultimate destination of the payment.

Often, however, the breadth of that concept is not reflected in businesses' third-party risk management systems, which tend to focus only on traditionally "high-risk" categories such as agents and introducers. The problem with such systems is that they can be gamed by mis-classification.

To manage third-party risk, a business needs to understand how someone intent on circumventing its rules would act: to funnel a bribe to an end customer or official, how would that person navigate the compliance system to generate the cash without detection?

If the third-party anti-bribery and corruption controls are focused on introducers and consultants, the person might arrange to overpay a local lawyer who then makes payments on the business' behalf, rather than use the more familiar scheme of a consultancy agreement for vaguely described services.

Equally, if the person knows that compliance will query an agent's commission, they could appoint the agent as a distributor instead and grant a deep discount justified by, for example, the difficulty of making sales in the region. The discount puts the same cash in the same hands without a commission ever appearing.

While the classification of a third party is informative in assessing the anti-bribery and corruption risk it presents, it is far from determinative. The context and substance of the engagement must be considered to assess its anti-bribery and corruption risk.

Dealing with a distributor or customer in one situation may, looking at the transaction, sector and jurisdiction as a whole, present a higher anti-bribery and corruption risk than dealing with an introducer in another.

The business might consider, for example, whether:
    • the third party is a customer or distributor performing ancillary services which in other circumstances would be performed internally or by agents (i.e., is it more than a mere customer or distributor?);
    • the business is in effect putting the third party in funds (whether by fees, commissions, discounts, rebates, etc.) which could potentially be used to pay a bribe;
    • the third party is in a position to obtain or retain business or a business advantage for the business; or
    • other red flags exist (e.g., a request for payment to an offshore bank account or shell company; a request from the customer or official that a particular third party be used; or a close relationship between the third party and the customer or official).

Assessing the reality of the relationship with a third party and weighing up the risks of that relationship are ultimately judgements requiring an active, inquiring, and necessarily human, mind.

2. What is the business paying for?

The simple question is: does the business know what it is paying for? If it is buying a car for $20,000 but, as part of the sale, is asked to pay an additional $2,000 to a third party, it would naturally question the purpose, size and destination of that payment.

The same basic thought process matters in dealing with third parties. Contractual clauses and public record searches that purport to constitute "due diligence" achieve little if the substance of the transaction goes unexamined. Where third-party management often falls down is in the knowledge gap between the business and compliance. Compliance, with the business' help, needs to understand the commercial arrangements well enough to test them properly and to ask the difficult questions, such as:
    • Is the service necessary and commercially justifiable?
    • Is the value of the services commensurate with the amounts paid or the discount given?
    • Does the third party have the right credentials or experience to provide the services in question?
    • Is there a logical connection between the payment and the services provided, in quantum or in the method of remuneration?

It is crucial, too, to counter the risk of someone within the business explaining away issues to junior compliance personnel: agreements and payments should go through a proper approvals process with senior-level sign-off from both the business and compliance.

Ultimately, the analysis of the commerciality of third-party arrangements is again a matter of human judgement. Technology can help to identify unusual commission levels or payments, but it cannot ask the difficult questions needed to test the commerciality of a payment. Regulators will attribute little value to a compliance programme that relies on an automated screen to wave a transaction through because it passes the relevant criteria, when the substance of that transaction raises clear red flags.

Of course, not even skilled compliance professionals will always get it right, and no amount of documentation or due diligence can "guarantee" that a third party will not pay bribes. There is nonetheless a worrying trend for individuals and service providers to purport to certify a third party as "FCPA- or Bribery Act-compliant". Similarly, many consultants provide "due diligence reports" on a third party's reputation; reputation is one input to the analysis, but most corrupt agents have no public profile.

Regulators are not looking for perfection, but they do demand that businesses take credible and demonstrable steps actively to manage the risk of their third parties paying bribes. Credibility means knowing what you are paying for.
Can the business answer these fundamental questions?

The extent to which a business is successfully managing its third-party risk can be tested as follows:
    • Can the business, without significant delay, produce a list of its third-party service providers? If not, it is not managing its third-party risk effectively.
    • Can the business say, in some detail, what services those providers render and justify their cost? If not, it has no credible response to a regulator in the event of a corruption issue.

Reviewing third parties can appear a daunting task for a multinational business, and the perceived scale of the task often leads to inaction. The most efficient and proportionate approach is a phased one: an initial risk assessment or triage that focuses compliance effort on a sample of the highest-risk third parties (for example, by considering exposure to politically exposed persons, jurisdiction, business sector, and commission or discount levels), with the scope of broader due diligence then determined on the basis of what that initial sample reveals.

Managing third-party anti-bribery and corruption risk is one of the most challenging and time-consuming aspects of compliance but failing to grapple with it threatens a business' sustainable value in the long term.
Jason Hungerford is a partner and Andrew Reeves is an associate at Norton Rose Fulbright London. The views expressed are their own.