Global anti-bribery compliance requires a special focus on third parties. Regardless of source, whether it be the new Resource Guide to the U.S. Foreign Corrupt Practices Act, the Guidance for Commerical Organisations associated with the UK Bribery Act, parts 1 and 2 of the guidance issued by the UK’s Financial Services Authority (FSA), or a multitude of other sources, current guidance requires that internal controls and compliance programs focus on third parties in the context of anti-bribery compliance.
A consistent component of internal controls and a compliance program of any entity doing business in foreign settings is the need to conduct diligence on third parties. The degree of due diligence can vary depending upon the risks associated with where a third party conducts business on behalf of an entity. A thorough understanding of the business case for using third parties should be required as well as the role of the third parties. Vague and unsupported explanations should not be accepted.
Higher or extra levels of approval should be required for high-risk, third-party relationships. Greater due diligence and more careful monitoring should also be required of high-risk, third-party relationships. The latter should be particularly required where third parties are used to generate business. A “one size fits all” approach to third-party due diligence should be avoided. Whenever necessary, an entity should bolster insufficient in-house knowledge or resources with outside expertise.
An entity should not rely heavily on the informal “market view” of the integrity of third parties as due diligence. Nor should an entity rely on the fact that third-party relationships are longstanding when no due diligence has ever been carried out. An entity should also not assume that third-party relationships acquired from other entities have been subject to adequate due diligence. A very basic identity check should never suffice as due diligence on higher risk third parties.
Reasonable steps should be taken to verify the information provided by third parties during the due diligence process. Forms for third parties should ask relevant questions and clearly state which fields are mandatory. Due diligence on third parties should also be documented. Accurate central records should be maintained of approved third parties, of the due diligence conducted on the relationship, and of the evidence of periodic reviews.