An entity must take steps to limit the prospect of being found vicariously liable for actions of an individual or entity acting on its behalf. Ensuring that an individual or entity acting on its behalf complies with its policies and procedures is one of the greatest challenges for any entity. In particular, an entity should “consider the bribery and corruption risks posed by third parties used to win business.”1 In addition to subjecting third-party relationships to “thorough due diligence,” the third-party relationships should be subject to “management oversight.”2
The behavior expected of employees and anyone acting on behalf of an entity should be clear, as should the consequences of failing to meet those expectations. An entity should set out “behaviour expected of those acting on its behalf.”3 Included in “contracts with third parties” should be “anti-bribery and corruption-specific clauses and appropriate protections.”4 Similarly, there should be “unambiguous consequences for breaches of the [entity]’s anti-corruption policy.”5 The consequences should be “commensurate with the violation” and “applied reliably and promptly.”6
An entity should assess the extent to which its agents comply with its anti-corruption policies and procedures.7 An entity’s compliance function should have “oversight of all third-party relationships and monitors [third-party relationships] to identify risk indicators.”8 A “risk-based approach” should be “adopted to identify higher risk relationships in order to apply enhanced due diligence.”9 Compliance officials should be involved with “interviewing consultants and the provision of anti-bribery and corruption training to consultants.”10
Critically, adequate due diligence and ongoing monitoring should be conducted for individuals and entities acting on behalf of an entity. “More robust due diligence on and monitoring of higher-risk third-party relationships” should be required.11 “A ‘one size fits all’ approach to third-party due diligence” should be avoided.12 Indeed, there should be “higher, or extra, levels of due diligence and approval for high-risk third-party relationships.”13 “Enhanced due diligence procedures [should] include a review of the third-party’s own anti-bribery and corruption controls.”14 Moreover, “[t]hird-party relationships [should be] reviewed regularly and in sufficient detail to confirm that they are still necessary and appropriate to continue.”15
1. Financial Conduct Authority, Financial Crime: A Guide for Firms (“FCA Guidance”), pt. 2, at 36 (Apr. 2015).
2. Id., pt. 2, at 71.
3. Id., pt. 1, at 60.
4. Id., pt. 2, at 71.
5. Id. (emphasis in original).
6. U.S. Dept. of Justice & U.S. Sec. & Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act (“FCPA Guide”), at 59 (Nov. 2012 as updated 2016).
7. FCA Guidance, supra note 1, pt. 1, at 60.
11. Id., pt. 2, at 36.
13. Id., pt. 2, at 37.
14. Id., pt. 2, at 71.