How confident are you in your company’s third-party risk and compliance program? Are there holes in the structure of your compliance framework? As global supply chains grow in complexity, the risks third parties pose to your business can be significant, particularly on the regulatory compliance front.
There’s no question, however, that third-party vendors, suppliers, and partners are integral to business and often provide a competitive edge. Third parties perform critical operational functions day in and day out. Having a robust compliance framework in place lets you leverage key third parties while protecting your business from unnecessary risk. So what does the third-party compliance regulatory landscape look like and where might your organization be exposed?
The Regulatory Backdrop
Regulations related to third parties are multi-layered and require an international perspective. There are a number of major pieces of legislation that come into play, in addition to local laws:
- FCPA: The Foreign Corrupt Practices Act (FCPA) addresses accounting transparency and the bribery of foreign officials by US companies (including their intermediaries). This continues to be an area of high priority for the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ), reflected in the ever-increasing number of enforcement actions.
- UK Bribery Act: The UK introduced the Bribery Act to enhance UK law, bringing in strict liability offenses for failing to prevent bribery. The Act applies to persons working for or on behalf of a company, including foreign subsidiaries.
- General Data Protection Regulation (GDPR): This far-reaching EU legislation makes businesses, and their partners, responsible for protecting user data. Non-compliance can result in fines of €20 million (approximately $22 million) or four percent of annual global turnover.
- Modern Slavery Act: Designed to combat modern slavery in the UK, the Act ensures slavery and human trafficking are not taking place in your business or supply chain. Businesses with a turnover above a stated threshold are required to publish an annual statement disclosing steps taken to prevent modern slavery.
The most common gaps in third-party compliance
Despite long-standing legislation, many companies continue to face the same compliance shortcomings, especially in the area of bribery and corruption. Other gaps appear as risks and regulations change. Many programs have evolved as a result of reactive decision making, rather than incorporating a comprehensive approach. Here are examples of common areas of concern.
Can you confidently identify bribery and corruption risks?
Third parties are the single greatest area of bribery risk for corporate companies. This is a truth understood well by regulators, and a known Achilles’ heel. Nearly 90 percent of FCPA enforcement actions since 1977 have included third-party intermediaries. And according to Transparency International: “Bribery through agents, distributors, and brokers represented 41 percent of 427 enforcement actions concluded since the coming into force of the OECD Anti-Bribery Convention in 1999.” It’s no wonder then that compliance officers have third-party risk management compliance at the top of their agenda.
Do you know what you are acquiring?
Successor liability under the FCPA means that an acquiring company can be held liable for bribery and corruption issues at a target company. The regulation applies both pre- and post-acquisition. In April 2019, the DOJ released revisions to its FCPA Corporate Enforcement Policy, including a new application in the context of mergers and acquisitions, that provide greater clarity on this issue.
Reducing successor liability risk requires a strong compliance program that is well designed, well implemented, and works in the real world, not just on paper. Matching up your program to DOJ guidance is crucial to expose any gaps.
Do you have the right screening levels?
The classification of third parties can be a difficult process, especially when you are dealing with thousands of entities in multiple jurisdictions. The application of consistent screening levels is an area where businesses are often exposed when it comes to third-party compliance. Common scenarios include due diligence only on high-risk intermediaries, country-specific omissions, or a baseline-only check on all third parties. Establishing a reliable baseline standard for all third parties, without exception, that satisfies regulatory requirements alongside a risk-based approach will close the holes in your program.
What is your screening lifecycle?
At what point does your third-party compliance program require you to screen? At the point of onboarding only? Once a year thereafter? Perhaps only every five years? Third-party risks change constantly, as recent volatility in sanctions regimes makes all too clear. But the logistics of regular third-party compliance screening mean that, for many businesses, onboarding checks are the only checks given any priority, exposing your business to significant risk.
Your business is exposed to third-party risk from suppliers, vendors, agents, and partners every day. Screening all third parties is the most thorough and defensible solution to reduce that risk, as it identifies red flags before they become an issue.