Companies spend a lot of time and energy worrying about third-party corruption risks from resellers or agents, but what about corruption risks upstream? Those can be just as dangerous.

The typical channel for the distribution of goods or even services to an end-user consists of a vendor (such as a manufacturer), a distributor, and a reseller (such as a retailer or systems integrator). This distribution channel model is often called two-tier, since there is a distributor and a reseller between the vendor and the end-user. In two-tier distribution, distributors serve an economic role in providing logistics expertise, inventory management, and management of credit offered to the resellers down the channel.

Much has been written—and rightly so—about the corruption risks posed by parties who are down the distribution channel, such as a reseller or agent, and the steps needed to mitigate them. Sole focus on that particular risk, however, can divert attention from the risks up the channel—that is, the risks of being caught up in corrupt schemes where vendors seek to use the channel to effect a bribe.

The Foreign Corrupt Practices Act enforcement history contains numerous cases of regulators charging vendors for inattention to the actions of a downstream partner. In light of this fact, perhaps not surprisingly, the recent FCPA guidance from the U.S. Department of Justice and the Securities and Exchange Commission focuses on this downstream risk. Discussing compliance in the channel, the guidance uses only examples of downstream actors as posing risks and sets forth various preventative steps to mitigate such risks.

It's not that surprising that some executives might think they don't have to worry about upstream corruption risks. The regulatory guidance leaves the impression, by implication, that these steps might need to be implemented only downstream, not upstream. Nor does the guidance warn or give insight about the risks coming from the upstream party in the transaction, that is, the vendor. The U.K. Bribery Act guidance similarly focuses downstream in discussing partner due diligence.

It is the downstream intermediary, however, whether distributor or reseller, that remains just as much at risk from the upstream vendor and must also have the proper due diligence and controls in place. In the distribution channel, especially for bigger ticket items, it is frequently the vendor and its marketing and sales arm, not the distributor or reseller who will scout out and finalize a deal with a government customer. The vendor knows the potential of its products better than anyone and possesses the financial heft—more so than the distributor or reseller—who operate on historically thin margins—to deploy teams to visit government offices and cultivate relationships.

Lurking Corruptions Risks

The distributor and reseller are typically brought in once the elements of the deal, with its attendant risks of bribery, are finalized with the government customer. At that point, the vendor presents the deal to them on a take-it or leave-it basis, indicating the government customer and the final price along with instructions to the distributor and the reseller on what percentage of the sale proceeds to allocate to themselves (in channel parlance termed the “markup”) before remitting the balance upstream to the vendor. All this, however, can leave the distributor or reseller exposed to unknown FCPA risk, as they may lack visibility into how the deal came about.

It's not enough to rely, for anti-corruption compliance purposes, on the vendor's status as a well-established multinational, perhaps publicly traded on a major stock exchange. Technology companies, for example, may have established robust anti-corruption compliance programs, designed and run by well-qualified compliance professionals.  Establishing a global program, however, and ensuring its adherence globally are two different things.

It's not enough to rely, for anti-corruption compliance purposes, on the vendor's status as a well-established multinational, perhaps publicly traded on a major stock exchange.

Plenty of well-respected technology companies, for example, have been the subject of corruption investigations, and some have even settled charges with the Justice Department or Securities and Exchange Commission. Just last month, for example, Hewlett Packard announced that it had paid a $108 million fine to settle allegations of bribery by its Russia, Poland, and Mexico operations and entered into a deferred-prosecution agreement.

As to the Mexico bribes, the statement of facts appended to the H-P deferred-prosecution agreement set forth the scheme of an H-P Mexican subsidiary to win a contract with the Mexican state-owned oil company, PEMEX, by funneling payments to a consultant with ties to PEMEX. In order to circumvent H-P policy and controls on the use of consultants, the H-P subsidiary brought into the mix an approved H-P channel partner.

In 2012, Oracle settled allegations of FCPA books and records violations with a $2 million payment to the SEC. The Oracle case is instructive in that it involved allegations of the use of a distributor to effect questionable payments from a marketing development fund.  According to the complaint, Oracle had directed the distributor to create the fund by setting aside proceeds from a government sale of Oracle product and then directed the distributor to pay third-party invoices that may have been falsified.

Red Flags of Upstream Corruption

In short, don't rely on “blue-chip” multinational financial status as being synonymous with having a gold standard anti-bribery compliance program. How then do you, the distributor or reseller, protect yourself from this upstream risk? Above all, you must be alert to the following channel-related red flags:

The vendor asks you to implement a deal by acting as an intermediary, yet you do not add any apparent value. For example:

                    —You haven't made any introductions to the customer or done any marketing;

                    —You don't have to pay until the customer pays you (in other words, you are not bearing any

                    credit risk); and

                    —You won't store or hold in your inventory; the vendor will ship it directly to the customer.

          In these circumstances, you have to be concerned that you are just being used as some buffer for

          the vendor to try to insulate itself from any liability for the government deal it has put together. That is,

          you are being used to give the vendor some “plausible deniability,” if bribery is uncovered.

The vendor asks you to pay third parties that you haven't contracted with yourself and offers to reimburse you, either directly with a check or through credits including credits from marketing development funds. Even though your funds are not at risk and you are simply doing an established, multi-national vendor a favor by paying some local bills, the safest course is generally to pay only bills for goods or services for which you have contracted yourself.

The vendor asks you, a distributor, to buy their product, not directly from them, but from another distributor or another source (even though you customarily buy the product directly from the vendor itself). There might not be any economic rationale for this step and it might well be a way for the vendor to justify (and thus hide) unwarranted extra margin on the deal.

The vendor asks you for anti-corruption certifications and audit rights but declines to provide the same to you or to give even a basic attestation of compliance. A multinational vendor, especially a publicly traded one, should not have any problem in giving the same attestations of anti-corruption compliance, and even audit rights, that it asks from its intermediaries in global business.

There is no reason that distributors and resellers need to have a confrontational or adversarial relationship with their vendors on anti-corruption. In the final analysis, they share common interests in ensuring anti-bribery compliance. Compliance professionals should establish open lines of communication with their peers upstream and downstream, so as to facilitate real-time inquires about questionable transactions before they get finalized.

In sum, the downstream channel partner, distributors, and resellers should have their own robust FCPA compliance programs; they need to be squeaky clean, as much, if not more, than their upstream vendor partners. Such anti-corruption programs will be incomplete, however, if they don't also include steps to guard against involvement in vendor corruption schemes not of their own making. Moreover, consistent with bedrock FCPA principles, the distributors and resellers cannot have a “head-in-the-sand” mentality that turns a blind-eye to suspect proposals from vendors.

Most important, distributors and resellers need to instill the discipline to walk away from deals offered by vendors—no matter how blue-chip the vendors' credentials—that are questionable. At the end of the day, this is the fail-safe compliance program.