Most companies group third-party risks from agents, resellers, and distributors all under the same umbrella. Yet not all third-party risks are created equal.

Such business partners often have different legal exposures and corruption risk profiles, affecting the level of due diligence that a company must conduct on each.

Taking a risk-based approach to third-party due diligence helps senior management allocate resources more effectively. “A full due-diligence profile is not always necessary,” says David Simon, a partner at law firm Foley & Lardner. “You have to look at what the relationship is pretty carefully to judge the level of compliance measures that are required.”

Distributors often pose greater risks than resellers or agents, for example, and tend to require a higher level of scrutiny when it comes to compliance with the Foreign Corrupt Practices Act, because companies have less control over them. Whereas resellers and agents sell products and services on a company's behalf, distributors are independent parties who buy and assume title to a company's products to resell into other markets, potentially including high-risk foreign markets.

Companies have far less leverage to demand audit rights and training on anti-corruption measures with distributors, since they often supply several manufacturers' products at once, including competitors' products. “You can't approach those distributors and realistically expect them to give you audit rights,” says Simon. As a result, companies often have a difficult time mitigating the corruption risks posed by distributors, especially those in high-risk foreign markets.

Despite these compliance challenges, the Department of Justice and the Securities and Exchange Commission have offered no shortage of cases in which companies have been found liable where their distributors have violated the FCPA. “If [distributors] are off paying bribes, and you know about it and don't do anything to stop it, you're almost certainly going to be held responsible for their actions,” says Simon.

In one example, software giant Oracle in August agreed to pay a $2 million penalty to the SEC for charges of violating the FCPA by failing to devise and maintain a system of effective internal controls that would have prevented its India subsidiary from secretly setting aside money off the company's books that enabled Oracle India's distributors to make unauthorized payments to phony vendors in India.

According to the complaint, Oracle India sold software licenses and services from 2005 to 2007 to India's government through local distributors, and then directed the distributors to “park” the excess funds—approximately $2.2 million—from the sales outside Oracle India's books and records. Such practices, the SEC complaint stated, “created the potential that [the payments] could be used for bribery or embezzlement.”

In another case, medical-equipment manufacturer Smith & Nephew in February entered into a deferred prosecution agreement and agreed to pay a total of $22 million in fines and penalties to the Justice Department and the SEC in connection with bribes paid by Smith & Nephew's affiliates, subsidiaries, employees, and agents to publicly employed healthcare providers in Greece from 1998 to 2008 to persuade them to purchase medical devices manufactured by the company.

Tom Fox, an independent FCPA compliance consultant and lawyer, says one warning the Smith & Nephew case provides is that companies must carefully consider the commission payments they pay to distributors. In the eyes of enforcement authorities, any commission paid to a foreign business representative is the amount that could be used to pay bribes. “It's one thing to get 5 to 10 percent of a sale and another to get 30 percent,” he says.

In this particular case, Smith & Nephew sold its products at full list price to a Greek distributor then paid the amount of the distributor discount—between 25 and 40 percent of the sales made by the distributor—to an off-shore shell company controlled by the distributor.

“As a company, you have to be able to justify the higher rate that you pay to the distributor,” says Fox. Exactly what the Justice Department considers an appropriate rate is not quite clear, due to a lack of case law, “but that is something that companies need to pay very close attention to,” he says.

Risk Assessment

Many companies maintain vendor master lists and third-party databases that span hundreds—if not tens of thousands—of distributors and other third parties, making it unreasonable to run background checks on every one of them. The practical way to minimize FCPA risk associated with a global distributor network without devoting an unreasonable amount of time and money toward compliance efforts is to conduct a risk analysis to determine which third parties pose the highest risks, says Simon.

On the low-risk end, for example, are distributors that have little affiliation with the company. Many distributors are more like customers than agents, who merely purchase a product and resell it to others. “If they're really just a reseller or a customer, and all they're doing is buying your product and selling it along with other products, I think you can get away with a lot less, and I think it's appropriate to do a lot less,” says Simon.

FCPA PROBE RESOLUTION

Below is an excerpt from the Justice Department's release regarding Smith & Nephew:

According to the criminal information filed today in U.S. District Court in the District of Columbia in connection with the agreement, Smith & Nephew, through certain executives, employees and affiliates, agreed to sell products at full list price to a Greek distributor based in Athens, and then pay the amount of the distributor discount to an off-shore shell company controlled by the distributor. These off-the-books funds were then used by the distributor to pay cash incentives and other things of value to publicly-employed Greek health care providers to induce the purchase of Smith & Nephew products. In total, from 1998 to 2008, Smith & Nephew, its affiliates and employees authorized the payment of approximately $9.4 million to the distributor's shell companies, some or all of which was passed on to physicians to corruptly induce them to purchase medical devices manufactured by Smith & Nephew.

The agreement recognizes Smith & Nephew's cooperation with the department's investigation, thorough self-investigation of the underlying conduct, and the remedial efforts and compliance improvements undertaken by the company. As part of the agreement, Smith & Nephew will pay a $16.8 million penalty and is required to implement rigorous internal controls, cooperate fully with the department and retain a compliance monitor for 18 months.

In a related matter, Smith & Nephew reached a settlement today with the U.S. Securities and Exchange Commission, under which Smith & Nephew agreed to pay $5.4 million in disgorgement of profits, including pre-judgment interest.

This case is being prosecuted by Trial Attorney Kathleen M Hamann of the Criminal Division's Fraud Section with assistance from the FBI Washington Field Office's dedicated FCPA squad.

The Justice Department acknowledges and expresses its appreciation for the assistance provided by the authorities of the 8th Ordinary Interrogation Department of the Athens Court of First Instance and the Athens Economic Crime Squad in Greece, as well as the significant coordination with and assistance by the Securities and Exchange Commission's Division of Enforcement.

Source: Justice Department.

On the high-risk end, however, are distributors that are very closely tied to the company, who effectively represent the company in the market. “The more that they look like you in that market, the more likely it is that you're going to be responsible if they pay a bribe,” says Simon.

Once a company distinguishes which distributors pose a low risk of FCPA liability from those that pose a high risk, “the question then becomes, what steps do you need to take, absent a red flag, to ensure that they're not engaging in conduct that would be prohibited by the FCPA?” says Simon.

At a base level, companies may want to include right-to-audit and termination clauses in contracts with third parties, along with FCPA training and certification, says Simon. Other typical third-party due diligence practices include running risk screenings of sanctions watch-list databases, checking public records such as court filings, and conducting Internet searches. In high-risk country operations, additional due diligence procedures may involve in-country searches that include site visits and reference checks.

How much due diligence is enough depends on each company's own risk profile. Comverse Technologies, for example, has a “very stern anti-corruption policy, and we make all our third-party go-to-market channels—whether it be agents, resellers, or distributors—acknowledge that they're aware of it and what's expected of them,” says David Frishkorn, chief compliance officer at the $1.6 billion technology company.

Traditionally, when it comes to conducting third-party due diligence for FCPA compliance, cost has been a big concern, notes Frishkorn. Today, that's not so much the case anymore.

Not only is there more competition among service providers who offer due diligence services, Frishkorn says, but also in this digital age companies literally have at their fingertips more information on their third parties than ever before—both of which significantly drive down the time and cost of conducting due diligence.

Despite some minor legal nuances that may exist regarding who owns the title of a product and who legally represents the customer, “at the end of the day, it's always my product or service that's going to end up in the hands of the consumer,” says Frishkorn. “I bear some direct legal risks or, certainly, reputational risk.”