The Extended Network: Managing Third Parties' Bribery Risks

Introduction

Approximately 90% of U.S. Foreign Corrupt Practices Act (FCPA) enforcement cases from its inception in 1978 have involved third-party intermediaries engaging in bribery schemes. 

The reduced level of control or oversight inherent in third-party relationships alongside differences in culture, business ethics or attitudes towards regulatory compliance each play a critical role in generating risk. This is exacerbated when employees seek to exploit third-party relationships to ostensibly shift the risks of bribery.  

Yet, operating in the global market requires organisations to leverage a network of third parties for a variety of reasons. And despite numerous enforcement actions and published guidance, the issues persist, with over 80% of FCPA cases in the past five years alone still linked to third-party conduct. Recent FCPA enforcement cases related to Raytheon, McKinsey, BIT Mining, and Moog Inc., each underscore the ongoing need for continued attention to third-party risk.

This article explores why third parties remain critical to business, the bribery risks they present and provides insights from our own investigative and compliance monitoring work as to the common challenges organisations face in managing third-party corruption risk. 

The Critical Role of Third-Party Partnerships

Partnering with third parties is key to global business, but not all third parties carry the same level of risk. Mitigating the risks will depend on why the third-party is necessary to the business and the activity they engage in on behalf of the organisation. Below are four common scenarios for which global organisations continue to turn to third parties and common risks attendant to those scenarios.

1. Market expansion in high-growth geographies: Asia, the Middle East, and Africa continue to be regions experiencing rapid growth. However, entry into certain markets within these geographies can require local insights and partnerships to build trust amongst the local customer base, secure appropriate licenses to operate, or enable a temporary in-country presence. This is often achieved by partnering with a local third-party, who can represent the business and navigate the unique cultural and market dynamics of the area. These relationships present some of the most significant corruption risks as the third parties involved are often working as agents or representatives of the organisation in meetings with potential clients, critical community stakeholders, government agencies, or regulators to help advance the local strategy. 
    
2. Market participation requirements: Nationalism, 'local first' policies, and national security concerns have long created barriers for companies entering certain markets, and this trend is likely to continue. Many businesses, especially in technology, pharmaceuticals, and energy, rely on local entities or state-owned enterprises (typically via joint ventures) to operate. While these partnerships aim to retain economic value locally and control foreign influence over critical resources, they also pose corruption risks. Challenges include government influence in joint ventures, which can hinder compliance efforts, risks like contract steering to government-linked entities, unjustified salaries for officials, and misuse of joint venture funds. 
    
3. Shifting commercial risks: Economic pressure from inflation and volatility, particularly in emerging markets, can lead companies to outsource sales functions to manage currency and collection risks. However, transferring inventory and sales responsibilities to third parties does not eliminate corruption risks. Challenges in these arrangements include reduced oversight of third parties hired by resellers or distributors to secure contracts, potential bid rigging and anti-competitive behaviour to win tenders, and the misuse of discounts or rebates as a means to bribe.
    
4. Supply chain resilience and diversification: Supply chain resilience and diversification have become critical as recent disruptions, such as the Suez Canal blockage, the Ukraine-Russia conflict, and extreme weather events in the U.S., exposed vulnerabilities. Businesses are addressing these challenges by adopting multi-sourcing strategies, nearshoring, and expanding logistics networks to ensure continuity. However, corruption remains a significant risk, with issues like passive bribery in supplier selection and bribes paid to expedite product movement or bypass safety audits. Sanctions, human rights, and money laundering risks also feature in unique ways depending on the nature of the products and geographies the suppliers are supporting.
    
5. Common internal control challenges with third parties: Engaging third parties is an essential aspect of conducting business on a global scale. However, as previously mentioned, the corruption risk associated with third parties varies based on the specific business purpose and the activities they perform for the organisation. Therefore, a universal approach to managing corruption risk is not feasible. Nevertheless, our experience has revealed certain common challenges that are widely applicable.

Validation of Third-Party Due Diligence

Addressing third-party risk requires thorough due diligence at the outset, including self-assessments, financial checks, media searches, and ownership verification. In the case of Raytheon, the DOJ stated the company had a third-party due diligence process in place; however, Raytheon employees coached third parties as to what information needed to be provided in order to pass the screening, leading to the third parties submitting falsified documents. 

As more organisations shift responsibility for due diligence procedures to their front-line business, the greater risk of control circumvention. Legal and compliance teams play a critical role in providing risk-based guidance and independent verification during the due diligence process. By incorporating corporate intelligence into the process, compliance teams can independently ‘check’ any initial diligence conducted by the business. Corporate intelligence experts access diverse data sources, including legal filings and sanctions lists, and leverage industry networks to ensure informed decision-making, particularly in challenging and/or opaque jurisdictions.

Benchmarking Fee Structures

When engaging third parties, it is crucial to establish fair and transparent fee structures to mitigate instances of bribery and corruption and ensure the business is receiving fair market value. 

In the case against Moog Inc (Moog), an agent involved in improper payments was contracted under a commission-based fee structure. Commission or success fees are deemed high risk as they can either motivate third parties to act unethically or masque elements of the fees that are being re-directed to pay bribes. If such arrangements are unavoidable, implementing additional controls such as benchmarking of commission rates, clearly defining performance metrics, and exercising audit rights in order to monitor third-party’s activities are means to mitigating corruption risk.

Even standard fee structures require close monitoring, as methods such as rebates, discounts, and account credits can be misused for unauthorised financial gains. Rebates and discounts can allow a third-party to accumulate extra funds, which unless transferred to the customer or client, may be used for improper payments. Account credits given to a third-party can obscure financial transactions by offsetting future payments, hiding inappropriate services, and complicating audit trails to mask improper payments. Ensuring robust internal controls around such items and regular third-party transaction reviews can help prevent the misuse of such practices.

Payment Controls

Financial controls throughout the procure-to-pay process should provide a level of defence for inappropriate payments to third parties. 

Moog was also subjected to FCPA enforcement action with the SEC stating the company’s Indian subsidiary violated books and records, and internal accounting control provisions.¹ Moog’s subsidiary made improper payments to Indian public officials through third-party agents and distributors, falsely recording these as legitimate business expenses. Further, it was identified falsified and inflated distributor invoices were used to fund the bribes. 

In our experience, sound financial accounting controls can also play a pivotal role in preventing the execution of a problematic payment. The challenge is ensuring that the controls are tuned to corruption risk and that those responsible for executing the control are properly trained. Examples of effective accounting controls to prevent problematic payments include:

• Invoice verification (three-way check): Ensuring invoices received agree to a purchase order, and proof of service/delivery is obtained and reconciled to the purchase order and invoice, as well as being consistent with the requirements set out under a contract or scope of work.
• Segregation of duties: The individuals recording transactions are different from those raising or authorising purchase orders, and processing or approving the payments.
• Approval processes: Establishing delegation of authority by value and risk of a contract – i.e. where public sector deals are involved, having multiple members of senior management provide oversight and approval on payments.  

Third-Party Monitoring

Exercising audit rights can be a critical tool for identifying potential red flags, such as irregular financial transactions, lack of transparency around interactions with end customers, or the involvement of additional parties. Audits also provide an opportunity to reinforce expectations and improve compliance frameworks by assessing the effectiveness of existing controls and identifying areas for enhancement. Further, regulators view audit programmes as effective tools for third-party risk management as highlighted by the DOJ’s positive reflections on SAP’s third-party audit programme as a timely remedial action in their FCPA violation enforcement decision.² 

A particular benefit of conducting audits is understanding potential fourth-party sub-contractors who present compliance risk. Collusion to ‘rotate’ winners in tendering processes or subcontract and share the financial benefits are common challenges in public sector procurement. For example, Microsoft Hungary was fined over USD 8.7m for FCPA violations in relation to its in-country reseller partaking in bid rigging and bribery in connection with the sale of Microsoft licenses to government agencies.³

Quick Wins for Companies in Addressing Third-Party Risk

In the current economy, companies are often stretched in terms of resources and working with a restricted budget. Although the repercussions for not managing third parties effectively can be vast, in practice preventative measures are not always the priority for a business with competing priorities. 

So, what actions can a company take that have a low barrier to entry, but which make a big impact in terms of proactively managing third-party risks? 

1. Clauses in Contracts: Incorporate anti-bribery and anti-corruption clauses in contracts with third parties. These clauses should require compliance with relevant laws and regulations, adherence to the company’s code of conduct, and obligations to report any unethical behaviour or breaches.
2. Disclosure of Subcontractors: Require third parties to disclose any subcontractors they plan to use, both during the tendering process and after contracts are awarded. This transparency helps in assessing the entire supply chain's compliance risk.
3. Audit Rights: Ensure contracts include audit rights, granting access to documents, systems, data, and relevant personnel. This enables the company to conduct thorough audits and ensure compliance with terms.
4. Enquire About Compliance: As part of due diligence, review the third-party’s compliance program to assess its adequacy relative to the risk it poses. This step can help identify potential red flags early.
5. Continuous Monitoring: Consider and plan how a third-party audit program might work for the organisation, if not already in place. Utilize internal audits to verify the full scope of third-party activities and detect any process circumventions.
6. Training and Awareness: Educate employees about the due diligence process, risk recognition, and proper procedures for managing third-party relationships. Use findings from internal audits to guide training efforts.
7. Whistleblowing Mechanisms: Establish accessible whistleblowing channels for all parties involved and raise awareness about reporting procedures. This encourages early reporting of any unethical practices.

Conclusion

In conclusion, managing third-party bribery risks is an imperative aspect of maintaining ethical and compliant business operations in today's interconnected global market. Despite the challenges and complexities inherent in third-party relationships, organisations cannot afford to overlook the significant risks these partnerships pose. The persistence of third-party involvement in FCPA enforcement cases underscores the necessity for robust due diligence, transparent fee structures, effective financial controls, and continuous monitoring. By implementing a risk-based approach tailored to the specific context and activities of each third-party engagement, businesses can proactively mitigate potential corruption risks. Moreover, incorporating anti-bribery clauses, enforcing audit rights, and fostering a culture of compliance through training and whistleblowing mechanisms are practical steps that can make a substantial impact with minimal resource investment.

We have extensive experience supporting clients to undertake effective due diligence, make risk assessments, stress test internal controls, and forensically audit third-party relationships. For more information about how we can support your organisation, please contact Lorynn Demetriades and Alecia Futerman.
 

^{1 https://www.sec.gov/files/litigation/admin/2024/34-101307.pdf
2 https://www.justice.gov/opa/pr/sap-pay-over-220m-resolve-foreign-bribery-investigations 
3 https://www.justice.gov/opa/pr/hungary-subsidiary-microsoft-corporation-agrees-pay-87-million-criminal-penalties-resolve} 

Sign up to receive all the latest insights from Ankura. Subscribe now

^{© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.}