Approximately 90% of Foreign Corrupt Practices Act (FCPA) enforcement matters between 1978 and 2023 identified a third-party intermediary, such as a sales agent, consultant or distributor, as part of the bribery scheme.¹

Under the FCPA, willful blindness or awareness of a high probability that improper payments are being made by a third party may be interpreted as knowledge of a corrupt payment and provide the basis for liability for companies and individuals.

The behavior of third parties is also highly relevant under the laws of other countries. For example, under UK law, companies are liable for bribery offenses committed by their "associated persons." These are people who in any capacity provide services on a company‘s behalf. Liability is strict, and a company‘s only defense is to show that it had in place adequate procedures to prevent the commission of the bribery offense. The role of compliance in third-party risk management is therefore critically important to the overall effectiveness of a company‘s anti-corruption compliance program.

Respondents indicate that companies employ a variety of contractual anti-corruption protections and strategies. The most commonly used anti-corruption compliance provisions in third-party agreements are anti-corruption compliance representations and warranties (64%) and related audit (61%) and termination (66%) rights. More than half of respondents (56%) also contractually require third parties to cooperate with compliance inquiries. But only a small minority of companies (14%) included provisions to shift the cost of failed compliance audits to the third party.

Compliance teams report feeling pressure to approve heightened risk third parties

11% of respondents reported they have been pressured to approve the engagement of a third party presenting an unacceptable corruption risk, with 9% reporting that it happened more than once or with more than one third party.

View full image: Has your organization’s Compliance and Ethics function ever been pressured to approve the engagement of a third party you believe presented an unacceptable corruption risk profile?(PDF)

View full image: Does your organization… (PDF)

Compliance policies and procedures related to third-party risk management are gaining traction

Most respondents (87%) have written policies regarding employee engagement/interaction with third parties.

Almost three-quarters of respondents (74%) have a code of conduct for third parties, and two-thirds (66%) of those respondents require third parties to attest to their compliance with the code of conduct or similar policy.

More than half of respondents (53%) do not require third parties to complete anti-corruption training.

The majority of respondents (85%) perform risk-based compliance diligence on third parties.

While 91% of respondents include some form of anti-corruption provision in their agreements with third parties, 39% of respondents do not use audit clauses in written agreements with third parties with a heightened risk profile, and 20% do not conduct compliance audits on third parties.

View full image: When does your organization perform risk-based compliance diligence on third parties? (PDF)

Most companies are performing risk-based diligence on third parties both at the beginning of the relationship and periodically thereafter

On average, most respondents (85%) report that their organizations perform risk-based compliance diligence on third parties.

Of these, more than half (55%) said that they perform risk-based diligence on third parties before contracting with them and also periodically thereafter, whereas the remaining 30% stated that risk-based diligence only takes place before contracting with third parties.

While 85% or more of companies across most industries reported performing risk-based compliance due diligence on third parties, the consumer & retail industry was an outlier, with only 45% of respondents reporting doing so.

View full image: Does your organization perform risk-based compliance diligence on third parties? (PDF)

At most companies, Compliance and Ethics teams perform compliance diligence

Enforcement authorities pay attention to the methods companies use in performing compliance due diligence, as well as the personnel who are responsible for performing it. Authorities generally expect to see involvement from the second line of defense in performing diligence, as business units may not have the expertise to assess third parties or the independence to reject them on compliance grounds. Authorities also consider whether information received from third parties and business teams on questionnaires is corroborated using independent sources, such as public records searches.

Most respondents (57%) reported that their Compliance and Ethics teams perform third-party compliance diligence. While 42% of companies involve the relevant business unit in conducting compliance due diligence, 14% said that they only use the relevant business unit for compliance diligence. A further 15% of respondents did not know who performs compliance diligence at their company.

Just under one-quarter of respondents (24%) outsource third-party compliance diligence to an external vendor.

Responses show that a majority of companies consider multiple sources of information as part of compliance diligence. Leading methods for screening potential vendors include using questionnaires completed either by the third parties (62%) or in-house (40%), as well as public records/media searches (63%).

View full image: Who performs risk based third-party compliance due diligence for your organization? (PDF)

Most companies have ethics and compliance teams involved in reviewing and approving potential third parties

While nearly two-thirds of respondents (65%) reported that their Compliance and Ethics function has a defined role in reviewing and approving potential third parties, more than one in five (28%) respondents stated that their Compliance and Ethics function does not have one.

Among companies that define a role for Compliance and Ethics teams in approving third parties, 47% do so based on the third party‘s risk profile, while 18% indicated that this function reviews all potential third parties irrespective of risk.

While the vast majority (75%) of respondents reported that their Compliance and Ethics function is authorized to prevent the engagement of a third party, a minority (15%) said this function lacks that authority.

View full image: What methods does your organization use to perform risk-based compliance diligence on third parties? (PDF)

A minority of companies require anti-corruption training for third parties

Anti-corruption training is generally viewed as an important tool to ensure third parties understand their obligations under applicable laws and relevant contract clauses, and to reinforce the consequences of non-compliance. These findings indicate room for growth for companies to enhance their approach to third-party risk management.

Less than one-third of respondents (30%) require third parties to complete anti-corruption training, while more than half of respondents (53%) do not require such training.

Among the 30% of respondents that require third-party anti-corruption training, 75% require third parties to complete their own organization‘s anti-corruption training.

View full image: Risk-based compliance diligence on third parties (PDF)

Less than one-quarter of companies perform regular compliance audits on third parties

Third-party compliance audits are an emerging area of focus for compliance leaders and enforcement authorities. They can have particular importance in jurisdictions such as the UK, where a company can face criminal liability for failing to prevent bribery by third parties performing services for or on its behalf. When performed proactively, compliance audits can help companies increase awareness of compliance requirements and deficiencies among third parties and help prevent serious incidents of non-compliance before they arise. When performed reactively in response to a triggering event, these audits can help company counsel gather evidence and evaluate potential resolution strategies, including litigation and disclosure. In both cases, the compliance audit is an important tool in giving teeth to a company‘s contractual anti-corruption compliance requirements.

While more than half of respondents (62%) audit third parties to assess compliance with anti-corruption requirements, only 22% of respondents audit third parties regularly, whether annually (11%) or less frequently (11%). 40% of respondents report auditing third parties only based on triggering events.

View full image: Does your organization require third parties to complete anti-corruption training? (PDF)

View full image: Which type of anti-corruption training does your organization require third parties to complete? (PDF)

Companies predominantly use anti-corruption provisions in third-party agreements, but opportunities exist to tighten agreements

A company's ability to gather information and hold third parties accountable with respect to potential anti-corruption concerns can often hinge on the contractual protections that a company‘s legal team initially incorporated into its agreements with third parties. While in general most companies (91%) reported using some anti-corruption clauses in third-party agreements, certain contractual provisions that typically support and encourage enforcement of those clauses are not being used by companies.

39% did not include compliance audit clauses, and 86% did not include provisions to shift the cost of failed compliance audits to the third party.

32% did not include provisions to allow termination of a third party in the event of non-compliance.

View full image: How frequently does your organization conduct audits on third parties to assess compliance with anti-corruption requirements?(PDF)

_{1 Third-Party Intermediaries Disclosed in FCPA-Related Enforcement Actions, Foreign Corrupt Practices Act Clearinghouse, Stanford Law School, https://fcpa.stanford.edu/statistics-analytics.html?tab=4 (last visited June 9, 2023)}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2023 White & Case LLP}