Identifying Your Third Parties and Gathering Relevant and Sufficient Information
Fikret Sebilcioğlu
Do you know how many third parties you have? Do you think you have all the necessary information to assess the bribery risks that may come from your third parties?
This article is the third in a series on third party bribery risk. In the first two parts of the series I discussed the importance of third party bribery risk and the elements of creating an enabling environment in which third party bribery risk is properly managed.
Under the Foreign Corrupt Practices Act (FCPA), an organization or individual may be held liable for making a payment to a third party while knowing that all or a portion of the payment will go directly or indirectly to a foreign official.
In this article I am going to focus on how a systematic process for identifying, engaging and managing third parties can be established and sustained in a company. In accordance with the third party anti-bribery framework of Transparency International, a good practice in third party anti-bribery management contains seven components:
- Identification of your third parties
- Risk assessment
- Registration and pre-qualification
- Due diligence
- Contract
- Relationship management
- Monitoring procedures
The identification of all third parties and the risk assessment are the phases in which the strategy for third party risk management is designed. Since a “one-size-fits-all” approach cannot be used, these phases should be carefully designed to establish a proper system. The remaining phases can be seen as more “operational”, implementing the strategy.
Identification of Your Third Parties
The company should have a thorough understanding of its third party population in order to manage bribery risks. Identifying and registering all third parties, and obtaining, analysing and storing relevant information about them, is the first step in countering bribery in third parties. This effort may be very small or may be comprehensive, depending on the size and type of business concerned.
The definition of third parties should be clear across the company to avoid any misunderstanding and to determine the third party universe completely. Each company should prepare a full inventory of the third parties with whom it engages. The third party population can include:
• Suppliers
• Service providers (supply chain management, logistics, warehousing etc.)
• Distributors/resellers
• Joint venture partners
• Advisors (lobbyists, tax, legal, operational, financial)
• Contractors/subcontractors
• Marketing and sales agents
• Customs agents
It is crucial to understand the operations of your third parties in order to describe and categorise them. The extent to which your third parties rely on their associates to conduct their business may result in categorising these associates as your third parties as well. If your third parties are highly dependent on subcontractors, lower tiers in the supply chain or Politically Exposed Persons (PEPs), you may gather sufficient information regarding all parties in this chain to assess your risks.
To perform an effective risk assessment and proportionate due diligence for the third parties in the next steps, the company should understand what information will be required and then gather a sufficient amount of that information. The completeness and accuracy of the information will impact the effectiveness and efficiency of risk assessment and due diligence.
Many of the large settled cases under the FCPA or similar regulations involved third parties that do not operate to the standards of the company and can be used by corrupt employees as channels for bribery.
The information gathering procedure should be conducted for all existing third parties. For new third parties, the company should design and implement policies and procedures.
The type of information that the company should collect will depend on the initial high-level risk assessment. Categories of third parties posing higher risks include associates representing the company before government agencies or other third parties, performing services on behalf of the company and having contacts with government officials.
Last but not least, a review of the requirements of compliance with privacy and data laws should be considered while collecting data about individuals and corporations. Unauthorized or careless collecting and processing of data can cause great harm to persons and to companies.
In the next article I am going to discuss the most critical part of the third party ethics and compliance issue: risk assessment.