On April 30, 2019, the U.S. Department of Justice (“DOJ”), Criminal Division, released updated guidance to DOJ prosecutors on how to assess corporate compliance programs when conducting an investigation, in making charging decisions, and in negotiating resolutions.
The pronouncement, Evaluation of Corporate Compliance Programs, updates earlier guidance that DOJ’s Fraud Section issued in February 2017. This guidance emphasizes DOJ’s laser focus on compliance programs, requiring companies under investigation to carefully evaluate, test, and likely upgrade their programs well before the investigation is over.
The updated Evaluation document has been restructured around the three “fundamental questions” from the Justice Manual that DOJ prosecutors should assess:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
Under these three categories, the updated Evaluation groups 12 topics and sample questions that DOJ considers relevant in evaluating a corporate compliance program. One of the 12 topics is Third Party Management.
Under the DOJ guidance for third-party management, organizations are “expected to apply risk-based due diligence to third-party relationships.” While the guidance notes that the degree of due diligence may vary based on the size and nature of the company or the transaction, it goes on to say that “prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
In other words, DOJ prosecutors expect that a well-designed and compliant third-party management program will:
- cover (all) third parties (so you need to create a reliable inventory of your third parties),
- be risk-based (so you need clear, documented risk factors and a risk-based approach to your diligence and oversight), and
- be substantive (you actually need to ‘understand the qualifications and associations of your third-party partners’; a check-the-box compliance exercise won’t work).
The guidance goes on to further outline expectations around third-party due diligence practices, which are grouped into four categories.
1. Risk-Based and Integrated Processes
- How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company?
- How has this process been integrated into the relevant procurement and vendor management process?
2. Appropriate Controls
- How does the company ensure there is an appropriate business rationale for the use of third parties?
- If the third parties were involved in the underlying misconduct, what was the business rationale for using those third parties?
- What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed and that compensation is commensurate with the services rendered?
3. Management of Relationships
- How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks?
- How does the company monitor its third parties?
- Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past?
- How does the company train its third-party relationship managers about compliance risks and how to manage them?
- How does the company incentivize compliance and ethical behaviors by third parties?
4. Real Actions and Consequences
- Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed?
- Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date?
- If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved?
- Has a similar third party been suspended, terminated or audited as a result of compliance issues?
So here’s what this all means. If something goes bad with one of your third parties, and the prosecutors come knocking, you had better have a well-designed and substantive third-party management program in place. Simply checking the boxes won’t cut it. Prosecutors are looking at how you manage risk and compliance across the entire lifecycle of your third-party relationships, which includes procurement, due diligence, contracting and ongoing third-party relationship management. They also expect your staff to be trained on how to do these things properly.
The bottom line here is don’t skimp on third-party management. You might feel like you are saving now, but you’ll only pay big later.