MCC: Starting with the basics. How do you define a “third-party intermediary”?
McCann: Most companies struggle with the simple definition of a third-party intermediary (“TPI”) as they evaluate their intermediary relationship populations and the associated risks. One of the best definitions I've come across is from the Organization of Economic Cooperation and Development (“OECD”), which defines an intermediary in sweeping terms, such as “a conduit for goods or services offered by a supplier to a consumer,” noting that a TPI can be a person or an entity. For those of us in the consulting and legal professions, the full definition can help contextualize a company’s global business relationships, and a full study reveals that it encompasses the entire diversity of potential business relationships, including sales agents, distributors, customs agents and many others who operate on behalf of a U.S.-based company in a foreign jurisdiction.
MCC: Why are TPIs used so pervasively in international markets? Please discuss some of the risks and compliance challenges within these relationships.
McCann: The use of TPIs is critical in helping companies gain foreign market penetration, but it also inherently increases compliance risk. Most U.S. companies realize that globalization is one of the best opportunities for growth; however, entering into international markets requires an understanding of the local rules of the road in each respective territory or region that the company wishes to enter. While this is an excellent avenue for growth, it also involves assessing cultural nuances and different ways of doing business. This is often a challenge for companies.
Local intermediaries understand these cultural issues and can help companies navigate them. The challenge, however, lies in training these counterparts to operate with an awareness of their obligations under U.S. regulatory guidelines. If the intermediary does not embrace these requirements, the parent company could be exposed to financial and reputational risks associated with these relationships.
Now there are financial upsides and downsides here. On the upside, I mentioned that TPIs facilitate expansion of global business operations, but the downside is that such engagements can be a costly proposition. First are the inherent costs associated with expanding the company’s compliance functions, often a daunting task that requires enhanced due diligence, employee training and then, of course, monitoring on a global scale. But the biggest potential downside comes out of enforcement actions from both the DoJ and the SEC, which have imposed stiff fines and penalties on companies that have failed to design and implement effective global ABC compliance programs.
Finally, you can’t ignore the significant implications of reputational risk. A quick look at the largest enforcement actions in recent years reflects the imposition of significant fines and penalties on companies with household names. These events become global news, so it should suffice to say that these companies would much rather be covered in the Wall Street Journal for the quality of their products and services rather than any negative connection with bribery-related activity.
MCC: Obviously TPIs present significant risks and compliance challenges to companies doing business on a global scale. Please provide an overview of how companies can manage and monitor TPI risks. Where do third-party reviews fit into the process?
McCann: In my opinion, effective risk management starts with risk mitigation, and, in fact, many companies have started to embrace TPI risk mitigation by performing due diligence prior to establishing a relationship with a TPI. But due diligence alone is no longer sufficient. Ongoing TPI monitoring is clearly becoming a natural compliance requirement. This is especially relevant as it relates to ABC compliance. A critical component that is necessary to achieve this requirement is clear contractual terms that allow companies the right to audit their TPI’s books and records. While we’ve seen a significant uptick in regulatory guidance in this area, one important takeaway is that there is no one-size-fits-all solution. Each company has to design a program that suits its industry and business needs. In fact, many companies are proactively monitoring third-party relationships not only to uncover potential compliance-related issues, but also to identify areas for operational improvement. As far as methodology is concerned, my preferred approach is risk based in nature. This involves understanding your population of TPIs and their associated risk characteristics, which typically include government interaction, type of service, geographic location and yearly spend. By evaluating these characteristics, you can identify populations of higher-risk TPIs to be considered for further investigation.
Third-party reviews are a natural extension of this methodology and amount to an on-the-ground evaluation of these high-risk relationships. We start by assessing the underlying contract, understanding any mandated reporting requirements and then meeting in person with the distributor or agent to determine if their compliance programs are aligned with the company’s requirements. We’ll also test transactions to identify potential red flags associated with bribery and corruption. This process typically culminates with a written report documenting our procedures and the associated observations. It is not uncommon to identify that contractual provisions or compliance reporting obligations are not being met by the third party. On the upside, however, these observations ultimately will help management consider ways to improve the compliance program on a go-forward basis. Depending on the nature of the observations, it may be prudent to involve the company’s legal counsel in the planned remediation efforts.
MCC: Turning directly to the FCPA, what trends are you observing in relation to TPIs?
McCann: The Foreign Corrupt Practices Act ("FCPA" or "Act") has been on the books since 1977, yet U.S. regulators have only been aggressively enforcing it for approximately the past 10 years. Due to the success of these enforcement actions, I don't see enforcement trending down any time soon. While TPIs themselves are not driving the enforcement trend, we do see a consistent theme of TPI involvement in bribery-related activities with foreign officials. This is further supported by a recent study conducted by the OECD where we learn that over 75 percent of bribery-related incidents involve payments made through intermediaries. This is a great statistic that demonstrates the inherent risks associated with intermediary relationships.
In 2014, we saw significant FCPA enforcement actions involving third parties. The Alstom matter certainly jumps off the page for resulting in the second-highest fine ever imposed by the DoJ: approximately $773 million. The allegation was that Alstom paid approximately $75 million in consulting fees to third parties in an effort to secure billions of dollars of projects in the Bahamas, Indonesia, Saudi Arabia and Taiwan. It's a good example of a company using TPIs to drive business in lands that are historically tough to enter. Additionally, it’s a good example of how intermediary relationships can create regulatory exposure for your organization.
MCC: You have noted that 75 percent of corruption cases involve improper payments made through TPIs. Why do these relationships implicate FCPA risk to such an impressive degree, and what factors should companies consider in their efforts to manage exposure?
McCann: In serving as distributors, sales agents, joint ventures, subsidiaries, accountants, lawyers, contractors and freight forwarders, to name a few, TPIs become part of a company’s fabric. The simple fact is that on a daily basis TPIs are operating on behalf of the company – autonomously and in countries far away from the eyes of U.S. compliance teams. That’s where the risk arises, and it only increases in proportion to the number of interactions with government officials. Essentially, in expanding operations overseas, U.S. companies continue to face all the usual contractual and business risks while adding in the complexity of anti-bribery compliance.
To take one example in practical terms: when we help companies assess TPI risk, we look first to the contract and ask some key questions. Are the terms and conditions clear on both sides, and, importantly, do we have the audit rights necessary to allow us to evaluate what TPIs have been doing on behalf of our clients and assess potential risks the company may not be aware of? The contract sets the tone for the entire relationship and provides necessary leverage for the company to evaluate performance and compliance.
Another practical complexity involves what we call “risk-based due diligence,” which I touched on earlier as being part of the TPI selection process. This may include everything from open-source background checks via Internet searches to assessing negative media or litigation around a particular company or individual to highly sophisticated financial evaluations during an M&A transaction. The diligence can take many directions, most frequently along the lines of gathering intelligence on the entity or individual to understand their activities and historical work experience. For instance, a common red flag within FCPA compliance might involve individual TPIs that came out of government agencies and became private consultants. By understanding that context, you can better mitigate the associated risks. Again, effective risk management starts with risk mitigation.
And going deeper, a fundamental challenge within FCPA compliance lies in defining the term “foreign official,” which may be even more difficult to pin down than the definition of TPI. As defined in the Act, the term government official is all-encompassing and applies to any officer or employee of a foreign government and to those acting on the foreign government’s behalf. As a helpful resource, your readers can access guidance from the DoJ and SEC at www.justice.gov/criminal/fraud/fcpa/guidance/guide.pdf (see page 19).
One challenge that arises from the definition of a government official is that it is broad in the first place, and exponentially broader and more nuanced depending on the country or industry in which you are dealing. In a communist country like China, for instance, the term “government official” becomes very expansive because it includes people who work for any state-owned entity, including hospitals and many others that could be considered non-government owned in other countries. You really have to understand the geopolitical issues at hand and ask yourself, who are we hiring to act on our behalf?
Common business activities that present challenges for companies include government tenders or typical business activities like entertainment, which in the U.S. are often seen as benign but take on a very different flavor when they involve a foreign government official. So, for example, if you're dealing through an intermediary with a Chinese official on a government tender with a hospital, the simple act of taking that official to dinner to discuss the tender may be perceived as a bribe under the FCPA or local bribery and corruption laws. Companies need to be sensitive to this in managing TPI activities.
MCC: To wrap up, I’d like to return to the discussion of third-party distributor reviews and get your final thoughts on what companies really face in monitoring TPIs.
McCann: In broad terms I’ll add that for a number of reasons, performing a third-party distributor review is not an easy task. These reviews often involve a new level of interaction for companies with their intermediaries. These interactions can often be uncomfortable for the company, and there is typically an added business pressure focused on not disrupting TPI relationships with compliance-driven audits. TPIs drive business, and no one wants to stymie that.
Nevertheless, compliance is a necessity, and non-compliance is a huge liability. Enforcement is on the rise, and it remains a fact that a majority of enforcement actions involve the use of TPIs; therefore, it is critical for organizations with a U.S. nexus to manage regulatory requirements by taking steps to ensure that they understand and are monitoring the activities and associated risks within third-party relationships.
Third-party reviews are a powerful tool for companies that want to enjoy the business benefits of engaging with TPIs while keeping a close eye on their business activities and compliance efforts.
KPMG’s proven methodologies associated with third-party reviews provide solutions while relieving the burden for companies having to “figure it out for themselves.” We truly can help organizations cut through the complexity associated with third-party risk.
Published May 1, 2015.