Third parties work at various levels of almost all organisations and, at times, even act on behalf of organisations. Therefore, it is essential to acknowledge the significant risk of engaging with third parties without an effective third party compliance programme in place.
While a principal and a third party may be considered separate legal entities, the liability of misconduct can be shared – especially if regulators have reason to suspect that the principal knew of potential misconduct and allowed it to happen, or did not have enough measures in place to identify the possibility of third-party misconduct.
Previously, companies often turned a blind eye towards misconduct, but this all changed with the notable case of InVision in 2008. The manufacturer of airport screening devices sold its products through resellers in certain Asian markets that were typically high in corruption risks, and the ultimate purchasers of the airport screening devices were government-run airports. After one of InVision’s resellers was found to have bribed the officials of a government-run airport, InVision was found liable for the acts. The company and various employees were subject to fines, sanctions and, in some cases, jail time.
The case demonstrated that organisations need to challenge the idea that what a third party does can’t hurt them. With more regulations being put into place, and with stricter enforcement of the law, what a third party does can, and historically has, hurt organisations that do not have enough measures in place.
Recent cases of third party misconduct
- United States automobile manufacturer General Motors is cooperating with authorities on its failure to make public an ignition-switch defect related to at least 104 deaths. A settlement has not yet been reached, but it is expected that it will eclipse the US$1.2 billion paid by Toyota in 2014 over its nondisclosure of unintended acceleration in some of its vehicles.
- Oil and gas company BP was fined US$18.7 billion – the largest environmental fine in the United States – after being found to be ‘grossly negligent’ in the 2010 Deepwater Horizon disaster that resulted in an oil spill that affected a huge portion of the Gulf of Mexico. The judge in the case assigned lesser blame to contractor Halliburton and operator Transocean, highlighting how the failings of third parties can be transferred to the principal.
- Nestlé’s third parties have been found to have engaged in slavery and child labour. In 2015, the Swiss food and beverage company admitted that a part of its supply chain in Thailand used workers trapped in illegal and brutal working conditions. The company also allegedly purchased cocoa from the Ivory Coast, despite knowing that it was an area known for child slavery. Investigations are currently ongoing.
- In a move possibly made to win favour with regulators, Scottish cabling solutions developer Brand-Rex self-reported violations of the United Kingdom Bribery Act for failing to prevent a third party from committing bribery. This event has led to questions as to when a company should self-report and when to consider alternative options to cooperate with regulators.
As compliance has often been considered as a roadblock rather than a function that allows for the smoother operations of an organisation, a third party compliance programme might be a hard sell. But, as cases from the past year show, a compliance programme for third parties can prove to be beneficial.
An effective third party compliance programme can add value to the business and manage third-party risks efficiently. At the same time, it can also produce a return on investment or potential financial savings.
Some value and cost benefits of implementing a third party compliance programme include:
- having stronger channel partners
- receiving additional margins due to the channel being a stronger sales mechanism
- a stronger channel programme with greater integrity, allowing the channel to attract partners from other vendors
- savings on the cost that is currently being spent, both internally and externally, on investigating channel conflict (typically in the form of questionable rebates, marketing development funds and sales commissions)
- reducing the need for investigations and therefore saving on the cost of the associated legal and accounting fees
- lessening the risk of falsely reported sales information through resellers who are ‘stuffing the channel’
- savings on additional audit fees for addressing revenue changes.
Another benefit of a compliance programme for third parties is the efficient and thorough risk management it can provide. Past behaviour and legal records of an organisation provide a good guide to which risks to look out for.
Third-party risks could include:
- historical compliance issues
- legal and regulatory obligations
- company policies and codes of conduct (or lack thereof)
- records of reneging on contractual obligations
- compliance with industry practice, peer benchmarking and best-practice obligations
- practice of ethically-concerning conduct such as animal testing, slavery and child labour
- corruption and Foreign Corrupt Practices Act risks (for those doing business with government customers)
- accounting and Sarbanes-Oxley Act risks
- channel stuffing
- misuse of product roadmaps
- leaks of confidential information
- IP issues, such as copying products
- sales price setting and licensing issues
- customer kickbacks
- price fixing and collusion
- grey-market and parallel-importation issues
- poor product sales
Compliance programmes also require periodic reviews, which can be beneficial to the overall legal obligations of a company. Regulations could have been changed or withdrawn following a political change, or there could be renewed regulator focus on certain areas of the law (such as the focus by the Department of Justice on individual accountability in the Yates Memo).
It is also important to consider employing compliance specialty firms as they can provide better assessments, especially if a third party or a part of the organisation’s business or operations is in an unfamiliar country. This is also the case for high-risk areas where corruption and unethical practices such as child labour or slavery are rampant. Outsourcing to firms that have extensive experience in the region and the necessary procedures to provide efficient analyses and advice can lead to better risk-management decisions and save a lot of time.