The gist of the Foreign Corrupt Practices Act is simple: U.S. public companies cannot bribe government officials to win business. For the most part, executives understand the point of the 34-year-old law and have designed compliance programs to minimize the risk of their company or business partners violating the FCPA.
Yet, straightforward as such compliance may sound, “when you start drilling into implementing it, it’s actually very complex,” says Bruno Grandguillotte, chief compliance officer of IT distributor Ingram Micro. Matters get complicated when companies have third parties do business on their behalf. Those parties may be tempted to use additional funds to win over accounts, push through permits, or speed up services in places where bribery may be considered a normal course of business.
Adding to companies’ bribery risk is a law that went into effect last July, the U.K. Bribery Act. The law affects all companies that do business in the United Kingdom, and is expected to have a broader reach. Meanwhile, the U.S. Justice Department continues to file a relatively high number of enforcement actions.
In recent years, regulators have warned companies through such actions to keep a careful watch on their third parties. This point was made in November 2010 when Panalpina, a Swiss logistics firm, pleaded guilty to criminal charges and settled Securities and Exchange Commission charges that it had violated FCPA provisions. Accused of facilitating bribes on behalf of its corporate clients in several countries, including Nigeria and Russia, the company agreed to pay $82 million to the U.S. government.
Vetting Vendors
Companies’ FCPA compliance programs have generally focused on agents and freight forwarders, the types of business partners that tend to get in trouble with the law. Increasingly, however, companies are scrutinizing suppliers as well.
Due diligence of suppliers is becoming tougher; traditionally they have had to undergo only minimal credit checks, but now they are being chosen and reviewed much more carefully. And suppliers increasingly have to sign contracts that give their customers the right to audit them, and may also include an indemnification clause.
Distributors like Ingram Micro have received a flurry of questionnaires from large IT manufacturers whose products they offer to resellers. The forms can be as long as 60 pages.
“Some of the questions are the same, but because every vendor works independently, each questionnaire is slightly different,” notes Tim Curran, CEO of the Global Technology Distribution Council. Curran’s trade association is working with manufacturers to develop a consistent electronic format and shared platform to make the process easier.
Questionnaires are just the starting point for better vetting. But the extra work comes with a high cost. Large distributors with hundreds of thousands of resellers, for example, would have to spend between $3,000 and $6,000 per third party for proper due diligence, says Rebekah Poston, a partner at law firm Squire Sanders. “Financially speaking, it is prohibitive and impossible to perform the kind of due diligence the government wants you to perform,” she says.
Still, executives are finding that extra vetting feels safer and could outweigh the reputational and investigation costs that would arise if a supplier is ever accused of violating anticorruption laws.
Prompted by the passage of the U.K. Bribery Act, Kimberly-Clark, the consumer packaged goods giant, bolstered its FCPA-related compliance program last fall. “We have enhanced the contract language around third parties representing us, specifically in connection with corruption,” says Thomas Mielke, Kimberly-Clark’s chief compliance officer. Now, the company’s business partners are not just required to note that they are aware of FCPA compliance and will follow antibribery laws; some must also agree to be subject to audits and to keep complete records of their payments.
Ranking the Riskiest
In addition to contract revisions, some companies are picking out their riskiest suppliers for more-intense reviews. These business partners are chosen based on several factors, including the countries they operate in, their history with anticorruption laws, and whether their board members are affiliated with any government officials.
But companies can’t thoroughly evaluate every single supplier for FCPA risk — nor should they. By ranking their suppliers based on risk factors, companies won’t waste time on those with the lowest likelihood of causing serious problems. “You may have 10,000 suppliers, but they are not all creating risk for you,” says Brian Loughman, a leader in Ernst & Young’s Fraud Investigations and Dispute Services Practice.
In other words, a company probably doesn’t need to be overly concerned about a small shop that provides catering services to its European branch office. But a situation in which an agent is helping the company set up a physical presence in India should be looked at with special care.
To evaluate the compliance of more-questionable vendors, companies may hire yet another third party, such as Forensic Risk Alliance. The firm will, for instance, compare a vendor’s pricing with that of peer companies, since inflated charges could be a red flag that the vendor could be hiding improper payments.
Another reason to do extra vetting: regulators may look favorably at past due-diligence work. Liability can be greatly reduced “if you’re running a clean shop and can demonstrate you run a clean shop,” says Steve McGraw, chief executive of software firm Compliance 360.
When the worst happens and an FCPA investigation begins, regulators will be scrutinizing the firm’s compliance program. Under the law, authorities can nab companies and employees not only on bribery charges but also on failure to keep proper books and records. At that point, providing documented proof of proper due diligence may be all a company can do to distance itself from a corrupt business partner.
“Companies don’t get into trouble for doing their processes poorly,” comments Thomas Fox, a consultant who advises companies on their FCPA compliance programs. “They get into trouble when they don’t have any processes, or when they have a process but they don’t follow it.”
Sarah Johnson is senior editor for risk & compliance at CFO.