Companies that depend on domestic and international supply chains need to know the recommended foreign guidelines in order to avoid transactions with third parties that may compromise their reputation, image and finances as a result of investigations or legal actions for money laundering, corruption and other related financial crimes.
It is important to remember that the United States can take extraterritorial action through the sanctions programs of the Office of Foreign Assets Control (better known as OFAC), which falls under the U.S. Department of the Treasury. Likewise, the Federal Bureau of Investigation (FBI), through its International Anti-Corruption Unit, investigates cases in Latin America based on its mandate under the Foreign Corrupt Practices Act (FCPA).
For example, through the FCPA, the FBI can investigate Latin American companies and individuals who corrupt public officials in other countries and who in some way use the financial system of the United States.
Around May last year, the United States Department of Justice Criminal Division published new guidance for corporate compliance programs that establishes recommendations for companies. The Guide provides specific factors that prosecutors should consider when evaluating the effectiveness of compliance programs for determining how to prosecute or resolve corporate criminal enforcement actions.
The Department of Justice Criminal Division is a federal agency that develops, applies, and oversees the application of all federal criminal laws in the United States. Therefore, it is important to know that when a criminal investigation is opened against a company, the prosecutors of the Criminal Division ask three fundamental questions regarding the company’s compliance program:
- Is it well designed?
- Is it being implemented effectively?
- Does it work in practice?
A well-designed compliance program must implement a risk-based approach in its relationships with third parties. Although the due diligence level may vary depending on the size and nature of the business or its transactions, US prosecutors will assess the extent to which the company understands the potential risks from third parties – including agents, consultants, and distributors – that may partake in illegal activities, such as paying bribes to foreign officials in international business transactions.
In addition, according to the 2019 United States Department of Justice Guide, prosecutors must also assess whether companies know the reputation and relationships of their external partners. For this, prosecutors will thoroughly evaluate whether the company has technology and solutions for continuous monitoring of relationships with third parties. Data-driven decisions and technology are key in discovering and understanding the associated risk.
These are the critical points that companies that depend on international supply chains and that have some point of contact with the United States must monitor, based on the 2019 Guide of the Department of Justice.
- Integrated and risk-based processes. The two key questions that a prosecutor will ask the director or compliance manager to learn about their risk management processes are: how the company’s third-party management process has corresponded to the nature and level of business risk identified by the company, and how that process has been integrated into relevant purchasing and supplier management processes.
- Appropriate controls. In the event that a company is undergoing a judicial investigation, prosecutors will pay attention to controls over other business partners. The questions they will ask are: How does the company ensure that there is adequate business justification for the use of third parties? Were there third parties involved in the underlying misconduct? What was the business reason for using those third parties? What mechanisms are in place? Do the terms of the contract specifically describe the services to be provided?
- Relationship management. The questions that prosecutors will ask are: How has the company considered and analyzed third party incentive structures against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the accounting books and third-party accounts? For those companies that exercised those rights in the past, how did they train their third-party relationship managers on compliance risks and how to manage them? Ultimately, how does the company encourage compliance and ethical behavior of third parties?
- Actual consequences. Upon detection of illegalities, companies should be able to answer the following questions from a prosecutor: Does the company track alerts that are identified by third-party due diligence? How are those alerts handled? Does the company track third parties that failed the due diligence process? Finally, does the company take measures to ensure that the third parties that failed due diligence are not hired or re-hired at a later date?
- Control test. It is very important that companies not only have control tests for their personnel but also have evidence that the control tests are applied, as well as actions to collect and analyze compliance data from their third-party partners.
- Third party risk assessment. Prosecutors pay special attention to whether the due diligence program is correctly designed to detect different types of illegal conduct. The Department of Justice identifies that the most probable risk that companies have is the hiring of third parties that carry out any high-risk activity.
- Allocation of resources. The authorities place special emphasis on whether companies appropriately allocate their resources to address their highest risks. The question prosecutors will ask the company is whether it spends a disproportionate amount of time monitoring low-risk areas rather than high-risk areas, such as questionable payments to external consultants.
- Risk communication. The last point the authority suggests is that attention be paid to how the company communicates its due diligence policies and procedures to all relevant employees and third parties. It is extremely important that vendors and third parties know the policies and procedures that the company has established to avoid illegal actions.
Latin American companies must be aware of these eight points that guide the actions of the US inspection agencies in order to prevent damage caused by third parties that are part of their production chain. Likewise, they must have access to the lists of companies and people who have failed to comply with the regulations and appear on the OFAC and/or FBI watch lists or any other international watch list, to avoid being involved in corruption cases that can lead to reputational damage or hefty fines.