CEP Magazine – July 2022
By Melina Llodrá and Mariana Idrogo
Melina Llodrá ([email protected]) is Founder and Partner for LLODRA attorneys-at-law in Buenos Aires, Argentina. Mariana Idrogo ([email protected]) is Founder and Senior Managing Director for G5 INTEGRITAS in Buenos Aires, Argentina.
An organization can have multiple third parties, all of which need to be put through a due diligence process in order to identify, mitigate, and avoid all potential risks and concerns. Having said that, this due diligence process is not an easy task and very often triggers difficulties.
What are the common challenges?
Lack of time, lack of supportive documents, and even lack of cooperation from relevant parties are some of the challenges that you might experience when undertaking a third-party due diligence process. Even during the last two years there has been an increase in these challenges due to the COVID-19 pandemic.
In addition to these difficulties, Latin America (LATAM) has its own set of challenges. In LATAM, not all countries are the same in terms of compliance regulation and culture. It is essential to understand the local flavor, such as the local culture, language, and framework. For instance, there are many circumstances where everyday practices do not match with local requirements.
One of the biggest challenges in LATAM is the difficulty accessing public information and having to hurdle inaccuracy and out-of-date information. This is due to the lack of a virtual database and problems with connectivity. So, where are we heading? To answer this question in a simple way—there has been great progress, but there is still a lot to be implemented.
What is effective due diligence?
Law 27.401 establishes the following two principles: corporate criminal liability and successor liability. The former refers to bribery-related offenses of third parties acting in the organization’s name, interest, or benefit even when this individual had no powers to do so. The latter reinforces the need of due diligence in case of transformation, merger, split, or any other corporate modification.
It also highlights the importance of the procedures to prove the integrity and track record of third parties or business partners, including vendors, distributors, service suppliers, agents, and intermediaries. At the time of hiring their services and during the business relationship, third-party due diligence is a key element of the compliance program.
Which approach to undertake to identify relevant third parties?
Defining relevant third parties is very challenging. These might be contractors, service suppliers, distributors, legal representatives, intermediaries, and many others. Which is the best approach to identify a relevant third party? Third-party due diligence is not one-size-fits-all; it requires a holistic approach to understand the risks the third party presents. There is the need to look into the third party as a whole, evaluate the industry it works in, whether the geographic area has higher corruption risks, the business plan, its contact with public officials, its capacity to exert influence on others to the benefit of the organization, and many other factors.
How do you assess a third party?
There are four basic steps to consider when carrying out a third-party due diligence:
1. Get to know the third party: What is its reputation? How is it regarded in its local jurisdiction and business environment? Will it interact with public officials? What are its main links and connections? Are there any conflicts of interest with officials within the company? What is its financial soundness? Does it have a compliance program?
2. Understand the relationship: What is the need behind this third party? What will its role be? What are the service conditions? What are the pay terms?
3. Communicate and train on compliance policies: Is the third party aware of the policies and conduct standards it is expected to comply with? Are these made available to third parties? Can we go through them in detail, discussing examples and cases, and addressing dilemmatic situations that may arise in the course of our activities?
4. Add controls: What mechanisms can we put in place to have control over the third party’s actions as long as it may be acting on behalf of, in the benefit of, or for the interest of the organization?
Furthermore, it is key to determine if a third party is high risk. Resources are always limited, and we have to deal with time constraints, so in order to be efficient and effective, we need to understand which of our third parties are high risk to apply the most effort and resources to those cases.
When assessing risks, some high-risk indicators to consider are the inclusion of the third party in the local or international watch lists, reputational issues, investigations into alleged anti-bribery and corruption infringement, little or no experience in the sector, resistance to providing information, officials or family members in the corporate capital, connections with relevant officials or politicians, and compensation requirements such as political or charity contributions.
How do you protect the organization’s interests?
The risks involved with a third party do not dissipate once the due diligence is approved. It is vital to preserve the organization’s interests, especially in the long run, but how do you do it? There are a few simple steps to ensure the protection of the organization:
· Periodic due diligence in long-term contracts.
· Periodic monitoring of the third party.
· Education and training on the compliance program, the code of conduct, and ethics and anti-corruption policies.
· Anti-bribery and corruption contractual mechanisms, such as a commitment to comply with compliance policies and applicable legislation, a precise definition of acting “on behalf of,” clear protocols for liaison with public officials, proof of having read and accepted compliance policies in writing, contract rescission and sanctions in case of infringement, a requirement to cooperate with internal and external investigations.
Failing to adequately assess a third party could lead to exposure to risks, but how do you deal with a rotten apple? There are two possible scenarios: a preventive approach and a reactive approach. A preventive approach involves policies and contractual clauses to mitigate risks, as well as periodic risk assessment and ongoing supervision. On the other hand, a reactive approach will involve interviews and/or conducting an investigation and could lead to the suspension of a contract in the event of infringement.
To conclude, third-party due diligence is essential for your organization in order to prevent and hopefully avoid the inherent risks that come along with working with external subjects.
Identifying relevant third parties through a holistic approach and assessing them in order to learn about them and their industry, as well as determining the reason why your organization needs the third party in question, are the first steps of your third-party due diligence process.
Another vital element is ensuring that the third parties involved with your organization are aware and onboard with the compliance program, the code of conduct, and ethics and anti-corruption policies of the organization. That is why communication and training take such an important role.
Finally, it is crucial to assure continued use of best practices throughout the relationship with the third party. This can be achieved by a combination of an ongoing tailored risk approach (in general, higher-risk third parties require a more periodic supervision and more in-depth checks), anti-bribery and corruption contractual clauses, and ongoing supervision. Furthermore, be ready for the unexpected: Have an emergency process prepared and ready to put in place if needed.
Takeaways
· Third-party due diligence is a must to identify, mitigate, and possibly avoid all potential risks and concerns.
· When identifying relevant third parties, a holistic approach is the most convenient one.
· Do not underestimate the impact of local flavor; involving local counsel is recommended.
· Communicate and train relevant third parties on compliance policies (including, but not limited to, the code of conduct and anti-corruption policies); this is key to protecting the organization’s interests.