Introduction
What happens if the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) believe that an industry sector is rife with bribery and corruption? Many companies within the retail, oil and gas, and pharmaceutical sectors know the answer. They have all recently experienced an “industry sweep”.
While the catalysts for an industry sweep vary and predicting whether or when a sweep will occur is part art, part science, part guesswork, companies cannot ignore the threat of regulatory activity that could target all or part of their industry sector. To complicate matters further, government cooperation between overseas regulators may soon trigger “sweeps” on a global scale.
In several recent investigations, foreign regulators partnered with U.S. authorities and played an instrumental role in subsequent investigations. As an example, Britain’s Serious Fraud Office, which is responsible for enforcing the U.K. Bribery Act, recently announced that it is cooperating with Chinese authorities to investigate alleged corruption involving GlaxoSmithKline.
Notwithstanding the inherent difficulty in predicting a regulator’s agenda and where they might focus their investigative powers, how can a company prepare for an industry sweep?
How Industry Sweeps Evolve
To target an entire industry – or even a handful of companies in the same sector that are suspected of being involved in corrupt activity – regulators must believe that the results of the sweep will justify their efforts. Often, regulators decide to begin a sweep having established a foothold in the sector via an investigation of one of the industry’s largest participants.
The investigation of Walmart’s expansion in Mexico is a recent example. Regulators gathered evidence regarding Walmart’s alleged payment of bribes and used that evidence to justify an industry sweep of retailers with a similar pattern of aggressive growth in Mexico. In essence, the Walmart investigation established a nexus, or connection, for regulators to other competitors in the retail industry.
Companies within an industry can be connected through a number of sources, including employees, recipients of bribes, or third parties who have relationships with multiple companies within the same industry.
While the basis for an industry sweep varies, so, too, will the results. An industry sweep may quickly yield multiple examples of corrupt activity, which in turn can justify an even broader probe involving additional companies within the sector. Conversely, the initial phase of the sweep may not justify continuing the investigation, and regulators will turn their attention to new cases and industries.
Third Parties: The Common Factor
As we have shown, determining if and when regulators will conduct an industry sweep is fraught with complexity. Further, even if a sweep occurs, it may only target a short list of companies based on never-to-be-disclosed criteria known only to regulators. Often, however, regulators tip their hand and provide advance notice of a sweep by issuing questionnaires to companies asking about their business practices in particular countries. Regulators base their questions on investigations in which they suspect corrupt business practices are not isolated.
Yet, an ecosystem of third parties exists within each industry sector. In fact, in an example of what many agree represents the first evidence of an industry sweep, the U.S. government investigated a third-party freight forwarding company, Panalpina, and bribes it paid on behalf of its clients within the oil and gas sector.1
In another example of an industry sweep, this time involving the healthcare sector, Stryker Corporation paid $13.2 million to settle charges leveled by the SEC2. The charges stemmed from the alleged payment of bribes to healthcare professionals and government officials in Argentina, Greece, Mexico, Poland, and Romania. Prior to targeting Stryker, the sweep took aim at five additional healthcare companies and resulted in more than $200 million in fines and penalties.
Depending on the industry sector, the third-party ecosystem can include accountants, acquisition targets, distributors, sales and marketing agents, export agents, joint-venture partners, lawyers, resellers, and vendors.
Regulators openly admit that they routinely target third parties during their investigations. In fact, the connection to a single third party often presents regulators with sufficient evidence to initiate an investigation and scrutinize multiple companies within the same industry sector that they suspect are engaged in wrongdoing.
As the Panalpina investigation shows, a single third party can lead regulators to a trail of evidence that ensnares numerous companies within the same sector. From a regulator’s perspective, initially focusing on one or more third parties for evidence of corrupt activity has the potential to provide sufficient intelligence to fuel an industry sweep and generate significant fines.
Preparing for Regulatory Scrutiny
Understanding that industry sweeps happen is only the first step. Preparing to respond to the possibility of an industry-wide crackdown requires that companies have an Anti-Bribery and Anti-Corruption (ABAC) program in place that includes a risk-based third-party due diligence process.
A risk-based analysis of third parties forces companies to review their third-party compliance program and determine the level of due diligence that is appropriate for each third party. This process includes deploying a tiered approach to due diligence based on a rating generated through a consistently applied risk model. With a risk-based analysis in hand, companies can subsequently assign the appropriate level of third-party due diligence required to vet each relationship.
In addition to implementing a risk-based third-party due diligence program, compliance functions can learn a great deal from benchmarking with companies within their sector. Staying abreast of investigations taking place within an industry sector also provides a deeper understanding of the tools and tactics regulators use to uncover and investigate allegations of bribery and corruption in general and within specific industries.
Armed with a risk-based approach, a multinational can justify the “how” and “why” regarding the organization’s compliance-related decisions. Compiling relevant documentation relating to the company’s due diligence efforts, hopefully in a centralized platform, provides an audit trail detailing how the company screened and analyzed each third party. This approach in turn delivers an unparalleled level of transparency regarding the processes the company followed while conducting third-party due diligence.
The audit trail should include all of the documents relied upon during each phase of the compliance process, including the existence of “red flags”, how they came to light, and how they were resolved. An audit trail should capture actions relating to each third party, including the reason the company accepted or rejected the actions; the resolution of any red flags uncovered during the period the company engaged the third party; and the efforts taken to ensure ongoing compliance, such as the administration of recurring due diligence questionnaires and ongoing monitoring efforts.
In the event that a company is charged with an infraction, having an effective compliance program may result in a non-prosecution or deferred prosecution agreement. It is worthwhile to note that the DOJ and SEC view risk-based due diligence as “particularly important with third parties and will also be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.”3
Conclusion
Companies cannot easily predict when an industry sweep will take place unless they have received a questionnaire from regulators reasonably indicating an industry-wide investigation is pending. However, they can ensure that each of their third parties undergoes a risk-based vetting process that includes creating an audit trail detailing the steps followed to vet the third party and the documentation gathered and analyzed while doing so.
Vetting third parties is well worth the effort as it can dramatically lower a company’s exposure to ABAC-related fines and the resulting disruption of an invasive government investigation. Consider that in 2013 companies paid the DOJ/SEC an average penalty of $74 million to settle allegations of wrongdoing. This amount, which does not include fees associated with the company’s investigation of the alleged illegal activity, is far in excess of the cost of creating and maintaining a robust third-party due diligence program.
Since regulators – both in the United States and overseas – target third parties, a risk-based third-party due diligence program, in concert with a fully functioning, enterprise-wide ABAC program, can help a company prepare for and withstand regulatory scrutiny in the event that it becomes caught up in a sweep.