PLI: Recent developments in the law and best practices have caused many companies to consider extending certain elements of their compliance programs to suppliers and other third parties. Can you comment on this trend?
REBECCA WALKER: Indeed, the increased use of outsourcing by corporations, the globalization1 of the world's economic systems and the concomitant diminution in national borders brought on by increased trade and, in particular, the rapid pace at which national and global communications occur have all served to increase the perceived need to extend compliance requirements beyond an organization's employees.
While both beneficial and admirable to the extent that this trend helps to extend compliance programs - and the prevention of legal and ethical violations - to a broader audience, the application of a company's compliance policies to third parties can also create legal and reputational risks for organizations.
The extent to which any organization should seek to become its brother's (and supplier's, and subcontractor's, and distributor's, and joint venture's) keeper is a complex question that requires careful consideration of the applicable legal and regulatory framework, as well as a balancing of the benefits potentially derived from controlling third-party risks through application of compliance policies with the potential liability created by the third-party compliance policies themselves (which we will call the risk of "associative liability").
The Legal And Regulatory Framework: A corporation's risk of legal liability for the conduct of others is a product of case law, legislation and regulatory guidance. Under the common law, the liability of a corporation for the conduct of others is generally defined by the law of agency.2 The legal principles governing agency law and corporate liability have been shaped, at least in part, in an effort to prevent harms caused by corporations.3 They have been formed, in other words, with an eye to decreasing the risks of corporate misconduct. Generally speaking, the greater the control exercised by a corporation over a person, the greater the likelihood of responsibility for misconduct.4 Under the doctrine of respondeat superior, a corporation may be held liable for the illegal acts of its directors, officers, employees, and agents if the agent's actions were within the scope of her duties and intended, at least in part, to benefit the corporation.5
A corporation is more likely to be held liable for the acts of a traditional "employee" than for the acts of others who may be working on behalf of or with the corporation. The reach of corporate liability for the conduct of others is not static, however. On the contrary, as demonstrated in recent years by the cases involving the liability of hospitals for the conduct of non-employee physicians, the extent to which a corporation may be found liable for the conduct of others is ever-evolving.6
Legislation has – in some instances – expanded the breadth of corporate liability. A good example of this occurs in the area of corruption and, more specifically, the criminal provisions of the Foreign Corrupt Practices Act of 1977 (the "FCPA"). The investigation of the Watergate scandal in the 1970s led to the discovery of a long history of bribery of foreign public officials by U.S. corporations.7 The scandal and investigations that ensued led to the passage of the FCPA,8 which prohibits bribery of foreign public officials and requires companies to maintain books and records that accurately reflect transactions and dispositions of assets and to maintain systems of internal accounting controls.9
In addition to these prohibitions and record-keeping requirements, the FCPA also contains provisions potentially creating corporate criminal liability for the actions of third parties.10 The FCPA makes it unlawful for a company to make a payment to a third party while knowing that all or a portion of the payment will go directly or indirectly to a foreign official for the purpose of influencing the official in his decision-making capacity.11 Under the statute, a company is deemed to have the requisite knowledge if the company "is aware" that misconduct exists or is "substantially certain" to occur or "has a firm belief that such circumstance exists or that such result is substantially certain to occur."12 In other words, companies will be liable for the conduct of third parties if they have some knowledge that the companies' funds – paid to the third party, not a foreign official – will likely be used to bribe the government official.13
To help decrease the risk that payments to a third party will give rise to liability under the FCPA, many companies have implemented extensive compliance policies and procedures to govern consultants who assist in their relationships with foreign public officials. Such measures include requiring the consultants to agree through contract not to violate bribery laws; applying the company's anti-bribery policy to the third party by way of contract; performing often extensive due diligence to ensure that the consultant has not engaged in bribery in the past and does not possess certain risk factors; monitoring the third party's conduct under the contract; and auditing the consultant's books and records to attempt to detect illegal conduct.
The government's enforcement actions in this area underscore the importance of extending FCPA compliance policies to appropriate third parties. For example, in March 2005, when Titan Corporation entered into a plea agreement with respect to alleged FCPA violations, the company promised to adopt an FCPA compliance program that includes due diligence procedures for current and prospective foreign agents or consultants; standard contractual language imposing FCPA compliance on all agents, representatives and consultants working on behalf of Titan; and annual audits of agent and representative relationships.
The Sentencing Guidelines for Organizations (the "Guidelines") also provide a powerful incentive for corporations to extend compliance policies beyond the walls of the corporation. The Guidelines, which created the first broad-based incentive for companies and other organizations to implement compliance programs, also set forth a definition of an "effective compliance and ethics program" that is utilized by many government agents and corporations. The Guidelines' definition provides that, in order to have an effective compliance program, organizations must establish standards and procedures to prevent and detect criminal conduct; have appropriate board and management-level oversight of the program; use due diligence when hiring; monitor, audit, and periodically evaluate the program; have a system for reporting suspected misconduct and seeking guidance; discipline and incentivize compliant behavior; appropriately respond to misconduct; and base the compliance program on a periodic risk assessment.14
The Guidelines' definition of an effective compliance program addresses application to agents and other third parties in three places. First, in the area of training and communication, the Guidelines provide that organizations shall periodically communicate their standards and procedures to employees, directors and agents,15 as appropriate, by conducting effective training programs and otherwise disseminating information appropriate to their roles and responsibilities.16 Second, in the area of auditing and monitoring, the Guidelines provide that an organization must take reasonable steps to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.17 Lastly, in the Guidelines' commentary regarding the impact of the size of an organization on the implementation of its compliance and ethics program, the Guidelines provide that large organizations should encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs.18 In addition to these specific references, the Guidelines' directive that compliance programs be based on an assessment of the organization's risks19 contemplates the implementation of compliance policies applicable to third parties to the extent that the risk assessment indicates that such policies would be appropriate.
The Sarbanes-Oxley Act of 2002 also contains a provision governing the extension of a component of compliance programs – reporting procedures – to third parties.20 Section 301 of Sarbanes-Oxley requires the national securities exchanges and associations to prohibit the listing of securities of any company where the audit committee of the company has not established procedures for the receipt, retention and treatment of complaints received by the company regarding accounting, internal accounting controls or auditing matters, as well as the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.21 The SEC regulations implementing this provision of Sarbanes-Oxley make clear that the scope of the reporting requirements contained in section 301 extends to any relevant complaints received by the company, "regardless of [the] source."22 In other words, companies must create procedures for non-employees to contact the company to report accounting-related misconduct.
In addition to the various legal and regulatory requirements emanating from U.S. government bodies, numerous non-governmental organizations such as the United Nations, the International Labour Organization (ILO), and the Organization for Economic Cooperation and Development ("OECD") have promulgated guidance in recent years on the development of compliance policies applicable to suppliers and other third parties. For example, the OECD's Guidelines for Multinational Enterprises, which set forth voluntary principles and standards for multinational organizations, recommend that organizations encourage business partners, including suppliers and contractors, to apply principles of corporate conduct compatible with the Guidelines.23 Similarly, the United Nations Global Compact, a voluntary code for multinational organizations, requires signatories to promise not only to respect human rights, but also not to be complicit in human rights abuses by others.24
Combined, these legal, regulatory and inter-governmental provisions create powerful – though limited in scope – incentives for companies to consider extending certain elements of their compliance programs to consultants, subcontractors, suppliers or other such third parties. In addition to these external incentives, the internal logic of corporate compliance supports consideration of third-party compliance mandates. As noted above, third parties can create some amount of legal risk to organizations based on particular statutes (such as the FCPA) and through traditional agency theory. In addition, in other areas, such as child and forced labor, third parties can create significant reputational risk for organizations, which could adversely affect the performance of their stock.25 Given the potential legal and reputational liability for the conduct of third parties, it is logical for corporations to attempt to control for third-party legal risks in the same manner that corporations control for other types of legal risks – through application of corporate compliance policies and procedures to suppliers, contractors or other third parties.