Third-Party Due Diligence: Expanding Compliance Programmes to Suppliers and Clients
This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.
The use of third parties in a company’s efforts to expand its business, whether internationally, domestically or locally, is not only inevitable but necessary. From manufacturing to supply chain through to distribution and product services and support – and including many other key functions of a business previously handled internally (e.g., human resources, information technology, finance and audit) – there is a fast-growing outsourced business model that relies on third parties. Often, using third parties is cheaper, faster and more effective, rendering it a competitive necessity. Third parties can take the form of a company’s agent, intermediary, supplier, consultant or joint venture partner and can provide the company with invaluable and critical services, ranging from product design or delivery to legal or tax advice to sales opportunities. For example, a third party could provide crucial transportation of goods without which a company could not bring its product to market.
The modern approach of disaggregating business functions necessarily means that doing business through a number of third parties is the norm and not the exception, resulting in a growing volume and diversity of third parties that brings inherent corruption risks. Companies must be cognisant of such risks and prepared to mitigate them to maximise the third parties’ utility.
Pursuant to the strictures of the Foreign Corrupt Practices Act (FCPA), companies are prohibited from either directly or indirectly bribing non-US government officials to obtain business. Indirect bribes expressly include payments made by third parties acting on behalf, at the direction, or with the knowledge of the company. To be liable under the FCPA, a company need not explicitly authorise the payment. As long as the company had a reasonable belief that the conduct was likely to occur, it can be held liable for the third party’s conduct. Knowledge of improper payments – or even the offer of anything of value – can be inferred from circumstances demonstrating a reasonable probability of illicit conduct. Thus, companies cannot avoid liability by consciously disregarding or ignoring red flags suggesting that a bribe has been or will be offered, promised or made. Walmart’s settlement with the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) is a perfect example of the FCPA’s unforgiving nature towards alleged deliberate ignorance. In 2019, the SEC charged Walmart with violating the FCPA by failing to implement and operate a compliance programme sufficiently tailored to mitigate its risks. The order alleged that Walmart ignored red flags and corruption allegations when it expanded its business internationally, allowing its subsidiaries in Brazil, Mexico, China and India to use third-party intermediaries to make payments to foreign government officials. Walmart allegedly failed to investigate and mitigate the risks and paid more than US$282 million in penalties and fines.
A company’s exposure to liability for third-party actions is not unique to the FCPA. Anti-corruption laws in most countries hold companies culpable for third-party conduct. Latin American countries are no exception. For example, Mexico has enacted a number of anti-corruption laws as part of its National Anti-Corruption System. Under these laws, a company can be held liable for the actions of individuals who engage in corrupt offences on behalf of the company. Brazil’s Clean Company Act takes this a step further. Under the Act, companies are held strictly liable for the corrupt conduct of their employees and agents. Take Glencore International A.G. (Glencore) as an example. From 2007 to 2018, Glencore allegedly paid more than US$100 million to third-party intermediaries, with a portion allegedly intended to be used to reward government officials in Nigeria, Cameroon, Ivory Coast, Equatorial Guinea, Brazil, Venezuela and the Democratic Republic of the Congo. The DOJ in its press release noted the involvement of high-level employees and agents of the company as an important factor in reaching the terms of the agreement. In May 2022, Glencore agreed to pay over US$700 million in criminal fines and disgorgement to US authorities related to the conduct of its third-party intermediaries and accepted a three-year compliance monitorship.
Liability exposure heightens the need for companies to exercise control and oversight over their business partners and agents, including suppliers and, in certain circumstances, clients. Companies must take the necessary steps to expand their compliance programmes to mitigate the risks that arise from their business dealings. Among the steps utilised by many companies and expected by many regulators are conducting thorough background checks or due diligence prior to engaging a third party; educating a third party on the applicable anti-bribery and anti-corruption laws; contractually mandating a third party’s compliance with the same; and monitoring the third party’s actions throughout the life of the contract. The level of due diligence, compliance training and monitoring to be performed by the company on the third party depends on the scope of work provided by the third party, the inherent risk of the work or the transaction, the geographic location of the deal, the industry and the compensation to be paid. A company’s vendor of office supplies, for example, will not be subject to the same scrutiny as the company’s customs broker or freight forwarder interacting with government officials on behalf of the company.
How to assess third parties
Risk-tiered due diligence
Before engaging a third party or entering into a transaction with a customer, companies must learn about the entity on the other end of the deal to fully evaluate the potential liability risks triggered by that entity and to ensure that the internal controls built into the company’s compliance programme are deployed appropriately to mitigate the risk. For example, a company may employ certain internal controls when contracting with a public sector entity, but those controls are only initiated if the entity is identified properly as public sector. If the individuals entering the information are unaware of the proper designation because no diligence is conducted, then the mechanisms to mitigate the risk of liability are not utilised. Similarly, when engaging third-party suppliers or other agents, it is critical to conduct sufficient due diligence to understand the third party’s experience, beneficial owners and reputation. These efforts often take the form of risk management programmes and analysis designed to understand multiple aspects, including the entity’s reputation for corrupt practices and whether the entity is designated on any sanctions lists.
Ultimately, the results of this analysis will help companies better understand, assess, and mitigate any risk that may arise throughout the course of the contractual relationship. For example, due diligence efforts could help uncover whether a third party has any familial or business connections to government officials or whether the third party is a politically exposed person. Similarly, due diligence may identify a financial institution as a publicly funded bank, thus triggering internal compliance safeguards. Uncovering these red flags early in the engagement can help inform further business dealings and save the company from future liability.
Eliminating all potential corruption risks that a third party could pose is neither possible nor required. For example, many companies distribute their product through a network of thousands of distributors and resellers, rely on dozens of manufacturers of component parts, employ consultants to provide market-relevant information, hire tax and legal advisers, use consultants with specialised technical skills, and outsource a host of other functions. Not all of these third parties present the same level and type of risk. Resources – both time and money – are limited, so vetting them all to the same degree is unrealistic. It is vitally important that any company considering its due diligence obligations intelligently allocates its resources to maximise the overall risk of those investments.
Risk-tiered due diligence helps companies focus their finite resources on those parties that present the most significant risks to the company. The extent of corruption risks varies from one third party to another, so the proportionality of the due diligence efforts applied also varies. This type of due diligence not only helps to prioritise risk monitoring, but also demonstrates that the company is taking an active and committed role in detecting and preventing corrupt practices should an investigation arise.
Risk-tiered due diligence factors to consider
Allocating risks among various third parties can often be difficult to establish and is not subject to a one-size-fits-all approach. However, there are certain factors that a company should consider when determining a third party’s risk level.
Interactions with government entities or public officials
Situations where the third party is either a government entity itself or works closely with a public official will give rise to increased anti-corruption enforcement scrutiny. Companies should note that a mere association with a foreign public official could lead to scrutiny and warrants heightened due diligence and internal controls around the third party’s activities. While most countries impose criminal liability for all forms of bribery in a commercial context and not just bribes to public officials, the vast majority of the corruption enforcement actions that impose significant financial and business consequences involve public sector contracts. Accordingly, it is critical to understand whether a third party supplier is beneficially owned or controlled by a current or former government official or his or her close family members, and if so, to monitor closely the performance of services by that entity should the company engage it.
In September 2022, the second largest airline in Brazil, GOL Linhas Aéreas Inteligentes S.A. (GOL), was charged with paying millions of dollars in bribes to Brazilian government officials allegedly in exchange for the passage of legislation that benefitted the airline. Some of the alleged payments purportedly were funnelled through fake consulting agreements with an intermediary that maintained close ties with one of the implicated Brazilian officials. In the deferred prosecution agreement (DPA) entered into with DOJ, GOL agreed to improve its controls around third-party relationships, including updated due diligence, training, auditing, and annual compliance certification controls to support ongoing monitoring of third-party relationships. As another example of the importance of vetting an intermediary’s ties to government officials, the SEC’s December 2022 order with Swiss-based ABB Ltd (ABB) described that, in exchange for the award of a large construction contract in South Africa, ABB executives allegedly colluded with a high-ranking government official at a state-owned electricity company to funnel US$37 million through third-party service providers with whom the government official had close personal relationships. ABB paid US$460 million to settle the related charges.
Third parties engaged to interact with government officials must be subject to increased diligence and monitoring throughout the life of the contract to deter and detect potential illicit conduct. Additionally, interactions with customers beneficially owned or controlled by government entities merit enhanced scrutiny and the imposition of internal controls to mitigate risk as the liability exposure is not limited to charges of corruption, but may involve public procurement fraud or bid-rigging and misuse of taxpayer funds.
Where the third party is located and where the services are to be performed can help a company determine the level of potential risk that a third party might pose and thus, the commensurate level of due diligence required. The Corruption Perceptions Index published by Transparency International ranks the corruption levels of various countries, ranging from ‘highly corrupt’ to ‘very clean.’ If the country where the third party is primarily working or in which the transaction occurs ranks as highly corrupt, then the level of due diligence applied to that third party or to that transaction should be consistent with the heightened risk presented. Moreover, if the jurisdiction is one with strong enforcement of anti-corruption laws, a company would be well advised to invest more resources in scrutinising its business dealings. A decade ago, many companies accepted excuses from third parties or customers reluctant to participate in due diligence who pointed to the differences in business customs across jurisdictions. Today, with a greater focus on the deleterious consequences of unchecked corruption, many countries across the world, and particularly in Latin America, are engaged in enforcement measures to reduce fraudulent and corrupt practices, thus reducing the reliability of a ‘customs’ excuse.
The nature of the services that the third party will provide
Some services may be more susceptible to corruption risks than others. For example, agreements where a third party is to provide a service to a public official that may be compensated through commission or success fee arrangements create more of a risk than agreements in which the third party supplies the company with printer cartridges whose pricing is more transparent. While the latter may present conflict of interest or kickback concerns if the supplier is related to the person who awarded the contract, such contracts typically do not result in large-scale investigations that distract personnel and divert resources for months. To help mitigate potential risks, companies should ensure that the scope of the services expected is clearly defined, the fees and expenses are delineated and supported by documentation, and the third party is sufficiently aware of the conduct in which he or she cannot engage.
Third-party compensation and the value of the contract
Companies should consider compensation and the overall value of the contract when allocating risk. Compensation may raise a red flag if it is disproportionate to the typical compensation received for similar services. Higher-than-normal compensation may suggest that excess payments will be used for bribes or kickbacks. As part of due diligence, companies often examine the fair market value of a transaction to evaluate whether the supplier has experience pricing similar contracts, is padding the cost to allow for improper payments, or is offering an unfair rate. Similarly, in contracts with a customer, companies examine the request for proposal or any tender documentation to substantiate discount requests or the need for third-party sales or services intermediaries. For example, sales agents often request non-standard discounts on the basis of a customer’s budgetary restrictions or competitive pressures. To the extent the company has access to requests for proposal or other tender documentation, the due diligence process should include reviewing such documents to verify the veracity of the discount requests. Such documents, for example, may indicate that a tender is sole source, rendering a competitive pressure excuse invalid.
The overall value of the contract also could lead to potential risks. Higher valued contracts may tempt a third party to engage in corrupt conduct to obtain the benefits provided in the agreement. Similarly, a transaction with a percentage of the final sale as the commission payment may afford the supplier with significant funds to make improper payments, absent heightened scrutiny of the supplier’s experience, reputation, and compliance standards. Accordingly, higher-value contracts should be subject to greater internal controls and diligence to mitigate such risks. The ABB settlement discussed above illustrates this particular risk. According to the ABB DPA, certain ABB managers overrode due diligence controls, including ignoring red flags raised by ABB compliance personnel, to obtain subcontractor approval for the third parties who later funnelled payments to a South African government official allegedly in exchange for a contract worth US$160 million.
The company’s pre-existing relationship with the third party
A company’s long-standing experience or pre-existing relationship with a third party may mitigate the risk of impropriety or it may make a company complacent. Certainly, the presence of an existing business relationship presents relevant information about the entity’s experience and reputation, but if heightened risk factors are present in the transaction, companies would be well served to conduct some measure of due diligence to identify red flags and to mitigate risks should they arise. Companies also should monitor the third party throughout the life of the contract to ensure continued compliance. A long-standing relationship may make the supplier overly dependent on its business with the company such that it could be compromised by improper requests from a company sales manager, for example. Effective diligence and monitoring protects both parties in the transaction.
General due diligence factors to consider
While the level and severity of due diligence can vary, companies should seek certain background information on the following topics when conducting due diligence analysis.
Companies must know the actual identity of those with whom they are contracting. Companies should identify the third party’s principal shareholders to determine who has actual control and ownership of the business. This information can be established through the third party’s official company registration documents, but, in many cases, should not be limited to a review of the incorporation certificates. For example, someone seeking to disguise the true beneficial owners may list family members or individuals whose business is to incorporate entities under local law. Accordingly, requiring potential third parties to complete a due diligence questionnaire identifying their beneficial owners is a better practice than relying simply on company registration documents. Understanding the true ownership structure will help companies avoid liability for the misconduct of hidden owners, which has recently become an area of focus in the United States.
Asking third parties to submit financial reports or statements is critical to understanding the financial health of the third party, not simply for creditworthiness purposes, but also for exposure to legal risk. Financial reports can alert the company to those entities who may be compromised or unduly influenced by improper overtures to secure business. Additionally, financial reports often reflect whether the entity maintains its books and records in a manner that provides transparency and reliability – a key factor in anti-corruption analyses and one that can create liability or serve as a useful monitoring tool. Companies should endeavour to ensure that the information in the disclosed financial reports is accurate and detailed enough to allow the company to spot discrepancies or unusual payments. Moreover, the financial reports or statements may offer insight as to whether the third party is sufficiently experienced and reputable to perform the services anticipated for the company and can serve to verify the third party’s declarations of prior experience in the industry. Depending on the significance and risk of the third party’s activities on behalf of the company, the company’s diligence may include researching, and, if possible, independently verifying the third party’s financial activities to evaluate the potential sources of revenue. This independent corroboration would help guard against potential negative media narratives that unnecessarily could imperil the company’s good will and reputation if, for example, the third party’s revenue partially derives from criminal activities.
Companies must be on alert for red flags that indicate a third party has offered to provide services in an area where it seems to lack competence. This is especially true when the services offered involve interactions with government officials. Companies should ensure the third party has the actual expertise and experience required by checking references, researching the third party’s history, probing the third party’s knowledge of the industry and market, and examining the third party’s website for details that substantiate its declarations of experience. To avoid actual or perceived corrupt conduct, a company also should ensure that it has a legitimate business justification for entering into the agreement with the third party. A proper business justification will help mitigate the company’s potential risk in the future, provided there is no readily available information which the company failed to evaluate or collect that discredits the third party’s competency. The perceived lack of competency in a third party was one of the key facts in Rio Tinto plc’s (Rio Tinto) settlement with the SEC. The company hired a consultant and close associate of a senior Guinean government official to help retain its mining rights in Guinea. The consultant purportedly had no direct work experience related to the mining business or Guinea specifically. The consultant was paid US$10.5 million for his services, despite red flags suggesting the consultant was providing advice to the government official and that some portion of the consultant’s fees allegedly would be shared with the government official. As part of the settlement, Rio Tinto agreed to pay a fine of US$15 million to the SEC.
Research the third party’s history
Another measure to assess potential risks is to run an internet search to identify any available reputational information regarding the third party. Adverse news alleging that the third party or its officers, directors or employees have engaged in corrupt, fraudulent or unethical practices in the past is a clear red flag that the company should consider before entering into further business dealings. Such adverse news also may offer insight on the third party’s competency. The company can conduct this research using the information provided by the third party itself or from information located in the public domain and behind relatively minor paywalls. In certain markets, this information may not be as readily available or reliable as in other jurisdictions, but, depending on the risk presented by the third party’s anticipated activities, may be worth the effort to uncover. For example, a sales intermediary responsible for negotiating with potential public sector customers in Honduras should be subject to greater due diligence scrutiny than a manufacturing supplier of component parts in Chile.
The third party’s reputation
A third party’s reputation often can be discerned through researching its history and any adverse news through internet searches. But in higher-risk cases, due diligence efforts also should involve other means. For example, companies should seek out references who personally know or have worked with the third party in question and can speak towards the party’s character, experience and past engagements. This can help establish whether the third party has engaged in corrupt practices in the past, has a propensity for behaviour that skirts the law or has a close relationship with a public official that may raise a red flag.
The third party’s approach to ethics and compliance
Lastly, companies should examine the ethics and compliance policies that the third party has in place for its own business. The third party’s overall tone and attitude towards compliance efforts should be noted as potential risk factors. This analysis includes inquiring whether the third party engages in its own due diligence of business partners, suppliers, contractors, and, in particular, any sub-contractors it may use in connection with the work to be performed for the company. Moreover, in many cases, this analysis includes understanding the financial and other controls in place by the third party to mitigate risks of misconduct and to monitor its employees’ and agents’ compliance. Additionally, with respect to customers, this inquiry may inform whether the company has an obligation to complete certain compliance certifications or to advise the customer of certain benefits offered or provided to its personnel in connection with the negotiation or performance of the contract. For example, certain public sector entities prohibit their employees from engaging in any events or accepting any benefits, even if nominal, absent pre-approval; understanding whether such prohibitions exist is critical to ensuring the success of the customer relationship and to mitigating liability for failure to abide by these requirements.
In recent years, more Latin American countries have enhanced and enforced anti-corruption laws. Anticorruption legislation in most countries emphasises the importance of corporate compliance programmes and imposes liability when companies fail to adopt adequate internal controls, including policies, procedures and monitoring mechanisms that cover their employees and agents. Accordingly, entering into a contract with an entity that has failed to adopt internal controls consistent with its risk profile and the applicable legal requirements is a key factor to consider in due diligence.
Due diligence efforts do not cease once the third party has been officially retained. Companies should continue to monitor the third party’s conduct throughout the business relationship to identify and follow up on potential red flags. This may include updating due diligence practices, providing additional training, periodically auditing the third party’s practices and compliance protocols, and requesting updated compliance certifications.
Due diligence does more than just mitigate potential risk, however. A robust and effective programme promotes ethical conduct among the various parties to an agreement. For example, conducting third-party due diligence may require that the third party itself examine and redefine its own compliance and anti-corruption efforts to avoid risk and to better position itself to build future business relationships. Thus, taking the time to expand due diligence efforts that encompass all third-party relationships will be beneficial for both parties to the transaction.
Approaching due diligence when negotiating and dealing with counterparties
Contracts with third-party suppliers or clients should clearly state the responsibilities of all of the parties and their compliance expectations. These contracts should reference the company’s due diligence efforts to ensure that the third party abides by all applicable anti-corruption laws. Third parties should be aware of the types of risks that would give rise to enforcement scrutiny so as to help mitigate the company’s potential liability should corrupt conduct occur. In most cases, the following representations and warranties should be included in the contract:
- agrees to comply with all applicable laws and policies and certifies compliance for at least the prior five years;
- certifies that no actions have been proposed or taken, directly or indirectly, that would cause a government official to benefit improperly;
- agrees to adopt (or certifies adoption of) adequate and effective compliance policies and internal controls, which include training on those policies and controls to employees;
- agrees to provide prompt notice to the company if it plans to retain other agents or representatives to assist in providing services under the contract;
- agrees to provide immediate notice to the company if it becomes aware of an allegation of a potential or actual violation of law;
- certifies that it maintains accurate, detailed, transparent, and up-to-date books and records setting forth the financial transactions related to any work conducted on behalf of the company, together with supporting documentation;
- agrees to allow the company to audit its books and records related to the contract; and
- permits the company to terminate rights under the contract in the event of a compliance breach, including a provision requiring the third party to forfeit any compensation agreed upon in the contract.
Means of mitigating potential exposure
Red flags that arise from due diligence efforts do not automatically mean that a company cannot contract with a third party. Certain risks can be mitigated to limit potential exposure.
Training third parties
Before contracting, companies should ensure that the third party is aware of the relevant anti-corruption, sanctions and other laws that affect the transaction and that it is aware of its customer’s policies and practices to ensure compliance with applicable laws. One method of ensuring adequate knowledge of the applicable laws and compliance policies is through substantive training. When investigating alleged misconduct, regulators around the world consider a company’s efforts to communicate its policies effectively through trainings and certifications. An effective training process takes into account the target audience. For example, the information and hypotheticals should revolve around situations that the third party would likely encounter, and training materials should be provided in the local language, if applicable. The more targeted and thorough the training, the more likely a company can mitigate potential liability risks should they arise.
Implementing a third-party code of conduct
All companies should implement a general code of conduct as a foundation for their overall compliance programmes. These codes should be clear and concise, and companies should ensure that they are made available to all employees and third-party agents working on behalf of the company. This includes providing the material in the local language, if necessary. Effective codes of conduct outline the company’s policies and procedures, as well as the expectations the company has in terms of compliance. When investigating alleged misconduct and imposing liability, regulators consider the effectiveness of a company’s code of conduct and whether the company has provided the code to its third parties and updated the code to account for current risks.
Enforcing contractual audit clauses
As stated above, companies should ensure that they include a contractual provision requiring compliance with applicable laws. However, merely stating that a third party must follow the applicable laws is not enough to fully mitigate the risks. Companies bear the responsibility to continue monitoring third parties throughout the life of the contract to better detect any potential issues that might arise. This can be done by periodic audits of the third party’s activities and invoices, as well as audits of the third party’s own compliance policies as they relate to its business with the company. In the context of a contract with a customer, the company can review the request for proposal, any tender documents, and the deal booking documents to ensure that applicable laws are being satisfied. This continued monitoring, like due diligence, is tiered based on the risks presented by the third party; a majority of third-party relationships will not necessitate regular monitoring.
The case of the online gaming and sports betting company Flutter Entertainment plc (Flutter) illustrates the consequences of failing to enforce anti-bribery and anti-corruption clauses. Flutter’s predecessor-in-interest, the Stars Group, Inc. (Stars Group), acquired the Oldford Group Ltd. (Oldford Group) in 2014 and inherited Russia-based consultants responsible for promoting the legalization of poker in Russia. However, the consultants allegedly did not receive initial due diligence or maintain written contracts with the Stars Group until 2017. But, even after these contracts were in place with anti-bribery and anti-corruption provisions, Stars Group allegedly failed to enforce such provisions. For instance, consultants purportedly submitted invoices that contained vague and general statements without supporting documentation. Similarly, consultants often were reimbursed for expenses through third-party non-profit organisations without the proper supporting evidence. Flutter agreed to pay the SEC a fine of US$4 million for failing to maintain accurate books and records and internal controls.
Using data analytics and artificial intelligence
Enforcement agencies increasingly focus on data analytics when evaluating corporate compliance programmes. The March 2023 revision to the DOJ compliance guidelines requires prosecutors to investigate how a company is tracking the functionality of its operations and compliance efforts. Part of this determination is done by looking at the company’s use of data analytics. Data analytics allows a company to continuously and remotely gather data, monitor transactions and analyse risks. It provides the company with a method of analysing the effectiveness of its policies and controls to better address new concerns. This type of monitoring helps to identify risks as they emerge for compliance, auditing and investigation purposes, giving the company more time to evaluate and determine the best course of action to mitigate liability.
Finding patterns of improper behaviour by third parties is increasingly complex; companies can benefit from leveraging artificial intelligence (AI) and machine learning solutions. AI can help companies to identify relevant documents, as well as corruption-related patterns, especially when dealing with large volumes of data. For example, in 2020, Microsoft partnered with the Inter-American Development Bank to advance anti-corruption, transparency, and integrity objectives across Latin America and the Caribbean through its ACTS (Anti-Corruption Technology and Solutions) initiative, which is founded on the company’s cloud computing, data visualisation, AI and machine learning investments.
The use of third parties is both beneficial and necessary for most companies. Maximising the utility of such relationships, however, requires a deliberate and focused approach to due diligence to mitigate the inherent risks. Companies should take the necessary steps to identify potential risk factors before entering into a business relationship but need not terminate a relationship if risks arise. Implementing a robust and effective compliance programme that incorporates risk-tiered due diligence efforts will help mitigate the compliance risks and allow the companies to retain the benefit of third-party services.
 Palmina M Fava and G Zachary Terwilliger are partners at Vinson & Elkins LLP.
 The Foreign Corrupt Practices Act of 1977, 15 U.S.C. § 78dd-1.
 Press Release, Sec. and Exch. Comm’n, Walmart Charged With FCPA Violations (20 June 2019), https://www.sec.gov/news/press-release/2019-102; Press Release, Dep’t of Justice, Walmart Inc. and Brazil-Based Subsidiary Agree to Pay $137 Million to Resolve Foreign Corrupt Practices Act Case (20 June 2019), https://www.justice.gov/opa/pr/walmart-inc-and-brazil-based-subsidiary-agree-pay-137-million-resolve-foreign-corrupt. A more recent example involves WPP’s settlement with the SEC regarding allegations that WPP violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA. According to the SEC order, WPP acquired advertising agencies in high-risk areas, including India, China, Brazil and Peru, and failed to implement internal accounting controls and compliance policies to mitigate the risk of corruption. One of the allegations in the order stated that WPP received an accounting report and anonymous complaints suggesting that its subsidiary in India was engaging in corrupt practices through the use of a third-party intermediary. WPP failed to adequately respond to these warning signs. WPP paid more than US$19 million in fines and penalties to resolve the charges. See Press Release, Sec. and Exch. Comm’n, SEC Charges World’s Largest Advertising Group with FCPA Violations (24 September 2021), https://www.sec.gov/news/press-release/2021-191.
 See also Press Release, Dep’t of Justice, SBM Offshore N.V. and United States-Based Subsidiary Resolve Foreign Corrupt Practices Act Cases Involving Bribes in Five Countries (29 Nov 2017), https://www.justice.gov/opa/pr/sbm-offshore-nv-and-united-states-based-subsidiary-resolve-foreign-corrupt-practices-act-case. On 29 November 2017, SBM Offshore N.V. (SBM) was assessed a criminal penalty from the DOJ in the amount of US$238 million for an alleged bribery scheme in violation of the FCPA. For approximately 16 years, SBM allegedly paid third-party intermediaries US$180 million in commissions that were used to bribe government officials in Brazil, Angola, Equatorial Guinea, Kazakhstan, and Iraq. The order found that SBM was liable because it knew that a portion of the commission payments would be used to pay these bribes for the purposes of obtaining business with state-owned oil companies.
 For example, the United Kingdom’s Bribery Act states that an organisation or company is liable for the corrupt actions taken by a person ‘associated’ with the company and on the company’s behalf. The Act defines an associated person as one who performs services for the company, such as an employee or agent. See Bribery Act, 2010, c.23, § 7(1) (U.K.); Ministry of Justice, The Bribery Act 2010, at 16 (March 2011).
 See Ley General Del Sistema Nacional Anticorrupción [LGSNA], Diario Oficial de la Federación [DOF], 18 July 2016.
 See Brazil Clean Company Act (Law No. 12.846/2013).
 See Plea Agreement, United States v. Glencore Ltd., 3:22-cr-00071-SVN (D. Conn. 24 May 2022), https://www.justice.gov/opa/press-release/file/1562401/download; see also Press Release, Dep’t of Justice, Glencore Entered Guilty Pleas to Foreign Bribery and Market Manipulation Schemes (24 May 2022), https://www.justice.gov/opa/pr/glencore-entered-guilty-pleas-foreign-bribery-and-market-manipulation-schemes (Glencore DOJ Press Release).
 See Glencore DOJ Press Release.
 See id.; see also Press Release, Sec. and Exch. Comm’n, SEC Charges Amec Foster Wheeler Limited with FCPA Violations Related to Brazilian Bribery Scheme (25 June 2021), https://www.sec.gov/news/press-release/2021-112. From 2012 to 2014, Amec Foster Wheeler Limited’s (Foster Wheeler) UK subsidiary allegedly paid roughly US$1.1 million in bribes to Brazilian officials through the use of third-party agents. In June 2021, Foster Wheeler agreed to pay over US$43 million to resolve charges brought by anti-corruption authorities in the United States, Brazil, and the United Kingdom.
 See FCPA Resource Guide at 60–61.
 Id.; see also Int’l Chamber of Com., ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 14–21, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf (ICC Anti-Corruption Guide).
 See FCPA Resource Guide at 60–62; OECD, OECD Due Diligence Guidance for Responsible Business Conduct (2018) (OECD Due Diligence Guide); ICC Anti-Corruption Guide, supra note 15, at 8–12.
 See Deferred Prosecution Agreement, United States v. Gol Linhas Aereas Inteligents S.A.S. v. GOL, No. 22-cr-325-PJM (D. Md. 15 September 2022), https://www.justice.gov/criminal-fraud/file/1535366/download; see also Press Release, Dep’t of Justice, GOL Linhas Aéreas Inteligentes S.A. Will Pay over $41 Million in Resolution of Foreign Bribery Investigations in the United States and Brazil (15 September 2022), https://www.justice.gov/opa/pr/gol-linhas-reas-inteligentes-sa-will-pay-over-41-million-resolution-foreign-bribery.
 See In the matter of ABB Ltd., Securities Act Release No. 96444, Sec. and Exch. Comm’n (3 December 2022), https://www.sec.gov/litigation/admin/2022/34-96444.pdf; see also Press Release, Sec. and Exch. Comm’n, ABB Settles SEC Charges that It Engaged in Bribery Scheme in South Africa (3 December 2022), https://www.sec.gov/news/press-release/2022-214; Deferred Prosecution Agreement, United States of America v. ABB LTD., No. 22-cr-0220-MSN (E.D. Va. 22 December 2022), https://www.justice.gov/opa/press-release/file/1556131/download (ABB DPA).
 See ABB DPA.
 FCPA Resource Guide at 60–62; ICC Anti-Corruption Guide, supra note 14, at 14–21; OECD Due Diligence Guide, supra note 15.
 The US has designated the fight against corruption as a ‘core national security interest’ and has increasingly focused on the need for transparency in financial transactions and effective third-party due diligence as a means to reduce the risk of corruption both domestically and abroad. See Joseph Biden, Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest, White House Briefing Room (3 June 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/03/memorandum-on-establishing-the-fight-against-corruption-as-a-core-united-states-national-security-interest. Under the Corporate Transparency Act (CTA) enacted by Congress in January 2021, certain entities will be required to report beneficial ownership information to the Financial Crimes Enforcement Network. See Corporate Transparency Act, H.R. 6395 § 6403. One of the goals of the CTA is to thwart companies from concealing their ownership to ‘facilitate illicit activity.’ Id. § 6402(3). On 30 September, the Financial Crimes Enforcement Network (FinCEN) issued a final rule requiring companies created or doing business in the US to disclose to FinCEN ‘any individuals who, directly or indirectly, either exercise substantial control over a Reporting Company or who own or control at least 25% of the ownership interests of such company.’ FinCEN defines ‘substantial control’ as one who: (1) serves as a senior officer of a Reporting Company, (2) has authority over the appointment or removal of any senior officer or a majority or dominant majority of the board of directors (or similar body) of a Reporting Company, and (3) those who direct, determine, or decide, or exercise substantial influence over, important matters affecting a Reporting Company. See Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59498 (proposed 30 September 2022) (to be codified at 31 C.F.R. pt. 1010).
 See, e.g., L. 1778, 2 February 2016, Diario Oficial [D.O.] (Colom.); Brazil Clean Company Act (Law No. 12.846/2013); Law No. 20.393, 2 December 2009, Gaceta Jurídica, G.J. (Chile).
 FCPA Resource Guide.
 See id. at 60–61.
 See In the matter of Flutter Entertainment plc, as successor-in-interest to The Stars Group, Inc., Securities Act Release No. 4384, Sec. and Exch. Comm’n (6 March 2023), https://www.sec.gov/litigation/admin/2023/34-97044.pdf.
 See Chapter 11, ‘Why Fresh Perspectives on Tech Solutions are Key to Evolving Data-Driven Compliance Monitoring’ by Gabriela Paredes, Dheeraj Thimmaiah, Jaime Muñoz and John Sardar.
 Dep’t of Justice, Evaluation of Corporate Compliance Programs at 2–3 (Updated March 2023), https://www.justice.gov/criminal-fraud/page/file/937501/download.
 See footnote 28.
 Dev Stahlkopf, Microsoft launches Anti-Corruption Technology and Solutions (ACTS), Microsoft Blog (9 December 2020), https://blogs.microsoft.com/on-the-issues/2020/12/09/microsoft-anti-corruption-technology-solutions-acts/.