9. Third-Party Due Diligence: Expanding a Compliance Programme to Suppliers and Clients
The use of third parties in a company’s efforts to expand its business, whether internationally, domestically or locally, is not only inevitable but necessary. From manufacturing to supply chain to distribution and product services and support – and including many other key functions of a business previously handled internally (e.g., human resources, information technology, finance and audit) – there is a fast-growing outsourced business model that relies on third parties. Often, using third parties is cheaper, faster and more effective, rendering it a competitive necessity. Third parties can take the form of a company’s agent, intermediary, supplier, consultant or joint venture partner and can provide the company with invaluable and critical services, ranging from product design or delivery to legal or tax advice to sales opportunities. For example, a third party could provide crucial transportation of goods without which a company could not bring its product to market. In 2021, we see just such an instance with the highly particular cold storage requirements for certain covid-19 vaccines.
The modern approach of disaggregating business functions necessarily means that doing business through a number of third parties is the norm and not the exception, resulting in a growing volume and diversity of third parties, which brings inherent corruption risks. Companies must be cognisant of and prepared to mitigate such risks to maximise the third parties’ utility.
Pursuant to the strictures of the Foreign Corrupt Practices Act (FCPA), companies are prohibited from either directly or indirectly bribing non-US government officials to obtain business. Indirect bribes expressly include payments made by third parties acting on behalf, at the direction, or with the knowledge of the company. To be liable under the FCPA, a company need not explicitly authorise the payment. So long as the company had a reasonable belief that the conduct was likely to occur, it can be held liable for the third party’s conduct. Knowledge of improper payments – or even the offer of anything of value – can be inferred from circumstances demonstrating a reasonable probability of illicit conduct. Thus, companies cannot avoid liability by consciously disregarding or ignoring red flags suggesting that a bribe has been or will be offered, promised or made.
Walmart’s recent settlement with the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) is a perfect example of the FCPA’s unforgiving nature towards alleged deliberate ignorance. In 2019, the SEC charged Walmart with violating the FCPA by failing to implement and operate a sufficient compliance programme nearly two decades earlier. According to the SEC, Walmart ignored red flags and corruption allegations when it expanded its business internationally, allowing its subsidiaries in Brazil, Mexico, China and India to use third-party intermediaries to make payments to foreign government officials. This prompted investigations in the United States and Mexico. According to the SEC’s order, Walmart allegedly failed to investigate and mitigate the risks as it expanded its operations, particularly in Latin America, and paid more than US$282 million in penalties and fines.
A company’s exposure to liability for third-party actions is not unique to the FCPA. Anti-corruption laws in most countries hold companies culpable for third-party conduct. Latin American countries are no exception. For example, Mexico has enacted a number of anti-corruption laws as part of its National Anti-Corruption System. Under these laws, a company can be held liable for the actions of individuals who engage in corrupt offences on behalf of the company. Brazil’s Clean Company Act takes this a step further. Under the Act, companies are held strictly liable for the corrupt conduct of their employees and agents. Take Keppel Offshore & Marine Ltd (KOM) as an example. KOM allegedly paid roughly US$55 million in bribes to Brazilian officials through the use of third-party intermediaries. In 2017, KOM agreed to pay a combined total of US$422 million to resolve charges brought by anti-corruption authorities in the United States, Brazil and Singapore.
Liability exposure presents issues for companies that lack significant control and oversight over their business partners and agents, including suppliers and, in certain circumstances, clients. Companies must take the necessary steps to expand their compliance programmes to mitigate the risks that arise from their business dealings. Among the steps used by many companies and expected by many regulators are: conducting thorough background checks or due diligence prior to engaging a third party, educating a third party on the applicable anti-bribery and anti-corruption laws, contractually mandating a third party’s compliance with the same, and monitoring the third party’s actions throughout the life of the contract. The level of due diligence, compliance training and monitoring to be performed by the company on the third party depends on the scope of work provided by the third party, the inherent risk of the work or the transaction, the geographic location of the services, the industry and the compensation to be paid. A company’s vendor of office supplies, for example, will not be subject to the same scrutiny as the company’s customs broker or freight forwarder interacting with government officials on behalf of the company.
How to assess third parties
Risk-tiered due diligence
Before engaging a third party or entering into a transaction with a customer, companies must learn about the entity on the other end of the deal to fully evaluate the potential liability risks triggered by that entity and to ensure that the internal controls built into the company’s compliance programme are deployed appropriately to mitigate the risk. For example, a company may employ certain internal controls when contracting with a public sector entity, but those controls are only initiated if the entity is identified properly as public sector. If the personnel entering the information are unaware of the proper designation because no diligence is conducted, then the mechanisms to mitigate the risk of liability are not utilised.
Similarly, when engaging third-party suppliers or other agents, it is critical to conduct sufficient due diligence to understand the third party’s experience, beneficial owners and reputation. These efforts often take the form of risk management programmes and analysis designed to understand multiple aspects, including the entity’s reputation for corrupt practices. Ultimately, the results of this analysis will help companies better understand, assess and mitigate any risk that may arise over the course of the contractual relationship. For example, due diligence efforts could help uncover whether a third party has any connections to government officials or whether the third party has been accused of engaging in corrupt practices in the past. Likewise, due diligence may identify a financial institution as a publicly funded bank, thus triggering internal compliance safeguards. Uncovering these red flags early in the engagement can help inform further business dealings and save the company from future liability.
Eliminating all potential corruption risks that a third party could pose is neither possible nor required. For example, many companies distribute their product through a network of thousands of distributors and resellers, rely on dozens of manufacturers of component parts, employ consultants to provide market-relevant information, hire tax and legal advisers, use consultants with specialised technical skills, and outsource a host of other functions. Not all of these third parties presents the same level and type of risk. Resources – both time and money – are limited, so vetting all third parties to the same degree is unrealistic. It is vital that any company considering its due diligence obligations intelligently allocates its resources to maximise the overall return of those investments.
Risk-tiered due diligence helps companies focus their finite resources on those parties that present the most significant risks to the company. The extent of corruption risks vary from one third party to another, so the proportionality of the due diligence efforts applied also vary. This type of due diligence not only helps to prioritise risk monitoring, but also demonstrates that the company is taking an active and committed role to detecting and preventing corrupt practices should an investigation arise.
Risk-tiered due diligence factors to consider
Allocating risks among various third parties can often be difficult to establish and is not subject to a one-size-fits-all approach. However, there are certain factors that a company should consider when determining a third party’s risk-level:
Interactions with government entities or public officials
Situations where the third party is either a government entity or works closely with a public official will give rise to increased anti-corruption enforcement scrutiny. Companies should note that a mere association with a foreign public official could lead to scrutiny and warrants heightened due diligence and internal controls around the third party’s activities. While most countries impose criminal liability for all forms of bribery in a commercial context and not just bribes to public officials, the vast majority of the corruption enforcement actions that impose significant financial and business consequences involve public sector contracts. Accordingly, it is critical to understand whether a third-party supplier is beneficially owned by a current or former government official or his or her close family members. If so, it is important to closely monitor the performance of services by that entity should the company engage it. Similarly, third parties engaged to interact with government officials must be subject to increased diligence and monitoring throughout the life of the contract to deter and detect potential illicit conduct. Additionally, interactions with customers beneficially owned or controlled by government entities merit enhanced scrutiny and the imposition of internal controls to mitigate risk, including the evaluation and pre-approval of entertainment, marketing, charitable or travel expenses involving those customers.
Where the third party is located and where the services are to be performed can help a company determine the level of potential risk that a third party might pose and thus, the commensurate level of due diligence required. The Corruption Perceptions Index published by Transparency International ranks the corruption levels of various countries, ranging from ‘highly corrupt’ to ‘very clean’. If the country where the third party is primarily working or in which the transaction occurs ranks as highly corrupt, then the level of due diligence applied to that third party or to that transaction should be consistent with the heightened risk presented. Moreover, if the jurisdiction is one with active enforcement of anti-corruption laws, a company would be well advised to invest more resources in ensuring that its business dealings do not invite scrutiny. A decade ago, many companies accepted excuses from third parties or customers reluctant to participate in due diligence who pointed to the differences in business customs across jurisdictions as justification for sharing limited or no information in diligence exercises. Today, with a greater focus on the deleterious consequences of unchecked corruption, many countries across the world, and particularly in Latin America, are engaged in enforcement measures to decrease fraudulent and corrupt practices, thus reducing the reliability of a ‘customs’ excuse.
The nature of the services that the third party will provide
Some services may be more susceptible to corruption risks than others. For example, agreements where a third party is to provide a service to a public official create more of a risk than agreements in which the third party is supplying the company with furniture or IT services. While the latter may present conflict of interest or kickback concerns that merit examination, they typically do not result in large-scale investigations that distract personnel and divert resources for months. To help mitigate potential risks, companies should ensure that the scope of the services expected is clearly defined, that all expenses are itemised and supported by documentation, and that the third party is sufficiently aware of the conduct in which he or she cannot engage.
Third-party compensation and the value of the contract
Companies should consider compensation and the overall value of the contract when allocating risk. Compensation may raise a red flag if it is disproportionate to the typical compensation received for similar services. Higher-than-normal compensation may suggest that excess payments will be used for bribes or kickbacks. As part of due diligence, companies often examine the fair market value of a transaction to evaluate whether the supplier has experience pricing similar contracts, may be padding the cost to allow for improper payments, or is offering an unfair rate. Similarly, in contracts with a customer, examine the request for proposal or any tender documentation to substantiate discount requests or the need for third-party sales or services intermediaries. For example, sales agents often request non-standard discounts on the basis of a customer’s budgetary restrictions or competitive pressures. To the extent the company has access to requests for proposal or other tender documentation, the due diligence process should include reviewing such documents to verify the veracity of the discount requests. Such documents, for example, may indicate that a tender is sole source, rendering a competitive pressure excuse invalid.
The overall value of the contract also could lead to potential risks. Higher valued contracts may tempt a third party to engage in corrupt conduct to obtain the benefits provided in the agreement. Similarly, a transaction with a percentage of the final sale as the commission payment may afford the supplier with significant funds to make improper payments, absent heightened scrutiny of the supplier’s experience, reputation, and compliance standards. Accordingly, higher value contracts should be subject to greater internal controls and diligence to mitigate such risks.
The company’s pre-existing relationship with the third party
A company’s long-standing experience or pre-existing relationship with a third party may mitigate the risk of impropriety or it may make a company complacent. Certainly, the presence of an existing business relationship presents relevant information about the entity’s experience and reputation, but if heightened risk factors are present in the transaction, companies would be well served to conduct some measure of due diligence to identify red flags and to mitigate risks should they arise. Companies also should monitor the third party throughout the life of the contract to ensure continued compliance. A long-standing relationship may make the supplier overly dependent on its business with the company such that it could be compromised by improper requests from a company sales manager, for example. Effective diligence and monitoring serves to protect both parties in the transaction.
General due diligence factors to consider
While the level and severity of due diligence can vary, companies should seek certain background information on the following topics when conducting due diligence analysis.
Companies must know the actual identity of those with whom they are contracting. Companies should identify the third party’s principal shareholders to determine who has actual control and ownership of the business. This information can be established through the third party’s official company registration documents, but, in many cases, should not be limited to a review of the incorporation certificates. For example, someone seeking to disguise the true beneficial owners may list family members or individuals whose business is to incorporate entities under local law.
In January 2021, the United States passed the Corporate Transparency Act as part of the National Defense Authorization Act. This new law creates a beneficial ownership registry within the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in an effort to curtail corrupt practices. However, not all companies are required to report their beneficial ownership to the FinCEN under the Act. Accordingly, requiring potential third parties to complete a due diligence questionnaire identifying their beneficial owners is a better practice than relying simply on company registration documents. Understanding the true ownership structure will help companies avoid liability for the corrupt practices of hidden owners.
Asking third parties to submit financial reports or statements is critical to understanding the financial health of the third party, not simply for credit worthiness purposes, but also for exposure to legal risk. Financial reports can alert the company to those entities who may be compromised or unduly influenced by improper overtures to secure business. Additionally, financial reports often reflect whether the entity maintains its books and records in a manner that provides transparency and reliability – a key factor in anti-corruption analysis and one that can create liability or serve as a useful monitoring tool. Companies should endeavour to ensure that the information in the disclosed financial reports is accurate and detailed enough to allow the company to spot discrepancies or unusual payments. Moreover, the financial reports or statements may offer insight as to whether the third party is sufficiently experienced and reputable to perform the services anticipated for the company and can serve to verify the third party’s declarations of prior experience in the industry. Depending on the significance and risk of the third party’s activities on behalf of the company, the company’s diligence may include researching, and, if possible, independently verifying the third party’s financial activities to evaluate the potential sources of revenue. This independent corroboration would help guard against potential negative media narratives that unnecessarily could imperil the company’s good will and reputation if, for example, the third party’s revenue partially derives from criminal activities or has been laundered.
Companies must be on alert for red flags that indicate a third party has offered to provide services in an area where it seems to lack competence. This is especially true when the services offered involve interactions with government officials. Companies should ensure the third party has the actual expertise and experience required by checking references, researching the third party’s history, probing the third party’s knowledge of the industry and market, and examining the third party’s website for details that substantiate its declarations of experience. To avoid actual or perceived corrupt conduct, a company also should ensure that it has a legitimate business justification for entering into the agreement with the third party. A proper business justification will help mitigate the company’s potential risk in the future, provided there is no readily available information which the company failed to evaluate or collect that discredits the third party’s competency.
Another measure to assess potential risks is to run an internet search to identify any available reputational information regarding the third party. Adverse news alleging that the third party or its officers, directors or employees have engaged in corrupt, fraudulent or unethical practices in the past is a clear red flag that the company should consider before entering into further business dealings. Such adverse news also may offer insight on the third party’s competency. The company can conduct this research using the information provided by the third party or from information located in the public domain and behind relatively minor paywalls. In certain markets, this information may not be as readily available or reliable as in other jurisdictions, but, depending on the risk presented by the third party’s anticipated activities, it may be worth the effort to uncover. For example, a sales intermediary responsible for negotiating with potential public sector customers should be subject to greater due diligence scrutiny than a manufacturing supplier of component parts.
A third party’s reputation often can be discerned through researching its history and any adverse news through internet searches. But in higher-risk cases, due diligence efforts also should involve other means. For example, companies should seek out references who personally know or have worked with the third party in question and can speak towards the party’s character, experience, and past engagements. This can help establish whether the third party has engaged in corrupt practices in the past, has a propensity for behaviour that skirts the law, or has a close relationship with a public official that may raise a red flag.
The third party’s approach to ethics and compliance
Finally, companies should examine the ethics and compliance policies that the third party has in place for its own business. The third party’s overall tone and attitude toward compliance efforts should be noted as potential risk factors. This analysis includes inquiring whether the third party engages in its own due diligence of business partners, suppliers, contractors and, in particular, any sub-contractors it may use in connection with the work to be performed for the company. In many cases, this analysis includes understanding the financial and other controls in place by the third party to mitigate risks of misconduct and to monitor its employees’ and agents’ compliance. With respect to customers, this inquiry may inform whether the company has an obligation to complete certain compliance certifications or to advise the customer of certain benefits offered or provided to its personnel in connection with the negotiation or performance of the contract. For example, certain public sector entities prohibit their employees from engaging in any events or accepting any benefits, even if nominal, absent pre-approval; understanding whether such prohibitions exist is critical to ensuring the success of the customer relationship and to mitigating liability for failure to abide by these requirements.
In recent years, more Latin American countries have enhanced and enforced anti-corruption laws. Anti-corruption legislation in most countries emphasises the importance of corporate compliance programmes, consistent with the mandates of the OECD Anti-Bribery Convention, the United Nations Convention Against Corruption and the Inter-American Convention Against Corruption. Certain countries, such as Brazil, Mexico and Peru, have adopted guidelines for calculating fines and considering leniency premised on the adoption of corporate compliance programmes, and in Peru’s case, providing safe harbour from liability if an adequate compliance programme was in place prior to the corrupt activity.
Accordingly, whether an entity has failed to adopt internal controls consistent with its risk profile and the applicable legal requirements is a key factor to consider in due diligence.
Due diligence does more than just mitigate potential risk. A robust and effective programme promotes ethical conduct among the various parties to an agreement. For example, conducting third-party due diligence may require that the third party itself examine and redefine its own compliance and anti-corruption efforts to avoid risk and to better position itself to build future business relationships. Thus, taking the time to expand due diligence efforts that encompass all third-party relationships will be beneficial for both parties to the transaction.
Approaching due diligence when negotiating and dealing with counterparties
Contracts with third-party suppliers or clients should clearly state the responsibilities of all of the parties and their compliance expectations. These contracts should reference the company’s due diligence efforts to ensure that the third party abides by all applicable anti-corruption laws. Third parties should be aware of the types of risks that would give rise to enforcement scrutiny so as to help mitigate the company’s potential liability should corrupt conduct occur. In most cases, the following representations and warranties should be considered in the contract:
- agrees to comply with all applicable laws and policies and certifies compliance for at least the prior five years;
- certifies that no actions have been proposed or taken, directly or indirectly, that would cause a government official to benefit improperly;
- agrees to adopt (or certifies adoption of) adequate and effective compliance policies and internal controls, which include training on those policies and controls to employees;
- agrees to provide prompt notice to the company if it plans to retain other agents or representatives to assist in providing services under the contract;
- agrees to provide immediate notice to the company if it becomes aware of an allegation of a potential or actual violation of an anti-corruption or anti-bribery law;
- certifies that it maintains accurate, detailed, transparent, and up-to-date books and records setting forth the financial transactions related to any work conducted on behalf of the company, together with supporting documentation;
- agrees to allow the company to audit its books and records related to the contract; and
- permits the company to terminate rights under the contract in the event of a compliance breach, including a provision requiring the third party to forfeit any compensation agreed upon in the contract.
Means of mitigating potential exposure
Red flags that arise from due diligence efforts do not automatically mean that a company cannot contract with a third party. Certain risks can be mitigated to limit potential exposure to anti-corruption enforcement scrutiny.
Training third parties
Before contracting, companies should ensure that the third party is aware of the relevant anti-corruption laws that affect the transaction and that it is aware of its customer’s anti-corruption policies and practices. One method of ensuring adequate knowledge of the applicable laws and compliance policies is through substantive training. When investigating corrupt practices, regulators around the world consider a company’s efforts to communicate its policies effectively through trainings and certifications. An effective training process takes into account the target audience. For example, the information and hypotheticals should revolve around situations that the third party would likely encounter, and training materials should be provided in the local language, if applicable. The more targeted and thorough the training, the more likely a company can mitigate potential liability risks should they arise.
Implementing a third-party code of conduct
All companies should implement a general code of conduct as a foundation for their overall compliance programmes. These codes should be clear and concise, and companies should ensure that they are made available to all employees and third-party agents working on behalf of the company. This includes providing the material in the local language, if necessary. Effective codes of conduct outline the company’s policies and procedures, as well as the expectations the company has in terms of compliance. When investigating corrupt practices and imposing liability, regulators consider the effectiveness of a company’s code of conduct and whether the company has provided the code to its third parties and updated the code to account for current risks.
Due diligence efforts do not cease once the third party has been officially retained. Companies should continue to monitor the third party’s conduct throughout the business relationship to identify and follow up on potential red flags. This may include updating due diligence practices, providing additional training, periodically auditing the third party’s practices and compliance protocols, and requesting updated compliance certifications.
As an additional monitoring tool, ensure that the third party's invoices and supporting documentation are examined and their work verified prior to approving payments.
Enforcing contractual audit clauses
As stated above, companies should seek to ensure that they include a contractual provision requiring compliance with applicable anti-corruption laws. However, merely stating that a third party must follow the applicable laws is not enough to fully mitigate the risks. Companies bear the responsibility to continue monitoring third parties throughout the life of the contract to better detect any potential issues that might arise. This can be achieved through periodic audits of the third party’s activities and invoices, as well as audits of the third party’s own compliance policies. In the context of a contract with a customer, the company can review the request for proposal, any tender documents, and the deal booking documents to ensure that applicable laws are being satisfied. This continued monitoring, like due diligence, is tiered based on the risks presented by the third party.
The World Acceptance Corporation’s (WAC) case illustrates the consequences that a failure to implement the necessary auditing control can have. In that case, WAC’s Mexican subsidiary allegedly used third-party intermediaries to pay over US$4 million in bribes to Mexican officials for almost a decade. The SEC found that WAC lacked the necessary internal auditing controls to detect and prevent the payments, subjecting itself to the risk of liability. WAC agreed to pay US$21.7 million to resolve the charges.
Using data analytics
Anti-corruption enforcement agencies have increasingly focused on data analytics when evaluating corporate compliance programmes. The June 2020 revision to the DOJ compliance guidelines requires prosecutors to investigate how a company is tracking the functionality of its operations and compliance efforts. Part of this determination is done by looking at the company’s use of data analytics. Data analytics allows a company to continuously and remotely gather data, monitor transactions and analyse risks, including those presented by third parties. It provides the company with a method of analysing the effectiveness of its policies and controls to better address new concerns.
Using data analytics could help continuously monitor and ensure third-party compliance by identifying risks as they emerge. This gives companies more time to evaluate and determine the best course of action to mitigate potential liability.
The use of third parties is both beneficial and necessary for most companies. Maximising the utility of such relationships, however, requires a deliberate and focused approach to due diligence to mitigate the inherent risks. Companies should take the necessary steps to identify potential risk factors before entering into a business relationship but need not terminate a relationship if risks arise. Implementing a robust and effective compliance programme that incorporates risk-tiered due diligence and monitoring efforts will help mitigate the risks of corruption and allow the companies to retain the benefit of third-party services.
 Palmina M Fava, Zachary Terwilliger and Michael Ward are partners, Jose Sanchez is a counsel, and Natalie Cardenas is an associate at Vinson & Elkins LLP.
 The Foreign Corrupt Practices Act of 1977, 15 U.S.C. § 78dd-1.
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 22 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.
 Press Release, Sec. and Exch. Comm’n, Walmart Charged With FCPA Violations (June 20, 2019), https://www.sec.gov/news/press-release/2019-102; Press Release, Dep’t of Justice, Walmart Inc. and Brazil-Based Subsidiary Agree to Pay $137 Million to Resolve Foreign Corrupt Practices Act Case (June 20, 2019), https://www.justice.gov/opa/pr/walmart-inc-and-brazil-based-subsidiary-agree-pay-137-million-resolve-foreign-corrupt.
 See Press Release, SFP Verifica Permisos Federales Para la Apertura y Operacion de las Tiendas de la Empresa Walmart de Mexico, Secretaria de la Funcion Publica (SFP) (25 April 2012).]
 See also, Press Release, Dep’t of Justice, SBM Offshore N.V. and United States-Based Subsidiary Resolve Foreign Corrupt Practices Act Cases Involving Bribes in Five Countries (Nov. 29, 2017), https://www.justice.gov/opa/pr/sbm-offshore-nv-and-united-states-based-subsidiary-resolve-foreign-corrupt-practices-act-case. On 29 November 2017, SBM Offshore NV (SBM) was assessed a criminal penalty from the DOJ in the amount of US$238 million for an alleged bribery scheme in violation of the FCPA. For approximately 16 years, SBM allegedly paid third-party intermediaries US$180 million in commissions that were then used to bribe government officials in Brazil, Angola, Equatorial Guinea, Kazakhstan and Iraq. The order found that SBM was liable because it knew that a portion of the commission payments would be used to pay these bribes for the purposes of obtaining business with state-owned oil companies.
 For example, the United Kingdom’s Bribery Act states that an organisation or company is liable for the corrupt actions taken by a person ‘associated’ with the company and on the company’s behalf. The Act defines an associated person as one who performs services for the company, such as an employee or agent. See, Bribery Act, 2010, c.23, § 7(1) (U.K.); Ministry of Justice, The Bribery Act 2010, at 16 (March 2011).
 See Ley General Del Sistema Nacional Anticorrupción [LGSNA], Diario Oficial de la Federación [DOF], July 18, 2016.
 See Brazil Clean Company Act (Law No. 12.846/2013).
 Press Release, Dep’t of Justice, Keppel Offshore & Marine Ltd. And U.S. Based Subsidiary Agree to Pay $422 Million in Global Penalties to Resolve Foreign Bribery Case (Oct. 22, 2020), https://www.justice.gov/opa/pr/keppel-offshore-marine-ltd-and-us-based-subsidiary-agree-pay-422-million-global-penalties.
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-61 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.
 id.; see also ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 14–21, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-62 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/.download; OECD, OECD Due Diligence Guidance for Responsible Business Conduct (2018); ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 8-12, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.
 Transparency Int’l, Corruption Perceptions Index (2020), https://www.transparency.org/en/cpi/2020/index/nzl.
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-62 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download; OECD; OECD Due Diligence Guidance for Responsible Business Conduct (2018); ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 14-21, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.
 See, National Defense Authorization Act for Fiscal Year 2021, H.R. 6395, 116th Cong. (2020) § 6403, https://www.congress.gov/bill/116th-congress/house-bill/6395/text.
 Controladoria-Geral De Uniao – CGU, Programa de Integridade: Diretrizes para Empresas Privadas (22 September 2015); Mexico General Law of Administrative Responsibilities (GLAR or the Ley 3 de 3) (18 July 2016); Peru: Corruption Report, GAN Business Anti-Corruption Portal (last updated: September 2016).]
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 60-61 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.
 Dep’t of Justice, Evaluation of Corporate Compliance Programs, at 3 (Updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.