Third-Party Due Diligence: Expanding a Compliance Programme to Suppliers and Clients
The use of third parties in a company’s efforts to expand its business, whether internationally, domestically, or locally, is not only inevitable but necessary. From manufacturing to supply chain through to distribution and product services and support – and including many other key functions of a business previously handled internally (e.g., human resources, information technology, finance and audit) – there is a fast-growing outsourced business model that relies on third parties. Often, using third parties is cheaper, faster and more effective, rendering it a competitive necessity. Third parties can take the form of a company’s agent, intermediary, supplier, consultant or joint venture partner and can provide the company with invaluable and critical services, ranging from product design or delivery to legal or tax advice to sales opportunities. For example, a third party could provide crucial transportation of goods without which a company could not bring its product to market. In 2021, we saw just such an instance with the highly particular cold storage requirements for certain covid-19 vaccines.
The modern approach of disaggregating business functions necessarily means that doing business through a number of third parties is the norm and not the exception, resulting in a growing volume and diversity of third parties that brings inherent corruption risks. Companies must be cognisant of such risks and prepared to mitigate them to maximise the third parties’ utility.
Pursuant to the strictures of the Foreign Corrupt Practices Act (FCPA), companies are prohibited from either directly or indirectly bribing non-US government officials to obtain business. Indirect bribes expressly include payments made by third parties acting on behalf, at the direction, or with the knowledge of the company. To be liable under the FCPA, a company need not explicitly authorise the payment. As long as the company had a reasonable belief that the conduct was likely to occur, it can be held liable for the third party’s conduct. Knowledge of improper payments – or even the offer of anything of value – can be inferred from circumstances demonstrating a reasonable probability of illicit conduct. Thus, companies cannot avoid liability by consciously disregarding or ignoring red flags suggesting that a bribe has been or will be offered, promised or made.
Walmart’s settlement with the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) is a perfect example of the FCPA’s unforgiving nature towards alleged deliberate ignorance. In 2019, the SEC charged Walmart with violating the FCPA by failing to implement and operate a compliance programme sufficiently tailored to mitigate its risks. The order alleged that Walmart ignored red flags and corruption allegations when it expanded its business internationally, allowing its subsidiaries in Brazil, Mexico, China and India to use third-party intermediaries to make payments to foreign government officials. Walmart allegedly failed to investigate and mitigate the risks and paid more than US$282 million in penalties and fines.
A company’s exposure to liability for third-party actions is not unique to the FCPA. Anti-corruption laws in most countries hold companies culpable for third-party conduct. Latin American countries are no exception. For example, Mexico has enacted a number of anti-corruption laws as part of its National Anti-Corruption System. Under these laws, a company can be held liable for the actions of individuals who engage in corrupt offences on behalf of the company. Brazil’s Clean Company Act takes this a step further. Under the Act, companies are held strictly liable for the corrupt conduct of their employees and agents. Take Amec Foster Wheeler Energy Limited (Foster Wheeler) as an example. From 2012 to 2014, Foster Wheeler’s UK subsidiary allegedly paid roughly US$1.1 million in bribes to Brazilian officials through the use of third-party agents. In June 2021, Foster Wheeler agreed to pay over US$43 million to resolve charges brought by anti-corruption authorities in the United States, Brazil and the United Kingdom related to the conduct of its third-party agents.
Liability exposure heightens the need for companies to exercise control and oversight over their business partners and agents, including suppliers and, in certain circumstances, clients. Companies must take the necessary steps to expand their compliance programmes to mitigate the risks that arise from their business dealings. Among the steps utilised by many companies and expected by many regulators are: conducting thorough background checks or due diligence prior to engaging a third party; educating a third party on the applicable antibribery and anti-corruption laws; contractually mandating a third party’s compliance with the same; and monitoring the third party’s actions throughout the life of the contract. The level of due diligence, compliance training and monitoring to be performed by the company on the third party depends on the scope of work provided by the third party, the inherent risk of the work or the transaction, the geographic location of the deal, the industry and the compensation to be paid. A company’s vendor of office supplies, for example, will not be subject to the same scrutiny as the company’s customs broker or freight forwarder interacting with government officials on behalf of the company.
How to assess third parties
Risk-tiered due diligence
Before engaging a third party or entering into a transaction with a customer, companies must learn about the entity on the other end of the deal to fully evaluate the potential liability risks triggered by that entity and to ensure that the internal controls built into the company’s compliance programme are deployed appropriately to mitigate the risk. For example, a company may employ certain internal controls when contracting with a public sector entity, but those controls are only initiated if the entity is identified properly as public sector. If the personnel entering the information are unaware of the proper designation because no diligence is conducted, then the mechanisms to mitigate the risk of liability are not utilised. Similarly, when engaging third-party suppliers or other agents, it is critical to conduct sufficient due diligence to understand the third party’s experience, beneficial owners and reputation. These efforts often take the form of risk management programmes and analysis designed to understand multiple aspects, including the entity’s reputation for corrupt practices and whether the entity is designated on any sanctions lists. Ultimately, the results of this analysis will help companies better understand, assess, and mitigate any risk that may arise throughout the course of the contractual relationship. For example, due diligence efforts could help uncover whether a third party has any familial or business connections to government officials or whether the third party is a politically exposed person. Similarly, due diligence may identify a financial institution as a publicly funded bank, thus triggering internal compliance safeguards. Uncovering these red flags early in the engagement can help inform further business dealings and save the company from future liability.
Eliminating all potential corruption risks that a third party could pose is neither possible nor required. For example, many companies distribute their product through a network of thousands of distributors and resellers, rely on dozens of manufacturers of component parts, employ consultants to provide market-relevant information, hire tax and legal advisers, use consultants with specialised technical skills, and outsource a host of other functions. Not all of these third parties presents the same level and type of risk. Resources – both time and money – are limited, so vetting them all to the same degree is unrealistic. It is vitally important that any company considering its due diligence obligations intelligently allocates its resources to maximise the overall risk of those investments.
Risk-tiered due diligence helps companies focus their finite resources on those parties that present the most significant risks to the company. The extent of corruption risks vary from one third party to another, so the proportionality of the due diligence efforts applied also vary. This type of due diligence not only helps to prioritise risk monitoring, but also demonstrates that the company is taking an active and committed role to detecting and preventing corrupt practices should an investigation arise.
Risk-tiered due diligence factors to consider
Allocating risks among various third parties can often be difficult to establish and is not subject to a one-size-fits-all approach. However, there are certain factors that a company should consider when determining a third party’s risk level:
Interactions with government entities or public officials
Situations where the third party is either a government entity itself or works closely with a public official will give rise to increased anti-corruption enforcement scrutiny. Companies should note that a mere association with a foreign public official could lead to scrutiny and warrants heightened due diligence and internal controls around the third party’s activities. While most countries impose criminal liability for all forms of bribery in a commercial context and not just bribes to public officials, the vast majority of the corruption enforcement actions that impose significant financial and business consequences involve public sector contracts. Accordingly, it is critical to understand whether a third party supplier is beneficially owned or controlled by a current or former government official or his or her close family members, and if so, to monitor closely the performance of services by that entity should the company engage it. Similarly, third parties engaged to interact with government officials must be subject to increased diligence and monitoring throughout the life of the contract to deter and detect potential illicit conduct. Additionally, interactions with customers beneficially owned or controlled by government entities merit enhanced scrutiny and the imposition of internal controls to mitigate risk as the liability exposure is not limited to charges of corruption, but may involve public procurement fraud or bid-rigging and misuse of taxpayer funds.
Where the third party is located and where the services are to be performed can help a company determine the level of potential risk that a third party might pose and thus, the commensurate level of due diligence required. The Corruption Perceptions Index published by Transparency International ranks the corruption levels of various countries, ranging from ‘highly corrupt’ to ‘very clean’. If the country where the third party is primarily working or in which the transaction occurs ranks as highly corrupt, then the level of due diligence applied to that third party or to that transaction should be consistent with the heightened risk presented. Moreover, if the jurisdiction is one with strong enforcement of anticorruption laws, a company would be well advised to invest more resources in ensuring that its business dealings do not invite scrutiny. A decade ago, many companies accepted excuses from third parties or customers reluctant to participate in due diligence who pointed to the differences in business customs across jurisdictions. Today, with a greater focus on the deleterious consequences of unchecked corruption, many countries across the world, and particularly in Latin America, are engaged in enforcement measures to reduce fraudulent and corrupt practices, thus reducing the reliability of a ‘customs’ excuse.
The nature of the services that the third party will provide
Some services may be more susceptible to corruption risks than others. For example, agreements where a third party is to provide a service to a public official that may be compensated through commission or success fee arrangements create more of a risk than agreements in which the third party supplies the company with printer cartridges whose pricing is more transparent. While the latter may present conflict of interest or kickback concerns if the supplier is related to the person who awarded the contract, such contracts typically do not result in large-scale investigations that distract personnel and divert resources for months. To help mitigate potential risks, companies should ensure that the scope of the services expected is clearly defined, the fees and expenses are delineated and supported by documentation, and the third party is sufficiently aware of the conduct in which he or she cannot engage.
Third-party compensation and the value of the contract
Companies should consider compensation and the overall value of the contract when allocating risk. Compensation may raise a red flag if it is disproportionate to the typical compensation received for similar services. Higher-than-normal compensation may suggest that excess payments will be used for bribes or kickbacks. As part of due diligence, companies often examine the fair market value of a transaction to evaluate whether the supplier has experience pricing similar contracts, is padding the cost to allow for improper payments, or is offering an unfair rate. Similarly, in contracts with a customer, companies examine the request for proposal or any tender documentation to substantiate discount requests or the need for third-party sales or services intermediaries. For example, sales agents often request non-standard discounts on the basis of a customer’s budgetary restrictions or competitive pressures. To the extent the company has access to requests for proposal or other tender documentation, the due diligence process should include reviewing such documents to verify the veracity of the discount requests. Such documents, for example, may indicate that a tender is sole source, rendering a competitive pressure excuse invalid.
The overall value of the contract also could lead to potential risks. Higher valued contracts may tempt a third party to engage in corrupt conduct to obtain the benefits provided in the agreement. Similarly, a transaction with a percentage of the final sale as the commission payment may afford the supplier with significant funds to make improper payments, absent heightened scrutiny of the supplier’s experience, reputation, and compliance standards. Accordingly, higher-value contracts should be subject to greater internal controls and diligence to mitigate such risks.
The company’s pre-existing relationship with the third party
A company’s long-standing experience or pre-existing relationship with a third party may mitigate the risk of impropriety or it may make a company complacent. Certainly, the presence of an existing business relationship presents relevant information about the entity’s experience and reputation, but if heightened risk factors are present in the transaction, companies would be well served to conduct some measure of due diligence to identify red flags and to mitigate risks should they arise. Companies also should monitor the third party throughout the life of the contract to ensure continued compliance. A long-standing relationship may make the supplier overly dependent on its business with the company such that it could be compromised by improper requests from a company sales manager, for example. Effective diligence and monitoring serves to protect both parties in the transaction.
General due diligence factors to consider
While the level and severity of due diligence can vary, companies should seek certain background information on the following topics when conducting due diligence analysis.
Companies must know the actual identity of those with whom they are contracting. Companies should identify the third party’s principal shareholders to determine who has actual control and ownership of the business. This information can be established through the third party’s official company registration documents, but, in many cases, should not be limited to a review of the incorporation certificates. For example, someone seeking to disguise the true beneficial owners may list family members or individuals whose business is to incorporate entities under local law. Accordingly, requiring potential third parties to complete a due diligence questionnaire identifying their beneficial owners is a better practice than relying simply on company registration documents. Understanding the true ownership structure will help companies avoid liability for the misconduct of hidden owners, which has recently become an area of focus in the US.
Asking third parties to submit financial reports or statements is critical to understanding the financial health of the third party, not simply for creditworthiness purposes, but also for exposure to legal risk. Financial reports can alert the company to those entities who may be compromised or unduly influenced by improper overtures to secure business. Additionally, financial reports often reflect whether the entity maintains its books and records in a manner that provides transparency and reliability – a key factor in anti-corruption analyses and one which can create liability or serve as a useful monitoring tool. Companies should endeavour to ensure that the information in the disclosed financial reports is accurate and detailed enough to allow the company to spot discrepancies or unusual payments. Moreover, the financial reports or statements may offer insight as to whether the third party is sufficiently experienced and reputable to perform the services anticipated for the company and can serve to verify the third party’s declarations of prior experience in the industry. Depending on the significance and risk of the third party’s activities on behalf of the company, the company’s diligence may include researching, and, if possible, independently verifying the third party’s financial activities to evaluate the potential sources of revenue. This independent corroboration would help guard against potential negative media narratives that unnecessarily could imperil the company’s good will and reputation if, for example, the third party’s revenue partially derives from criminal activities.
Companies must be on alert for red flags that indicate a third party has offered to provide services in an area where it seems to lack competence. This is especially true when the services offered involve interactions with government officials. Companies should ensure the third party has the actual expertise and experience required by checking references, researching the third party’s history, probing the third party’s knowledge of the industry and market, and examining the third party’s website for details that substantiate its declarations of experience. To avoid actual or perceived corrupt conduct, a company also should ensure that it has a legitimate business justification for entering into the agreement with the third party. A proper business justification will help mitigate the company’s potential risk in the future, provided there is no readily available information which the company failed to evaluate or collect that discredits the third party’s competency.
Research the third party’s history
Another measure to assess potential risks is to run an internet search to identify any available reputational information regarding the third party. Adverse news alleging that the third party or its officers, directors or employees have engaged in corrupt, fraudulent or unethical practices in the past is a clear red flag that the company should consider before entering into further business dealings. Such adverse news also may offer insight on the third party’s competency. The company can conduct this research using the information provided by the third party itself or from information located in the public domain and behind relatively minor paywalls. In certain markets, this information may not be as readily available or reliable as in other jurisdictions, but, depending on the risk presented by the third party’s anticipated activities, may be worth the effort to uncover. For example, a sales intermediary responsible for negotiating with potential public sector customers in Honduras should be subject to greater due diligence scrutiny than a manufacturing supplier of component parts in Chile.
The third party’s reputation
A third party’s reputation often can be discerned through researching its history and any adverse news through internet searches. But in higher-risk cases, due diligence efforts also should involve other means. For example, companies should seek out references who personally know or have worked with the third party in question and can speak towards the party’s character, experience and past engagements. This can help establish whether the third party has engaged in corrupt practices in the past, has a propensity for behaviour that skirts the law or has a close relationship with a public official that may raise a red flag.
The third party’s approach to ethics and compliance
Lastly, companies should examine the ethics and compliance policies that the third party has in place for its own business. The third party’s overall tone and attitude towards compliance efforts should be noted as potential risk factors. This analysis includes inquiring whether the third party engages in its own due diligence of business partners, suppliers, contractors, and, in particular, any sub-contractors it may use in connection with the work to be performed for the company. Moreover, in many cases, this analysis includes understanding the financial and other controls in place by the third party to mitigate risks of misconduct and to monitor its employees’ and agents’ compliance. Additionally, with respect to customers, this inquiry may inform whether the company has an obligation to complete certain compliance certifications or to advise the customer of certain benefits offered or provided to its personnel in connection with the negotiation or performance of the contract. For example, certain public sector entities prohibit their employees from engaging in any events or accepting any benefits, even if nominal, absent pre-approval; understanding whether such prohibitions exist is critical to ensuring the success of the customer relationship and to mitigating liability for failure to abide by these requirements.
In recent years, more Latin American countries have enhanced and enforced anti-corruption laws. Anticorruption legislation in most countries emphasises the importance of corporate compliance programmes and imposes liability when companies fail to adopt adequate internal controls, including policies, procedures and monitoring mechanisms that cover their employees and agents. Accordingly, entering into a contract with an entity that has failed to adopt internal controls consistent with its risk profile and the applicable legal requirements is a key factor to consider in due diligence.
Due diligence efforts do not cease once the third party has been officially retained. Companies should continue to monitor the third party’s conduct throughout the business relationship to identify and follow up on potential red flags. This may include updating due diligence practices, providing additional training, periodically auditing the third party’s practices and compliance protocols, and requesting updated compliance certifications.
Due diligence does more than just mitigate potential risk, however. A robust and effective programme promotes ethical conduct among the various parties to an agreement. For example, conducting third-party due diligence may require that the third party itself examine and redefine its own compliance and anti-corruption efforts to avoid risk and to better position itself to build future business relationships. Thus, taking the time to expand due diligence efforts that encompass all third-party relationships will be beneficial for both parties to the transaction.
Approaching due diligence when negotiating and dealing with counterparties
Contracts with third-party suppliers or clients should clearly state the responsibilities of all of the parties and their compliance expectations. These contracts should reference the company’s due diligence efforts to ensure that the third party abides by all applicable anti-corruption laws. Third parties should be aware of the types of risks that would give rise to enforcement scrutiny so as to help mitigate the company’s potential liability should corrupt conduct occur. In most cases, the following representations and warranties should be included in the contract:
- agrees to comply with all applicable laws and policies and certifies compliance for at least the prior five years;
- certifies that no actions have been proposed or taken, directly or indirectly, that would cause a government official to benefit improperly;
- agrees to adopt (or certifies adoption of) adequate and effective compliance policies and internal controls, which include training on those policies and controls to employees;
- agrees to provide prompt notice to the company if it plans to retain other agents or representatives to assist in providing services under the contract;
- agrees to provide immediate notice to the company if it becomes aware of an allegation of a potential or actual violation of law;
- certifies that it maintains accurate, detailed, transparent, and up-to-date books and records setting forth the financial transactions related to any work conducted on behalf of the company, together with supporting documentation;
- agrees to allow the company to audit its books and records related to the contract; and
- permits the company to terminate rights under the contract in the event of a compliance breach, including a provision requiring the third party to forfeit any compensation agreed upon in the contract.
Means of mitigating potential exposure
Red flags that arise from due diligence efforts do not automatically mean that a company cannot contract with a third party. Certain risks can be mitigated to limit potential exposure.
Training third parties
Before contracting, companies should ensure that the third party is aware of the relevant anti-corruption, sanctions and other laws that affect the transaction and that it is aware of its customer’s policies and practices to ensure compliance with applicable laws. One method of ensuring adequate knowledge of the applicable laws and compliance policies is through substantive training. When investigating alleged misconduct, regulators around the world consider a company’s efforts to communicate its policies effectively through trainings and certifications. An effective training process takes into account the target audience. For example, the information and hypotheticals should revolve around situations that the third party would likely encounter, and training materials should be provided in the local language, if applicable. The more targeted and thorough the training, the more likely a company can mitigate potential liability risks should they arise.
Implementing a third-party code of conduct
All companies should implement a general code of conduct as a foundation for their overall compliance programmes. These codes should be clear and concise, and companies should ensure that they are made available to all employees and third-party agents working on behalf of the company. This includes providing the material in the local language, if necessary. Effective codes of conduct outline the company’s policies and procedures, as well as the expectations the company has in terms of compliance. When investigating alleged misconduct and imposing liability, regulators consider the effectiveness of a company’s code of conduct and whether the company has provided the code to its third parties and updated the code to account for current risks.
Enforcing contractual audit clauses
As stated above, companies should ensure that they include a contractual provision requiring compliance with applicable laws. However, merely stating that a third party must follow the applicable laws is not enough to fully mitigate the risks. Companies bear the responsibility to continue monitoring third parties throughout the life of the contract to better detect any potential issues that might arise. This can be done by periodic audits of the third party’s activities and invoices, as well as audits of the third party’s own compliance policies as they relate to its business with the company. In the context of a contract with a customer, the company can review the request for proposal, any tender documents, and the deal booking documents to ensure that applicable laws are being satisfied. This continued monitoring, like due diligence, is tiered based on the risks presented by the third party; a majority of third-party relationships will not necessitate regular monitoring.
The World Acceptance Corporation’s (WAC) case illustrates the consequences of failing to implement the necessary auditing controls. In that case, WAC’s Mexican subsidiary allegedly used third-party intermediaries to pay over US$4 million in bribes to Mexican officials for almost a decade. The SEC found that WAC lacked the necessary internal auditing controls to detect and prevent the payments, subjecting itself to liability. WAC agreed to pay US$21.7 million to resolve the charges.
Using data analytics
Enforcement agencies increasingly focus on data analytics when evaluating corporate compliance programmes. The June 2020 revision to the DOJ compliance guidelines requires prosecutors to investigate how a company is tracking the functionality of its operations and compliance efforts. Part of this determination is done by looking at the company’s use of data analytics. Data analytics allows a company to continuously and remotely gather data, monitor transactions and analyse risks. It provides the company with a method of analysing the effectiveness of its policies and controls to better address new concerns. This type of monitoring helps to identify risks as they emerge for compliance, auditing and investigation purposes, giving the company more time to evaluate and determine the best course of action to mitigate liability.
The use of third parties is both beneficial and necessary for most companies. Maximising the utility of such relationships, however, requires a deliberate and focused approach to due diligence to mitigate the inherent risks. Companies should take the necessary steps to identify potential risk factors before entering into a business relationship but need not terminate a relationship if risks arise. Implementing a robust and effective compliance programme that incorporates risk-tiered due diligence efforts will help mitigate the compliance risks and allow the companies to retain the benefit of third-party services.
 Palmina M Fava and Zach Terwilliger are partners and Natalie Cardenas is an associate at Vinson & Elkins LLP.
 The Foreign Corrupt Practices Act of 1977, 15 U.S.C. § 78dd-1
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the US Foreign Corrupt Practices Act, at 22 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.
 Press Release, Sec. and Exch. Comm’n, Walmart Charged With FCPA Violations (20 June 2019), https://www.sec.gov/news/press-release/2019-102; Press Release, Dep’t of Justice, Walmart Inc. and Brazil-Based Subsidiary Agree to Pay $137 Million to Resolve Foreign Corrupt Practices Act Case (20 June 2019), https://www.justice.gov/opa/pr/walmart-inc-and-brazil-based-subsidiary-agree-pay-137-million-resolve-foreign-corrupt. A more recent example involves WPP’s settlement with the SEC regarding allegations that WPP violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA. According to the SEC order, WPP acquired advertising agencies in high-risk areas, including India, China, Brazil and Peru, and failed to implement internal accounting controls and compliance policies to mitigate the risk of corruption. One of the allegations in the order stated that WPP received an accounting report and anonymous complaints suggesting that its subsidiary in India was engaging in corrupt practices through the use of a third-party intermediary. WPP failed to adequately respond to these warning signs. WPP paid more than US$19 million in fines and penalties to resolve the charges. See Press Release, Sec. and Exch. Comm’n, SEC Charges World’s Largest Advertising Group with FCPA Violations (24 September 2021), https://www.sec.gov/news/press-release/2021-191.
 See also Press Release, Dep’t of Justice, SBM Offshore N.V. and United States-Based Subsidiary Resolve Foreign Corrupt Practices Act Cases Involving Bribes in Five Countries (29 November 2017), https://www.justice.gov/opa/pr/sbm-offshore-nv-and-united-states-based-subsidiary-resolve-foreign-corrupt-practices-act-case. On 29 November 2017, SBM Offshore N.V. (SBM) was assessed a criminal penalty from the DOJ in the amount of US$238 million for an alleged bribery scheme in violation of the FCPA. For approximately 16 years, SBM allegedly paid third party intermediaries US$180 million in commissions that were used to bribe government officials in Brazil, Angola, Equatorial Guinea, Kazakhstan, and Iraq. The order found that SBM was liable because it knew that a portion of the commission payments would be used to pay these bribes for the purposes of obtaining business with state-owned oil companies.
 For example, the United Kingdom’s Bribery Act states that an organisation or company is liable for the corrupt actions taken by a person ‘associated’ with the company and on the company’s behalf. The Act defines an associated person as one who performs services for the company, such as an employee or agent. See, Bribery Act, 2010, c.23, § 7(1) (U.K.); Ministry of Justice, The Bribery Act 2010, at 16 (March 2011).
 See Ley General Del Sistema Nacional Anticorrupción [LGSNA], Diario Oficial de la Federación [DOF], 18 July 2016.
 See Brazil Clean Company Act (Law No. 12.846/2013).
 Press Release, Sec. and Exch. Comm’n, SEC Charges Amec Foster Wheeler Limited with FCPA Violated Related to Brazilian Bribery Scheme (25 June 2021), https://www.sec.gov/news/press-release/2021-112.
 See also Press Release, Dep’t of Justice, Keppel Offshore & Marine Ltd. and US Based Subsidiary Agree to Pay $422 Million in Global Penalties to Resolve Foreign Bribery Case (22 October 2020), https://www.justice.gov/opa/pr/keppel-offshore-marine-ltd-and-us-based-subsidiary-agree-pay-422-million-global-penalties. Keppel Offshore & Marine Ltd (KOM) allegedly paid roughly US$55 million in bribes to Brazilian officials through the use of third-party intermediaries. In 2017, KOM agreed to pay a combined total of US$422 million to resolve charges brought by authorities in the United States, Brazil and Singapore.
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the US Foreign Corrupt Practices Act, at 60–61 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.
 id.; see also ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 14–21, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the US Foreign Corrupt Practices Act, at 60–62 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download; OECD, OECD Due Diligence Guidance for Responsible Business Conduct (2018); ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 8–12, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf.
 Transparency Int’l, Corruption Perceptions Index (2020), https://www.transparency.org/en/cpi/2020/index/nzl.
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the US Foreign Corrupt Practices Act, at 60–62 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download; OECD; OECD Due Diligence Guidance for Responsible Business Conduct (2018); ICC, ICC Anti-Corruption Third Party Due Diligence: A Guide for Small and Medium Size Enterprises, at 14–21, https://iccwbo.org/content/uploads/sites/3/2015/07/ICC-Anti-corruption-Third-Party-Due-Diligence-A-Guide-for-Small-and-Medium-sized-Enterprises.pdf
 The US has designated the fight against corruption as a ‘core national security interest’ and has increasingly focused on the need for transparency in financial transactions and effective third-party due diligence as a means to reduce the risk of corruption both domestically and abroad. See Joseph Biden, Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest, White House Briefing Room (3 June 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/03/memorandum-on-establishing-the-fight-against-corruption-as-a-core-united-states-national-security-interest. Under the Corporate Transparency Act (CTA) enacted by Congress in January 2021, certain entities will be required to report beneficial ownership information to the Financial Crime Enforcement Network. See Corporate Transparency Act, H.R. 6395 § 6403. One of the goals of the CTA is to thwart companies from concealing their ownership to ‘facilitate illicit activity’. Id § 6402(3).
 See, e.g., L. 1778, 2 February 2016, Diario Oficial [D.O.] (Colom.); Brazil Clean Company Act (Law No. 12.846/2013); Law No. 20.393, 2 December 2009, Gaceta Jurídica, G.J. (Chile).
 See Dep’t of Justice & Sec. and Exch. Comm’n, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 7 (July 2020), https://www.justice.gov/criminal-fraud/file/1292051/download.
 See id. at 60-61.
 Dep’t of Justice, Evaluation of Corporate Compliance Programs, at 3 (Updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.
 See Chapter 10, ‘Embracing Technology’.