Investigations Involving Third Parties: Practical Considerations for UK Organisations
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Despite being a focus for compliance teams in the United Kingdom for many years, third-party management remains a challenge, with organisations continuing to search for the most effective ways to influence conduct and quickly identify and act on risk. Legislative developments and recent enforcement activity illustrate the increasing expectations placed on organisations around third-party compliance. This article provides practical guidance on approaches to engaging with and monitoring third parties across multiple jurisdictions, including suggestions for overcoming potential roadblocks to investigations.
- Changing landscape of UK law and increasing regulatory risk around third parties
- Use of due diligence as first line of defence
- Challenges for organisations engaging with third-party agents, intermediaries or partners
- Guidance on approaches to continuous monitoring
- Barriers to conducting and completing third-party reviews
- Consideration of potential investigation outcomes
Referenced in this article
- UK Ministry of Justice guidance
- UK Serious Fraud Office v Amec Foster Wheeler Energy Limited
- UK Serious Fraud Office v Petrofac Limited
- Alstom Transport SA v Alexander Brothers Ltd
- US DOJ, Evaluation of Corporate Compliance Programs (updated June 2020)
Third parties have long been identified as posing a key compliance risk for organisations, with analysis showing that between 1977 and 2022, nearly 90 per cent of all US Foreign Corrupt Practices Act-related enforcement actions involved third-party intermediaries, such as agents, consultants and contractors.
The picture in the United Kingdom is similar, with UK agencies – including the Serious Fraud Office (SFO), the Financial Conduct Authority and the National Crime Agency – repeatedly highlighting the role of third parties in relation to enforcement action taken in the past five years. For example, in 2021 the SFO described the role of third parties, particularly agents, in facilitating the payment of bribes in connection with cases settled in the year:
A key feature of the case was the complex and deliberately opaque methods used by these senior executives to pay agents across borders, disguising payments through sub-contractors, creating fake contracts for fictitious services and, in some cases, passing bribes through more than one agent and one country, to disguise their actions.
The SFO further stated the following:
In the course of the investigation, the SFO has identified evidence which demonstrates that FWEL used agents to assist it in obtaining or retaining business, or an advantage in the conduct of business. The SFO alleges that FWEL's employees and directors conspired with others (most notably agents) to make corrupt payments to public officials.
Beyond bribery and corruption, third parties also feature in relation to compliance topics from supply chain integrity to sanctions compliance, with recent UK legislation such as the Modern Slavery Act of 2015 and the expanded sanctions regime increasing the need for companies to actively manage their third-party relationships.
Despite being a fundamental part of business and a focus for compliance teams in the United Kingdom for many years, third-party management remains a challenge, with organisations continuing to search for the most effective ways to influence conduct and quickly identify and act on risk, not only at the point of onboarding but also throughout the life cycle of the relationship.
Third-party checks are a key building block of a robust anti-bribery and corruption compliance programme and a baseline expectation of most bribery and corruption standards, for example:
a company's third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to "detect the particular types of misconduct most likely to occur in a particular corporation's line of business."
Although some organisations only focus on their third-party compliance programme in response to misconduct, regulatory pressure or stakeholder expectations, most large British organisations with international operations have actively engaged in improving their approach to third-party compliance.
A typical third-party compliance framework will include due diligence processes applied to new third parties during onboarding and existing third parties on a periodic basis.
Due diligence activities may include a review of publicly available corporate information and a search of watch lists and can extend to mapping the corporate structure and ultimate beneficial ownership of the organisation, or the use of human sources to provide their perspective on the reputation and profile of the company, its shareholders and management, and aspects of its operations and supply chain.
These processes follow a structured workflow of planned checks and, in order to be effective, require organisations to establish an accurate view of their third-party population and the nature of their relationships with different third parties.
Effective due diligence programmes are a key part of third-party compliance programmes and can be used to obtain available corporate information that helps organisations to filter out partners with known red flags or a poor track record; however, in some instances, there are gaps in the public record, or the available information is conflicting or unclear. Even where the due diligence is clear, it is not only the integrity of the third party, but the substance of the relationship between the organisation and the third party that must be understood in assessing risk.
For organisations to determine whether further steps are proportionate in assessing underlying third-party relationships and investigating concerns, it is necessary to understand how third-party relationships can lead to compliance challenges. The following section summarises three areas where clients often encounter challenges.
In some cases, individuals within an organisation can collude with a third party to facilitate bribery, circumvent company controls or provide distance and deniability in transactions commissioned for the benefit of the organisation.
|Examples of ways third-party relationships can be exploited||Control weaknesses associated with these activities|
Weaknesses in internal controls, or a lack of risk awareness within the business, can also allow high-risk entities and interactions to pass onboarding processes and standard transaction approvals. More detailed analysis and review is sometimes required to identify risk.
Use of subcontractors
Even where there have been thorough checks on a prospective third party, there may be a lack of oversight regarding how the third party will fulfil the contract and who will perform the work. If subcontractors or additional entities are involved, due diligence on the immediate supplier may not be sufficient to address:
- the risk of poor-quality work arising from unvetted providers that impacts the overall project delivery, cost and quality; or
- the risk of the subcontractor being used as part of a scheme to conceal the transfer of value from the third party (and ultimately the company).
Common red flags include:
- a recently set-up firm with limited or non-existent reputation or qualifications;
- a low number of employees relative to the work required;
- a lack of evidence of the need for work or why the subcontractor is required; and
- a lack of clarity regarding ownership of the company or links between the third party and the subcontracted entity.
A detailed understanding of the local context is often required when assessing the role of a subcontractor or supporting entity. In some cases, local content rules may require the use of domestic partners, but risks can be magnified where local officials insist on particular companies being engaged or where the population of accredited or qualified entities leaves limited choice for the company.
Attitude to compliance
The mere fact that a supplier or intermediary does not present red flags and passes due diligence checks does not mean the organisation shares the values of the company or a commitment to compliance. Some third parties, particularly smaller organisations, can have less developed compliance practices and may not have relevant staff training, necessary processes or confidential channels for people to report any concerns.
This is not to say all third parties should have the same systems in place: organisations of different sizes, operating in different markets, are likely to require different structures proportionate to their needs and risks. In some cases, it can be difficult for smaller entities to produce the full raft of compliance documentation expected of them, and this can be interpreted, sometimes unfairly, as indicating a lack of regard for integrity and compliance.
UK companies operating abroad can also be faced with partner entities that are governed by different local legislation, for example, in relation to the treatment of facilitation payments or the definition of public officials; however, regardless of the details of the compliance framework, it is always important to consider whether the values and ways of doing business of the two entities are aligned.
At the extreme end, some organisations have a very limited regard for compliance, with some local representatives willing to pay bribes or offer lavish gifts and entertainment on behalf of their clients to secure contract awards and obtain licences or permits. Differentiating between an immature compliance programme and an entity that does not take compliance seriously can be difficult to do without more detailed checks.
Where there is potential risk, further work is often required to enable an understanding of how the third party does business and the business context for the relationship, as well as a more detailed review of transactions.
The expectation that organisations will go beyond due diligence where necessary has been explicitly stated. For example, according to the UK Ministry of Justice adequate procedures guidance:
In higher risk situations, due diligence may include conducting direct interrogative enquiries, indirect investigations, or general research on proposed associated persons. Appraisal and continued monitoring of recruited or engaged 'associated' persons may also be required, proportionate to the identified risks.
This message has subsequently been reinforced by others, including the US Department of Justice, in its 2020 Evaluation of Corporate Compliance Programs best practice guidance:
Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
Ongoing engagement and monitoring
Any additional monitoring should focus on third parties with characteristics that have the greatest potential to cause reputational and financial damage. Such considerations are likely to include an assessment of whether the third party:
- acts as a representative of the company;
- makes payments on behalf of the company;
- engages with public officials;
- operates in markets or activities that are considered to be more risky; or
- has been implicated in internal or external allegations or reports.
We have also observed a growing appetite to conduct proactive as well as retrospective reviews, including transaction-level reviews involving the third-party agent before finalisation of the contract with the end customer.
Given the time, cost and resources required to conduct detailed third-party reviews, it is common for organisations to employ a tiered approach to any additional review steps, enabling the company to focus efforts on a smaller pool of entities that can be refreshed on a rolling basis.
The third-party review programme should be integrated with other compliance processes, including relevant information from due diligence, confidential reporting channels and the findings of other internal reviews, to enable potential red flags identified by other checks to be incorporated into a risk assessment.
Understanding potential wrongdoing often requires access to information held by both the entity and the third party, and the ability to compare the information provided by different sources.
A tiered range of additional compliance steps can include third-party outreach and training, transaction monitoring and detailed entity-level reviews.
Third-party outreach and training
If prepared in the relevant language and with practical examples, these schemes can help improve the risk awareness and understanding of third-party employees, and can be delivered to multiple entities using common material.
Transaction monitoring
If the data is available on a timely basis, introducing standard tests to map trends and highlight key exceptions and anomalies can be a powerful way of tracking conduct among a group of high-risk third parties. It is useful in those circumstances to segregate the third-party population into groups, for example, by entity type, service or geography.
The most significant limiting factor is often identifying and collecting the required data, with international organisations typically using multiple systems and recording data in different ways. Specific transaction reviews can also be performed.
Where red flags are identified, it is important to develop an approach that enables access to the information necessary to make an informed assessment of the situation.
Detailed entity-level reviews
Detailed entity-level reviews can help to reinforce the commitment of the organisation to ethical conduct. These reviews can either be performed via desktop review or expanded on-site review.
|Desktop review||On-site review|
Regardless of whether a desktop review or an expanded on-site review is performed, it is important to understand the overall business relationship and history with the third party, test the underlying transactions to inform the focus of the review and carry out an appropriate level of testing.
Any financial data should be clean and reconciled at the outset. Data analysis can then be used to identify anomalies or inconsistencies and to apply standard sample selection methodologies to select an initial risk-based sample for review. Such standard tests can consider high-risk expenditure categories (eg, entertainment) along with tests such as round-sum or high-value payments, transactions recorded close to quarter ends, high-value discounts or transaction references to state-owned enterprises or politically exposed persons.
Any potential red flags should be considered with all available documentation, including relevant internal company correspondence and financial records and explanations sought from management.
Practical challenges to consider
The tone of engagement with the third party is a key part of any review. Although a successful review depends on cooperation, it is also a test of the dynamics of the business relationship. If the review feels like an investigation, it is likely the third party will become defensive and resist cooperation unless it is under significant commercial pressure.
Regardless of the approach, it is unlikely the company will be able to access the full gamut of information relating to the third party that would usually be available in an internal investigation. For example, internal emails and electronic communications at the third party or financial information and documents involving transactions that do not relate directly to the company are usually not available. It is therefore important to engage with the third party in a way that increases the prospects of accessing the maximum amount of relevant information.
A key part of the process, and a critical step in engagement, is facilitating a proper kick-off meeting between all those involved, setting out the aims and objectives of the review, providing an overview of the programme and identifying individuals who can be contacted with questions or concerns.
While the process should feel collaborative, it is important to recognise that the consequences of the review can be significant, so the company and the review team must find the right balance between establishing an effective working relationship and ensuring the importance of the process is appreciated. In practice, the best engagement often happens when the company is prepared to state clearly how serious it is about compliance in general, particularly with regard to its third-party review programme.
Ultimately, if the company cannot reach an understanding where the third party is willing to engage with the review, it is important that the company be willing to consider the implications, recognising the third party is likely to be considered high risk. Some of the best examples of engagement have been when the company has stopped new business with the third party pending results or has made clear the future relationship is contingent on a successful review.
Data access and cooperation
One of the key barriers our clients face is in having the required contractual terms – particularly audit rights and, where necessary, non-disclosure agreements – in place that are acceptable to all parties. While these requirements can often cause delays, they are not usually sufficient to prevent a review from taking place if the right commercial relationship exists.
Even where the appropriate contractual provisions are in place, there are often challenges in accessing information for the review. For example, the third party may have confidentiality considerations that restrict sharing information relating to general operations and that can limit the potential of the review to assess activities such as general business development, including hospitality and entertainment.
Organisations can also seek to use data protection and privacy rules to protect relevant information that may be desired as part of the review. There are also third parties in some countries that can coordinate and share information in an attempt to delay or obfuscate the review. It is therefore important for the company to have anticipated those arguments and reached an agreed internal position on what level of information sharing they are prepared to accept from the third party.
In some countries, staff at the third party engage more openly and extensively with individuals from the same country. Beyond shared language, which is fundamental, having a team familiar with local ways of doing business, business etiquette and business regulations is an important consideration for delivering a successful review.
There can also be difficulties in finding where a third party operates. In the fashion industry, where companies take advantage of cheap labour across South Asia, clothing factories do not always have a proper, published address.
Ultimately, some third parties choose to adopt consistent delaying tactics or simply refuse to cooperate. Failure to engage with the third-party review process should be viewed as a significant red flag, and the company should consider whether ongoing business activity should be paused until further notice.
Concluding the review
For any third-party review to be effective, it is important to act on the results. Given the limitations in data, decisions often need to be made without certainty. Being in possession of potentially relevant but incomplete information is a difficult situation for compliance teams, where any decision not to act may be subject to future review and challenge.
It is therefore important for any decisions to be well documented and for there to be work done to ensure the decision is implemented on the ground. For example, there have been cases where relationships with an entity have been formally discontinued (eg, a contract has not been renewed) but they continue to be used.
Regardless of the outcome, it is important that any review findings be fed back into existing compliance systems to enable the refinement of processes, controls and ongoing monitoring systems, and updates to training and guidance for the business.
In some cases, it may be appropriate to work collaboratively with the third party to support improvement in its compliance processes and develop new information sharing or monitoring solutions; however, in other cases, the company may decide to take more significant action.
Any decisions about changing the third-party relationship should consider the practical aspects of implementation, including the contractual relationship between the parties and the potential impact on the local operating environment. There is a risk that any decision to terminate a relationship owing to concerns about misconduct or corrupt activity by the third party may be subject to legal challenge for breach of contract, failure to pay for goods or services, or loss of profits.
In some cases, third-party relationships that have been initiated to capitalise on the political or community connections of the third party can be difficult to terminate without the risk of retaliation or disruption. It is essential not only to document the decision but also to take time to consider how best to communicate and structure any disengagement.
 Stanford Law School, Foreign Corrupt Practices Act: Statistics & Analytics.
 Serious Fraud Office (SFO), ‘Serious Fraud Office secures third set of Petrofac bribery convictions’ (4 October 2021).
 SFO, ‘SFO enters into £103m DPA with Amec Foster Wheeler Energy Limited’ (2 July 2021).
 US Department of Justice (DOJ), ‘Evaluation of Corporate Compliance Programs’ (June 2020), page 8.
 UK Ministry of Justice, ‘Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing (section 9 of the Bribery Act 2010)’ (March 2011), page 28.
 DOJ, ‘Evaluation of Corporate Compliance Programs’ (June 2020), page 7.
 For example, see paragraph 13 of the statement of facts released in connection with the deferred prosecution agreement between the UK SFO and Amec Foster Wheeler Energy Limited.
 See Alstom Transport SA v Alexander Brothers Ltd, for example, in relation to Alexander Brothers Limited (Hong Kong SAR) v Alstom Transport SA and Alstom Network UK Limited  EWHC 1585 (Comm).