How to do FCPA due diligence on third party intermediaries

Typically, a TPI refers to an individual or entity engaged by a company to assist in any function of the business involving interaction with the government. TPIs are different from other suppliers or vendors in that their behaviour creates a touch point with the government in relation to the business of the company, exposing the company to a risk of FCPA compliance.

Certain TPIs are easily identifiable as their function naturally implies an interaction with the government. By this token, litigation lawyers, tax agents, customs clearance brokers or company registration agents are all TPIs. In other cases, the interaction between a vendor and the government may not be obvious. Here is a recommended and non-exclusive list of indicators that helps to identify the potential interactions: (1) the vendor is designated or recommended by the government; (2) the vendor that sends you certain licences, permits or records of filing issued by the government and in name of your company; or (3) the vendor asks your company for reimbursement by showing an invoice or receipt issued by the government.

Interacting with the government does not necessarily qualify the vendor as a TPI. Two more conditions must be satisfied. First, the TPI should be an entity independent from the control of the government or it might be considered simply a so-called “instrumentality” of the government and thus not an independent vendor at all. These “instrumentalities” of the government are prevalent in China. A significant number of shi ye dan wei (事业单位) assumes more or less administrative functions and thus may be regarded as quasi-government entities.

The second additional condition is that the interaction must relate to the business and be on behalf of the company. For example, a newspaper platform accepts subscription from all kind of members, including government officials, business members and individual members. The routine member mixers discussing the economic environment or general policy issues are insufficient to render the platform a TPI because they are not specifically relevant to its business members' business.

Going through the process

A robust pre-engagement due diligence usually contains a questionnaire to be completed by the TPI, and a third party forensic investigation through public sources and the internet. A standard questionnaire will include three parts: information on the business, information on the key persons associated with the business and a consent form to be signed by the TPI for third party forensic investigation. The questionnaire gives an opportunity for the TPI to disclose its or its key persons' relationship with the government.

The third party forensic investigation undertaken is to ascertain and confirm the TPI's qualification, reputation and relationship with the government. Due diligence has at least two levels: level one involves open source intelligence on the target and its owners, controllers and key executives, checking relevant industry sources, adverse media reports, litigation or records of misrepresentation, retrieving and analysing information in the global public domain such as OFAC, UN, EU and other sanction lists; level two involves discrete inquiries and in-depth integrity due diligence on certain TPIs on specific issues identified in level I.

Finding the red flags

Certain signs revealed in the due diligence may suggest compliance risks and the need for further inquiries. A list of such red flags include: (1) misrepresentation of the TPI's and its key persons' professional, academic qualifications and career details; (2) misrepresentation of the TPI's corporate interests; (3) key persons identified as being involved in potentially illegal or unethical conduct; (4) adverse media coverage; (5) litigation, sanctions, debarment; (6) key persons holding positions in the local people's congress, political parties or organisations in close association with the government; and (6) the close family members of the key persons holding positions in the government and the ruling political party.

With the red flags identified, the compliance team of the company may be able to decide whether to begin the engagement, and the reasonable level of protection the company may need, for example, inserting a tailored FCPA clause into the contract or obtaining an enhanced audit right towards the TPI.