India is one of the most high-risk jurisdictions for bribery and corruption risks. According to Transparency International’s report in 2022, India ranks 85th in the world in terms of the Corruption Perceptions Index. In India, it is an accepted culture to use intermediaries for obtaining permissions, approvals, licenses, creating high risk for corruption on account of significant interaction between the government agencies and the agents acting on behalf of the company. While this offers access to specialized expertise and scalability, third parties expose organizations to unforeseen vulnerabilities. Regulators across the globe expect companies to have effective oversight on third parties. Interestingly, majority of reported Foreign Corrupt Practices Act (FCPA) cases have involved bribery through third parties. Just last year, a global chemical manufacturer agreed to pay more than USD 218 million to resolve probes by the Department of Justice and U.S. Securities and Exchange Commission into reported violations of the FCPA tied to the company’s participation in corrupt schemes to pay bribes (through its third-party sales agents and subsidiary employees) to government officials in multiple foreign countries, including India, Vietnam and Indonesia. In 2020, a leading alcoholic beverage maker, agreed to pay around USD 19 million to resolve FCPA charges of improper payments by its Indian subsidiary. The Company paid bribes/improper payments to various Indian government officials to obtain or retain business in the Indian market, majority of which was through third-party sales promoters and distributors. Similarly, in 2019, an American multinational information technology company agreed to pay USD 25 million to settle FCPA charges, and two of the company’s former executives were charged for their roles in facilitating the payment of millions of dollars in a bribe to an Indian government official through a third-party contractor / vendor. Also, sanctions by US anti-corruption authorities on the Arkansas-based global retail corporation, in 2019, of USD 282 million for violating the FCPA – all these cases go on to prove that a strong internal compliance program is crucial for smooth business operations. By proactively carrying out some basic measures, companies can go a long way in safeguarding their fiscal, legal and reputational interests. For a company to assess its preparedness to effectively manage risks posed by third parties, it needs to self-assess (a) the necessity for third parties; (b) the overall reliance on third parties and (c) the extent of oversight on their actions.
So, what systems, processes, policies and procedures a company can implement to protect their business while working with third parties? Well, as a practical first step, a standard operating procedure / guideline should be introduced for conducting diligence/on-boarding and all dealings with third parties. Companies are required to conduct a comprehensive due diligence (and categorizing third parties based on the level of risks) at the time of onboarding, which can be done in-house or by an external consultant. Detailed diligence must be carried out on third parties who may be required to interact with government entities and officials on behalf of the company and findings should be properly documented. Personal acquaintances or prior business relationships should not be the reason to not conduct due diligence and background checks.
In addition to conducting proper due diligence, written agreements should be executed with third parties, which provide for (apart from scope of services and agreed remuneration) robust anti-bribery/anti-corruption compliance clauses, compliance with the company’s internal policies, right to audit and terminate if the third party fails to abide by such obligations. Agreements should also include clauses intended to mitigate cybersecurity and data privacy risks. In case, where only purchase orders are being issued, the terms and conditions of such purchase orders should contain obligations to comply with anti-corruption provisions, similar to the requirements laid down under the agreements. The company should also secure a third-party declaration to abide by the company’s policies and procedures.
Further, third-party payments must be subject to extra scrutiny and vague or ambiguous payments must be questioned. It is a good practice to, benchmark cost through competitive bids and provide anti-bribery and anti-corruption (ABAC) trainings (online or in-person) to third parties, if the work profile allocated to them carries a significant risk, such as interaction with government officials. The key point here is that companies must also ensure that comprehensive risk management controls are in place to detect and prevent third party risks on an ongoing basis (through regular assessments, audits and review of vendor controls).
Subsequent to an amendment in 2018 to Indian’s principal legislation for combating bribery and corruption involving public officials, the Prevention of Corruption Act (PCA), Indian companies can also be held liable for bribes given or offered by ‘persons associated’ (which includes third parties) to public servants on their behalf. It is immaterial whether a public servant obtains or accepts or attempts to obtain the undue advantage directly or through a third party. PCA imposes liability on directors, managers, and other officers of companies who consent to or conspire with an individual who commits PCA violation. Foreign commercial entities conducting business in India also come under the ambit of PCA.
With this in mind, it is paramount for companies to ensure that the third parties understand the standards/policies (zero-tolerance to fraud/unethical behavior) and agree to adhere to those standards. Senior leadership needs to reiterate the need for honesty and integrity at all levels of the organization and all stakeholders (including third parties) should report any suspicious behavior or fraud. To summarize, a dedicated/comprehensive risk assessment process (considering India specific operational and regulatory risks) should be implemented to understand the risks from an anti-corruption compliance perspective, in relation to the nature of business transactions undertaken with and by third parties.
Written by Madhvi Datta, Partner, Kocchar & Co.