
Four Regulatory Enforcements Against Alleged Third Party Compliance Failures

Global companies have been fined hundreds of millions of dollars for alleged compliance breaches in the last year. Whether the allegations against them related to bribery and corruption or breaches of new human rights due diligence legislation, a recurring theme in many cases was the involvement of third parties. In the first blog in our Third-Party Risk series, we dive deeper into four of those cases and offer clear lessons that companies can learn to improve their third party due diligence–with help from LexisNexis.

Regulators are actively enforcing against unmanaged third party risks

Managing risk should be a priority for any company in the modern world of business characterized by interconnections and globalized supply chains. Companies are generally able to control their own activities to ensure they comply with regulatory requirements and ethical expectations. But they have less control over, and more risk exposure from, the activities of their third parties, suppliers and subsidiaries. These risks are reflected in the frequency with which third parties were cited in the regulators’ explanations of recent enforcement actions against companies. For example:

Enforcement 1: A chemicals firm was fined $218 million by US regulators in September 2023 over its alleged use of third parties to bribe government officials in Vietnam, Indonesia and India. This violated the US Foreign Corrupt Practices Act (FCPA), which prohibits foreign bribery. At the announcement of the settlement, the US Attorney warned other firms: “Corruption has no borders, but neither does justice. Companies are expected to adhere to the same ethical and legal standards whether they are doing business on US soil or overseas.”

The lesson from this fine is that firms need to carry out due diligence on all third parties to determine their risk of bribery and corruption. They should employ a risk-based model which applies enhanced due diligence to third parties in countries or industries with a greater perceived risk of corruption. In this case, the firm in question also received leniency from the regulator because they identified and self-reported the activity, which is further incentive for companies to put in place effective third party monitoring.

Enforcement 2: In March 2023, a multinational telecommunications company based in Sweden pleaded guilty to breaching the anti-bribery provisions of the FCPA and was fined $206 million. This came after it allegedly failed to meet the conditions of a previous Deferred Prosecution Agreement over alleged bribery of government officials and falsification of records in China, Vietnam, Indonesia, Kuwait and Djibouti. The regulator singled out the use of third parties to allegedly facilitate bribery payments and hold “slush funds”.

This fine offers several takeaways for compliance officers. One is that Politically-Exposed Persons (PEPs) such as government officials can raise the risk of bribery and corruption, so checks should be done against lists of PEPs to identify any connections to third parties. This case also showed that regulators will come down especially hard on companies which have been warned in the past, as this firm was already under a Deferred Prosecution Agreement. A company’s senior management should set clear expectations to employees and third parties about conducting business ethically and in line with all relevant regulations.

Enforcement 3: A UK tobacco firm agreed to pay more than $635 million in April 2023 after its subsidiary in Singapore admitted to violating US sanctions by selling products to North Korea. The US has previously imposed economic sanctions against North Korea to ensure companies are not indirectly supporting its nuclear and ballistic missile activities.

This fine reflects the growing risk firms face from economic sanctions. Sanctions are constantly being imposed, and lifted, by national authorities like the US and Russia, and supranational bodies like the United Nations and the European Union. Firms need to screen all third parties and subsidiaries against sanctions lists to ensure they are not inadvertently in breach, or face severe penalties. Regulators also expect them to refresh this monitoring on an ongoing basis to capture any future changes.

Enforcement 4: One of the first cases under Germany’s Supply Chain Due Diligence Act was brought against several major car companies in mid-2023. It was alleged that forced labor was involved further down the supply chain in the production of their vehicles in Xinjiang, China. These are only allegations at the time of writing, and no fines or convictions have followed.

A key trend in global legislation and regulations has been to mandate companies to carry out human rights and environmental due diligence on their third parties and suppliers. It often takes a few years for enforcement actions to follow the introduction of new regulations, so it is significant to see cases already being brought only six months after Germany’s legislation came into force. The lesson for companies is that it is no longer enough to carry out due diligence on third parties for legal and financial risks, but they must also understand their third parties’ ESG records.

What should companies do?

It should be clear by now that, if companies fail to identify and manage third-party risk appropriately, they will face legal and financial penalties–not to mention reputational damage and strategic risks of interruptions to their operations. It is therefore critical that companies embed a due diligence process that captures all relevant risks posed by current and prospective third parties, to allow management to decide whether or not to proceed with each third party relationship.

Technological tools can make this process more efficient and effective than requiring compliance officers to spend vast amounts of time undertaking manual searches. Solutions like Nexis Diligence+™ allow companies to upload spreadsheets of their third parties, then provide risk scores based on a search of our comprehensive data sources. These include:

  • Reputational, legal and financial content, including sanctions, blacklists, Interpol watch lists, and more.
  • A global news archive that draws from more than 38,000 sources, some dating back 40 years.
  • A trove of legal documents, including cases, dockets, verdicts and more.
  • ESG ratings and news so you can determine who is (and isn’t) living up to their commitments.

Looking for more tips on how to implement an effective due diligence operation to identify and manage third party risks? Our new E-Book identifies the ten main trends companies need to understand and respond to. Download it for free today.
