Whether your organisation does business only in South Africa or across multiple jurisdictions, today's business environment requires significant reliance on external partners. This, however, can expose you to corrupt activity by these third parties, for which your organisation could be held liable without a proper due diligence process in place.
The Prevention and Combating of Corrupt Activities Act, 2004 ("PRECCA"), is the central law governing anti-corruption in South Africa. It also has extra-territorial reach, meaning that individuals and organisations domiciled in South Africa can be prosecuted for the corruption of public officials in other countries. PRECCA is generally in line with international standards to which South Africa is a signatory, including the Organisation for Economic Co-operation and Development (OECD) Convention on Combating Bribery of Foreign Public Officials in International Business Transactions ("OECD Convention").
If your organisation has operations or does business in foreign jurisdictions, it is most likely subject to the domestic anti-corruption legislation of those jurisdictions. Many of those jurisdictions, however, also have extra-territorial anti-corruption legislation, which is increasingly enforced against organisations and individuals globally. Notable examples are the United States (through the Foreign Corrupt Practices Act, "FCPA") and the United Kingdom (through the United Kingdom Bribery Act, "UKBA"). Other jurisdictions, including France, Canada and the Netherlands, are also increasing global enforcement of their extra-territorial anti-corruption legislation.
The case for implementing anti-corruption measures
Under South African legislation, your organisation is subject to corporate criminal liability, which means that it could be prosecuted for bribery and corruption offences. Furthermore, there are regulatory and legal obligations that require organisations to combat corruption.
Regulations to the South African Companies Act, 2008 require listed companies, state-owned entities and certain other companies to establish social and ethics committees to ensure that the organisation complies inter alia with the OECD Convention.
If your organisation is subject to the UKBA, it is important to know that the UKBA criminalises the failure of organisations to prevent bribery and imposes strict penalties.
If your organisation is subject to the FCPA, the Department of Justice and the Securities Exchange Commission, which enforce the FCPA, will evaluate whether the organisation has an appropriate anti-bribery and corruption compliance programme in place when deciding whether to bring charges against the organisation.
The role of third parties in corruption
Reported law enforcement actions over the past decade under the FCPA and UKBA reveal that the majority of corrupt corporate activities involve third parties that the organisation does business with.
These third parties can be found throughout the business cycle of an organisation, including through:
- the supply chain (vendors and suppliers);
- the sales process (agents, distributors, foreign and local customers);
- advisors and consultants;
- outsourcing (payroll, accounting, tax and custom clearing agents); and
- the expansion of the organisation's footprint (consortia, joint venture partners).
Domestic legislation expressly prohibits bribes made on behalf of the organisation through third parties. Some foreign extra-territorial legislation, however, extends liability to the organisation in circumstances where the organisation may not have direct knowledge of the misconduct of the third party:
- the FCPA provides that knowledge of the third party's misconduct includes "conscious disregard" and "deliberate ignorance" on the part of the organisation;
- the UKBA provides for strict liability of the organisation where the bribe is made by the third party, unless the organisation can demonstrate that it had adequate procedures in place to prevent corruption involving its third parties.
The importance of conducting due diligence on third parties
In South Africa, the King IV Report on Corporate Governance for South Africa, 2016 ("King IV"), a set of voluntary corporate governance principles and recommended practices to achieve the governance outcomes, places a strong focus on combatting corruption through compliance. Organisations with primary listings on the Johannesburg Stock Exchange are required to adopt, implement and disclose compliance with King IV. Certain of the recommended practices of King IV regarding compliance are also entrenched in the South African Companies Act.
Previous global enforcement actions suggest that an effective anti-bribery and corruption ("ABAC") compliance programme can influence a regulator's or law enforcement's decision to initiate prosecutions against an organisation and can influence the value of the fines.
Best practice requires that an effective ABAC compliance programme consists not only of appropriate codes of conduct, ABAC policies and procedures, risk assessments, training and ongoing monitoring procedures, but also the performance of appropriate due diligence procedures over third parties that the organisation does business with:
- the resource guides to the FCPA, issued by the US Department of Justice and the Securities Exchange Commission, repeatedly emphasise the need to perform due diligence over third parties in order to minimise the likelihood of violations of the FCPA;
- guidance on the UKBA, issued by the UK Serious Fraud Office, specifically references third party due diligence as one of the six principles that organisations should consider when implementing an effective ABAC compliance programme.
An organisation requires a robust and appropriate third-party due diligence process as part of its overall ABAC compliance programme, not only to avoid the pitfall of engaging with a third party of questionable ethics, but also to demonstrate to the regulator that it has taken appropriate measures to mitigate the risk of corruption posed by its third parties.
What is the aim of a third-party due diligence process then?
A third-party due diligence process ("TPDD process") aims to:
- gather sufficient information for the organisation to be able to assess the ABAC risk posed by the third party;
- determine whether, as a result of the initial information provided and assessed, enhanced due diligence procedures are required and, if so, perform the enhanced procedures;
- assess the risk level posed, i.e., traditionally low, medium or high risk;
- take an informed initial decision as to whether the organisation wishes to enter into or continue the business arrangement with the third party;
- where it is initially decided to enter into or continue with a third party assessed with higher risk, determine whether the risk can be mitigated to a level of risk that the organisation is comfortable with, for example, through additional monitoring procedures or through the introduction of anti-corruption clauses, warranties or representations in the contracts to be concluded; and
- document the processes followed.
Steps before designing and implementing a TPDD process
An appropriate ABAC compliance programme must initially consider where the organisation is exposed to the risks of corruption, and a risk assessment should therefore be performed by the organisation to identify such risks. The TPDD process should therefore be designed to focus on preventing and mitigating those key risks that may involve its third parties.
A TPDD process needs to be flexible so as to accommodate future risks that may be identified through regular ongoing ABAC risk assessment by the organisation.
A TPDD process should be designed to complement and make use of existing processes of the organisation, including standard supplier vetting processes (including financial stability), B-BBEE verification procedures, customer vetting procedures (including credit scoring) and other processes that may already be in place in the organisation, such as community investment, sustainability, anti-fraud, anti-sanctions and anti-money laundering measures.
A TPDD process should be continuous throughout the life cycle of the business relationship with the third party. Depending on the changing risk environment and the risk score ultimately attributed to the third party, regular re-assessments of the third party should take place at suitable junctures.
In our next article, we will provide specific details regarding the design and implementation of an appropriate TPDD process.