Conducting the Critical Compliance Risk Assessment: Your Customers

By GAN Integrity

This post continues our series on risk assessment components. In our last post, we analyzed geographical considerations. We now turn to another key aspect of the compliance risk assessment: your company’s customers and how they engage in business. Knowing your customers is a basic part of complying with pivotal anti-corruption laws such as the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act (UKBA), which prohibit offering and giving bribes to foreign government officials.

Both laws focus on your customer counterparty’s position, role, and associations. If your customers are government agencies, ministries, or state-owned companies, the customer representatives you deal with are likely “foreign officials” (or the equivalent) under the FCPA, UKBA, and other anti-corruption laws. The coverage of applicable persons is broad and includes government officers and employees, consultants and agents acting on behalf of foreign governments, employees of public international organizations (like the World Bank or UN), and officials and employees of state-owned enterprises.

For example, if you provide healthcare products to a state hospital in another country, chances are that the hospital officials and doctors you are dealing with would be considered foreign officials by relevant law enforcement authorities. The same would apply if you contract directly with state utility companies, energy companies, universities, or defense organizations. Even if your end customers are private companies, paying bribes to a board member or executive who also holds a government position could subject your company to liability under the FCPA and similar laws. (And even if they aren’t foreign officials, you could still face liability under private-to-private bribery laws that apply, such as the UKBA.)

Once it has been determined whether the people you are dealing with are possibly foreign officials, the focus shifts to putting in place procedures and controls to help guard against the risk that bribes might be offered or provided to them. For example, you might want to develop a “web-based approval process to review and approve routine gifts, travel, and entertainment involving foreign officials and private customers with clear monetary limits and annual limitations” in order to help prevent and detect potential wrongdoing. Depending upon your assessment of the likelihood and severity of the bribery risk in this (and other related) context(s), internal controls over petty cash, accounts payable, entertainment, travel and other accounting areas may be appropriate – combined with inclusion in the annual internal audit plan.

It is also important to consider the facts and circumstances of your customers’ specific projects and the risks those transactions themselves present. What is the risk that a particular customer may act unethically in a given tender or project? For example, consider the following issues (adopted from OECD, World Bank, and UNODC, Anti-Corruption Ethics and Compliance Handbook for Business):

  • Whether there is reason to believe that a potential customer may operate corruptly – given its past history or standing – and that adverse reputational consequences could flow from being involved in the project;
  • Whether the customer will operate “a genuine, transparent, robust, competitive tender process” for the proposed project – or whether a form of collective action may be desirable to apply commercial and civil society influences to support fair and open competition;
  • Whether there is anything suspicious about the tender or project (for example, if it appears that it includes biases towards a particular technology or standard that seemingly favor a certain supplier);
  • Whether there is any way the contracting or tender process could be subverted (for example, through late stage technical revisions or procedural amendments);
  • Whether it is possible for an honest bidder to win on merit; and
  • If a bid were not won on merit, whether there would be a right to protest or other recourse to overturn the corrupt award and/or recover some or all of the expended costs.

The specific risks associated with interactions with government officials – whether customers, regulators, or others – are another area of analysis within the overall corruption risk assessment. We’ll discuss this topic in our next post.
