Third Party Red Flags

Knowing who you conduct business with in your supply chain is a very good, if not leading, business practice. Many organizations are being held responsible for the actions of their business partners and vendors. In fact, most (more than 90%) Foreign Corrupt Practices Act (FCPA) violations involve a third party!

Whether it be the FCPA, the UK Bribery Act, or recently enacted anti-bribery and corruption regulations in other countries, governments are focusing on punishing organizations that make improper payments through third parties.

Certain signs or the lack of transparency in accounting records may suggest that improper payment activity has occurred or may be occurring. Standing alone, these red flags certainly do not prove the existence of illicit or improper activity. However, they may suggest the need for further inquiry and economic justification for certain business arrangements as well as greater vigilance and increased audit activity.

What is a Red Flag?

My definition is as follows – an observable action or event, or a pattern of actions or events (see a list of potential red flags by category – data, documents, lack of controls, behaviors) that could link to a concealment strategy and requires you to stop or pause, think and assess the situation, act accordingly and possibly investigate, and then rethink, ensuring you have eliminated any unconscious bias – be skeptical and you will be a STAR.

Practice Pointer

According to the ACFE, the six most common behavioral indicators of occupational fraud were: (1) living beyond means; (2) financial difficulties; (3) unusually close association with a vendor or customer; (4) excessive control issues or unwillingness to share duties; (5) recent divorce or family problems; and (6) a general “wheeler-dealer” attitude involving shrewd or unscrupulous behavior. These six red flags have been the six most common behavioral indicators since the ACFE began tracking this data in 2008.

Some fraud concealment strategies are easily detected. Let's use a vendor-billing scheme as an example. In a vendor-billing scheme the fraudster might employ the use of false documents, representations, and approvals, or simply override all controls, to on-board a vendor (possibly a shell company controlled by the fraudster) and hide the fraudulent nature of their activity.

Remember, not all concealment strategies are easily detected and thus red flags may not be observable as they might be hidden in plain sight or the concealment strategy put in play by the fraudster is just that good! That is why having a robust fraud risk management program is essential in the fight against fraud.

Warning Signs

The third-party warning signs that can portend FCPA problems are listed next. Although these red flags focus on agents and consultants, they apply equally to joint ventures, contractors, and other business partners.

The list below is in no particular order and is by no means complete (emphasis added).

  1. No track record in the industry.
  2. Third party has close ties to an existing or former foreign official.
  3. The agent or consultant resides outside the country in which the services are to be rendered.
  4. Payments to the agent or consultant are to be made outside the country and/or to a country linked to money laundering activity.
  5. Company wire transfers do not disclose the identity of the sender or recipient.
  6. The agent or consultant demands an unusually high commission without a corresponding level of services or risk (e.g., an agent who bears financial risks on delivery of goods or performs substantial pre- or post-sales services may be entitled to greater compensation than a pure commission agent/broker).
  7. The agent or consultant refuses to disclose its complete ownership, ownership structure, or other reasonable requested information.
  8. The commission payments to the agent or consultant are required to be made outside the country and/or to a country linked to money laundering activity.
  9. The agent or consultant’s commissions are greater than the range that is customary or typical within the industry and region.
  10. The agent or consultant refuses to sign representations, warranties, and covenants stating that he or she has not violated and will not violate the requirements of the FCPA.
  11. The agent or consultant requests or requires payment in cash.
  12. The agent or consultant requests that payments be made to a bank located in a foreign country unrelated to the transaction, or be made to undisclosed third parties.
  13. The agency or consultancy is headquartered in a country with a reputation for corruption.
  14. The agent or consultant requests a substantial up-front payment or fee.
  15. The agent or consultant insists on the involvement of other individuals or parties who bring no apparent value.
  16. The agent or consultant intends to or reserves the right to assign its rights or obligations to another party.
  17. The agency or consultancy is incorporated in a tax haven.
  18. The agent or consultant requests that false invoices or other documents be prepared in connection with a transaction.
  19. The transaction involves or takes place in a country with a general reputation for bribery and corruption.
  20. There is a lack of transparency in expenses and/or accounting records.
  21. A party to a contract requests that a cash or undisclosed campaign contribution be made to a foreign party.
  22. The agent or consultant insists on the involvement of individuals or other parties who bring no apparent value.

What the Department of Justice is Expecting

  • Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?
  • Appropriate Controls – What was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?
  • Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?
  • Real Actions and Consequences – Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved? Has a similar third-party been suspended, terminated, or audited as a result of compliance issues? How has the company monitored these actions (e.g., ensuring that the vendor is not used again in case of termination)?


As we all should have learned from a recent enforcement action, there is no requirement for the payment of a bribe for there to be a civil enforcement action brought by the SEC.

From a compliance program perspective, no third-party representative can ever be hired without appropriate due diligence.

If there is some level of due diligence that is less than standard, there must be an appropriate level of compliance review, coupled with senior management and, perhaps, even Board oversight.

  • All contracts must be in writing with clearly specified terms.
  • All invoices must be in writing, with sufficient specificity to enable a regulator (or auditor) looking at it years later to determine what services were delivered that were compensated by the company.
  • Auditing of third parties: A company was specifically sanctioned for not monitoring the activities of Agent No. 1.
  • Audit rights are specifically set out in the FCPA Guidance as appropriate compliance terms and conditions for every contract with third-party representatives. But you must do more than simply secure such rights; you must actually use them to make sure your third-party representative is not using the funds you pay them for nefarious purposes.

If you only draw one lesson from the above, it might be “having a compliance program is far from doing compliance”.

See my prior post on Third Party Due Diligence.

I welcome your comments and suggestions.


Jonathan T. Marks

Special thanks to Tom Fox for his contributions and friendship.