Oct 10, 2011

First line of defense in third-party risk

Companies face liability risks from vendors, business partners and customers.

Although companies find tracking their own regulatory compliance a tough enough challenge, they should be aware that they can also be held liable for the breaches of others, including business partners, vendors and even customers. From money laundering and bribery to data security and privacy, regulators are increasingly focusing on corporate activities that cross organizational boundaries. When the operations of two businesses intersect, both are often liable for compliance: if one company slips, the other can become entangled in something its executives may not even have realized was happening.

Fairfield County Bank is a financial institution in a heavily regulated industry where data privacy is mandated by law. Vice president and compliance officer John Bonora rates every company the bank does business with for the risk of its disclosing sensitive information, including contractors and cleaning companies – yes, contractors and cleaning companies. "If a vendor has access to a facility, that inherently increases a risk of disclosure of information because [its workers] might see something," Bonora says.

Equally disturbing is the fact that a third party's actions can, in effect, break the law on behalf of the primary company. Regulators and prosecutors may take management's knowledge of an issue into account, but they often don't have to. In such cases, a third party can drag a company into the fray. "Many of these laws are strict liability laws," explains Ed Rubinoff, a partner with law firm Akin Gump. "If you break one, you're liable."
 
Damage in more ways than one

Even without a formal finding against a company, publicity can be damaging, as Apple learned when workers at a Foxconn contract plant in China committed suicide. Or a company could find itself the defendant in a shareholder lawsuit – according to partners at Reed Smith, the law firm has defended more than 60 class actions that arose from data security breaches.

"When you outsource and rely on operations overseas, the downside is increasing the risk of compliance or quality issues, and decreasing your visibility into what third parties are doing," says Frank Murray, senior counsel at Foley & Lardner.

The danger does not come only from vendors or joint venture business partners, either. Customers, clients and counterparties offer additional potential for risk contagion, according to Kelvin Dickenson, senior product director of global risk management solutions at Dun & Bradstreet. "There is a whole range of money laundering and terrorism financing laws that can come into play."

Although money laundering regulations primarily affect financial services companies, terrorism financing regulations can apply to any organization, Dickenson points out. Business partners have no shortage of ways to deliver trouble to a company: data privacy laws, money-laundering statutes, anti-corruption and anti-bribery laws, and import and export controls are just a few.

Anti-corruption legislation, such as the US Foreign Corrupt Practices Act or the UK Bribery Act, can leave a company exposed when business partners or agents make illegal payments. "You may not even have a controlling interest [in a joint venture], but you can have liability and exposure and risk," says Glenn Pomerantz, a partner with BDO Consulting and co-leader of the firm's anti-corruption practice. "We've run across that several times where US companies have ventures abroad." The BRIC nations – Brazil, Russia, India and China – are particularly fertile ground "because those countries are booming and they have a historical culture that is a little bit blind to – or accepting of – corruption," he adds.

Changing regulations can also put unprepared partners under the onus of complying with laws they never had to consider before. A bank that previously had no direct responsibility under the Health Insurance Portability and Accountability Act (HIPAA) might now have one if processing payment information for hospitals puts it in direct contact with patient information, explains Mark Melodia, head of the global data security and privacy practice at Reed Smith, adding that even if such a bank is familiar with Gramm-Leach-Bliley privacy requirements, it likely does not understand HIPAA compliance.

Alternatively, a company could make a sale to the US government and suddenly find itself – and, as a result, its subcontractors – the subject of regulations. Logan Robinson, a distinguished visiting professor at the University of Detroit Mercy School of Law and former Delphi general counsel, offers this example: "You could, with the smallest modifications, sell a tailpipe to a defense contractor for use in government vehicles." Suddenly, the product is no longer considered off-the-shelf, but something specially modified for the government. "And that means you have suddenly signed up for the Federal Acquisition Regulation System regulations," Robinson adds.

Keeping others in line

A company can't assume that partners, vendors, agents or customers won't drag it into regulatory and legal conflicts, so the first step to avoiding problems is anticipation. "The organizations handling it best are asking themselves, 'How do we address this in the context of overall risk management?'" says Brian Barnier, a principal at ValueBridge Advisors.

As with handling the compliance of international subsidiaries, a company should have all the necessary people communicating, given how many functional areas different regulations can involve: finance, IT, legal, human resources, marketing, sales and operations. Compliance must become an activity tied to core business objectives, because it affects the performance of those objectives. That means having compliance-related metrics for which executives are accountable, and making compliance a factor in compensation.

Companies should review all service level agreements annually, not just when they are up for renewal, and ensure their vendors actually comply with the compliance fine print. "Unless they're being pointed to where that language is in the contract, they're not so focused on it," says John Fodera, a partner with accounting firm EisnerAmper.

A company should ensure that contract clauses support compliance rather than defeat it. Can a vendor or customer claim it made good-faith efforts in order to avoid liability? Does the company have audit rights to inspect a partner's operations? Equally important, corporations should investigate the reputations and practices of third parties before doing business with them. If things go wrong, having done proper due diligence can go a long way toward calming regulators and prosecutors.

Corporate secretaries or compliance officers can act as hubs for third-party compliance. Barnier says they can make a difference by "educating themselves enough to identify the different types of third-party risks and then mentioning [these risk types] to colleagues so they can take advantage of them," by which he means alerting executives and then creating a plan to avoid risks before things go wrong.

Monitoring your own compliance is time-consuming. Adding vendors, partners and customers to the scope makes it that much harder. But it is a necessary investment, one that can mitigate or eliminate the pain of investigations and fines.

Erik Sherman

Erik Sherman regularly covers business and technology for national and international magazines and is also a book author and playwright.