Introduction
This checklist is aimed at in-house lawyers and compliance professionals across various industries in the UK. This checklist suggests the steps an organisation should take in conducting due diligence on third parties to mitigate risk and promote compliance with the Bribery Act 2010 (BA 2010). Third parties to your organisation might be suppliers, distributors or other resellers, joint venture partners, subcontractors, agents, service providers, etc. Bribery risks can arise from working with external parties if they do not operate to the same or similar standards as your business.
The checklist covers the following steps:
- Prepare to conduct third party risk assessment and due diligence
- Conduct risk assessment
- Conduct due diligence
- Manage third-party bribery risk
- Review and monitor third party bribery risk
It is presented as a list of requirements that can be reviewed as they are addressed. It also includes explanatory notes and specific notes that correspond to each step in the checklist.
This checklist can be used in conjunction with How-to guides: Understanding the Bribery Act 2010 offences, Understanding penalties for breach of the Bribery Act 2010, How to prevent bribery and corruption and How to identify and assess bribery and corruption risk; as well as Checklists: Anti-bribery and corruption risk assessment and Anti-bribery and corruption procedures.
Step 1 – Prepare to conduct third-party risk assessment and due diligence
| No. | Task name |
| --- | --- |
| 1.1 | Record the rationale for engaging with the third party |
| 1.2 | Identify the internal and external resources required to carry out a risk assessment and due diligence |
| 1.3 | Identify and document the risk assessment and due diligence procedures |
| 1.4 | Ensure periodic engagement with senior management including sign-off on finalised risk assessment, due diligence and the decision on whether or not to proceed with the engagement |
Step 2 – Conduct risk assessment
| No. | Task name |
| --- | --- |
| 2.1 | Identify country risk |
| 2.2 | Identify sectoral risk |
| 2.3 | Identify transaction risk |
| 2.4 | Identify business opportunity risk |
| 2.5 | Identify business partnership risk |
| 2.6 | Assign an overall initial level of risk to the third party |
| 2.7 | Document the risk assessment |
Step 3 – Conduct due diligence
| No. | Task name |
| --- | --- |
| 3.1 | Review information provided as part of the procurement process |
| 3.2 | Request basic company information |
| 3.3 | Request information on ownership |
| 3.4 | Confirm whether the third party will have any relations with foreign public officials relating to the performance of the contract |
| 3.5 | Confirm whether subcontractors will be used in performance of the engagement |
| 3.6 | Conduct a search of available sources of information |
| 3.7 | Check the third party has a good track record of compliance with laws |
| 3.8 | Check the third party has a culture of compliance with anti-bribery laws |
| 3.9 | Clarify any queries arising from the due diligence |
| 3.10 | Consider results of the due diligence and feed them back into the risk assessment |
| 3.11 | Consider whether it might be possible to manage risks |
Step 4 – Effectively manage third-party bribery risk
| No. | Task name |
| --- | --- |
| 4.1 | Ensure that the contract with the third party includes appropriate anti-bribery clauses |
| 4.2 | Establish a process for ensuring that compensation is appropriate and paid through bona fide channels |
| 4.3 | Consider whether additional training would be beneficial |
| 4.4 | Ensure that there are systems in place to monitor the conduct of third parties |
| 4.5 | Consider whether the measures put in place as part of this step will be sufficient to mitigate the risk of bribery |
Step 5 – Review and monitor third-party bribery risk
| No. | Task name |
| --- | --- |
| 5.1 | Conduct refresher review of third parties |
Explanatory notes
General notes
This checklist sets out a structured set of steps you can follow in order to carry out a third-party risk assessment and due diligence.
What is third-party due diligence?
Within the context of bribery, third-party due diligence is the process of investigating, reviewing or auditing third parties in order to identify risks and allow for their management. Due diligence is typically carried out prior to entering into a contractual relationship with a third party and is important where that contractual relationship could lead to reputational damage or legal liability.
Why is third-party due diligence important in respect of bribery?
The engagement of third parties could lead to risk of legal liability under the BA 2010 and reputational damage.
A detailed explanation of the various BA 2010 offences and how they might be committed can be found in How-to guide: Understanding the Bribery Act 2010 offences. However, these are set out in summary below.
- The section 1 BA 2010 offence involves offering, promising or giving an advantage to another person. This other person could be a third party engaged by the company.
- The section 2 BA 2010 offence involves requesting, agreeing to receive or accepting an advantage. That advantage may be from a third party engaged by the company.
- The section 6 BA 2010 offence involves bribery of a foreign public official (eg, an owner of a third party).
Section 7 of the BA 2010 creates a corporate offence for organisations that fail to prevent bribery committed by their associated persons (ie, any person performing services for a commercial organisation, such as your business partners, agents and intermediaries, etc). However, even where an associated person commits bribery, it is a defence to the section 7 offence for an organisation to prove that it had adequate procedures in place to prevent those persons from committing bribery. The implementation of adequate procedures to prevent associated persons from committing bribery is therefore of utmost importance. The Ministry of Justice considers that procedures put in place by commercial organisations wishing to prevent bribery being committed on their behalf should be informed by six principles. Risk assessment and due diligence are two of these principles. Accordingly, risk assessment and due diligence are important elements of establishing that adequate procedures were in place to prevent bribery by associated persons.
Every third-party engagement will be different in terms of the risk to an organisation. The level of risk will vary depending on a number of factors, including the third party’s ownership, where they operate, what sector they operate in, etc.
The level of risk that a third party represents will feed into a determination as to the level of due diligence and mitigating measures to implement.
Step 1 – Prepare to conduct a third-party risk assessment and due diligence
Step 1 of the checklist covers the steps that your organisation should take in preparation for conducting due diligence on a third party.
For a more general guide on how to conduct a risk assessment to prevent bribery and corruption in your organisation and comply with the BA 2010, see Checklist: Anti-bribery and corruption risk assessment.
1.1 Record the rationale for engaging with the third party
At the outset, it is important to consider and record the rationale for engaging with a third party. This should include a record of the following:
- why it is necessary to engage a third party;
- why any alternative options were dismissed;
- how the third party was selected;
- why it is proposed that the third party in question is engaged;
- the jurisdictions in which the third party is incorporated and operates;
- the sector that the third party is active in;
- the role that the third party will play for your organisation; and
- the nature of the activities that they will undertake as part of that role.
This record of rationale should include an explanation of the qualifications that the third party possesses for the engagement in question. Such qualification might include their expertise, knowledge, past experience, licences, etc. This record will help to demonstrate that the third party possesses the necessary competence for the engagement and dispel any suggestion that engagement of and payment to the third party is anything other than a legitimate payment for services. There should be a valid business case for engaging the third party.
1.2 Identify the internal and external resources required to carry out a risk assessment and due diligence
You should identify the key internal personnel and external resources required to carry out due diligence on the third party. You should consider appointing a business unit or departmental senior executive (with sufficient seniority or authority) to oversee due diligence work undertaken by the chosen implementation team.
Allocate appropriate project management resources and budget – this should reflect the scale of the due diligence exercise to be conducted and the resources required. The need for budget is an important reason why senior management buy-in is critical.
1.3 Identify and document the risk assessment and due diligence procedures
Document the means of conducting the risk assessment and due diligence throughout the process. At the outset, this documentation should identify how the risk assessment and due diligence will be conducted, who is responsible for conducting them, which issues will be covered and the level of detail required.
1.4 Ensure periodic engagement with senior management including sign-off on finalised risk assessment, due diligence and the decision on whether or not to proceed with the engagement
Ensure periodic engagement with senior management to keep them updated in relation to this task and any changes to the original timeline or scope of the risk assessment and due diligence. Obtain their final sign-off on the results of the risk assessment, due diligence and the decision on whether or not to proceed with the engagement.
Step 2 – Assess risk
Step 2 of the checklist assists in identifying the risks presented by a third party in order to determine an overall risk rating which will inform the level of due diligence to undertake on the third party and the type of procedures to put in place to mitigate the risk of bribery.
2.1 Identify country risk
Country risk is an external risk which arises from corruption risks presented by countries in which third parties operate. According to the Ministry of Justice, country risk ‘is evidenced by perceived high levels of corruption, an absence of effectively implemented anti-bribery legislation and a failure of the foreign government, media, local business community and civil society effectively to promote transparent procurement and investment policies’.
One means of considering country risk is Transparency International’s Corruption Perceptions Index, which ranks 180 countries and territories around the world by their perceived levels of public sector corruption. The results are given on a scale of 0 (highly corrupt) to 100 (very clean).
Risk bands (high, medium and low) could be set and allocated to countries based on their points score.
Then give consideration to where the third party operates and where the project is to be located to determine an indicative level of country risk.
2.2 Identify sectoral risk
Although no sector is immune to bribery or bribery risks, there are some sectors in which the incidence of bribery is greater than in others. Sectors that seem to be prone to bribery include extractive industry, construction, transportation and storage, and information and communication. Therefore, companies active in these sectors might be considered high risk.
This does not mean that companies active in other sectors are necessarily low risk. Certain aspects of business might give rise to a higher risk of bribery. These include markets characterised by procurement and tendering, businesses reliant on supply chains, logistics issues that need to be managed, and businesses that need regulatory approvals or licences. Where one or a combination of these features is present, this will increase the sectoral risk.
2.3 Identify transaction risk
The Ministry of Justice acknowledges that certain types of transactions will give rise to higher risks such as charitable or political contributions, licences and permits, and transactions relating to public procurement. In contrast, a contract (eg, for cleaning services) in the UK where the third party is performing the services directly is likely to be lower risk.
2.4 Identify business opportunity risk
Ministry of Justice guidance states that business opportunity risks might arise in high value projects or with projects involving many contractors or intermediaries; or with projects which are not apparently undertaken at market prices, or which do not have a clear legitimate objective. The presence of any of these factors leads to an increase in the level of risk.
2.5 Identify business partnership risk
Entering into a business relationship with certain counterparties may present a higher level of risk than with others. Certain relationships may involve higher risk, for example, the use of intermediaries in transactions with foreign public officials; consortia or joint venture partners; and relationships with politically exposed persons where the proposed business relationship involves, or is linked to, a prominent public official. This is particularly relevant for the section 7 offence.
2.6 Assign an overall initial level of risk to the third party
Based on the identification of the various types of risk set out above, allocate an overall level of risk; for example, where the majority of risks identified were ranked as being high, then the third party is high risk.
The overall level of risk will then feed into the level of due diligence that should be carried out in Step 3. Clearly document the determination of the risk level and reasons for the determination.
A high level of risk suggests that due diligence should involve detailed due diligence. This may mean engaging external consultants to conduct a detailed investigation into the third party, physical visits to the third party, interviews with the third party’s staff, etc. In contrast, a low level of risk may, for example, take the form of desk-based due diligence focused on publicly available information.
2.7 Document the risk assessment
As a matter of good practice, document the risk assessment to bolster a defence to any section 7 prosecution. In addition, identify the due diligence that will be undertaken as a result of the outcome of the risk assessment along with who will be responsible, how it will be undertaken and issues it will seek to identify.
Step 3 – Conduct third-party due diligence
Step 3 of the checklist provides actions that you could take when conducting third-party due diligence. The level of due diligence to be conducted will be informed by the results of the risk assessment carried out under Step 2.
3.1 Review information provided as part of the procurement process
Review any information provided as part of the procurement process, including in any pre-qualification questionnaire or invitation to tender. Such documents normally include information about the company and questions on bribery and compliance matters. Consider whether the answers reveal any red flags (eg, any previous convictions for bribery on the part of either the third party or its senior management).
3.2 Request basic company information
Ensure that you obtain basic company information including details of incorporation (eg, year and country) and a company structure chart that identifies any parent or subsidiaries that will be involved in the provision of services. This will help you document the bona fides of the company and also identify any others from whom due diligence might be required.
3.3 Request information on ownership
Obtain information on both direct and beneficial ownership of the third party. Typically, you should identify all shareholders with a greater than 5% shareholding. Verify this information. This information is important for a number of reasons. It enables further due diligence to be conducted, it will help to establish whether any particular risks arise from ownership (eg, ownership by a foreign public official) and may also assist in related due diligence such as diligence related to sanctions.
3.4 Confirm whether the third party will have any relations with foreign public officials relating to the performance of the contract
Bribery of a foreign public official is a common form of bribery which can lead to the infringement of either section 6 BA 2010 or section 1 BA 2010. Foreign public officials may be in a position to be influenced in their role by receipt of a bribe. Accordingly, due diligence should seek to ascertain whether the third party might, in the performance of the contract, have any relations with a foreign public official. If so, this indicates a higher level of risk.
3.5 Confirm whether subcontractors will be used in performance of the engagement
Subcontractors add an additional layer of bribery risk. They have a relationship with your organisation but are one step removed from the main contractor (ie, your organisation does not have a direct contractual relationship with the subcontractor) and therefore it may be more difficult to have oversight over them and control their actions.
There could be liability for your organisation under sections 1, 2 or 6 of the BA 2010 where subcontractors are involved and all the other criteria for the offences are met.
For the purposes of the section 7 offence, the scope of the definition of ‘associated persons’ is broad. Section 8 of the BA 2010 provides that ‘a person (“A”) is associated with C if (disregarding any bribe under consideration) A is a person who performs services for or on behalf of C’ and goes on to state that ‘[t]he capacity in which A performs services for or on behalf of C does not matter’. The legislation does not limit associated persons to those who perform services directly for or on behalf of a commercial organisation and therefore it is possible that a subcontractor could be considered an associated person. Ministry of Justice guidance suggests that ‘[w]here a supply chain involves several entities or a project is to be performed by a prime contractor with a series of subcontractors, an organisation is likely only to exercise control over its relationship with its contractual counterparty. Indeed, the organisation may only know the identity of its contractual counterparty. It is likely that persons who contract with that counterparty will be performing services for the counterparty and not for other persons in the contractual chain’. However, this guidance is non-binding and there is yet to be case law which considers this point. Accordingly, approach the use of subcontractors with caution.
3.6 Conduct a search of available sources of information
Conduct a search of available sources of information for any information that might raise questions about the third party’s conduct, associations or ownership. This might involve a general internet search, a search of the website of any relevant regulator or the use of specialised screening services.
3.7 Check the third party has a good track record of compliance with laws
Due diligence should seek to obtain disclosure of any past proceedings or ongoing investigations into the company or directors for breach of the BA 2010 or other foreign bribery laws, such as the US Foreign Corrupt Practices Act 1977.
In addition to seeking disclosure of such proceedings, it may be prudent to conduct research of information in the public domain, which could reveal further information that raises question marks, for example, a close association or contractor relationship with a company that has been convicted of bribery offences.
Responses to questions about or research that reveals a breach of other laws (eg, competition laws) could indicate a lack of sufficient internal compliance training and controls. If directors of the company have been subject to individual criminal proceedings, this might indicate a lack of personal integrity.
3.8 Check the third party has a culture of compliance with anti-bribery laws
Carry out due diligence into the third party’s commitment to a culture of compliance with anti-bribery laws and the sufficiency of their own controls. In order to assess this, make a request for the following:
- a copy of any codes of conduct or other anti-bribery policies that apply to its business activities and those of its employees;
- a copy of any training materials given to members of staff and details of how frequently that training is refreshed;
- details of how employees and agents are vetted and any potential conflict of interest or Politically Exposed Person status is declared;
- a copy of any policies or a description of procedures in place that support a commitment to compliance, such as procedures for internal reporting of suspected misconduct (eg, a whistle-blower programme) or gifts and hospitality procedures;
- a description of how top-level management demonstrate a commitment to compliance; and
- a description of how compliance with anti-bribery laws is monitored or audited and any action taken to remediate non-compliance.
Carefully consider the responses to these requests. The third party’s compliance programme should be comprehensive, tailored to its activities and risks and communicated to employees and agents, with appropriate training given on a regular basis.
3.9 Clarify any queries arising from the due diligence
Seek clarification from the third party if the due diligence raises queries that require more information or which raise risk. Depending on the nature of the query, it may be prudent to involve either internal or external legal counsel in this process to determine what information is needed and how to best verify it.
External verification of the answers may be required. This might be sought through information on the public record, court documentation, external experts or references.
3.10 Consider results of due diligence and feed them back into the risk assessment
Once due diligence has been carried out and any clarifications and verifications received, consider the results of the due diligence and feed back into the initial risk assessment. Consider whether any of the results of the due diligence mean increasing or decreasing the risk level. The resulting risk level will be indicative of the extent of measures that need to be put in place to manage the risk.
3.11 Consider whether it might be possible to manage risks
If the risk of bribery is more than low and an initial consideration suggests that it will not be possible to manage the risk of bribery, then it may be in the organisation’s best interests to walk away from the engagement. Record the reasons to proceed or not at this stage. If it might be possible to manage the risks then appropriate measures to do so would need to be considered (see Step 4).
Step 4 – Managing third-party bribery risk
Commercial organisations should adopt a risk-based approach to managing bribery risks. The Ministry of Justice acknowledges that no policies or procedures are capable of detecting and preventing all bribery and advocates for a risk-based approach with procedures that are proportionate to the risks faced by the organisation.
The measures that should be taken to address risk and the procedures that should be put in place will depend on the outcome of the risk assessment and due diligence both in terms of subject matter and scope. The considerations below represent an indicative but non-exhaustive list of some of the steps that might generally be appropriate in mitigating third-party bribery risk.
4.1 Ensure that the contract with the third party includes appropriate anti-bribery clauses
The insertion of appropriate anti-bribery clauses into the contract with the third party is important in ensuring that procedures are in place to prevent bribery. Contract clauses are also important in ensuring that if bribery takes place (or is suspected) your organisation becomes aware of it and has rights to obtain the information that it needs to assess the potential impact and the next steps to take.
4.1.1 Compliance with your organisation’s anti-bribery programme
There should be an obligation on the third party to comply with your organisation’s anti-bribery programme. This might include your organisation’s code of conduct, business values, policies and procedures, etc.
4.1.2 Compliance with anti-bribery laws
The contract with the third party should contain an express obligation on the part of the third party to comply with all anti-bribery laws applicable either to them or your organisation. Such an obligation should also explicitly include a requirement that the third party will procure that its employees and agents (including subcontractors, service providers, etc) will not offer or accept anything of value that might be considered as improper or amount to bribery in order to obtain, influence, induce, reward or secure any improper advantage in connection with the contract.
4.1.3 Flow-down of requirements to subcontractors
Where subcontractors are to be used, the contract should provide for appropriate flow-down of bribery obligations in substantially the same terms as contained in the contract between your organisation and the main contractor.
4.1.4 Reporting requirements
In order to ensure that your organisation becomes aware of bribery within the third party or its subcontractors, it is prudent to include a requirement that the third party report any known or suspected breach of its contractual obligations related to bribery.
Similarly, you may wish to insert a requirement to report certain other events, for example, a foreign official becoming an owner of the third party.
4.1.5 Audit rights and cooperation in investigations
In the event of bribery or suspected bribery, your organisation may need access to documents and records of the third party. Accordingly, the contract should contain an obligation on the third party to maintain proper books and records relating to the performance of the contract and an obligation to allow for audit or access to these books and records by your organisation.
In addition, it may be prudent to include in the contract a cooperation obligation on the third party in the event of an investigation into your organisation which relates to the performance of the contract.
4.1.6 Representations, warranties and indemnities
You may wish to consider certain representations and warranties, for example, inclusion of a representation or warranty that neither the third party nor any related party involved in the performance of the contract is a foreign official.
You may also wish to consider an indemnity clause under which your organisation would be indemnified against any losses arising from breach of any representation or warranties or any other breach of the anti-bribery obligations.
4.1.7 Termination rights and sanctions
In the event that your organisation knows or has reasonable grounds to suspect that there has been a breach on the part of the third party of any of its contractual obligations related to bribery, there should be an immediate right to terminate the contract with the third party or to suspend any payment to, or services supplied to, the third party.
Consider whether there is an additional benefit to including sanctions in the event of breach by the third party of its contractual obligations related to bribery.
4.2 Establish a process for ensuring that compensation is appropriate and paid through bona fide channels
Establish that procedures are in place to ensure that compensation to be paid to the third party is justifiable for the services rendered and that this is paid through bona fide channels. For example, your organisation may make it a policy not to pay offshore accounts.
4.3 Consider whether additional training is required
Depending on the level of risk and the sufficiency of compliance measures already in place internally within the third party, it may be prudent to require that staff from the third party undertake additional training prior to working on the relevant project.
4.4 Ensure that there are systems in place to monitor the conduct of third parties
Due diligence should be ongoing in the sense of continual monitoring of any changes that might raise the risks associated with the third party (eg, new ownership which includes a foreign public official). Specialist services are available that could assist with this; alternatively, other free options such as setting up Google Alerts may be sufficient to keep abreast of any changes.
4.5 Consider whether the measures put in place as part of this step will be sufficient to mitigate the risk of bribery
Referring to your risk assessment, consider whether the risk management steps put in place will be sufficient to manage the risk of third-party bribery. If additional measures are required, consider their implementation. If the risks cannot be adequately managed then you will need to consider whether to proceed with the engagement. Document this assessment.
Step 5 – Review and monitor third-party bribery risk
Step 5 of the checklist considers the actions that should be taken on an ongoing basis to ensure that your due diligence is kept up to date.
5.1 Conduct refresher review of third parties
Your policies should state how often to conduct a review of your due diligence on a third party. In addition to refreshing due diligence on a new engagement, you may wish to consider a policy of refreshing due diligence when the third party merges with or acquires another company, there is a change in company ownership or structure, or there has been a breach of the bribery laws, money laundering regulations, etc. Conduct regular periodic reviews to ensure that risks remain the same and are mitigated against. Document these reviews and record any changes, along with the steps taken to address any increase in risk.
Additional resources
Related Lexology PRO content
How-to guides:
Understanding the Bribery Act 2010 offences
Understanding penalties for breach of the Bribery Act 2010
How to identify and assess bribery and corruption risk
How to prevent bribery and corruption
How to conduct an internal investigation into bribery allegations
Checklists:
Anti-bribery and corruption risk assessment
Anti-bribery and corruption procedures
Charitable and political donations
Gifts and hospitality