Introduction
This checklist suggests steps an organization can take to conduct risk-based, pre-engagement due diligence of third-party intermediaries, to prevent violations of the Foreign Corrupt Practices Act (FCPA). It is aimed at in-house counsel and compliance teams in organizations of all sizes and sectors in the United States.
The checklist addresses the following:
- Determine the level and order of the due diligence process
- Analyze and evaluate existing or potential third-party intermediaries
- Undertake specific due diligence investigation of third parties
- Determine whether to engage third-party intermediary
- Conduct ongoing governance and compliance
It is presented as a list of requirements that you can check off as each is addressed. At the end of the document, there are explanatory notes corresponding to each requirement in the checklist.
There is no one solution to ensuring FCPA compliance, so due diligence procedures should be tailored to an organization's specific circumstances.
For further information on compliance in terms of the FCPA for your organization, see How-to guides: How to protect your company from violations of the FCPA and How to protect your organization from third party liability under the FCPA and Checklist: What to include in an FCPA compliance program.
Step 1 – Determine the level and order of the due diligence process
| No. | Task |
|---|---|
| 1.1 | Assess third-party intermediaries and assign them to risk categories |
| 1.2 | Determine the depth of due diligence based on the risk category |
| 1.3 | Establish order of due diligence, beginning with existing third-party intermediaries |
| 1.4 | Perform due diligence on highest risk potential or new third-party intermediaries |
| 1.5 | Perform due diligence on third party intermediaries that are under a contingency-based compensation agreement |
| 1.6 | Process due diligence on the remaining third-party intermediaries |
Step 2 – Analyze and evaluate existing or potential third-party intermediaries
| No. | Task |
| 2.1 | Find third-party intermediaries through reputable sources |
| 2.2 | Conduct third-party intermediary questionnaire |
| 2.3 | Check that all questions on the third-party intermediary questionnaire are accurately answered |
| 2.4 | Evaluate the territory where the transaction takes place and where the third-party intermediary resides |
| 2.5 | Understand and evaluate the business transaction in relation to the business opportunity and proposed engagement |
Step 3 – Undertake specific due diligence investigation of third parties
| No. | Task |
| 3.1 | Determine the third-party intermediary’s competence |
| 3.2 | Determine the third-party intermediary’s integrity |
| 3.3 | Identify the third-party intermediary’s relationship to foreign government officials |
| 3.4 | Conduct a comprehensive background check of the third-party intermediary’s business associates |
| 3.5 | Determine the reasonableness of proposed third-party intermediary’s compensation and method of payment |
| 3.6 | Ensure proposed contractual terms and engagement of third-party intermediary complies with local law |
| 3.7 | Conduct a facility or office visit, or in-person interview with high-risk third-party intermediary to ensure validity of identification and to view capabilities |
Step 4 – Determine whether to engage third-party intermediary
| No. | Task |
| 4.1 | Draft a report based upon due diligence information collected |
| 4.2 | Conduct a meeting with the compliance committee to discuss findings from the report |
| 4.3 | Determine whether the third-party intermediary passes due diligence |
Step 5 – Conduct ongoing governance and compliance
| No. | Task |
| 5.1 | Integrate FCPA safeguards into third-party intermediary agreements |
| 5.2 | Mitigate any red flags encountered during all phases of engagement and determine next steps if red flags cannot be mitigated |
| 5.3 | Maintain accurate books and records related to all aspects of third-party intermediary’s engagement |
| 5.4 | Continuously oversee and monitor the third-party intermediary's activities and reputation by conducting periodic due diligence |
Explanatory notes
General notes
There are two different types of due diligence that must be conducted under the FCPA: 1) third-party intermediary and 2) pre-and post-acquisition merger. There are potential risks associated with either engagement. With both third-party intermediaries and mergers and acquisitions, your organization can be liable for the actions of another party. See How-to-guide: How to protect your organization from third party liability under the FCPA for further detail on this. Taking the time from the outset to vet the best relationships and decline any relationships that present too many red flags or too high a risk provides a solid foundation for complying with the FCPA.
Notes on specific requirements
Step 1 – Determine the level and order of the due diligence process
Generally, your due diligence should start with this assessment.
1.1 Assess third-party intermediaries by assigning them to risk categories
Before your organization begins the due diligence process, assess the third-party intermediaries by assigning them to risk categories. Knowing what level of risk is associated with each intermediary will allow for better organization of a complete due diligence process within your organization. Risk categories depend on the types of risks present with each intermediary. These risks can be broken down into categories such as: high, medium and low. The level of risk will determine how in-depth your investigation of an intermediary will be, as seen in step 1.2 below. For a complete discussion on risk red flags, proper risk assessment and assignment of risk levels, please see Checklist: Anti-bribery risk assessment for more information.
1.2 Determine the depth of due diligence based on the risk category
After completing the risk assessment from step 1.1 above, you can determine what depth of due diligence must be conducted on a certain party, ie, low, medium, or high.
1.2.1 Low-depth diligence to high-depth diligence
Low-depth due diligence
This foundational level of due diligence aims to capture essential information about every intermediary, ensuring a basic understanding of their operations, ownership, and adherence to fundamental compliance principles. It serves as an initial screening process to identify any immediate red flags before more extensive evaluations are considered.
This will be conducted on all intermediaries, no matter the risk level. Under this baseline, all third-party intermediaries will receive a questionnaire, as outlined in step 2.2 below.
Design the questionnaire to be comprehensive yet efficient, collecting data on legal structure, primary business activities, and initial declarations of compliance with anti-corruption laws.
Medium-depth due diligence
This is reserved for the intermediaries that are a step above low-depth, but not so critical as to warrant high-depth due diligence procedures. For example, if an intermediary handles a significant, but not substantial, portion of your sales, they will likely fall into the category requiring medium due diligence.
For medium-depth due diligence, expand the basic questionnaire to include a more thorough review of publicly available information, such as adverse media searches, regulatory filings, and basic background checks on key principals. This level of scrutiny allows for a more nuanced assessment of potential risks without the full resource commitment of a high-depth review.
It is particularly useful for intermediaries that have a moderate impact on your business or that operate in regions with elevated, but not extreme, corruption risks.
High-depth due diligence
This most rigorous level of due diligence is critical for intermediaries that pose the greatest potential risk to your organization, often due to their direct involvement with government officials, their substantial influence on your revenue, or their operation in high-risk jurisdictions.
More in-depth due diligence will be required for these higher-risk intermediaries. It should involve the questionnaire from the baseline low-depth analysis, an office or facility visit and in-person interview, detailed financial reviews, extensive background checks on all relevant individuals and entities, and potentially even forensic audits. The goal is to uncover any hidden risks, conflicts of interest, or past misconduct that could jeopardize your organization’s compliance standing.
High-risk intermediaries may include those with limited interaction with your organization but substantial contact with government officials in the territory in which they operate. Consider the factors below in determining how to categorize an intermediary and, when in doubt, classify the intermediary in the highest applicable category.
1.2.2 Considerations when deciding what level of diligence to perform
The following are additional considerations when determining the level of depth of diligence required for a particular intermediary:
- purpose for retaining the intermediary (eg, Are they taking over already existing business operations in a territory? Are they required to establish new business operations and, thus, are likely to have more contact with local government officials?);
- amount of contact an intermediary has with a government official;
- type of compensation the intermediary receives for services (eg, one-time payments may encourage fast results, while a long-term compensatory structure may encourage the intermediary to act in the best interests of both parties);
- amount of total interaction with and use of that intermediary by your organization;
- volume of sales the intermediary has in the territory in which the intermediary operates;
- status of intermediary as a publicly-traded company listed on a stock exchange; and
- the intermediary's rights to sell and market the organization in a particular country.
1.3 Establish order of due diligence, beginning with existing third-party intermediaries
It is important to determine an order to conducting diligence. It is advisable to start by assessing existing third-party intermediaries because these relationships may have been established prior to implementing a comprehensive due diligence plan. If this is the case, perform due diligence on the existing relationships before vetting out new relationships. It is likely your organization will conduct more business with existing intermediaries given there is an established relationship.
1.4 Perform due diligence on highest risk potential or new third-party intermediaries next
After completing due diligence on existing third-party intermediaries, the next group on which to conduct due diligence is high-risk potential or new intermediaries. The high-risk intermediaries have the most chance of affecting your organization because they bring the most risk (as seen and determined in step 1.1, above). It is important to perform due diligence on these parties in the beginning of the vetting process to eliminate or mitigate any chance of your organization being responsible for a FCPA violation. Remember, however, to keep detailed records of your vetting process in case an FCPA concern should arise later.
1.5 Perform due diligence on third-party intermediaries that are under a contingency-based compensation agreement
Due diligence should be performed on intermediaries that are being paid on a contingency basis, ie, only if they secure a successful outcome. They carry risk because they have more incentive to bribe an official to achieve an outcome irrespective of the associated costs or potential violations. For example, a third-party agent may be hired with the contingency that if they secure a project site in country X, they will receive 10% of the project value. In this case, prioritize due diligence from the outset. Given the only way the third party will be paid is if they secure the contract, there is a higher chance that they are willing to bribe an official to achieve the desired outcome.
1.6 Process due diligence on the remaining third-party intermediaries
For the final step, process due diligence on the remaining third-party intermediaries, including those not already processed in steps 1.3 to 1.5. All intermediaries and organizations going through merger and acquisition should have due diligence performed before initiating a relationship with your organization.
Step 2 – Analyze and evaluate existing or potential third-party intermediaries using reputable sources
2.1 Find third-party intermediaries through reputable sources
It is important to choose reputable intermediaries. This can be achieved by employing third party, neutral government resources. As seen in the DOJ opinion release on due diligence here, the first step the DOJ noted was the use of publicly available information. There are government resources available, for example here, from the International Trade Administration, that help with international business partner searches. Do not underestimate checking local newspapers or media sites as well.
2.2 Conduct third-party intermediary questionnaire
Before entering into a new business relationship with an intermediary, have them fill out a questionnaire to collect basic information. The questionnaire can be standard and should collect the following information:
- basic contact information, such as name, address, phone number, email, fax, names of officers or members, etc;
- company structure and ownership, such as the type of business entity, makeup of managers and members, and key employees;
- company description, including types of work, years in business, annual revenue, and whether they have a website with more information;
- list of references to check (Remember to actually conduct the check and document it).;
- past history, including bankruptcies, lawsuits, antitrust violations, and any prior prevention from dealing with certain groups or governments;
- financial questions, such as compliance with books and records and accounting measures, as well as willingness to submit to external audits;
- corporate registration documents, to ensure proper ownership and business structure; and
- local law requirements, to ensure the intermediary knows their obligations and limitations.
2.3 Check that all questions on the third-party intermediary questionnaire are accurately answered
Verify information provided by the third-party intermediary during due diligence, including comparing answers regarding the intermediary’s organization and ownership to local records.
Steps include:
- confirming structure of business;
- checking references;
- conducting review of financial records;
- reviewing registration documents in the territory; and
- confirming local law requirements are consistent with their views.
2.4 Evaluate the territory where the transaction takes place and where the third-party intermediary resides
As an important part of the due diligence process, evaluate both the territory where the transaction has or will take place and the territory where the third-party intermediary resides. Certain countries are more prone to government corruption than others. Consider reports issued periodically by non-government organizations, such as Transparency International’s Corruption Perception Index. Be mindful of any recent corruption scandal in a country, particularly any scandal associated with a specific governmental customer. This requires staying up to date on research and the news. Territory factors to consider are economic stability, political stability, type of legal system, and banking structure.
Note: there will be challenges in conducting due diligence in regions where information is restricted by the government or otherwise minimal.
2.5 Understand and evaluate the business transaction in relation to the business opportunity and proposed engagement
As a last step in conducting initial due diligence, make sure to fully understand and evaluate the business transaction or opportunity. Some business sectors, such as the banking industry, are riskier than others due to dealing with large financial transactions, where bribes may be disguised as small costs or fees. Some compensation arrangements, while standard practice within the industry, may make it harder to prevent the third-party intermediary from paying a bribe due to the size or nature of the financial transaction or opportunity.
Understanding the nature of the business transaction, the risks associated with it and its potential weaknesses or gaps in control measures, will lead to a more comprehensive risk-based due diligence. For example, at some point in the transaction or course of dealing there may be an opportunity for an untrustworthy third-party intermediary to provide unreasonable gratuities or compensate a foreign official’s family or associates through hiring or engaging them to assist with the transaction. Therefore, it is important to know all the parties involved in winning bids and performing on contracts, including related ancillary parties. Hence, as a due diligence step, counsel may request the employee roster of the third-party intermediary or conduct due diligence on its organization’s processes, such as hiring or vendor onboarding/relationships. Consider whether the intermediary has a written policy ensuring compliance with the FCPA and whether they have a compliance team or internal audit structure to implement the policy. Smaller businesses may not have the resources to create or implement such procedures. In that case, consider having the intermediary agree in writing to your organization’s existing FCPA compliance procedures before proceeding.
Step 3 – Undertake specific due diligence investigation of third parties
3.1 Determine the third-party intermediary’s competence
Ensure that the intermediary has the skill and competence to provide the contemplated services or product. Inquire about education, experience, and past military or government service. Require proof to support the answers. Such proof may be provided in writing or through a list of references provided by the intermediary.
3.2 Determine the third-party intermediary’s integrity
Ascertain the intermediary’s general business reputation in the territory. More vigorous efforts are necessary in a country with a reputation for corruption. See step 2.4, above.
Specifically, contact government or reputable private organizations such as the appropriate country desk at the United States Department of State, the Department of Commerce, the US Embassy or consulate personnel, military assistance personnel, major banks, the country’s Ministry of Trade or equivalent office, the American Chamber of Commerce and community leaders to assess reputation. It may be advisable to contact local counsel to find information regarding an intermediary’s reputation, as they may have the appropriate connections. Check with the relevant government databases, as they often house a list of past violations by businesses in their territory.
Consider retaining a private investigative organization (many major US accounting firms and other entities have such forensic services available in foreign countries) to conduct discrete investigations, particularly where unsubstantiated rumors of illegal conduct or other inconsistent information has surfaced. For high-risk intermediaries, consider a full forensic audit.
Contact the business references that the intermediary claimed in their initial questionnaire to ascertain the length of the business relationship, the effectiveness of the intermediary and the integrity of the intermediary. Consider requesting financial references.
Beware of any intermediary who resists or expresses undue aggravation at normal due diligence inquiries.
Stay vigilant by reviewing any media sites, including that of intermediary, owners, key employees, subsidiaries, and third parties for the past ten years.
3.3 Identify the third-party intermediary’s relationship to foreign government officials
Determine whether the intermediary or any officer, director, employee, agent, or anyone with a direct or indirect financial interest in the intermediary, is a foreign government official within the meaning of the FCPA. Third parties owned by blind trusts or nominee shareholders are high risk.
The intermediary must identify any family relationships it or any of its officers, directors or employees may have with government officials. A payment in such circumstances may be an indirect benefit to a government official, and thus a violation.
3.4 Conduct a comprehensive background check of the third-party intermediary’s business associates
Once your organization reaches the point where it believes that an intermediary is a good fit, conduct a comprehensive background check on the intermediary’s associates. This provides a complete view of whether there has been anything illegal or any red flags associated with that intermediary in the past. Additionally, background checks can be a point where you view whether there are any conflicts of interest between your organization and the intermediary.
Background checks can be ordered through the International Trade Administration here.
3.5 Determine the reasonableness of proposed third-party intermediary’s compensation and method of payment
Do not pay unusually high compensation to international business associates. The market or ‘going’ rate for the services in question should be determined and documented through local sources such as the US Embassy, local business contacts, local counsel, or prior experience by the organization.
Counsel should ensure that the organization documents its rationale for the compensation it pays to the third-party intermediary, including any efforts to negotiate with the intermediary and the basis for believing the compensation is reasonable.
To prevent the appearance of potential corruptness, it is advisable not to make payments in the following ways:
- cash payments;
- payments to numbered accounts;
- payments to a financial institution or address outside the country in which the services were rendered, absent an opinion by local counsel that such payment complies with local law; or
- agreements to last-minute increases in compensation or the introduction of an ‘eleventh hour’ consultant or new foreign associate considered ‘critical’ to closing a deal.
Consider requiring or obtaining an opinion by local foreign outside counsel and/or an opinion by United States outside counsel on the engagement. Also consider such a legal opinion in connection with any ‘hospitality’ payments contemplated for foreign officials, including lodging, per diem, entertainment, and transportation. Such opinions are important even if the payments appear clearly to fall within the FCPA’s affirmative defenses. See Checklist: Anti-bribery risk assessment for more information.
3.6 Ensure proposed contractual terms and engagement of third-party intermediary complies with local law
An opinion by local counsel that the proposed agreement and compensation comports with local law is strongly advised. This is particularly important in those countries that prohibit the payment of commissions or inclusion of commissions or consultant fees in the price of a government contract or that require notice to the government of an organization's use of an in-country consultant or sales representative.
3.7 Conduct a facility, office visit, or in-person interview with high-risk third-party intermediaries to ensure validity of identification and to view capabilities
Lastly, for those intermediaries that have red flags and/or pose the most risk, consider an in-person facility visit to their business site. Ensure that the interview and visit are only with the significant party and that they do not have help in answering questions. This can give more insight into their suitability for the type of work for which you want to retain them. This also provides a means to check and verify business filings, conduct interviews in person, evaluate the body language of key employees, and see how the intermediary conducts business hands-on. This could require hiring a translator in order to conduct a full evaluation and reach a complete understanding of the situation.
Step 4 – Determine whether to engage third-party intermediary
4.1 Draft a report based upon due diligence information collected
Gather all information from steps 1 to 3, above, and generate a report reflecting the findings about the intermediary. Having a concise summary of all the specific steps and inquiries in the due diligence process will help assist in deciding whether to hire an intermediary or whether to merge with or acquire a particular intermediary. In the case of multiple intermediaries, having one collection of the gathered due diligence information will help your organization better evaluate the best intermediary with the lowest possible FCPA risk. Retain records of these collections and findings as part of your overall compliance program.
4.2 Conduct a meeting with the compliance committee to discuss findings from the report
Once the report is completed, conduct a meeting where all stakeholders or committee members (as established in your FCPA compliance program cross-department team) will have input in the decision-making as recommended in creating a compliance program. See How-to-guide: How to protect your organization from third party liability under the FCPA.
4.3 Determine whether the third-party intermediary passes due diligence
The final step in an initial risk-based due diligence assessment is to determine whether the intermediary passes or fails. Your organization must determine whether the intermediary in question is fit to conduct third-party business or merge with your organization. If at any point in the analysis of the due diligence findings it is determined that engaging the intermediary poses too much of a risk for your organization, then the intermediary is not a good fit for your organization or the proposed transaction.
Step 5 – Conduct ongoing governance and compliance
5.1 Integrate FCPA safeguards into intermediary agreements
Once an intermediary is chosen, it is critical to have specific provisions in the form of a written agreement to protect your organization. In particular, the written agreement should contain the intermediary’s representation and warranties to comply with the FCPA, as well as other laws and regulations.
5.1.1 Provisions for intermediary agreements
FCPA compliance
A representation by the intermediary’s principal or owner that he or she has read and understands the FCPA and agrees, on behalf of the intermediary, to abide by its prohibitions.
Compliance with laws
A representation and warranty by the intermediary that it will comply with all applicable laws, including the FCPA and local laws.
Termination for FCPA violation
A provision giving your organization the right to immediately terminate the agreement upon reasonable belief that the intermediary has failed to comply with or will violate the FCPA. Specify what constitutes reasonable belief and any notice requirements as well.
Audit right
This grants your organization the right to audit the intermediary’s books and records at any time, either with or without advance notice.
No assignment without approval
A provision prohibiting the appointment of subagents or subconsultants without prior written approval of your organization and the same diligence testing.
Prohibition of payment
This prohibits payment to a foreign associate in a country other than his normal place of business or where the services are being performed.
Termination without cause
This gives your organization the right to terminate an agreement on short notice (30 or 60 days) without cause and without compensation.
Notice of change of ownership
This requires prompt notice of any change of ownership otherwise termination and/or penalties may be imposed by your organization.
Annual certification
This requires the intermediary to certify annually that they have read and will abide by all laws and policies. The certification should specifically state that it has complied with the FCPA and all anti-corruption laws and will do so in the future.
5.2 Mitigate any red flags encountered during all phases of engagement and determine next steps if red flags cannot be mitigated
If issues arise during the engagement and cannot be resolved, your organization should take the interim steps of halting work on the engagement, conducting a review or investigation, and potentially exercising contractual remedies to terminate. See How-to guides: How to protect your company from violations of the United States Foreign Corrupt Practices Act and How to protect your organization from third party liability under the FCPA.
5.3 Maintain accurate books and records related to all aspects of third-party intermediary’s engagement
Ensure that your organization’s books and records accurately describe the nature and amount of any payments made to an intermediary. The written agreement with the intermediary should specify, in detail, the nature and amount of any payments to be made and the purpose for those payments.
Require detailed documentation of expenses and activity for which the organization will reimburse and pay the intermediary, including activity reports, receipts to substantiate travel, entertainment, meals, and other incurred costs.
All invoices submitted by the intermediary should be accompanied by a certification that the activity for which payment will be made complied with the FCPA and all applicable US and local laws.
For monitoring and audit purposes, designate one central location or organization from which payments to intermediaries are made. Payments should only be made after review and approval by those individually responsible for monitoring the intermediary and by at least one level of senior management. Local payments should be prohibited.
Your organization must ensure that it fully and accurately reports any fees or commissions as required by United States and foreign law. This includes reporting requirements under 22 CFR section 130, known as ITAR Part 130, which deals with political contributions, fees, and commissions made in conjunction with sales of defense articles and defense services, and certifications on export license applications, or in proposals to the United States and foreign governments in connection with foreign government contracts.
5.4 Continuously oversee and monitor the third-party intermediary’s activities and recreation by conducting periodic due diligence
Due diligence is an ongoing process that continues long after initial approval of the business relationship. An organization must remain vigilant and alert to any new information that may be material to its relationship with the intermediary. This includes continuous monitoring of news in English and the local language for negative news stories.
Conducting periodic and pre- and post-acquisition due diligence is even more important than at the outset of a third-party relationship. The interval at which to re-conduct due diligence depends on the type of intermediary, the type of threat, and whether there are red flags present. You should not complete due diligence once and think it is done. It is important to maintain a schedule of regular reviews. A failure to conduct due diligence and monitoring appears to be the cause of charges that were launched in a high profile case against the global software company SAP SE (In the Matter of SAP SE, SEC File No. 3-21824, January 10, 2024). In that case, SAP failed to make and keep accurate books and records. The SEC also alleges that SAP also failed to devise and maintain a sufficient system of internal accounting controls necessary to detect and prevent the improper payments The order issued by the SEC stated that:
‘SAP failed to make and keep accurate books and records and failed to devise and maintain a sufficient system of internal accounting controls necessary to detect and prevent the improper payments. The bribes were inaccurately recorded as legitimate business expenses in SAP’s books and records. SAP failed to implement sufficient internal accounting controls over the engagement of, and payments to, third parties and lacked sufficient entity level controls over its subsidiaries in South Africa, Greater Africa, Indonesia, and Azerbaijan.’
You must be alert to and promptly investigate any suggestions of improper conduct. Designate in writing a specific employee at the managerial level as the individual responsible for monitoring the activity of the intermediary.
Additional resources
A Resource Guide to the US Foreign Corrupt Practices Act DOJ and SEC guide that sets out hallmarks of effective compliance programs.
Commercial Services User Services International Trade Administration list of resources to assist in conducting assessments of countries and companies for due diligence.
Due Diligence Guidance for Responsible Business Conduct The Organisation for Economic Co-operation and Development guidance on conducting due diligence to ensure compliance with its Guidelines for Multinational Enterprises on Responsible Business Conduct.
Anti-bribery due diligence for transactions Transparency International guidance on due diligence.
DOJ opinion release 10-02 DOJ opining on the due diligence controls to minimize FCPA violations.
DOJ opinion release 08-02 DOJ opining on pre-acquisition due diligence.
Good Practice Guidelines on Conducting Third-Party Due Diligence World Economic Forum resource on third-party due diligence.
Related Lexology Pro content
How-to guides:
How to protect your company from violations of the United States Foreign Corrupt Practices Act
How to protect your organization from third party liability under the FCPA
Checklists:
Anti-bribery risk assessment
What to include in an FCPA compliance program
Charitable and political donations and gifts, travel, entertainment compliance
Reliance on information posted:
While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.