Most significant corporate integrity failures originate not inside the organisation but in the relationships it keeps.

When a major enforcement action unfolds, the narrative tends to focus on the individuals involved and the internal failures that enabled them. The rogue executive. The weak control environment. The culture that allowed the wrong behaviour to continue. These elements are real, and the compliance response they demand is well understood.

But look at the pattern of enforcement actions under the FCPA, UK Bribery Act, Sapin II, and LkSG over the past decade, and a different picture emerges. In the majority of major corporate bribery cases, the corrupt payment did not come from the company's own accounts, processed by its own employees, through its own systems. It came through an agent, a distributor, a joint venture partner, a consultant — a third party acting on the company's behalf, in markets where the company needed local presence and local relationships, using the company's money and its commercial authority to secure business that could not be secured any other way.

The company, in most of these cases, did not plan the payment. It did not know about it — or at least, it did not know in a way that could be established. What it did do was create the conditions that made the payment possible: it selected the third party without adequate scrutiny, compensated it in a way that created obvious incentive for improper conduct, failed to communicate or enforce the conduct standards it expected, and exercised no oversight that would have surfaced what was happening in time to stop it.

"The organisation that says it did not know what its third party was doing is making a statement about its due diligence programme, not its innocence. Under every major anti-corruption framework, the standard is not whether you knew — it is whether you took adequate steps to find out."

You do not control a third party the way you control an employee.

The compliance architecture that organisations build to manage their own operations — codes of conduct, training programmes, approval processes, internal controls, monitoring systems — rests on a fundamental assumption: the people it applies to are within the organisation's authority. They can be required to comply. Their behaviour can be monitored. They can be disciplined or removed if they do not meet the standard.

Third parties sit outside that architecture. The organisation cannot require them to complete its training. It cannot monitor their day-to-day activities through its own systems. It cannot easily discipline an agent in a distant market for a payment that occurred without anyone in headquarters knowing about it. The compliance tools that work internally do not translate cleanly to external relationships — and a compliance programme that assumes they do has a structural gap that third-party risk will eventually find.

The structural difference creates a specific challenge: the organisation is legally accountable, under multiple frameworks, for the conduct of parties over whom it has limited operational control. The FCPA's anti-bribery provisions apply to payments made by third parties authorised to act on behalf of a US person or issuer. The UK Bribery Act's corporate offence applies to persons associated with the organisation, a category that encompasses agents, subsidiaries, and anyone who performs services for or on behalf of the company. Sapin II requires due diligence on business partners. CSDDD and LkSG extend due diligence obligations across the value chain.

The test that every compliance function should apply to its third-party portfolio is this: for the relationships that carry the greatest integrity risk — the intermediaries, the agents, the distributors in high-risk markets — do we know enough about what they actually do, how they actually generate results, and who they actually pay to be confident that our name is not attached to something we would not authorise? If that question cannot be answered with confidence, the programme has a gap at precisely the point where the exposure is greatest.

Multiple frameworks now require third-party due diligence. The obligations are cumulative.

Third-party due diligence is no longer a best practice that sophisticated compliance programmes choose to implement. It is a legal requirement under multiple overlapping frameworks — and for companies with international operations, those requirements stack on top of each other in ways that demand a programme sophisticated enough to address all of them simultaneously.

Under the FCPA, adequate procedures require a risk-based third-party due diligence process. Under the UK Bribery Act, adequate procedures — the statutory defence — require proportionate procedures that include due diligence on persons performing services for the organisation. Under Sapin II, third-party due diligence on customers, suppliers, and intermediaries is one of eight mandatory measures. Under LkSG and CSDDD, risk analysis and preventive measures must cover the extended supply chain. Under ISO 37001, the anti-bribery management system standard requires due diligence on business associates.

The organisation that builds a third-party due diligence programme responding to one of these frameworks and ignores the others is not managing its full compliance exposure. The programme that is adequate for Sapin II but does not address the FCPA's third-party liability standard leaves a gap. The programme that covers anti-bribery risk but does not address human rights due diligence leaves a different gap. Building a programme that is coherent across all applicable frameworks — and that produces evidence adequate for all of them — is the work.

"Third-party risk is where the most significant compliance exposure lives, where the regulatory requirements are most demanding, and where the gap between what most programmes have built and what the frameworks require is widest. It is also, therefore, where the return on compliance investment is highest."
