Having a contract with a third party is not the same as having a compliance contract with a third party.
Most organisations have contracts with their significant third parties. These contracts cover the commercial terms of the relationship: scope of services, compensation, term, termination rights, liability allocation, dispute resolution. They have been reviewed by legal counsel. They are signed, filed, and managed through the organisation's contract management process.
What a significant number of these contracts do not contain — or contain in forms so generic as to be operationally meaningless — are the compliance protections that transform a commercial contract into a component of the organisation's integrity risk management architecture. The representations about anti-corruption conduct. The audit rights that allow the organisation to verify what it has been told. The obligation to maintain an adequate compliance programme. The termination right that gives the organisation a clear exit if its third party is implicated in misconduct. The notification obligation that requires the third party to inform the organisation if it becomes aware of a relevant investigation or proceeding.
The gap between what a contract contains commercially and what it requires for compliance purposes is, in many organisations, substantial — and it matters not only for the organisation's ability to manage its third-party relationships in practice, but for its ability to demonstrate adequate procedures to a regulator. A due diligence process that identifies risks and a contract that provides no mechanism to address, monitor, or respond to them is not a functioning third-party compliance programme. It is a partially completed one.
Seven clauses that a compliance-adequate third-party contract requires.
First, anti-corruption and anti-bribery representations. The third party must represent that it has not made, and will not make, any improper payment in connection with the relationship — and that it is not aware of any fact, circumstance, or event that would constitute a violation of applicable anti-corruption law. These representations should be specific, not generic: referencing the applicable laws by name, defining what constitutes a prohibited payment in terms that are clear and operational, and extending to the third party's subcontractors and agents.
Second, a compliance programme obligation. The third party should be required to maintain, and to be able to demonstrate on request, policies and procedures designed to prevent and detect bribery and corruption. For high-risk relationships, this obligation should be specific: a written anti-bribery policy, a training programme for relevant personnel, a mechanism for raising concerns. The right to request evidence of compliance with this obligation should be explicit.
Third, audit rights. The organisation must have the contractual right to audit the third party's books and records relevant to the relationship — or to appoint a third party to do so — on reasonable notice. Audit rights that are conditioned on reasonable suspicion of a violation are inadequate: the value of an audit right is partly prospective, as a deterrent, and partly practical, as a mechanism to identify issues before they become enforcement matters.
Fourth, notification obligations. The third party must be required to notify the organisation promptly if it becomes aware of any investigation, proceeding, or allegation relating to anti-corruption law, or of any fact that would constitute a violation of its representations. This obligation closes the information gap that makes third-party misconduct so difficult to detect — and it creates a contractual basis for the organisation to act on information that it would otherwise not have received.
The audit right and the notification obligation are the two provisions that most organisations either omit or draft in ways that make them unenforceable in practice. An audit right that requires six months' notice is not an audit right. A notification obligation that is triggered only by a formal legal proceeding will not surface the early-stage concerns that are most actionable. Both provisions need to be drafted with their operational purpose in mind — and reviewed by someone who has actually tried to exercise them.
Compliance provisions are only valuable if they can be acted upon.
The compliance provisions in a third-party contract are not deterrents in the abstract. They are instruments that the organisation must be prepared to use — and whose use depends on having drafted them with sufficient clarity and specificity to be enforceable. A representation that the third party will comply with 'applicable law' provides less traction in an enforcement context than a representation that references specific statutes, defines prohibited conduct, and extends to specific categories of third-party personnel.
Termination rights linked to compliance breaches require similar precision. A generic right to terminate for material breach may or may not be available in a specific situation depending on how the breach is characterised and what the governing law provides. An explicit right to terminate — without penalty and on short notice — if the third party is investigated for, charged with, or found guilty of a violation of any applicable anti-corruption law is an unambiguous instrument that is available when the organisation needs it.
The right to withhold payment pending the resolution of a compliance concern is a provision that few organisations include and that provides significant practical leverage in the event of a suspected issue. The right to conduct an independent investigation into alleged misconduct, with cooperation from the third party as a contractual obligation, is another provision that transforms what would otherwise be a difficult conversation into a defined process.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. Organisations seeking specific guidance should consult qualified legal counsel in the relevant jurisdiction.