Foreign Corrupt Practices Act (FCPA): How to Assess Third-Party Anti-Bribery Practices

Editors note: On February 10, 2025, the Trump Administration announced a pause in FCPA enforcement actions while a review of the Act is conducted. We will monitor changes to the Act and update our guidance accordingly.

Originally passed into law in 1977 and amended in 1988 and 1998, the U.S. Foreign Corrupt Practices Act (FCPA) makes it unlawful for U.S. citizens and companies to make payments to foreign government officials to assist in obtaining or retaining business. The law also contains provisions prohibiting foreign representatives from doing the same within the territory of the United States. The FCPA also requires companies whose securities are listed in the U.S. to keep records and maintain internal accounting controls to detect such transactions.

Foreign Corrupt Practices Act Requirements

With fines for violations of up to $5 million and 20 years in prison and $25 million for companies, it is important to ensure that not only your organization's practices but also your third-party vendor's and supplier's practices are compliant with FCPA to avoid business disruptions or reputational damage.

Provisions in the FCPA include:

• Public companies filing annual documentation with the Securities & Exchange Commission (SEC) attesting to adherence to FCPA provisions
• Keeping financial records for all in-scope transactions, which are auditable at any time
• Maintaining internal accounting controls and monitoring to track and prevent potential violations

Many organizations face problems when assessing their third parties’ anti-bribery and corruption (ABAC) policies because the effort is highly manual and lacks real-time insights into legal filings.

5 Recommendations to Assess Third-Party Vendor and Partner Anti-Bribery & Corruption Policies per the FCPA

Assessing third parties doesn’t have to be a manual, spreadsheet-based process. Consider these five recommendations to simplify and automate third-party ABAC risk assessments under FCPA.

1. Implement comprehensive supply chain partner pre-screening

Ensure that procurement and sourcing teams have access to intelligence pertaining to all new supply chain partner ABAC practices. This can include centralized assessment results, reputational information, legal actions, country-level corruption perception index (CPI) scores, and sanctions data – enabling procurement to make informed supplier-sourcing decisions.

2. Regularly assess your supply chain partners

Leverage an automated solution that hosts assessment questionnaires, raises risks if results don’t align with expected risk tolerance levels, and offers specific remediation recommendations. Include supporting evidence and ABAC policy documentation with assessment results to simplify audit reporting.

3. Fill gaps between assessments with continuous reputational monitoring

Regular (usually annual) assessments and attestations are essential to documenting third-party controls, policies, and processes, but they are static and point-in-time. Adding real-time monitoring of the following sources will help to catch potential adverse events and validate the results of risk assessments.

• Supplier Reputation: Public and private sources of reputational information, including regulatory and legal actions, M&A activity, adverse media, and conflicts of interest.
• Financials and Investments: Financial performance, turnover, profit and loss, and shareholder funds transparency.
• Global Sanctions: Screen against the world’s most important sanctions lists (including OFAC, EU, UN, BOE, FBI, BIS, etc.), global enforcement lists, and court filings (such as the FDA, U.S. HHS, UK FSA, SEC and more).
• Politically Exposed Persons (PEP): Politically exposed person profiles, including families and associates, to identify potential leadership risks.
• State-Owned Enterprises: A list of government-owned and government-linked enterprises.

4. Know your Nth parties

Your third parties rely on their suppliers and third parties to deliver goods and services to you and other customers. And you need to respond quickly when adverse events surface in your extended partner ecosystem. That’s why it’s important to identify and visualize relationships between your organization and third, fourth and Nth parties to discover dependencies and risks and avoid reputational hits.

5. Simplify compliance reporting

The fastest, least-complex approach to meeting audit requirements is to automatically map the assessment results discussed in recommendation number 2 to reporting that aligns with FCPA requirements. This can’t be done using spreadsheets and email – you will need a central platform for collecting, assessing, analyzing, and reporting on findings.