Compliance and “third parties”

The increasing relevance of the concept of "compliance" in organisations is an uncontroversial fact. In this unstoppable race, Telefónica aspires to remain at the forefront.

Manuel Crespo de la Mata

Reading time: 5 min

Although the “culture” of compliance can hardly be quantified in units of measurement, we have more and more sources of information and tools that help to shed some light on where the organisation is at any given moment (which is essential in order to better focus the next steps). In this sense, it is legitimate for companies that have been carrying out “Compliance” in a comprehensive sense and with adequate resources to conclude that an important part of the road has already been travelled: the part that has to do with the commitment of our organisation and of those of us who form part of it.

But is it the same for our ecosystem?

In the 21st century, a company does not need to be very large for its viability to depend on a network of commercial and/or legal relationships with actors outside its perimeter. These are not only its customers (as the ultimate recipients of its products or services), but above all other subjects who, in the supply chain or, more broadly, in the value chain, play a key role.

What is a “third party”?

In this scenario, if the company is, to paraphrase Ortega, “itself and its circumstances”, the mission of its compliance programme can hardly be honoured without involving those “circumstances” and those who embody them: the “third parties”.

The concept of a “third party” is a strange one. In principle, it should be someone outside the relationship between a “first person” and a “second person”. The Dictionary of the RAE offers us a possible meaning: “A person who is not one of two or more of those involved in a business of any kind”. Moreover, legally speaking, the third party is a person who is a stranger to the relationship between two others (for example, the parties to a contract or to a lawsuit). In this light, a “business partner” would not be a “third party”. Anecdotally (or not), the recent Directive 2024/1760 on corporate due diligence on sustainability does not recognise the implied unrelatedness of the “business partner” to the “third party”, and in fact aims, with the natural limitations, to place the company and its direct allies (who do not qualify as third parties) on a comparable level of review. 

However, in Compliance, the assimilation, under the title of “third party”, of any person, natural or legal, other than one’s own, including the “second person”, is virtually consolidated. The idea already appears in criminal jurisprudence and related public documentation, and is a reality in the increasingly prolific voluntary compliance standards (UNE/ISO) that regulate compliance functions (which define “third party” as “any person or body that is independent of the organisation”), and in guides as essential as the one used by the Department of Justice (USA) to evaluate companies’ compliance programmes (which devotes an entire section to “third party management”).  

The objective: the “management” of relations with third parties

This conception of the third party, from Compliance’s point of view, as anyone other than oneself, is interesting because it helps to better understand this increasingly comprehensive vision of our function: one that demands that, with clients excluded in non-financially regulated environments (which would give rise to a more far-reaching discussion), we deal directly with “managing” the relationship with the rest of our counterparties.

The key is to understand the objectives, which are multiple: to protect the company from legal breaches directly related to contracting with the third party (e.g. international sanctions); to prevent the “use” of the company or its employees by the third party (e.g. conflicts of interest, hospitality, money laundering), or conversely, of the third party by the company or its employees (e.g. corruption cases); to ensure that the company will not be tainted in its (more or less direct) relationship with the third party by any cause affecting or for which the latter is responsible (e.g. contingencies during the life of the contract or reputational impacts), or even as a consequence of the integration of the third party with the company through a merger operation, acquisition of control, etc. (M&A compliance).

The challenge is not an easy one, and presents no small number of legal difficulties.

Due diligence

The world of third party management is, to a large extent, the world of due diligence, which admits different layers depending on the risk faced: generalised “screening” through databases, or more exhaustive analyses in cases of qualified risk by type of transaction. Here the greatest difficulty always lies in managing the “hit”, which must be adapted to the circumstances of the third party and the transaction.

Other protections

The “analysis” of the third party can and should be complemented by a system of responsible declarations (contractual clauses, certifications, etc.) guaranteeing the contractual indemnity of the company when it is merely the passive subject of a breach by the third party. 

This can in turn be completed through an environment of enhanced internal controls, increasingly embedded in the Compliance function: instruments for analysis and management of hospitality (active and passive), conflicts of interest, additional validations at the time of payment (“intervention” functions), etc.

The necessary company commitment

Finally, the hackneyed message that “Compliance is everyone” is also applicable to this cause. For the system of controls in which the management of third parties is materialised to be fully effective, it must be known throughout the organisation. This is the only way to activate the deployment of those controls: circumstantially, in a detective manner (we are experiencing the rise of “internal information systems” or whistleblowing channels), but structurally, in a preventive manner, since most controls are, by definition, preventive in nature. In this respect, the automation of flows and processes is particularly relevant, which in turn involves other areas of the company (e.g. procurement) that are key to achieving the objectives.

In recent years, Telefónica has made considerable efforts to make our “third party management” system a reality that, despite its complexity and sophistication, works fully and efficiently. And, more importantly, we are committed to continuing to improve this system, for the benefit of the company we serve and, let’s say it unashamedly, the society of which we are a part.
