services for managing or augmenting compliance functions add both value
and vulnerability. The concern is that a “CCO can perform her job effectively
only if she has unfettered access to information about the firm.” 42 The
question is whether this unfettered access is compromised both by the sheer
volume of third-party suppliers and by the use of contracted compliance
services to meet the demands of regulators.
III. OVERSIGHT OF THIRD PARTIES
The oversight and management of third-party relationships raise legal and
ethical concerns and risks for a company’s compliance function. Several
studies point out the challenges in managing third-party compliance risk.
The critical compliance risks 43 are bribery and corruption, fraud, and conflicts
of interest. In marked contrast, third-party misconduct involving “labor relations,
wage and hour, harassment, diversity and discrimination” ranked lowest among
the risks surveyed. 44 The criticality of third-party compliance risk was similarly
confirmed in another study 45 of company compliance personnel, who identified
third-party compliance risk management as their greatest compliance risk. Despite
the seriousness of this concern, the Kroll and Ethisphere study reported that, “at
best, 80 percent of respondents were only slightly confident in their ability to
catch third party issues, the leading risk identified in this year’s survey (55
percent are slightly confident; 25 percent are not confident).” 46
Regulators cite the need for effective management and oversight of third-party
relationships. In health services, the Department of Health and Human
Services, Office of Inspector General, issued the “Compliance Program
Guidance for Third-Party Medical Billing Companies,” 47 which encourages the
voluntary adoption by third parties of the requirements for an effective
compliance and ethics program defined in the FSGO.
In financial services, the Office of the Comptroller of the Currency (OCC)
expressed this concern in its bulletin on Third Party Relationships. 48 While
42. MILLER, supra note 23, at 9.
43. RANDY STEPHAN, 2015 ETHICS & COMPLIANCE THIRD PARTY RISK MANAGEMENT
BENCHMARKING REPORT (2015), http://www.navexglobal.com/en-us/file-download-
44. Id. at 6.
45. DELOITTE, IN FOCUS, 2015 COMPLIANCE TRENDS SURVEY (2015),
46. KROLL & ETHISPHERE, supra note 3, at 16.
47. Compliance Program Guidance for Third-Party Medical Billing Companies, 63 Fed.
Reg. 70138 (Dec. 18, 1998).
48. Risk Management Guidance, U.S. DEP’T TREASURY, OFF. COMPTROLLER CURRENCY
(Oct. 30, 2013), https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.