The textbook example of a Foreign Corrupt Practices Act (FCPA) violation involves a company employee directly giving a bribe to a foreign official. But in many, if not most, of the FCPA cases prosecuted today, a third-party intermediary such as an in-country agent or consultant is the party who made the improper payment. In these cases, the company that engaged the third party’s services cannot plead ignorance and escape FCPA liability: The statutory text makes clear that a company violates the Act if it gives a payment to a third party and is “aware” that the third party will, or is “substantially certain” to, use that payment to bribe a foreign official. Caution should therefore be the watchword for any company operating through an intermediary in a foreign country.

The recently-announced $108 million FCPA settlement between Hewlett-Packard (HP), the Justice Department, and the SEC was a timely reminder of the risks a company runs when it does business in a foreign jurisdiction through a third party. The government’s case against HP included charges that HP Mexico — an HP subsidiary — hired a third-party consultant with close ties to Pemex, the Mexican state-owned petroleum company, to help HP secure a $6 million contract through improper means. According to the Justice Department, HP used a “channel partner” to funnel a $1.41 million commission to the consultant, who then paid $125,000 of that money to a Pemex employee.

The HP prosecution highlights several key considerations for companies that work with foreign third parties. First, when dealing with a third party, a company must look for the “red flags” that the SEC and DOJ’s “Resource Guide” to the FCPA mentions as signs of illegal conduct. For example, the Guide warns of “excessive commissions” charged by agents or consultants, along with the use of third parties who are “closely associated” with a third party official; both of those warning signs seem to have been present in HP’s case. The Guide also counsels against relying on “vaguely described” consulting agreements that do not describe the services to be rendered in detail, whereas HP Mexico — which internally referred to the consultant payments as an “influencer fee” — appears to have allowed the scope of the parties’ relationship to remain ambiguous.

Other “red flags” to watch out for include a third party’s involvement in a deal at the specific behest of a foreign official, its refusal to allow an audit of its books, and its incorporation offshore or use of offshore accounts. When such signs of illegal conduct are present, companies should be particularly careful to perform intensive due diligence on their local business partners. A company that is notified of signs that a third party partner is paying bribes may well be sufficiently “aware” of illegal conduct to be liable under the FCPA for that third party’s acts.

The second lesson of the HP prosecution is that, in addition to thorough due diligence, avoiding FCPA liability also requires a company to have effective internal protocols for ensuring compliance. Even the best due diligence methods will not protect a company from risk if it does not conduct due diligence every time a third-party transaction raises red flags that indicate potential problems. According to the SEC, HP Mexico proceeded with the allegedly illicit consulting transaction despite the fact that the third-party consultant “was not an approved deal partner and had not been subjected to the due diligence required under company policy.” It only takes one such lapse for a company to get itself into hot water.

The final takeaway from HP’s case is that a company’s compliance efforts should not end once it has properly performed its due diligence on the third party with whom it is going to be working. The company should draft a contract with the third party that spells out in detail the services to be provided, and gives it the ability to monitor the third party’s activities. Throughout the ensuing business relationship, the company should keep a watchful eye on its business partner, and at the first sign of trouble, take immediate action to remedy the problem. Defining the scope of the relationship with a third party and arranging for continued monitoring can help a company avoid liability for problems that due diligence fails to uncover.

Working through intermediaries is often a necessary aspect of doing business in foreign countries, but the government’s track record of prosecuting FCPA cases involving third parties makes clear that third parties also introduce new risks into a company’s foreign operations that must be taken into account. As is always the case when it comes to the FCPA, planning ahead is the most effective way for a company to neutralize these risks and avoid potential problems.