Categories
31 Days to More Effective Compliance Programs Uncategorized

31 Days to a More Effective Compliance Program – Day 22 – Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II, and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2023 ECCP stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach with varying levels of due diligence is the appropriate analysis to take going forward.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions of your program. The Level I, II, and III trichotomies appear to have the greatest favor and are ones that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:

1. Level I due diligence should only be used when there is a low risk of corruption.

2. Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.

3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Corruption, Crime and Compliance

Deep Dive into DOJ and SEC’s SAP FCPA Enforcement Action

Bribery is rampant in many countries around the world, and in this episode of Corruption, Crime, and Compliance, we take a look at a recent FCPA case involving SAP, a global software company. SAP’s violations spanned multiple countries, including South Africa and Indonesia, and resulted in prosecution and a hefty $220 million penalty. However, many people were baffled by the resolution of this case. The DOJ lacked aggressiveness and failed to impose an independent compliance monitor. Join the host, Michael Volkov, as he analyzes the intricacies of this case and the implications for FCPA enforcement in the coming years.

  • The SAP is a recidivist company, but DOJ’s enforcement action against them did not seem to take that into account when holding them accountable for instances of bribery that spanned the globe.
  • As the DOJ seemed to take a step back, the SEC made an aggressive push into holding companies accountable for violating internal controls, which is what happened in the SAP case.
  • SAP’s repeated failure to follow internal control requirements governing third parties serves as a cautionary tale for companies to ensure that their procedures are not only in place but also actively implemented and monitored.
  • Clear Channel’s former Chinese subsidiary, Clear Media, engaged in deceptive practices to fund illegal payments, including creating false invoices and tax records, but even after internal audits, Clear Channel failed to take aggressive remedial actions.
  • Clear Channel demonstrated a clear commitment to addressing the issues in the investigation that followed, highlighting the importance of cooperation as it can lead to more favorable outcomes and potentially mitigate the severity of penalties imposed.

KEY QUOTES:

“DOJ is turning its focus and pulling back on FCPA enforcement.” – Michael Volkov

“The SAP resolution, which totals only $220 million, was far below the amount that a recidivist should have paid for its global bribery operations stretching into multiple countries.” – Michael Volkov

“The SEC’s approach demonstrates a more aggressive application of internal control enforcement.” – Michael Volkov

“If a company is going to craft these internal controls, the company has to enforce those controls or face serious enforcement risks.” – Speaker: Michael Volkov

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
Riskology

Riskology by Infortal Episode 18: Houthi Terrorism, The Red Sea and Global Shipping

When conflicts escalate around the world, supply chains are disrupted, and political power shifts, how can companies stay resilient and manage their risk? In this episode of the Riskology Podcast, Dr. Ian Oxnevad and Chris Mason explore the escalating conflict in the Red Sea and its implications for businesses operating in the region. With shipping routes severely impacted by attacks from the Houthi movement in Yemen, companies face significant disruptions and potential financial losses. Ian and Chris share their insights into how companies can navigate these risks, adapt their supply chains, and develop contingency plans to mitigate the impact of the Red Sea conflict.

Infortal Worldwide is a global risk management and investigation firm that specializes in helping businesses navigate complex risk landscapes. The company’s focus extends to various areas, including economics, politics, and geopolitical risk. By delving into these interconnected realms, Infortal Worldwide aims to provide clients with comprehensive insights that empower them to make informed decisions, especially in critical areas such as mergers and acquisitions, private equity investments, and other strategic moves.

You’ll hear Ian and Chris discuss:

  • The conflict in the Red Sea is severely impacting shipping and logistics operations. Attacks from the Houthi movement have led to disruptions in shipping routes, causing delays and increased costs for companies.
  • Companies have been forced to reroute their ships around Africa, which leads to significant delays and increased costs for companies. This not only adds financial strain but also creates congestion in alternative ports, further impacting logistics and supply chain operations.
  • European countries are hesitant to get involved in a coalition to protect international shipping due to their vulnerability to oil flow disruptions and the need to utilize their military strategically, and this lack of coordination poses additional risks for companies relying on the Red Sea route.
  • The impact of the conflict in the Red Sea extends beyond the Middle East, potentially disrupting global supply chains and causing inflationary pressures on consumer prices. With 98% of maritime shipping between Asia and Europe passing through this route, any disruptions can lead to significant delays, increased costs, and shortages of goods. 
  • Companies, especially those heavily reliant on the Red Sea route, need to develop contingency plans and alternative routes to mitigate the risks and disruptions caused by the conflict. Assessing supply chains, identifying alternative transportation options, and establishing partnerships with reliable logistics providers are crucial steps to ensuring business continuity. 
  • Startups and new players are emerging in the logistics industry to address the challenges posed by the conflict, offering alternative overland routes and solutions. These innovative approaches demonstrate the potential for agile and adaptive solutions in times of crisis.
  • Companies must prioritize intelligence gathering, due diligence, and boots-on-the-ground experience to navigate the complex geopolitical landscape and identify reliable partners in affected regions. Understanding the political dynamics, assessing risks, and conducting thorough background checks on potential collaborators are essential for mitigating risks and ensuring compliance with regulations.
  • While the conflict in the Red Sea poses significant challenges, it also opens up opportunities for innovative companies to fill gaps in the market. By embracing dynamic assessment, diversifying supply chains, and exploring new partnerships, businesses can position themselves for success in a rapidly changing global landscape.

Key Quotes:

“To be frank… this is a disaster for shipping.” – Ian

“Every risk is an opportunity. Companies need to start thinking with that mindset.” – Ian

“[This] has really been a great illustration of how quickly supply chains can break down and how important it is to be prepared.” – Chris

“You’re going to need intelligence and boots on the ground, due diligence, and knowing who you do business with.” – Ian

Resources:

Infortal Worldwide

Email

Dr. Ian Oxnevad on LinkedIn

Chris Mason on LinkedIn

Categories
Daily Compliance News

Daily Compliance News: January 22, 2024 – The China in Trouble Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • The fraud of belts and roads.  (WSJ)
  • ICBC was fined $32MM by DFS. (WSJ)
  • Why was Brexit doomed to fail? (FT)
  • Learn to play office politics or be its victim.  (FT)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Adventures in Compliance

The Return of Sherlock Holmes – Introduction to The Book ‘The Return of Sherlock Holmes’

Welcome to a review of all the Sherlock Holmes stories that are collected in the work “The Return of Sherlock Holmes.“. It is a collection of thirteen detective stories written by Sir Arthur Conan Doyle, marking the reappearance of the brilliant detective Sherlock Holmes after his apparent death in “The Final Problem.” The collection spans various intriguing cases and mysteries that Holmes and his loyal friend Dr. John Watson tackle.

From solving murders and thefts to uncovering complex deceptions and conspiracies, Holmes demonstrates his unmatched deductive skills and remarkable analytical mind. “The Return of Sherlock Holmes” not only showcases Holmes’s triumphant return but also delves into the depths of his character, illustrating his unwavering commitment to justice and his enduring friendship with Watson. The collection is a testament to Doyle’s storytelling prowess and the enduring appeal of the iconic detective, making it a must-read for fans of mystery and detective fiction. I will be exploring each story from the leadership and compliance angles, with some ethical lessons thrown in for good measure. Today we are celebrating the return of Sherlock Holmes after a three-year hiatus from his final confrontation with Professor Moriarty.

How did Holmes survive his final confrontation at Reichenbach Falls with Professor Moriarity? Where did Holmes travel during the great Hiatus? What of his friend, Dr. Watson? Has Holmes changed in the interim 3 years? Explore these questions and a host of others as Tom Fox begins a new season of the Adventures in Compliance podcast as he delves deeper into how the methods of Sherlock Holmes can be applied to uphold ethical standards and leadership principles in the world of compliance through stories from the book The Return of Sherlock Holmes.

Key Highlights:

  • The enigmatic survival of Sherlock Holmes
  • The Return of Sherlock Holmes
  • How did Doyle handle the hiatus?
  • What did Holmes do during the hiatus?

Resources:

The New Annotated Sherlock Holmes

Connect with Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – Jay Rosen on SAP’s Road to FCPA Compliance

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Jay Rosen who discusses the recent FCPA enforcement action involving the software giant SAP.

Jay Rosen is a seasoned compliance professional with a deep understanding of the SAP FCPA enforcement case. His perspective on the topic of SAP’s FCPA enforcement case and the importance of cooperation and self-disclosure is shaped by his belief that self-disclosure is paramount in any FCPA investigation or enforcement action. He points out that SAP did not initially self-disclose, but began to cooperate only after investigative reports were made public in South Africa. Despite this, Rosen acknowledges SAP’s commendable efforts in providing regular, prompt, and detailed updates to the fraud section, producing relevant documents, and undertaking extensive remediation actions. He underscores the importance of conducting a root cause analysis, implementing data analytics, and enhancing compliance programs and internal controls, asserting that companies can recover if they follow these steps and use data-driven analytics to counterbalance any negative facts. Join Tom Fox and Jay Rosen as they delve deeper into this topic on this episode of the FCPA Compliance Report.

Key Highlights:

  • The facts and underlying bribery schemes
  • Lack of self-disclosure and what it means
  • Extensive cooperation
  • Extensive remediation
  • A superior result achieved

Resources:

Jay Rosen on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

 

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. Identifying key risk areas is essential to risk mitigation and the protection of your company’s reputation. Corporate and institutional investors need to know who they will be doing business with especially given heightening regulatory compliance actions by the US and other government agencies, and increasing geopolitical risk concerns.

The 2023 Evaluation of Corporate Compliance Programs (ECCP) stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed:

First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources … Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI [microfinance institution] to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.

This Opinion Release sets out a clear break that every compliance practitioner should use in considering an appropriate level of due diligence to engage with third-party risk management process or when considering the level of due diligence required on a potential business venture partner.

Further in October 2023 the DOJ announced the new Mergers and Acquisitions Safe Harbor Policy, which encourages companies to self-report corruption and criminal misconduct found during an acquisition. Companies that cooperate with federal regulators, investigate, and then remediate such misconduct may be eligible for criminal declination by the federal government. This process must be initiated within 6 months of the M&A transaction and is heavily dependent on effective due diligence.

Importantly, you can’t disclose what you don’t know. Understanding FCPA risks in foreign jurisdictions requires a deep level of due diligence based on local and regional intelligence.

Given the increasing sanctions and geopolitical risk environment it behooves a company to identify these risk factors. Due diligence investigations also help to identify national security risks ranging from corruption, and sanctions violations to terrorist financing. The stakes are increasingly serious for all companies working internationally and domestically within the US.

Due diligence investigations can reveal reputational risk, litigation issues, fraud and corruption risks, financial sanctions, criminal activity, supply chain risk, regulatory risk and environmental, social & governance (ESG) risks.

A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled, Deep Level Due Diligence: What You Need to Know.

Level I. First level due diligence typically consists of checking individual names and company names through over 1400 Global Watch lists comprised of AML, anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures—demonstrating a broad intent to actively comply with international regulatory requirements.

Level I should also consider beneficial ownership records when they are available, and company tax information to assess whether the third party is financially sound and in compliance with tax payments as required within its primary country of business, plus a check of perceived business risks in that country. Additionally, the third party’s website should also be reviewed; it is unusual for a company not to have a website and this can be a preliminary flag that there are issues. Tal recommends verifying that the company address also exists; a non-verifiable address should be considered a potential red flag that would indicate the need for a deeper-level due diligence investigation.

Level I will reveal some of the key information needed to make preliminary risk exposure ranking decisions, especially for larger corporations who may have several hundred thousand vendors in their supply chains. However, Level I is very basic in scope and will not identify the majority of corruption risks; it should therefore only be considered a first step.

Level II. Level II due diligence encompasses a broader public records search and supplementing Global Watch lists with a negative keyword screening of international media, typically major newspapers and periodicals from all countries, plus detailed internet searches. Negative keywords are not the same as deep media/ OSINT searches as these focus on a smaller selection of keywords only. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third-party’s key executives and associated parties.

Level II should also include everything found in Level I searches plus in-country database searches. Other types of information you should consider obtaining are country of domicile and international government records, use of in-country sources to provide assessments, a check for international derogatory electronic and physical media searches, which should be performed in both English and foreign-languages, in its country of domicile. Further, if you are in a specific industry, use technical specialists and obtain information from sector specific sources.

Level III. This level is a deep dive due diligence with a far more thorough investigation than the Level II scope, enabling a comprehensive assessment of corruption and business risks.

I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence plus a deep dive investigation of online records to identify known and more importantly unknown conditions. It will also require an in-country “boots-on-the-ground” investigation in the country involved. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.”    Further, Tal notes that:

Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points. These are security-based recommendations designed to highlight issues and themes of information found across different investigative avenues. Without this understanding companies may miss critical information necessary to make informed risk and compliance decisions.

Significantly, thorough Level III due diligence can provide an additional level of fiduciary duty of care for the company’s board.

Level III should include deep web, accessible dark web, and historical Internet searches, also known as Open-Source Intelligence Investigations (OSINT). Although AI can be used for some of this work, it should be noted that AI without investigative analysis will yield less adverse information. AI can ignore  critical information that it cannot identify as missing, also there may be indicators inferring an outcome which is likely to be missed by AI currently. Investigative analysis looks at hidden and undisclosed information and searches for information that should have been found but was not. It is an integrated approach incorporating “boots on the ground”, intelligence gathering, and due diligence investigations. Relying on basic Google searches is a certain mistake as hidden and undisclosed information are unlikely to be discovered.

But more than simply an investigation of the company, including a site visit and coupled with onsite interviews, Tal says that some other things you should investigate include:

An in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.

Tal believes that an in-depth background check should also look for such “Reputational information, undisclosed involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm to investigate the third-party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third-party in the eye and get a firm idea of the third party’s cooperation and attitude towards compliance—as one of the most important inquiries is based on the response and cooperation of the third-party. More than simply trying to determine if the third party objected to any portion of the due diligence process or objected to the scope, coverage or purpose of the FCPA, you can use a Level III due diligence investigation to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.