Categories
Blog

Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. Identifying key risk areas is essential to risk mitigation and the protection of your company’s reputation. Corporate and institutional investors need to know who they will be doing business with especially given heightening regulatory compliance actions by the US and other government agencies, and increasing geopolitical risk concerns.

The 2023 Evaluation of Corporate Compliance Programs (ECCP) stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed:

First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources … Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI [microfinance institution] to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.

This Opinion Release sets out a clear break that every compliance practitioner should use in considering an appropriate level of due diligence to engage with third-party risk management process or when considering the level of due diligence required on a potential business venture partner.

Further in October 2023 the DOJ announced the new Mergers and Acquisitions Safe Harbor Policy, which encourages companies to self-report corruption and criminal misconduct found during an acquisition. Companies that cooperate with federal regulators, investigate, and then remediate such misconduct may be eligible for criminal declination by the federal government. This process must be initiated within 6 months of the M&A transaction and is heavily dependent on effective due diligence.

Importantly, you can’t disclose what you don’t know. Understanding FCPA risks in foreign jurisdictions requires a deep level of due diligence based on local and regional intelligence.

Given the increasing sanctions and geopolitical risk environment it behooves a company to identify these risk factors. Due diligence investigations also help to identify national security risks ranging from corruption, and sanctions violations to terrorist financing. The stakes are increasingly serious for all companies working internationally and domestically within the US.

Due diligence investigations can reveal reputational risk, litigation issues, fraud and corruption risks, financial sanctions, criminal activity, supply chain risk, regulatory risk and environmental, social & governance (ESG) risks.

A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled, Deep Level Due Diligence: What You Need to Know.

Level I. First level due diligence typically consists of checking individual names and company names through over 1400 Global Watch lists comprised of AML, anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures—demonstrating a broad intent to actively comply with international regulatory requirements.

Level I should also consider beneficial ownership records when they are available, and company tax information to assess whether the third party is financially sound and in compliance with tax payments as required within its primary country of business, plus a check of perceived business risks in that country. Additionally, the third party’s website should also be reviewed; it is unusual for a company not to have a website and this can be a preliminary flag that there are issues. Tal recommends verifying that the company address also exists; a non-verifiable address should be considered a potential red flag that would indicate the need for a deeper-level due diligence investigation.

Level I will reveal some of the key information needed to make preliminary risk exposure ranking decisions, especially for larger corporations who may have several hundred thousand vendors in their supply chains. However, Level I is very basic in scope and will not identify the majority of corruption risks; it should therefore only be considered a first step.

Level II. Level II due diligence encompasses a broader public records search and supplementing Global Watch lists with a negative keyword screening of international media, typically major newspapers and periodicals from all countries, plus detailed internet searches. Negative keywords are not the same as deep media/ OSINT searches as these focus on a smaller selection of keywords only. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third-party’s key executives and associated parties.

Level II should also include everything found in Level I searches plus in-country database searches. Other types of information you should consider obtaining are country of domicile and international government records, use of in-country sources to provide assessments, a check for international derogatory electronic and physical media searches, which should be performed in both English and foreign-languages, in its country of domicile. Further, if you are in a specific industry, use technical specialists and obtain information from sector specific sources.

Level III. This level is a deep dive due diligence with a far more thorough investigation than the Level II scope, enabling a comprehensive assessment of corruption and business risks.

I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence plus a deep dive investigation of online records to identify known and more importantly unknown conditions. It will also require an in-country “boots-on-the-ground” investigation in the country involved. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.”    Further, Tal notes that:

Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points. These are security-based recommendations designed to highlight issues and themes of information found across different investigative avenues. Without this understanding companies may miss critical information necessary to make informed risk and compliance decisions.

Significantly, thorough Level III due diligence can provide an additional level of fiduciary duty of care for the company’s board.

Level III should include deep web, accessible dark web, and historical Internet searches, also known as Open-Source Intelligence Investigations (OSINT). Although AI can be used for some of this work, it should be noted that AI without investigative analysis will yield less adverse information. AI can ignore  critical information that it cannot identify as missing, also there may be indicators inferring an outcome which is likely to be missed by AI currently. Investigative analysis looks at hidden and undisclosed information and searches for information that should have been found but was not. It is an integrated approach incorporating “boots on the ground”, intelligence gathering, and due diligence investigations. Relying on basic Google searches is a certain mistake as hidden and undisclosed information are unlikely to be discovered.

But more than simply an investigation of the company, including a site visit and coupled with onsite interviews, Tal says that some other things you should investigate include:

An in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.

Tal believes that an in-depth background check should also look for such “Reputational information, undisclosed involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm to investigate the third-party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third-party in the eye and get a firm idea of the third party’s cooperation and attitude towards compliance—as one of the most important inquiries is based on the response and cooperation of the third-party. More than simply trying to determine if the third party objected to any portion of the due diligence process or objected to the scope, coverage or purpose of the FCPA, you can use a Level III due diligence investigation to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Categories
Riskology

Riskology by Infortal Episode 11: The New Normal – Geopolitical Risks Reshaping Global Business

In this inaugural episode of Riskology by Infortal, hosts Chris Mason, Candice Tal and Dr. Ian Oxnevad discuss their approach to the podcast, and share a glimpse into the diverse range of topics they will be delving into. Riskology blends business, geopolitics, and intelligence to demystify the 21st century economic world and explore how geopolitical risk directly impacts your bottom line. 

Infortal Worldwide is a global risk management and investigations firm that specializes in helping businesses navigate complex risk landscapes. The company’s focus extends to various areas, including economics, politics, and geopolitical risk. By delving into these interconnected realms, Infortal Worldwide aims to provide clients with comprehensive insights that empower them to make informed decisions, especially in critical areas such as mergers and acquisitions, private equity investments, and other strategic moves.

 

You’ll hear Candice, Chris and Ian discuss:

  • Infortal Worldwide is a global risk management and investigations firm with a strong 38-year track record. The firm operates in 160 countries around the world, serving a diverse range of industry sectors, with a primary focus on large companies, upper-middle-market entities, and large-cap corporations.
  • In addition to geopolitical risk, Infortal specializes in providing solutions to real-world problems faced by clients. Their expertise encompasses issues such as sanctions risk, potential violations of the Foreign Corrupt Practices Act (FCPA), identifying bad actors, and addressing reputational damage that can expose companies to significant risks.
  • Infortal helps companies mitigate global risk exposures, such as financial losses, reputational damage, and legal liability. They provide a comprehensive risk management solution with tools and services to identify, assess, and manage risks.
  • The risk environment encompasses micro risks at the individual and business level, as well as macro risks at the country and regional level. The focus is on understanding immediate risk exposure from individuals and businesses, up to broader country-level and regional risks.
  • Infortal recognized the significant challenges that companies face when engaging with international partners, suppliers, and stakeholders. The company aims to address the gap in discussions around geopolitical risk and provide education on the multifaceted challenges that businesses face today.
  • Larger companies often face challenges in disseminating key information about geopolitical risks effectively. Information tends to become siloed within risk teams, making it difficult for decision-makers to access and act upon relevant intelligence. To unlock the power of geopolitical risk analysis, it is necessary to break down information silos and ensure that critical insights reach key decision-makers.
  • Geopolitical risk analysis is more than just identifying potential problems and challenges. When information flows effectively within an organization, companies can use geopolitical risk analysis to uncover opportunities. This proactive approach allows organizations to strategically navigate the business landscape, positioning themselves advantageously against competitors in the event of unforeseen challenges.
  • The current geopolitical risk landscape indicates a change in the dynamics of globalization. While globalization is a real and ongoing phenomenon, the traditional framework and relationships that defined it in the past have been significantly disrupted. Key geopolitical players, such as Russia, China, India, and the European Union, are reshaping the global economic landscape, and this transformation presents both challenges and opportunities.
  • While globalization is currently facing challenges and uncertainties, it is also a critical juncture with many opportunities. Strategic countries such as India and Turkey, as well as those straddling various global dynamics, will play a pivotal role in shaping the future. The US, with its strong fundamentals and economic influence, remains a major player in determining the course of global developments.

 

KEY QUOTES

“The area that we specialize in, in addition to geopolitical risk, is finding solutions to real world problems that our clients face. And that could be anything from sanctions risk, to potential FCPA violations, to finding bad actors [and] con artists, to businesses that are operating with reputational damage and create exposures for the companies that they work with.” – Candice Tal 

 

“And that’s the issue or the challenge of key information getting siloed within organizations. … It’s sometimes hard for all of the right information to come from the risk teams and end up in the right circles within the organization so that the key decision makers can actually act on the information and the intelligence that’s there. In the case of geopolitical risk, what we’re finding is that information is not making its way to the right individuals within the organizations.” – Chris Mason

 

“If you look at the geopolitical risk landscape today, it can be really summed up as: globalization ain’t what it used to be. And what that really means is that if there’s geopolitical stability and stability within major countries, then the global economy is going to work very well. But because of a number of issues that have happened over the past few years, some of it relates to COVID, some of it relates to just the fact that it’s not a unipolar system anymore. But what that means is that this is not the Cold War, this is not the post Cold War era in which we had peace and prosperity and the spreading of liberal democracy. If you sum all that up, we’re actually going in reverse.” – Ian Oxnevad

 

Resources

Infortal Worldwide 

Candice Tal on LinkedIn | Twitter

Ian Oxnevad on LinkedIn

Chris Mason on LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – Candice Tal on Due Diligence: Levels and Evaluation

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. Join Tom Fox, the host of FCPA Compliance Report, as he speaks with Candice Tal, founder and CEO of Infortal. Get ready to boost your compliance program in this exciting episode of FCPA Compliance Report. In this episode, Tom and Candice discuss the three levels of due diligence typically used to investigate joint venture partners and senior executives and the significance of conducting thorough due diligence. Level one is for low-risk situations, level two is for moderate-risk situations, and level three is for high-risk situations that require deep dark web searches. The key takeaways are to never skimp out on basic due diligence and to consider level three due diligence for high-risk areas or key executives. Don’t miss out on this informative episode of FCPA Compliance Report hosted by Tom Fox and featuring Candice Tal!

 Key Highlights

·      Introduction of Candice Tal

·      What are the 3 levels of due diligence.

·      What is deep dive due diligence.

·      Finding reputational issues.

·      Evaluating due diligence.

Notable Quotes

“Due diligence typically is sorted out into 3 general levels or tiers.”

“If you’re not doing deep dive due diligence, you’re not finding reputational issues.”

“You just can’t find reputational issues on database searches.”

Resources

Candice Tal on LinkedIn

Infortal

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Evaluation of Due Diligence With Candice Tal

An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. Not only must all red flags be cleared, but there must also be evidence of the decision-making process to show to a regulator if one comes knocking. Around third parties, consider what risks you face in both your sales and supply chain. Suppose there is a key player several tiers down the line which creates or builds a key component or delivers a critical service. In that case, you may want to put more management around that relationship from the compliance perspective.

For anything below tier 2, you may be able to manage your risks by having your direct tier one counterpart take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counterparty so that if the government comes knocking, you can show that you did not only contractually obligate your direct counterparty to do so but also provided them the tools and training to do so. Finally, you will need to be able to show that your direct counterpart did so.

Three key takeaways:

  1. There is no set formula for clearing red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must “Document, Document, and Document” your evaluation of any red flags.
Categories
Blog

Levels of Due Diligence-Part II

In the conclusion of this blog post series on levels of due diligence, I am drawing from Candice Tal, Founder and CEO of Infortal Worldwide, in her seminal article entitled, Deep Level Due Diligence: What You Need to Know.

Level II. Level II due diligence encompasses supplementing Global Watch lists with a deeper screening of international media, typically major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third-party’s key executives and associated parties. I believe that Level II should also include in-country database searches. Other types of information you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments; a check for international derogatory electronic and physical media searches, which should be performed both English and foreign-languages, in its country of domicile. Further, if you are in a specific industry, use technical specialists and obtain information from sector specific sources.

Level III. This level is a deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further, “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

Level III should also include deep dark and historical Internet searches, also known as Open Source Intelligence Investigations (OSINT). Although AI can be used for some of this work, it should be noted that AI without investigative analysis will yield less adverse information. Investigative analysis looks at hidden and undisclosed information and searches for information that should have been found but was not. It is an integrated approach incorporating ‘boots on the ground’, intelligence gathering, and due diligence investigations. Relying on basic Google searches is a certain mistake as hidden and undisclosed information are unlikely to be discovered.

But more than simply an investigation of the company, including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”

Further, you may need to engage a foreign law firm to investigate the third-party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third-party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third-party. More than simply trying to determine if the third-party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use a Level III to determine if the third-party is willing to stand up with you under the FCPA and are you willing to partner with the third-party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Categories
Blog

Levels of Due Diligence-Part 1

Due diligence will always be a basis of any best practices compliance program. Over the next couple of days, I will consider the levels of due diligence and detail how each category will help to inform your compliance program.

Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2020 Update to the Evaluation of Corporate Compliance Programs stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed:

First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources … Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI [microfinance institution] to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.

This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled, Deep Level Due Diligence: What You Need to Know.

Level I. First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of AML, anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level I should also consider beneficial ownership records where available, and company tax information to assess whether the third party is financially sound and in compliance with tax payments as required within its primary country of business, plus a check of perceived business risks in that country. Additionally, the third party’s website should also be reviewed; it is unusual for a company to not have a website and this can be a preliminary flag that there are issues. Tal recommends verifying that the company address also exists; a non-verifiable address should be considered a potential red flag which would indicate the need for a deeper level due diligence investigation.

Join us tomorrow as we explain Levels 2 & 3 of due diligence and conclude this blog post series.

Categories
This Week in FCPA

Episode 300 – the All Good Things edition


Welcome to the All Good Things edition of This Week in FCPA. This episode 300 is Tom and Jay’s final episode of this podcast. It has been a great run and we appreciate all our loyal fans and listeners over the past 6-year plus run. Today we close with some highlights from our most popular episode, our favorite episodes and some very special guests including Candice Tal, Lisa Beth Lentini, Joe Oringel and Tedra Foster.
Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

Categories
Blog

Cookies, Chocolates and IP: The Stericycle FCPA Enforcement Action – Part IV

Last week, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced a Foreign Corrupt Practices Act (FCPA) enforcement action, involving the waste management company, Stericycle, Inc. (Stericycle). According to the Information and Deferred Prosecution Agreement (DPA), Stericycle entered into a three-year DPA. The company was charged with two counts of conspiracy to violate (1) the anti-bribery provision of the FCPA, and (2) the FCPA’s books and records provision. Under the DPA, Stericycle agreed to a criminal penalty of $52.5 million of which the DOJ agreed to credit up to one-third of the criminal penalty against fines the company pays to authorities in Brazil in related proceedings. According to the SEC Cease and Desist Order (Order), Stericycle violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA and agreed to pay approximately $28.2 million in disgorgement and prejudgment interest. The SEC Order also provided for an offset of up to approximately $4.2 million of any disgorgement paid to Brazilian authorities. Today we consider the lessons learned.
Rapid Expansion
Similar to what we saw in the WPP enforcement action, Stericycle engaged in rapid expansion in a series of foreign jurisdiction. In this case it was Latin America. Stericycle does not seem to have made the same mistakes as WPP in holding back part of the overall acquisition payout to the owners in the locales where they purchased entities and thereby incentivizing corruption to meet sales goals. Under Stericycle, there was nothing about this same type of incentive plan used by WPP. However, Stericycle did appear to keep the former owners on as the executives in these new foreign subsidiaries without taking into account how those former owners may have done business or the risk model it entailed.
Which brings us to pre-acquisition due diligence, which is not simply looking at the financial issues involved but also considering the potential purchase from the compliance perspective. How did the companies which were purchased to form the foreign subsidiaries in Latin America do business before they were purchased? Did Stericycle review those companies from the compliance standpoint?
Moreover, and as Candice Tal, founder of Infortal, continually reminds us, due diligence is more than simply a site investigation or a couple of interviews. It should include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other lawsuits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.” Clearly, Stericycle did not engage in this level of due diligence in either the acquisitions of the entities which became Stericycle subsidiaries in Latin America, nor in their key personnel. Employees up and down the chain of an organization do not simply wake up one day and decide to engage in bribery and corruption and create a full set of records so the effectiveness of your bribery-based business process can be evaluated. 
Impact of the FCPA Corporate Enforcement Policy
The Stericycle enforcement action once again demonstrates how the FCPA Corporate Enforcement Policy can benefit even the most corrupt organization and allow a significant reduction of the overall fine and penalty under the US Sentencing Guidelines. According to the DPA, Stericycle received a 25% discount off the bottom of the applicable Sentencing Guidelines fine range for its cooperation during the pendency of the investigation and the extensive remediation.
I have previously estimated Stericycle saved between $25 million to $30 million from their final criminal fine. That is certainly a significant amount and one every Chief Compliance Officer (CCO) needs to have ready to submit to your CEO to demonstrate the power of committing time and resources to both internal investigations and remediation during the pendency of the investigation.
Impact from the Lisa Monaco Doctrine
a. The Monitor
The is first FCPA enforcement action to show the full impact of the change in DOJ enforcement priorities after the Lisa Monaco speech of October 2021, in a variety of ways. The first is the imposition of a monitor. It was required under both the DPA and the Order. Interestingly, even though the company was long aware of its compliance and ethical failures and even though it had been investigating this matter since at least 2016; the company could not seem to get its collective act together enough to fully implement and test the new compliance regime set out in the DPA. The DPA stated, “despite its extensive remedial measures described above, the Company to date has not fully implemented or tested its enhanced compliance program, and thus the imposition of an independent compliance monitor for a term of two years, as described more fully below and in Attachment D, is necessary to prevent the recurrence of misconduct.” [Emphasis supplied] Clearly the DOJ (and SEC) did not trust that the company would follow through with its resolution documents obligations and was “necessary to prevent the recurrence of misconduct.”
b. Culture
One part of the Monaco speech which drew much criticism from the White-Collar defense bar and others were her remarks around culture and that the DOJ would start assessing corporate culture in the context of other fines, penalties and regulatory enforcement actions from outside the FCPA context. Many articulated fears that conduct completely unrelated to a FCPA enforcement action could form the basis of a FCPA enforcement action. Those fears were alleviated in the Stericycle DPA which stated, “the Company has some history of prior civil and regulatory settlements, but no prior criminal history”. At least at this point, no unrelated civil or regulatory actions were assessed in the context of a FCPA enforcement action.
There was and continues to be much to consider and learn from the Stericycle FCPA enforcement action. I am sure we will be revisiting it in the future.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Evaluation of Due Diligence With Candice Tal

An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. It is mandatory that not only must all red flags be cleared but there also be evidence of the decision-making process to show to a regulator if one comes knocking. Around third-parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective.

For anything below a tier 2; you may be able to manage your risks through having your direct tier one counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so.

Three key takeaways:

  1. There is no set formula for clearing of red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must “Document, Document, and Document” your evaluation of any red flags.