Tag: Due Diligence

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – The How Question in Due Diligence

What is satisfactory due diligence under the FCPA? That question seems more important after the story on Unaoil S.A.M. and the subsequent release of the Panama and Paradise Papers. However, both events largely focused on the “who” part of due diligence and the need to know with whom you are doing business in the future. However, another important question that does not come up as often in due diligence is how?

How does a third party perform its services with or for your company? How can a third party help you make sales if it is on the sales side? If a third party comes through the supply chain, how do their products or services meet the needs of your company? Suppose the third party has a closer business relationship, such as a JV, teaming agreement, or similar arrangement. In that case, you may need a much deeper understanding of how this third party does business because the relationship may become so close you will be intertwined with the party. It may mean more than how their product works, but how does this third party conduct themselves and their business?

 Three key takeaways:

1. The how question can be as critical as the who question.

2. The more integrated a third party is into your operations, the more important this question becomes.

3. Incorporate a how-to question into your due diligence and ongoing monitoring and auditing after the contract is signed.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Evaluation of Due Diligence With Candice Tal

An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. Not only must all red flags be cleared, but there must also be evidence of the decision-making process to show to a regulator if one comes knocking. Around third parties, consider what risks you face in both your sales and supply chain. Suppose there is a key player several tiers down the line which creates or builds a key component or delivers a critical service. In that case, you may want to put more management around that relationship from the compliance perspective.

For anything below tier 2, you may be able to manage your risks by having your direct tier one counterpart take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counterparty so that if the government comes knocking, you can show that you did not only contractually obligate your direct counterparty to do so but also provided them the tools and training to do so. Finally, you will need to be able to show that your direct counterpart did so.

Three key takeaways:

  1. There is no set formula for clearing red flags or the evaluation of due diligence.
  2. Know when to say enough has been done.
  3. You must “Document, Document, and Document” your evaluation of any red flags.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Due Diligence

Most companies fully understand the need to comply with the requirements around third parties, as they represent the greatest risks for bribery and corruption. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up-and-running business. This means they may need to bring resources to bear while continuing to operate an ongoing business. This can be particularly true in performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties but have struggled with creating an inventory to define the basis of third-party risk and perform the requisite due diligence required.

It is stated in the 2023 ECCP that: “Risk-Based and Integrated ProcessesHow has the management of the company’s third-party process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?”

Getting your arms around due diligence can sometimes be bewildering for the compliance practitioner. The information you gathered in Steps 1-Business Justification and 2-Questionnaire of the third-party management process should provide the initial information to consider the level of due diligence needed. This leads to Step 3 of the third-party management process: due diligence. The 2020 Resource Guide stated, “As part of risk-based due diligence, companies should understand the qualifications and associations of their third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”

 Three key takeaways:

1. Risk rank your third parties and use this as a basis for adequate due diligence.

2. Any red flags which appear must be cleared, and there must be documented evidence of such clearance.

3. There must be documented evidence of a review of the due diligence.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for Business Ventures-Why Business Ventures are Different than 3rd Parties

Business ventures, whether JVs, partnerships, franchises, team agreements, strategic alliances or one of the myriad types of business relationships a U.S. company can form outside the U.S., are different than the usual risk presented by third-parties under compliance requirements such as those mandated by the FCPA. The problems for companies is that they tend to treat business venture risk the same as third-party risk. They are different and must be managed differently.

The bottom line is that may compliance practitioners have not thought through the specific risks of business ventures such as JVs, franchises, strategic alliances, teaming partner or others as opposed to sales agents or representatives on the sales side of the business. I hope that this will help facilitate a discussion that maybe people will begin to think about more of the issues, more of the risk parameters and perhaps put a better risk management strategy in place.
Three key takeaways:

  1. Business ventures bring different FCPA risks from third-parties.
  2. JVs have both external compliance risks and corporate governance risks.
  3. Use your full compliance tool kit for business ventures in managing the FCPA risk for franchises.
Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Questionnaire and Due Diligence

Are you considering a third-party questionnaire for your organization? With so much debate around what should be asked, and how detailed you should be, it can be hard to know where to start. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the third-party questionnaire and I am joined by Stephanie Font, the director of the Operations Optimization Group at Diligent as we discuss third party questionnaires and due diligence investigations.

With so much debate around what should be asked in your questionnaire and how detailed your questionnaire should be, it can be hard to know where to start. It is important that every compliance professional understand your risk profile to all crafting of the right due diligence process to ensure compliance. Here are the steps you need to follow to also get compliance and  risk.:

  1. Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.
  2. Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.
  3. Documenting: Keeping records of the due diligence investigations to be used in the future.

Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.

The first step to managing third parties is to create a questionnaire to gather basic information about the third party and what regulations need to be complied with. When creating the questionnaire, it is important to understand the organization’s risk model and what it is trying to achieve. The questionnaire should be tailored to the specific risk factors the organization is trying to address, as well as the regulations that need to be complied with. Questions should include items such as the size of the company, where they do business, and the type of relationship they have. Additionally, the questionnaire should ask questions that will alert to any potential risk factors, such as if they do business in a highly sanctioned country. Once the questionnaire is sent and responses are received, the answers can be used to inform the next step of the due diligence process. Your third-party risk management system should automate some of the process by flagging risk factors and indicating what level of investigation is needed. Lastly, it is important to document the process and create an audit trail that can be used for various reasons, such as compliance and internal review.

Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.

The second step of third-party due diligence is the due diligence investigation. This step involves investigating the third party based on their answers to the questionnaire and other risk factors. The best approach to this investigation is to first understand the company’s risk and what it is trying to accomplish. This allows the company to create a risk model and tailor the questionnaire to fit their needs. The questionnaire should include questions about the size of the company, where it does business, and other risk factors that may arise. After the questionnaire is complete, the next step is to assess the risk factors and determine the appropriate level of investigation needed. This could range from a baseline screening for sanctions list and other global databases to an enhanced due diligence investigation which involves boots on the ground to ask questions about the company’s reputation and verify a manufacturing site. Additionally, it is important to document the process to create an audit trail for internal stakeholders and regulators. This process should be tracked in a third-party risk management system to ensure everything is done correctly.

Documenting: Keeping records of the due diligence investigations to be used in the future.

Documenting is an important step in the due diligence process, as it helps to create an audit trail of the activities and decisions that were taken. When it comes to due diligence, it is important to keep records of all investigations that were conducted, as these records can be used in the future to defend any decisions that were taken. This allows for all the necessary information to be stored in a secure location and can even track any changes or updates to the investigations over time. Additionally, the system can be used to flag any potential risks that come up in the investigations, and it can also automate the process of deciding which type of investigation is necessary based on the risk model. Finally, it is important to keep all documents related to the due diligence process, such as the questionnaire, investigation reports, and any other relevant documents, to create an audit trail and ensure that all compliance regulations are met.

Third party due diligence is a crucial part of any compliance program. A thorough questionnaire and a detailed due diligence investigation can help organizations to mitigate risk and ensure compliance with applicable regulations. Additionally, it is important to document the process, as this creates an audit trail that can be used in the future. With the right tools and processes in place, organizations of any size can successfully manage third party risk and create a robust compliance program. With the right information and guidance, you too can create a successful third-party due diligence process for your organization.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Stephanie Font on the podcast series here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for business – Pre-acquisition Due Diligence in Mergers and Acquisitions

A company that does not perform adequate due diligence before a merger or acquisition may face legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation and potential civil and criminal liability. While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the FCPA Resource Guide, 2nd edition, focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.

The 2020 Update made the need for a robust compliance presence in the pre-acquisition phase even more apparent. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing harm to a business’s profitability and reputation and risking civil and criminal liability.”

Multiple red flags could be raised in this process, which might warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breaches of policies and procedures. A target that is in financial difficulty would bear closer scrutiny. Structurally, this could present issues if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors’ level. From the CCO perspective, if the position did not have Board or CEO access or had no regular reports, it could present an issue for compliance. Conversely, if there were frequent requests to waive policies, management override of compliance controls, or no consistent consequence management for violations, it could present clear red flags for further investigation.

Three key takeaways: 

  1. Your pre-acquisition due diligence results will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – JV Due Diligence

When you bring two entities together to operate jointly, there are several difficult issues to analyze. For the U.S. company operating under the FCPA, there must be an adequate business justification for a JV with a specific partner, all in writing and approved by an appropriate level of the organization. This is where the due diligence process comes into play. The due diligence process should be built on principles similar to those involving third parties. The procedure should be robust, documented, and address all potential risks. A company should use its due diligence review of the JV partner to properly assess and uncover corruption risks. Using this due diligence and its evaluation, you can move to contractual clauses, certifications, representations, and warranties from a JV partner or insist on other remedial measures to minimize risk exposure.

A U.S. business looking to engage a JV partner must consider the people who make up its JV partner. As you will have to mesh what may be two very different cultures and understandings of compliance, it is important to assess how your potential JV partner will take these obligations before rather than after you ink the JV agreement.

Three key takeaways:

  1. JV’s due diligence must focus on the unique risks.
  2. Ask for a detailed list of information from your potential JV partner.
  3. Be sure to do the onsite investigation of your potential JV partner.
Categories
FCPA Compliance Report

FTX and Risk: Part 2 – Risk Management and Due Diligence

Welcome to the award-winning FCPA Compliance Report, the most senior podcast in compliance. In this episode, I conclude a 2-part series on FTX and risk. I am joined by Gilbert Paiz and Andrew Gay, principals in the Texas Hill Country Advisors. In our previous Part 1, we considered risk and risk management through the lens of US-domiciled financial institutions and how their risk management protocols help assess risk and manage it throughout the life cycle of a banking-customer relationship. In this Part 2, we consider individual risk in investing and what type of background information, questions, and due diligence individuals should engage in and how these questions and background investigations apply equally to larger investments made by sophisticated investors, hedge funds, and institutional investors; who should have made them before investing in FTX but they all failed to do so.

Some of the highlights include:

·      What due diligence should an individual perform?

·      What should an individual look for in a financial statement?

·      Why is the physical location of businesses and where it might be incorporated such an important piece of information?

·      What are backstops, guarantees, or other mechanisms to retrieve investments?

·      What Due Diligence mistakes did you see in FTX?

·      What are related party transactions, and why are they problematic?

·      Why are audited financials critical?

 Resources

Texas Hill Country Advisors

Categories
Daily Compliance News

December 2, 2022 the Huge Management Failure Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you four compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Stories we are following in today’s edition of Daily Compliance News:

  • More FCPA cases are on the horizon. (WSJ)
  • SBF says it was a ‘huge management failure.’ (NYT)
  • Does anyone perform due diligence anymore? (FT)
  • SA President urged to step down due to corruption allegations. (Aljazeera)
Categories
Blog

Lafarge Part 3: Final Thoughts

We conclude our exploration of one of the most public cases of corporate moral bankruptcy where Lafarge SA and its Syria unit Lafarge Cement Syria, or LCS, each pled guilty to a count of conspiring to provide material support to foreign terrorist organizations and will pay a total of $777.78 million.  According to the Plea Agreement, this amount consisted of a total criminal fine of approximately $91 million and forfeiture of $687 million. As previously noted, this is not a Foreign Corrupt Practices Act (FCPA) enforcement action, but an enforcement action based on USC §2339B for one count of conspiracy to provide material support to one or more foreign terrorist organizations. While this is not a FCPA enforcement action, the mechanisms by which Lafarge paid bribes or otherwise funded the terrorist organizations ISIS and ANF are instructive for the anti-corruption compliance professional. These strategies were laid out in the Statement of Facts and considered in Part 2 of this series.

The Costs of Corruption

One clear message from this matter is the cost of moral bankruptcy and corruption. As noted in the Statement of Facts, “From August 2013 through October 2014, Lafarge and LCS paid ISIS and ANF, through intermediaries, the equivalent of approximately $5.92 million.” For that amount of corruption, through the funding of terrorist and terrorism, Lafarge will pay a total fine of $777.78 million. About the only FCPA matter which comes close to this disparity in the amount of the bribe and penalty was the Avon FCPA enforcement action where bribes totaling $8 million led to led to a reported total penalty of $135 million. By the time of the resolution, Avon also had reported over $300 million in investigative costs.

At the times of the incidents in questions, 2012 to 2014, Lafarge had annual sales in the range of $2 billion plus and annual revenues in the range of $400 to $435 million. Very clearly the bribes paid by Lafarge were not material in the financial accounting sense. That may have been why no one seemed to be looking at the company. However, it drives home the point that a relatively small amount of corporate outgo can generate huge costs in the form of a $777.78 million fine. We have not begun to discuss the pre-resolution costs but in FCPA cases they are in the range of two to six times the final fine. Even if the pre-resolution costs were 1X the fine, that would still drive the all-in cost over $1.5 billion.

Monitoring Non-Standard Communications

One of the areas that bears consideration by the compliance professional is that of internal communications, as, “Many of the Lafarge and LCS executives involved in the scheme used personal email addresses, rather than their corporate email addresses, to carry out of the conspiracy.” In September, the Securities and Exchange Commission (SEC) announced “charges against 15 broker-dealers and one affiliated investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts set forth in their respective SEC orders, acknowledged that their conduct violated recordkeeping provisions of the federal securities laws, agreed to pay combined penalties of more than $1.1 billion, and have begun implementing improvements to their compliance policies and procedures to settle these matters.”

In a recent speech (Miller speech), Principal Associate Deputy Attorney General Marshall Miller said, after the announcement of the Monaco Doctrine, in a section entitled “Meeting the Compliance Challenges of Communications Technology”, “Now let me turn to an area that we recognize is a big challenge for all organizations — employees’ use of personal devices and third-party messaging platforms for work-related communications… particularly as to detecting their use for misconduct. However a company chooses to address their use for business communications, the end result must be the same: companies need to prevent circumvention of compliance protocols through off-system activity, preserve all key data and communications and have the capability to promptly produce that information for government investigations.”

Now consider that whopping fine and enforcement action in the context of the fraud of Lafarge executives. The Miller speech focused on both messaging apps and other forms of corporate communications. In the Lafarge matter, the communications were very basic, on company computers using non-company emails through channels like AOL or Gmail. The Lafarge executives were using these outside of standard communication channels to facilitate their crimes with ISIS and ANF. This part of the enforcement action has not received much scrutiny but is something every compliance professional needs to consider – are your employees (or execs) using non-company emails or other forms of communication tools outside of standard company communication methods? The compliance function needs to work with their corporate IT folks to make sure no executives or employees are using such channels for communications and to monitor them if they are.

Failures in M&A Due Diligence

The final area for consideration is that of Mergers and Acquisitions (M&A). The Statement of Facts noted, “LAFARGE and certain of its executives, in fact, failed to disclose LCS’s dealings with ISIS and ANF to Holcim throughout discussions of the transaction and after completion of the deal. LCS had ceased producing cement in Syria by the time the transaction with Holcim was completed, and in the approximately seven months between the completion of the acquisition and the emergence of public allegations regarding the misconduct in Syria, Holcim did not conduct post-acquisition due diligence about LCS’s operations in Syria.”

Not only did the Lafarge executives not disclose this corruption to Holcim, but they also actively discussed continuing the corruption payment so as not to derail the transaction. Moreover, Holcim apparently did not conduct due diligence into LCS or any of these matters. Perhaps the non-material nature of the payments was a factor. Whatever the excuse for this pre-acquisition due diligence failure, it cost Holcim dearly. Even if Holcim was not assessed the fine, they were the entity which bore the administrative and emotional costs of the investigation leading up to the resolution. Dan Chapman once told me that in an all-encompassing investigation, it could take up to 25% of senior executives time. Given the number of investigations across the globe on this matter, that figure might be lower. All of these factors bear witness to the extraordinary costs for the failure of an acquiring company to perform compliance due diligence prior to closing.

We are now at the end of this short blog series. The Lafarge case is perhaps the first corporate matter since the oil-for-food cases where complete corporate moral bankruptcy has played such a factor. We can only hope that it will be that long until we see the next such example.