In today’s edition of Daily Compliance News:
- Mandated Due Diligence for PEPs. (WSJ)
- Reset the corruption clock in Illinois. (ChicagoTribune)
- E-commerce bets paying off. (WSJ)
- Jerry Falwell, Jr. resigns (or not). (WaPo)
Tag: Due Diligence
Most companies fully understand the need to comply with the requirements around third-parties as they represent the greatest risks for bribery and corruption. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. This means they may need to bring resources to bear to do so while continuing operating an ongoing business. This can be particularly true in the area of performing due diligence on third-parties. Many companies understand the need for a robust due diligence program to investigate third-parties but have struggled with how to create an inventory to define the basis of third-party risk and, thereby, perform the requisite due diligence required.
Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. The information that you gathered in Steps 1-Business Justification and 2-Questionnaire of the third-party management process should provide you with the initial information to consider the level of due diligence needed. This leads to Step 3 of the third-party management process: due diligence. The 2020 Resource Guide stated, “as part of risk-based due diligence, companies should understand the qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”
Three key takeaways:
- Risk rank your third-parties and use this as a basis to begin with an adequate level of due diligence.
- Any red flags which appear must be cleared and there must be documented evidence of such clearance.
- There must be documented evidence of review of the due diligence.
In this special podcast series, I visit with lawyers from Azevedo Sette in Sao Paulo. The lawyers and topics include: Isabel Franco on a CarWash changed a culture, Lucas Bianchinni on environmental regulation in Brazil, Glaucia Ferreira on the Clean Companies Act, Luiz Salles on recent Brazilian corruption enforcement actions and Ingrid Santos & Guiliana Boniha on the hottest topic in Brazil: Me Too and sexual/moral harassment. In today’s episode, I visit with Glaucia Ferreira on background investigations in Brazil.
- What are some of the challenges in performing background investigations in Brazil under the Clean Companies Act?
- Why are financial check and security investigation so critical in Brazil?
- What some of the challenges unique to performing background investigations in Brazil?
- Why is the human element so important in background investigations?
- Where can listeners go for more information?
This podcast is sponsored by the law firm of Azevdo Sette. To learn more about this firm, visit its website, for resources, expert guidance and support.
An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. It is mandatory that not only must all red flags be cleared but there also be evidence of the decision-making process to show to a regulator if one comes knocking. Around third-parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective.
For anything below a tier 2; you may be able to manage your risks through having your direct tier one counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show that not only did you contractually obligate your direct counter-party to do so but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party did so.
Three key takeaways:
- There is no set formula for clearing of red flags or the evaluation of due diligence.
- Know when to say enough has been done.
- You must “Document, Document, and Document” your evaluation of any red flags.
Candice Tal is the founder and Chief Executive Officer (CEO) of Infortal Worldwide, and one of the top experts around on due diligence. In an interview, I asked Tal about the use of AI in investigative due diligence and specifically how AI has led innovation in investigative due diligence. Tal believes that AI will be a “game changer” in compliance. Massive data sets require some type of AI to sort through and analyze the information. This is particularly important for internal controls and accounting books and records provisions to identify massive fraud. This is yet another area which is still developing. Tal stated, “I’ll frame that by saying at least in the next few years, there will still be a need for the traditional investigative approach that the boots on the ground, one where an investigator goes out and physically checks on facilities. Artificial intelligence is going to have limited ability to do that.” While drones may become part of an investigators tool kit, Tal believes that AI will be used “in a similar way to most data aggregators today. They find about 80% of the information. Yet there will always be the remaining 20% which they cannot find and you will need human intervention on the investigative side.”
Looking down the road to the veiled land of the future, Tal sees continued innovation facilitating investigative due diligence. While AI is more than simply on the horizon, she said it “is a tried and tested methodology that has existed for many years, in terms of how you look for and locate shell companies.” It is also true about finding information about people who are trying to deliberately hide information. The bottom line is some of these investigative techniques involve old-fashioned shoe leather or simply hard diligent investigative work and “that’s not new”. Yet AI and other technological tools can make investigations more efficient and more cost effective, while giving better results. At the end of the day, AI can be used to sharpen and hone the due diligence process.
Three key takeaways:
- AI can help change the face of due diligence.
- AI will facilitate data aggregation in due diligence investigations.
- Always remember the human element.
Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.
A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed. This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled “Deep Level Due Diligence: What You Need to Know”
Three key takeaways:
- A Level I due diligence should only be used where there is a low risk of corruption.
- A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
- Level III due diligence is deep dive, boots on the ground investigation.
A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners of the need to engage in robust pre-acquisition due diligence.
This was expanded again in the 2017 Evaluation but the 2019 Guidance made even more clear the need for a robust compliance presence in the pre-acquisition phase. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets. Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
Three key takeaways:
- The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
- Periodically review your M&A due diligence protocol.
- If red flags appear in pre-acquisition due diligence, they should be cleared.
Welcome to the Day 2 of a five-day podcast series Jay Rosen and I are producing in honor of the latest Star Wars movie The Last Jedi. Each day over this week, Jay and I will review a Star Wars movie and discuss it from the compliance perspective. Today, we consider Episode V, The Empire Strikes Back and due diligence.
This movie is my personal favorite of the initial trilogy. During the climactic battle between Luke Skywalker and Darth Vader, there is the BIG REVEAL where Vadar utters the immortal line, “I AM YOUR FATHER”. In the context of knowing who you are doing business with under the Foreign Corrupt Practices Act or UK Bribery Act. I once heard a company President say he did not need to perform due diligence because he looked a man in the eyes and that was enough to know if he was honest. (I should add, this company President also evaluated the strength of a handshake as an additional level of due diligence.) Hopefully we have moved past this level of sophistication for due diligence and its evaluation thereof.
There are three levels of due diligence and you must make a determination which is appropriate for the entity or person you are investigating. If a red flag appears it must be cleared or a risk management strategy articulated to allow moving forward.
Level I
First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. Level I due diligence addresses such basic issues as whether the third party actually exists, the identities of management, officers, directors and shareholders and whether such persons are on regulators’ watch lists. It can also provide some basic information on whether there are politically exposed persons (PEPs) involved in the third party. Finally, if there are any media reports linking the company to corruption.
Level II
Level II due diligence encompasses supplementing Level I due diligence with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed Internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties. Level II can give you information on adverse litigation, any bankruptcy proceedings, overt signs of financial difficulty. More generally it will also provide local online information such as corporate filings, regulatory filings, lawsuits and locally archived materials. You also be able to determine if there were any in-country investigations or sanctions from regulatory entities.
Level III
This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation and is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.
Now imagine if Luke had performed a more robust level of due diligence on Darth Vadar? Would he have been able to find out Darth Vadar was his father? Perhaps not but then again, we might not have heard that seminal line “I AM YOUR FATHER”.
Join us tomorrow where we consider Return of the Jedi and effective training.
Welcome to Episode 6 of Compliance Man Chooses the Target with Tim Khasanov-Batirov. Our goal is to highlight matters that should be on agenda of practitioners that deploy compliance programs in industries or countries of active FCPA enforcement. In this episode, we will target three specific matters that you might like to address in the course of implementation of your compliance program. Today we will focus on Due Diligence in high risk markets.
Join me for the next episode of Compliance Man Chooses the Target with Tim Khasanov-Batirov.
Learn more compliance tips from Tim Khasanov-Batirov at: http://complianceinpostussr.com/ & http://complianceinpostussr.com/blog/
As Opening Day near and the Astros are predicted to unseat Jay’s Red Sox to win the 2019 World Series, both lads are eternally hopeful for their hometown heroes. While debating this issue, they also take a look at some of this week’s top compliance and ethics stories which caught their collective eyes this week.
- Former Hong Kong official sentenced for FCPA violations. Harry Cassin reports in the FCPA Blog. Matthew Goldstein reports on how to reduce your FCPA sentence in the New York Times.
- SEC awards two whistleblowers $50MM. Kristin Broughton in the WSJ Risk and Compliance Journal. Matt Kelly takes a deep dive in Radical Compliance. Doug Cornelius gets snarky in Compliance Building. Jonathan Marks weighs in on Board and Fraud.
- Jonathan Ruschand William Weaver debate whether corruption can be measured. Both on the FCPA Blog.
- Was it fraud or was it incompetency? The HP v. Autonomy civil trial begins in London. The BBC
- What is the difference in whistleblowing and extortion? Joe Mont explains in Compliance Week. (sub req’d)
- What are your supply chain risks? Russ Berland explores in Part 1 of a two-part blog post series on Corporate Compliance Insights.
- Looking at enforcement of financial market crimes in Canada and UK. Anita Anand reports in NYU’s Compliance and Enforcement Blog.
- What steps can you take to reduce whistleblower retaliation? Matt Kelly opines in Navex Global’s Ethics and Compliance Matters
- OECD slams Canadian government for interfering in SNC-Lavalin corruption investigation. Jonathan Rausch reports in Dipping Through Geometries.
- Join Tom and AMI’s Jesse Caplan for a 5-part exploration of emerging issues in healthcare compliance and monitoring. Check out the following: Part 1-Opioid Crisis-Legal issue; Part 2– Opioid Crisis-compliance solution; Part 3– the regulators; Part 4-the monitoring healthcare organizations; and Part 5-proactive monitoring. The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Panoplyand YouTube. The Compliance Podcast Network is now also on Spotifyand Corporate Compliance Insights.
- In Houston on April 11? Join the Greater Houston Business and Ethics Roundtable for a presentation for one year look back on GDPR. Registration and information are here.
- Check out the latest edition of Great Women in Compliance where Mary Shirley visits with Marianne Ibrahim.
Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.
