Categories
31 Days to More Effective Compliance Programs Uncategorized

31 Days to a More Effective Compliance Program – Day 22 – Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II, and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2023 ECCP stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach with varying levels of due diligence is the appropriate analysis to take going forward.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions of your program. The Level I, II, and III trichotomies appear to have the greatest favor and are ones that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:

1. Level I due diligence should only be used when there is a low risk of corruption.

2. Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.

3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Levels of Due Diligence-Part 1

Due diligence will always be a basis of any best practices compliance program. Over the next couple of days, I will consider the levels of due diligence and detail how each category will help to inform your compliance program.

Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2020 Update to the Evaluation of Corporate Compliance Programs stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed:

First, it [the requestor] conducted an initial screening of six potential grant recipients by obtaining publicly available information and information from third-party sources … Second, the Eurasian Subsidiary undertook further due diligence on the remaining three potential grant recipients. This due diligence was designed to learn about each organization’s ownership, management structure and operations; it involved requesting and reviewing key operating and assessment documents for each organization, as well as conducting interviews with representatives of each MFI [microfinance institution] to ask questions about each organization’s relationships with the government and to elicit information about potential corruption risk. As a third round of due diligence, the Eurasian Subsidiary undertook targeted due diligence on the remaining potential grant recipient, the Local MFI. This diligence was designed to identify any ties to specific government officials, determine whether the organization had faced any criminal prosecutions or investigations, and assess the organization’s reputation for integrity.

This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled, Deep Level Due Diligence: What You Need to Know.

Level I. First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of AML, anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level I should also consider beneficial ownership records where available, and company tax information to assess whether the third party is financially sound and in compliance with tax payments as required within its primary country of business, plus a check of perceived business risks in that country. Additionally, the third party’s website should also be reviewed; it is unusual for a company to not have a website and this can be a preliminary flag that there are issues. Tal recommends verifying that the company address also exists; a non-verifiable address should be considered a potential red flag which would indicate the need for a deeper level due diligence investigation.

Join us tomorrow as we explain Levels 2 & 3 of due diligence and conclude this blog post series.