Europe at War: Cybersecurity Threat

Cybersecurity Threats

In 2022, Europe was overrun by war for the first time since World War II due to Russia’s invasion of Ukraine. Though Russia’s onslaught has featured all the trappings of conventional warfare, like heavy artillery, ballistic missiles, and the mobilization of troops, it has also revolutionized the role of the cyber realm in armed conflict. 

In the time since it invaded Ukraine (and, according to cybersecurity reports, the time shortly before the invasion), Russia has become the poster child for what NATO has dubbed “hybrid warfare.”

Hybrid Warfare

Hybrid warfare employs traditional and unconventional methods, including cyber warfare, to subdue and subvert power, complicating the familiar zero-sum structure of military conflict. Russia’s invasion of Ukraine has showcased its mastery of the concept, skillfully combining cyberattacks and disinformation campaigns with typical military strategies.

Russia’s extensive cyber presence and commitment to the dissemination of disinformation are present in all corners of the world, especially as it focuses on shoring up support in Latin America, Africa, and Southeast Asia. Still, the most significant cyber threats from Russia related to the war in Ukraine remain its cyberattacks on European institutions and its aggressive campaign of disinformation in the Baltic region.

Cyberattacks and the EU

To combat the onslaught of Russian cyberattacks and disinformation campaigns on the European continent, the EU has recently taken significant steps to bolster its security measures against malicious cyber actors.

According to a report from the European Commission, cybercrime, specifically ransomware, accounts for nearly ten terabytes of stolen data each month, which costs almost 5.5 trillion euros yearly and has only increased since 2020.

The Commission further identified distributed denial of service attacks, malware, social engineering threats, data and internet threats, misinformation and disinformation, and supply chain threats as its major concerns for cybersecurity. 

The European Commission indicated that in 2022, up to 60 percent of impacted organizations may have paid ransom demands, and upwards of 15 percent of Ukraine’s internet infrastructure was damaged in some form or another by Russia or hackers affiliated with Russia. In response to this jarring data, the EU has quickly adopted new policies and created new agencies to deal with the new cybersecurity demands. 

As of June 2023, the EU has adopted a certification framework that involves standardized rules, security requirements, technologies, and evaluation, and it has created a new cybersecurity agency, the European Union Agency for Network and Information Security (ENISA), to effectively stay ahead of increasing cyber threats. 

The adoption of these increased security measures could not have come sooner, considering that in 2023 alone, the Center for Strategic and International Studies (CSIS) has identified upwards of 30 major cyberattacks on the US and European continent independently. 

Hallmarks of Russian Disinformation 

In addition to the destructive malware and ransomware that characterize Russia’s malicious cyberattacks, according to the Cybersecurity and Infrastructure Security Agency, Russia also employs a sophisticated approach to spreading disinformation worldwide. This approach relies on various mediums to spread overlapping stories, which allows for plausible deniability for the Russian state and a media multiplier effect, increasing the reach of the disinformation being distributed across platforms.

During the time leading up to and after the Russian invasion of Ukraine, sources with ties to Russia were disseminating wild propaganda across social media, news outlets, and other channels. These false narratives are particularly damaging in the Baltic region, which historically has close ties to Russia and Russian-based media outlets. 

In addition, the U.S. Department of State has identified five pillars of the Russian disinformation and propaganda ecosystem that can be used to help identify and classify the various methods of dissemination: 

  1. Official government communications:
  1. State-funded global messaging:
  1. Cultivation of proxy sources:
  1. Weaponization of social media:
  1. Cyber-enabled disinformation:

When these pillars work in conjunction with one another, they allow Russia to send out nuanced and subtle propaganda in addition to the less elegant hacking that can prove challenging to recognize for states, corporations, and individuals alike.

Implications for US Businesses

Companies operating in the region must update cybersecurity policies and procedures to protect the firm’s assets and avoid the Russian threat. 

According to the European Council, nearly 82 percent of data breaches involved a human element. This means that training for your firm's team is necessary to ensure team members can recognize cyber threats and misinformation.

Importantly, Russian disinformation campaigns and cyberattacks can and do take place in the United States as well. This means that domestic cybersecurity policies and procedures should also be considered in the context of the Russian cybersecurity threat.    

To learn more about risk management and how Infortal can help you identify, assess, and mitigate risks, reach out today. 

Demystifying Risk Management

Risk Management

In today's interconnected world, the global landscape is constantly evolving and presenting new challenges. These challenges arise from various factors, including economic fluctuations, social dynamics, and regional conflicts. Understanding and navigating these dynamic landscapes is crucial for businesses and decision-makers. It allows them to anticipate and adapt to changes, mitigate risks, and seize opportunities. By analyzing the complex interplay of factors that shape our world, organizations can gain insights into how different regions and markets are interconnected, identify potential risks and opportunities, and develop strategies to effectively operate in diverse environments.

Implementing a robust risk management process is crucial for protecting your company's reputation and financial stability. Failing to address environmental and cybersecurity risks can have detrimental effects on your ESG score and customer loyalty. To successfully implement risk management, conducting thorough research, assessing potential damages, and developing mitigation and contingency plans are essential.

Defining Risks

Before we define risk management, we need to take a look at what constitutes a risk. There are many risks in business. Some people would say starting up a company is a risk, maybe even the biggest risk of all. But beyond that, risks typically come up when growing a business.

The International Organization for Standardization defines risks as anything that can have an “effect of uncertainty” on your business. This is fairly broad and can include hiring the wrong people, acquiring the wrong businesses, or moving into the wrong countries. Other risks are associated with the environment, your company’s reputation, or the materials you purchase. While you may share some risks with other businesses, you may also face some risks unique to your industry, location, or even your specific situation.

The first step in risk management is to list and define your geopolitical threats and risks. You should list all major and even some minor risks if you believe they could eventually have a large impact on your company. Then you want to define the scope of the risk and its potential outcomes. These outcomes may be fairly broad. For example, the risk of partnering with a vendor in another country could vary from “cultural miscommunications” to “the vendor engages in fraud, blackmail, bribery, and child labor.” With the former, the risk may be nothing more than a misunderstanding that can be discussed and cleared up. With the latter, however, you’re looking at facing potential sanctions and serious damage to your reputation.

What Does Risk Management Involve?

Now that you have a better understanding of what risks you face, let’s look at how you manage those risks. Risk management is the process of identifying risks, evaluating their danger to you, and prioritizing which risks you need to mitigate. For example, you may identify two risks with a potential merger: the business may have questionable financials and it may have been involved in several court cases. With some research from Infortal, you learn that the business was only tangentially involved in the court cases and wasn’t the primary defendant. You may determine that there’s not much risk there. The questionable financial issues, on the other hand, may be much more serious.

It's important to note here that the goal of risk management is not to eliminate every potential risk. That’s simply not possible. There will always be risks involved in your decisions. Instead of trying to accomplish the impossible, risk management focuses on mitigating serious risks and bringing to light those risks that are so severe they should be avoided. For example, if you do your due diligence and uncover that a potential C-suite candidate has embezzled from previous jobs, you may not be able to mitigate the reputation fallout from hiring them. Instead, you avoid that risk by passing on the candidate. On the other hand, acquiring a business that uses manufacturing processes that damage the environment is a risk that could be mitigated by immediately replacing those processes.

One of the things you’ll need to decide is what your risk limit is. This limit, sometimes referred to as risk appetite, is how much risk you’re willing to take to accomplish your goals. Businesses that try to avoid all risks typically grow slower, but they’re also typically safer. Those that take on a lot of risks may reach their milestones faster or reap large rewards, but they also could quickly fall if they gamble on a risk and lose. Most companies settle somewhere in the middle, taking small risks that they find are worth the reward.

Risks Come in Two Types

Risks can be broadly classified into two different categories. There are risks associated with an action, such as hiring a new executive or partnering with a new vendor. These risks are often somewhat limited in that you both know the risks you’re facing and what you need to do to mitigate or avoid them. While there are some cases where this isn’t true, such as finding out about a new executive’s criminal past years after hiring them, in most cases, you do have a rough idea of these risks. With a deep due diligence report from Infortal, you’ll be able to make an informed decision on the various risks you face.

The other type of risk can be categorized more as the risk of doing business. These are risks that all or nearly all businesses face, and they’re ongoing. For example, every business that collects data is at risk of a cyberattack. Even with the best cybersecurity, you could still be hacked and have to deal with the fallout. Another type of ongoing risk is that of a natural disaster. Injury is another risk you can attempt to mitigate through safety regulations but can’t completely avoid.

Fortunately, for these risks, you can often mitigate the financial damage with insurance. Insurance can be seen as one of the earliest forms of risk management in that it helps you mitigate the cost of accidents. That said, you will still want to have disaster recovery plans for these ongoing risks as well as look at how you can reduce the damage they can cause.

The Financial Dangers of Risks

Why is risk management so important? It all comes back to money. If you take risks without mitigating them or preparing for the fallout, the result can cost you millions. Your business may even have to declare bankruptcy. These risks don’t just come from hiring someone who might embezzle funds or commit other types of financial fraud. If you decide to partner with a vendor that operates in countries that the U.S. has sanctions against, you can end up fined. For example, 3M agreed to pay nearly $10 million in September 2023 after being found to be in violation of U.S. sanctions on Iran. This fine came after it was found that a 3M subsidiary sold a product through a German reseller to a company under the control of Iran’s law enforcement. While 3M is large enough to absorb this fine, smaller companies wouldn’t have been.

While some risks directly impact your finances, others do so indirectly by negatively impacting your reputation. Partnering with a company that is actively damaging the environment to cheaply produce materials is going to negatively affect your ESG (environmental, social, and governance) score. Customers who are proponents of green production methods may boycott your company. You may also find that companies that focus on the environment no longer want to partner with you. Likewise, failing to take cybersecurity seriously can result in a data breach, which in turn may result in customers abandoning you for competitors that are more focused on protecting data.

Even when you do manage your risk correctly, you may still face some financial consequences as a result of your actions. However, the fallout is typically much less. In fact, the 3M sanctions violation speaks directly to this. The original amount of the fine was over $27 million. However, because the company made use of a risk-based compliance program and voluntarily self-reported, the fine was greatly reduced.

How Do You Implement Risk Management?

To implement a risk management process, you first need to do some research. You need to be able to identify the risks you’re facing and know how to properly assess the damage they may cause. You also need to be familiar with risk mitigation and contingency plans.

For a business that isn’t familiar with risk management, this may seem overwhelming. With the right partner, however, it’s a very manageable task. Infortal can provide you with everything you need to begin risk management. We have the resources necessary to perform global risk forecasts and do deep due diligence into individuals, companies, countries, and regions of the world. With the information we gain from this due diligence, we’re able to brief our clients on the largest risks they face and what the potential outcomes of those risks are.

Cryptocurrency – Regulatory Crackdowns and Inflation Risks

We’ve taken a look at what cryptocurrency is and how it can be a risk for you and your business, but there’s more to it than that. While understanding the risks of crypto is certainly important, it’s also important to see the benefits. Cryptocurrency can be useful, but you must be careful about who you deal with. You also must understand the regulations surrounding it. While it’s true that there were few, if any, regulations for cryptocurrency not that long ago, today various governments and regulatory bodies have realized that this form of currency isn’t going away. They’ve stepped in to regulate it and eliminate some of the risks, prevent fraud, and stop money laundering. However, if you don’t understand those regulations, you may end up facing stiff regulatory fines.

Let’s take a look at how cryptocurrency can affect your company, including its investors, and what regulations are in place that you will need to follow to avoid penalties. As always, Infortal is here to help you with understanding the risks to your business and mitigating them.

Increased Regulation: SEC Enforcement on Crypto Markets

The U.S. Securities and Exchange Commission has attempted to put into place restrictions and regulations to reduce risks and legitimize the use of cryptocurrencies. However, because crypto is decentralized and global, it’s very difficult to fully regulate cryptocurrencies. Another question that has held back regulations concerns how cryptocurrencies should be classified. If it’s a security like a bond or stock, then it falls under the SEC. However, if crypto is determined to be a commodity or some other classification, then it would fall under the CFTC or a different agency. So far, the SEC has taken the lead in regulating cryptocurrencies based on a Supreme Court case that created criteria for securities.

Following the November 2022 collapse of FTX, one of the top cryptocurrency exchange markets, the SEC has increased its attempts to minimize the amount of illegal crypto activity in the U.S. However, because crypto is decentralized, the agency is limited in how effective it can be in combating bribery, fraud, and other illegal activities funded by crypto. The SEC has also received pushback on some of its regulations. Some have said these regulations are simply pushing more crypto exchanges and platforms to other countries, while others have said that the SEC’s rules are too vague and need to be clearly defined.

That hasn’t stopped the SEC and other organizations from taking action against companies and exchange platforms. For example, the SEC has sued the exchange platforms Binance and Coinbase for violating regulations. These lawsuits stated that the platforms committed various securities law violations, but in response, Coinbase pushed the SEC to determine whether digital tokens are actually securities. This question and others continue to make it difficult to regulate cryptocurrencies in the U.S.

Even celebrities haven’t remained immune from the SEC. Kim Kardashian, for example, was fined $1.26 million by the SEC for her promotion of EthereumMax, a type of cryptocurrency. She had failed to disclose that she had been paid for her endorsement. Other celebrities who have faced crypto-related fines include Lindsay Lohan, DJ Khaled, and sports figure Paul Pierce. This means that if you, your executives, or your company as a whole endorse, or appear to endorse, a cryptocurrency, you could find yourself under investigation, especially if you fail to report any payments received for that endorsement. This will likely lead to reputation damage plus fines and penalties.

Inflation: A Major Risk from Cryptocurrencies

Some people believe cryptocurrencies are like gold: they’re inflation-proof. However, that’s not true. Prices can fluctuate, even with gold. While it’s the case that neither gold nor cryptocurrencies can easily be printed like money, thus making it more difficult for inflation to occur, there is still the risk of losing a lot of money. In fact, many experts have started to call into question how inflation-proof crypto is, especially after the past few years and the roller coaster changes various digital currencies have seen.

In fact, inflation does have a direct impact on cryptocurrencies. One example of this occurred in 2022 when the Federal Reserve began increasing the interest rate in order to slow inflation. The result was that cryptocurrencies such as Bitcoin dropped dramatically in value. Bitcoin lost almost two-thirds of its value, going from a high of $65,000 per Bitcoin to around $18,000.

This leads directly to the biggest risk of cryptocurrencies: how quickly they can go from being worth thousands to being worth pennies. Bitcoin’s rapid changes are not the exception: many digital tokens or currencies change by ten percent or more on a regular basis, which puts them in the volatile category for many investors. Without more consistency, it’s hard to see why investing in crypto is a better move than investing in other options. Even those who carefully watch the market in order to buy low and sell high can be caught unaware.

A lack of data doesn’t help

Gold is often considered inflation-proof when you look at it in terms of decades, even though its value can change within a year or even a month. However, we don’t know if cryptocurrencies will show the same resilience over time. They could be a type of dam against inflation, as some investors believe. However, without more data, we simply don’t know how cryptocurrency will act in the long term. It’s possible that it truly will be a great investment, but it’s also possible that it will decline until there are few, if any, digital currencies. This is especially true if crypto continues to be used illegally for fraud and bribery or if agencies such as the SEC place very heavy regulations on trading. 

There are simply too many unknowns to really predict how cryptocurrency will fare in the future. It could, as some believe, lead to major changes. It could also be a passing fad that will eventually settle into a shadow of what it once was. Currently, it’s a risk that you will want to carefully research before investing.

One Potential Future: Crypto as a National Currency

While no one can accurately predict where cryptocurrencies are going, there is one interesting possibility: cryptocurrencies could become national currencies. While Bitcoin isn’t going to replace the dollar anytime soon, even the White House has released a document theorizing about a digital dollar. This memo discusses the possible creation of a U.S. central bank digital currency (CBDC), a type of cryptocurrency that would be accepted across the country. 

While the U.S. hasn’t moved forward with a CBDC as of June 2023, other countries have experimented with a digital currency. The Bahamas created a digital currency in 2020. The Sand Dollar, as it is called, is valued the same as the Bahamian dollar. However, adoption has been slow, partially due to the collapse of FTX. Another issue is that the Sand Dollar, as a CBDC, isn’t quite the same as Bitcoin or other cryptocurrencies. However, many people don’t fully understand the difference, making them hesitate to move to a digital currency. 

China also created a CBDC in 2020 after years of research and development. The digital yuan was released for early testing in 2020, and all other private cryptocurrency transactions were banned in the country the year after. However, again, few people were quick to change over from paper currency. China hoped the 2022 Winter Olympics in Beijing would boost the use of the currency, but due to the global pandemic, they did not see the results they wanted. That said, the country is still eagerly moving forward with the digital yuan and hopes to make it an international currency in the future.

Balancing Risks and the Future of Cryptocurrency

There are certainly risks to using cryptocurrencies. New regulations are being put into place, while other regulations are being amended or changed. If you don’t keep up with these rules, you could easily find yourself the subject of an investigation by the SEC or another agency. It’s possible cryptocurrencies could even be reclassified as something other than a security, which could lead to a major rewrite of all the regulations surrounding them. 

However, at least for the immediate future, cryptocurrencies are not going anywhere. In fact, it’s likely to become easier and more secure to make transactions, especially in digital currencies such as those used by the Bahamas and China. Despite that, there is also no question that the crypto market will continue to be fairly volatile and used for money laundering, bribery, fraud, and other illegal activities. The decision on whether to make use of cryptocurrency or to avoid it for now is one that many businesses and individuals will struggle with over the next few years. 

This is where working with Infortal can help you. Our team has years of experience in understanding regulations and business risks, including the risks carried by cryptocurrencies. We can help you examine potential mergers and acquisitions, agreements, and other transactions so that you fully understand the business risks you’re assuming and what you can do to mitigate those risks. Whether it’s with cryptocurrency or a more traditional financial transaction, you want to make certain you’re making the right decision. Reach out today to learn more about what Infortal offers and how we can help you. 

How to Conduct a Business Risk Assessment to Avoid the Consequences of Money Laundering

When preparing to acquire another company, hire an executive, form a partnership, or even hire a third-party vendor, you need to conduct a full risk assessment so you know what potential dangers your company faces. This allows you to make an informed decision about whether the rewards are worth the risks. Most companies do conduct legal and financial due diligence before an M&A transaction; however, only smart companies use investigative due diligence to check that there are no skeletons in the closet for the people and businesses they acquire.

Make no mistake: as many as 20% of executives hired or acquired in M&A transactions have serious issues in their history, and 35% of businesses globally have corruption-related issues. These issues pose risks for your business and may cause reputation damage, large regulatory fines, and possibly loss of business and future customers if the damage is serious.

A legitimately operating US company may inadvertently acquire a company thinking it has good results from the legal due diligence conducted, but not know about hidden or undisclosed issues because it did not conduct investigative due diligence on the people it has acquired. Some of the most common ways corrupt companies make their money are bribery to obtain large contracts, fraud, drug or alcohol trafficking, weapon sales, and even human trafficking. The people and companies involved keep this part of their income and business relationships hidden behind what appears to be a legitimate business. They may use various money laundering operations to make the funds gained via illegal activity appear to come from legal sources.

It is well known that 90% of third-party companies (manufacturers, suppliers, vendors, and agents) in global supply chains are responsible for Foreign Corrupt Practices Act (FCPA) violations that may cost well over $100m on average in regulatory fines.

How can you learn whether or not someone you’re considering for an executive position or a company you want to acquire has participated in money laundering schemes? The best way is to conduct a risk assessment that includes doing enhanced or deep dive due diligence. Infortal’s methods of due diligence do more than just basic public records searches—we do a deep dive of open source intelligence records, information from other states and countries, in addition to the database searches and global watchlist checking that are commonly done. With this more detailed information, you’ll be better able to assess the potential risks and decide if you should move forward, and what level of risk your company may be facing. 

Let’s take a further look at what money laundering is, how risk assessment can help protect you from its consequences, and what can be done to assist you.

What is Money Laundering?

According to Investopedia, money laundering is the illegal process of making large amounts of money generated by criminal activity, such as drug trafficking or terrorist funding, appear to have come from a legitimate source. The money from the criminal activity is considered dirty, and the process “launders” it to make it look clean.

While the definition of money laundering gives you a good idea of what it is, it may be difficult for companies to identify these issues before an acquisition or business partnership is entered into; this is because illegal activities are often well hidden. In theory, money laundering is fairly basic: money gained from criminal activity is passed off as legitimate funds earned legally. In practice, however, money laundering operations are often a little more complex. Money may be run through multiple shell companies and businesses, and may even have sponsorship by other governments and state-owned enterprises. 

Online banking and third-party money transfer options such as PayPal have made money laundering easier, as has the recent growth of cryptocurrency. It's also become easier to transfer money between countries and into other currencies. This makes getting money out of countries where bribery and other crimes are commonplace fairly simple. Individuals, companies, or even entire countries that have been sanctioned and cannot easily do business with the U.S. now have even more ways of filtering the flow of money between countries and business enterprises.

Most money laundering operations work in three steps. First, the money gained from criminal activities, called “dirty money,” is quietly and carefully injected into a legitimate business. Second, that money is moved through various companies and individuals via financial transactions and careful records manipulation. This is the “laundering” process in which the dirty money is made to appear to be clean, much like dirty laundry becomes clean after washing it. Finally, the cash is placed in a legitimate account where the criminals are able to use it however they want without worrying about being caught.

Sometimes this process does involve businesses, but other times, it involves buying and selling real estate, using casinos, passing money through bank accounts, and more. Basic money laundering operations may only use one of these options, but complex money laundering often involves several layers. The criminal “bad actors” may invest their money in real estate, then sell the properties and convert the money into another currency before using it at a casino or to buy other goods and sell those elsewhere for legitimate cash. This type of layering makes it much harder to track down the origin of the dirty money. 

How Risk Assessment Protects Against Money Laundering

When we discuss anti-money laundering methods, we’re typically talking about risk assessment and due diligence. Unfortunately, there are businesses that don’t take the time to do proper due diligence into the history of the company or its executives. They only do a basic background check on executives or only check a business against global watchlists, rather than doing a deeper look into their background and business activities. This reveals only a small part of what the business has done or the executive has been involved in.

Typically, these quick and cheap global watchlist searches only reveal what has already been on a country’s or financial institution’s radar in the past and may not reflect what is happening currently. There may be numerous red flags that are missed by using this very limited approach. They also don’t identify other names the executive or company has used, consider what business partnerships they have, or really dig into where their funding comes from.

Here are a few of the ways risk assessment highlights money laundering issues or uncovers hidden corruption.

We look into aliases, DBAs, shell companies, and subsidiaries

Executives could have used aliases when doing business with illegitimate businesses, while companies may use a DBA (Doing Business As), a shell company, or a subsidiary to funnel dirty money through other companies. Infortal will dig deep into any other name or subsidiary an executive or business used to find information about what they have done under that name. Shell companies are often used to move money around from state to state or country to country, while aliases can be used to avoid disclosing conflicts of interest or bribery. You need to know about any other name someone is using so you can fully vet them. Do they have a hidden criminal history or litigious behaviors? Do they have class action lawsuits brought by customers or employee groups? Of greater concern: have they defrauded other clients through hidden personal or business information where identifying this would prevent you from similar harm? Does the company you are considering acquiring also have a subsidiary that is involved in fraud, bribery, or corruption?

We pay special attention to offshore companies

Because they’re based in other countries, offshore companies are often used for hiding assets and laundering money. In this case, “offshore” simply means the company is located in another country and is subject to that country’s laws rather than U.S. law. Many people use offshore banks located in the Bahamas, Switzerland, or other locations. The famed Swiss bank accounts, for example, originally didn’t even have names attached to them. This made it very easy to hide money in the country.

 

In addition to offshore bank accounts, some criminals invest money in offshore companies or other countries as a way of supporting terrorists. For example, the island nation of Nauru was known as a money laundering hotspot during the 80s. Russian criminals made use of the country’s incredibly tight privacy laws to move money to the terrorist organization al-Qaida. 

 

Where is the company’s headquarters?

It’s not always easy to determine where a company’s headquarters is, especially if they have various subsidiaries and shell companies. You may believe you’re working with a U.S. company only to find out that the company is owned by another company that’s owned by a large corporation based in China. Doing basic due diligence may not be enough to discover this, which is why you need to do a deep dive or enhanced due diligence investigation. Don’t trust what you find on sources such as a company website or other online sources. Some companies don’t even have a website, so very basic research on them isn’t reliable. However, information does exist and can be obtained.

 

We consider established relationships

Sometimes money laundering is done by hiding relationships between individuals or companies. Funds gained illegally through a cartel or known mobster could be passed through a company owned by a cousin who has a different name. In some countries, family members are often involved in businesses together, which could represent similar types of issues; these situations can often be identified and explored to determine whether a real problem exists. The two groups may be very careful about never being seen together or being linked in any way. In these situations, without looking into a person’s family and their connections, this link could be missed.

 

Free resources are just a start

While resources such as Transparency International’s Corruption Perceptions Index (CPI) do provide information about money laundering and companies that have been involved in corruption in countries, they are only a basic data point and don’t constitute effective due diligence. Yes, you can see that specific countries are ranked as high corruption risks, but how do you know that the business you’re considering working with doesn’t do business there? You can’t without doing your due diligence. Free resources and even low-cost paid resources typically don’t provide enough information to make a truly informed decision. Similarly, the global watch lists used by major financial institutions for Anti-Money Laundering and Know Your Customer (AML/KYC) only provide a brief snapshot of known issues, which may explain why there are often major failures in due diligence when only these items have been checked.

 

Risks of Working with a Company that Launders Money

 

Working with any company that’s engaged in illegal activity, whether it’s money laundering, bribery, trafficking, or anything else, always poses a serious risk. With money laundering, it’s possible any company you partner with could funnel dirty money through your legitimate corporation. This could make you an accomplice, especially if you did no due diligence or insufficient due diligence. Certainly the federal regulators (DoJ and SEC) are well aware of what sufficient due diligence really includes today. If you merge with a company or enter any type of business partnership that involves co-mingling funds or signing off on contracts which were based on bribery and corruption or other types of fraud, you may find that you’re laundering money and inadvertently approved of the whole thing.


Even if you aren’t merging with a company, hiring an executive in any sort of financial role can lead to a similar outcome. They may approve a contract with a company they know has transacted business illegally or brought in dirty money and use your company to move that money into or out of U.S. banks. Once this information comes to light, your entire company is likely to be investigated. Even if you can prove that the executive was the only one involved, it’s still going to damage your reputation and likely result in fines and other penalties. For example, the FTX founder was recently indicted for fraud, money laundering, and campaign finance offenses.

 

If you’re in the financial sector, being embroiled in a money laundering scandal can end your business. Without a strong reputation, many of your customers may abandon you. There are many cases where banks and other financial companies had to close following money laundering charges. For instance, a Miami-based financial advisor pleaded guilty in 2019 to conspiring to launder money relating to FCPA and other offenses. Another example is Goldman Sachs, which was caught in a money laundering scandal as shown in this video.

Contact Infortal Today to Learn More About Anti-Money Laundering and Risk Assessment

 

Infortal uses open source intelligence, court records, financial information, dark web information, and more to dive into the executive or company in question. Our goal is to triangulate data we find in order to highlight anything—real estate investments, subsidiaries, aliases, etc.—that could indicate corruption such as money laundering. Without this information, you can’t truly know what kind of risk you’re taking. Contact us today to learn more.

What Every Executive Team Must Know About Sanctions and Supply Chain Due Diligence

One of the key parts of any business is its supply chain. A supply chain is made up of various vendors that supply raw materials and transport completed products to warehouses or directly to the customer. Supply chains typically include a variety of different vendors. Even companies that only offer services, such as medical offices, will have a supply chain that provides them with everything from basic office supplies to specialized products. Some large manufacturers may have several hundred thousand vendors in their supply chain.

 

Unfortunately, with so many vendors in a supply chain, it can be difficult to do due diligence on each of them. It becomes even more of a task when a supply chain vendor has a supply chain of their own, with second and third tier vendors. You may purchase finished materials from a vendor, but that vendor has to obtain the various raw materials and equipment needed to create those finished items from their own supply chain. While you may vet the vendor you work directly with, you may not vet their supply chain. 

 

There are a number of risks you assume by not fully vetting vendors. One of these risks is that you may end up working with vendors that operate in sanctioned countries. This can lead to government fines and oversight as well as serious damage to your reputation. Let’s take a look at what sanctions involve, how to do supply chain due diligence, and how Infortal can help you avoid penalties for violating sanctions.

 

What Are Sanctions?

 

Economic sanctions are a set of rules imposed by one country on another as a form of consequence for some action that country took. One recent example of economic sanctions occurred when Russia invaded Ukraine in 2022. The U.S. and many other countries quickly imposed economic sanctions that were quite extensive. These sanctions included limits on debt payments to U.S. banks, a ban on oil and gas imports from Russia, and sanctions against individual oligarchs and Russian businesses. 

 

The goal of imposing sanctions is to hurt the country economically, reducing its available cash flow as a means to force it to change policies or, as in the case of Russia, stop fighting with other countries.

 

Sanctions have been put in place against many countries over the years, including Iraq, China, Iran, Syria, North Korea, and more. As of the end of 2022, the U.S. had sanctions in place against six countries: Cuba, Iran, North Korea, Russia, Syria, and Venezuela. Some have been in place for decades—the sanctions on North Korea were introduced in 1950 due to human rights violations and nuclear weapons research, among other issues.

 

In addition to sanctions against another country, the U.S. can also issue sanctions against specific companies or individuals. Many Russian oligarchs operating outside of Russia have been sanctioned in the past year, for example. 

 

While the President and Congress decide what countries are under the effects of sanctions, the U.S. Department of the Treasury is in charge of implementing and enforcing them. In order to do so, the Office of Foreign Assets Control was created. This is the agency that also investigates and, if necessary, penalizes companies that break sanctions. 

 

Sanctions and the Supply Chain

 

Sanctions do play a very important role in your supply chain because of how they impact imports, exports, and other forms of trading. In countries that have very tight sanctions, it can be almost impossible for a U.S. company to do business with anyone in those countries. You may not be able to import products or materials, and you may be blocked from paying companies in those countries. Breaking these sanctions will result in fines and other penalties.

 

It may be fairly simple to avoid contracting with a vendor in a sanctioned country, but what if one of those vendors worked with someone in a sanctioned country? You’re indirectly working with a vendor in a sanctioned country now, and that can still lead to being penalized. This means you’re going to have to vet your vendors and their vendors carefully. It takes time, but it’s worth it.

 

If your direct vendors are in the U.S., they likely won’t be dealing with any sanctioned companies, because doing so would put them at risk of penalties. However, there are some countries that the U.S. has sanctioned that other countries have not. For example, the U.S. currently has sanctions against Cuba, but the EU lifted its sanctions in 2008. This means the vendor you have in Spain could hire a vendor in Cuba without any problems, but that could lead to trouble for you. You need to know what your entire supply chain looks like, including what countries they’re operating out of or doing business in.

 

The Risks of Operating in a Sanctioned Country

 

The penalties for violating sanctions typically start with a fine. These fines can be quite substantial. For example, in October of 2022, Bittrex, Inc., a company based out of Washington, was found to be in violation of 116,421 sanctions by allowing individuals in Iran, Syria, Sudan, Cuba, and the Crimea region of Ukraine to use its online currency exchange services between 2014 and 2017. The company ended up paying over $24,000,000 in penalties. This is one of the higher fines issued in 2022, but it wasn’t the only one to total over a million dollars. Those paying stiff fines include Danfoss A/S (over $4 million), Toll Holdings Limited (over $6 million), and Sojitz Limited (over $5 million).

 

Some penalties do not result in a fine. In July of 2022, MidFirst Bank was issued a Finding of Violation instead of a fine for doing business with sanctioned individuals. The company maintained accounts for these individuals and processed 34 payments before determining that they were sanctioned. Because the problem came from an issue in how MidFirst screened names added to the Specially Designated Nationals and Blocked Persons list, and because MidFirst took steps to address those issues, they received a warning instead of a fine. However, the Finding of Violation is public information, which means it may have an impact on MidFirst’s reputation. They may lose customers or business partners as a result.

 

One of the harshest penalties the Treasury can enforce on a business is monitorship. Monitorship means the Department places an independent monitor with the company. This individual will monitor all of the company’s financial decisions to ensure that they are not breaking any sanctions. They have the authority to report any misconduct back to the Office of Foreign Assets Control or to the Department of Justice. The company is typically required to pay for the monitor, which can be very costly. In cases where the violations result in both a fine and a monitorship, the impact on the company’s finances can be severe. 

 

Sanction violations from the supply chain occur very often. In fact, approximately 90 percent of all violations of the Foreign Corrupt Practices Act are related to supply chain vendor misconduct. While you may still face penalties, self-disclosing that one of the vendors in your supply chain is breaking sanctions can help reduce the penalties. 

 

How Do You Determine if Your Vendors Work in Sanctioned Countries?

 

Vendors who are knowingly operating in sanctioned countries are not likely to disclose it. Some may not have done any due diligence on their own vendors, either, so they don’t know if some of those companies are breaking sanctions. 

 

In order to determine if a vendor or one of their vendors is operating in a sanctioned country or with sanctioned companies or individuals, you need to do deep dive due diligence. It’s not enough to simply check the lists available via the Department of Justice, although that’s certainly a good place to start. However, even looking at this list, you’re still not going to find everything. That’s because all you have is a list of sanctioned entities. You have no way of knowing who vendors and their vendors are working with. 

 

That’s where Infortal comes in. We will do due diligence on these vendors, checking them against the 1700+ global watch lists we have. We will dig deep into each vendor’s history, including what countries they have operated in, who they’ve worked with, and more. Our goal is to find any sign of misconduct, whether it’s violating sanctions, taking bribes, engaging in human, drug, or weapons trafficking, or any other illegal activity. These are activities that won’t be found with basic searches, especially if they’re actions that haven’t been investigated or turned over to the government. 

 

We bring our years of experience in due diligence to bear on your vendors, looking through their past operations across the U.S. and the world. You have to do more than simply look at where the company is located or where they have offices. Some companies do business under other names, so it’s important to find that information and check those other names to see if they’re trying to hide their operations in sanctioned countries. By digging deep into the company’s past and present activities, we can provide you with the information you need to determine if you should still have a relationship with that company.

 

Contact Infortal to Learn More About Supply Chain Due Diligence

 

If you’re preparing to work with a new vendor, you need to do your due diligence to make certain you’re not unknowingly violating sanctions. To do that, you have to do a deep dive into their activities, and that takes the right tools and experience. Infortal has both and is ready to help. Contact us today to learn more. 

How to Conduct a Risk Assessment to Avoid the Consequences of Money Laundering

When preparing to hire an executive, form a partnership, acquire another company, or even hire a vendor, you need to do a full risk assessment so you know what potential dangers your company faces. This allows you to make an informed decision about whether the rewards are worth the risks. Make no mistake: while some deals may appear to be risk-free, very few actually are. In most cases, there are some risks, but they’re negligible. However, just because many executives, vendors, and partner companies are legit and pose little risk, that doesn’t mean there aren’t people out there who engage in criminal behaviors to make more money. 

 

One of the most common ways these companies make their money is through illegal methods such as bribery, forgery, drug sales, weapon sales, and even human trafficking. Many of the people and companies involved keep this part of their income hidden behind what appears to be a legitimate business. They use various money laundering operations to make the funds gained via illegal activity appear to come from legal sources. 

 

How can you learn whether or not someone you’re considering for an executive position or a company you want to acquire has participated in money laundering schemes? The best way is to conduct a risk assessment analysis that includes doing deep dive due diligence. Infortal’s methods of due diligence do more than just basic public records searches—we do a deep dive of open source intelligence records, information from other states and countries, and much more. With this information on hand, you’ll be better able to assess the potential risks and decide if you should move forward. 

 

Let’s take a further look at what money laundering is, how risk assessment can help protect you from its consequences, and what Infortal can do to assist you.

 

What is Money Laundering?

 

While the above definition of money laundering gives you a good idea of what it is, it’s also fairly basic. In theory, money laundering is simple: money gained from criminal activity is passed off as legitimate funds earned legally. In practice, however, money laundering operations are often a little more complex. Money may be run through multiple shell companies and businesses. Online banking and third-party money transfer options such as PayPal have made money laundering easier, as has the recent growth of cryptocurrency.

 

It's also become easier to transfer money between countries and into other currencies. This makes getting money out of countries where bribery and other crimes are commonplace fairly simple. Individuals, companies, or even entire countries that have been sanctioned and cannot easily do business with the U.S. now have even more ways of filtering money in and out due to how easily money can be moved and converted. 

 

Most money laundering operations work in three stages. First, the money gained from criminal activities, called “dirty money,” is quietly and carefully injected into a legitimate business. Second, that money is moved through various companies and individuals via financial transactions and careful records manipulation. This is the “laundering” process in which the dirty money is made to appear to be clean, much like dirty laundry becomes clean after washing it. Finally, the cash is placed in a legitimate account where the criminals are able to use it however they want without worrying about being caught.

 

Sometimes this process does involve businesses, but other times, it involves buying and selling real estate, using casinos, passing money through bank accounts, and more. Simple laundering operations may only use one of these options, but complex money laundering often has several layers. The criminals may invest their money in real estate, then sell the properties and convert the money into another currency before using it at a casino. This type of layering makes it much harder to track down the origin of the dirty money. 

 

How Risk Assessment Protects Against Money Laundering

 

When we discuss anti-money laundering methods, we’re typically talking about risk assessment and due diligence. Unfortunately, there are businesses that don’t take the time to do so. They only do a basic background check on executives or only check a business against a global watch list rather than doing a deep dive into their background and business activities. This reveals only a small part of what the business has done or the executive has been involved in. Typically, these quick and cheap searches only reveal what’s happened in the state in the past seven years. They don’t look at other names the executive or company has used, consider what business partnerships they have, or really dig into where their funding comes from.

 

Here are a few of the ways risk assessment highlights money laundering issues or uncovers hidden corruption.

 

We look into aliases, DBAs, shell companies, and subsidiaries

Executives could have used aliases when doing business with illegitimate businesses, while companies may use a DBA (Doing Business As), a shell company, or a subsidiary to funnel dirty money through other companies. Infortal will dig deep into any other name or subsidiary an executive or business used to find information about what they have done under that name. Shell companies are often used to move money around from state to state or country to country, while aliases can be used to avoid disclosing conflicts of interest or bribery. You need to know about any other name someone is using so you can fully vet them.

 

We consider established relationships

Sometimes money laundering is done by hiding relationships between individuals or companies. Funds gained illegally through a known mobster could be passed through a company owned by a cousin who has a different name. The two may be very careful about never being seen together or being linked in any way. Without looking into a person’s family and their connections, this link could be missed. 

 

We pay special attention to offshore companies

Because they’re based in other countries, offshore companies are often used for hiding assets and laundering money. In this case, “offshore” simply means the company is located in another country and is subject to that country’s laws rather than U.S. law. Many people use offshore banks located in the Bahamas, Switzerland, or other locations. The famed Swiss bank accounts, for example, originally didn’t even have names attached to them. This made it very easy to hide money in the country.

 

In addition to offshore bank accounts, some criminals invest money in offshore companies or other countries as a way of supporting terrorists. For example, the island nation of Nauru was known as a money laundering hotspot during the 80s. Russian criminals made use of the country’s incredibly tight privacy laws to move money to the terrorist organization al-Qaida. 

 

Where is the company’s headquarters?

It’s not always easy to determine where a company’s headquarters is, especially if they have various subsidiaries and shell companies. You may believe you’re working with a U.S. company only to find out that the company is owned by another company that’s owned by a large corporation based in China. Doing basic due diligence may not be enough to discover this, which is why you need to do a deep dive. Don’t trust what you find on sources such as a company website or other online sources. Some companies don’t even have a website, so doing research on them isn’t that easy.

 

Free resources are just a start

While resources such as Transparency International do provide information about money laundering and companies that have been involved in corruption, they don’t provide deep due diligence. Yes, you can see that specific countries are ranked as high corruption risks, but how do you know that the business you’re considering working with doesn’t do business there? You can’t without doing your due diligence. Free resources and even low-cost paid resources typically don’t provide enough information to make a truly informed decision. 

 


 

Risks of Working with a Company that Launders Money

 

Working with any company that’s engaged in illegal activity, whether it’s money laundering, bribery, trafficking, or anything else, always poses a serious risk. With money laundering, it’s possible any company you partner with could funnel dirty money through you. This could make you an accomplice, especially if you didn’t do any due diligence. If you merge or form any type of partnership that involves co-mingling funds or signing off on contracts, you may find that you’re laundering money and approved of the whole thing. 

 

Even if you aren’t merging with a company, hiring an executive in any sort of financial role can lead to the same outcome. They may approve a contract with a company they know has brought in dirty money and use your company to move that money into or out of the U.S. Once this information comes to light, your entire company is likely to be investigated. Even if you can prove that the executive was the only one involved, it’s still going to damage your reputation and likely result in fines and other penalties. The Benex scandal in the late 1990s involved several executives at Benex International and Becs International and resulted in fines and jail time.

 

If you’re in the financial sector, being embroiled in a money laundering scandal can end your business. Without a strong reputation, many of your customers may abandon you. There are many cases where banks and other financial companies had to close following money laundering charges. The Bank of Credit and Commerce International, for example, was investigated in 1990 for falsifying transactions and hiding deposits. By 1991, the Bank of England determined that there was so much fraud and corruption that BCCI couldn’t be salvaged.

 

Contact Infortal Today to Learn More About Anti-Money Laundering and Risk Assessment

 

Infortal uses open source intelligence, court records, financial information, dark web information, and more to dive into the executive or company in question. Our goal is to triangulate data we find in order to highlight anything—real estate investments, subsidiaries, aliases, etc.—that could indicate corruption such as money laundering. Without this information, you can’t truly know what kind of risk you’re taking. Contact us today to learn more.

What is the Difference Between Basic and Deep Dive Due Diligence?

Imagine hiring a new executive only to find out that they were involved in a serious crime, have a major conflict of interest, or have a history of suing the companies they work for. Once the ink is dry on their contract, it’s too late to easily change your mind without some type of cost to your company.

Moderna’s board of directors found this out the hard way in May of 2022 when they hired Jorge Gomez to serve as their new chief financial officer. While they did some due diligence into his background, they didn’t look much beyond the basics. After publicly announcing Gomez was joining their team, Moderna made a shocking discovery: his former employer was under investigation for financial misconduct. Gomez served a single day as Moderna’s CFO before being released from his contract in exchange for $700,000. Moderna also bore the costs and time involved in the hiring process and took a hit to its reputation.

This is just one example of why you must do more than basic due diligence when hiring an executive. A deep dive into Gomez’s history would have revealed the investigation and his role in it before he was hired, allowing Moderna to avoid the embarrassment of hiring a CFO with a checkered past.

What is Due Diligence?

Many people think due diligence is the same as a background check, but it’s much more detailed than that. Background checks are done when hiring anyone, regardless of their level in the company. They provide a very basic snapshot of someone’s criminal and financial past in that they will tell you if someone has been convicted of a felony or declared bankruptcy. However, they won’t tell you more than that.

True due diligence is typically only done when hiring executives, especially C-suite level leaders, and when acquiring or merging with another company. The goal of due diligence is to bring to light any risks that could result in a loss of reputation, income, or clients. This includes much more than felonies and the occasional bankruptcy. Due diligence should also look into items such as a criminal past in other countries, online activity, conflicts of interest, financial irregularities, civil suits, and more.

With this in mind, let’s take a look at how basic and deep dive due diligence are different, how a deep dive into a candidate’s past can help protect a company, and how Infortal Worldwide is here to assist you with these deep dives.

When is Deep Dive Due Diligence Necessary?

Basic due diligence is more than a background check, but it doesn’t really dive into someone’s background. It’s enough to shed light on whether a potential hire has committed felonies, embezzlement, or is extremely litigious. However, it only checks around 30 different databases of information. That’s not going to find everything. It might find some basic risks to hiring the person, but it typically only highlights about one percent of potential issues.

Even moving up to a second level of due diligence, which would include making use of open source intelligence tools to gather and analyze all publicly available information, may not be enough. While this will pull in media reports, social media, court filings, public trading information, and more, it’s still only going to reveal around five percent of the information you truly need when hiring an executive. It’s better, but it’s just not enough.

That’s where deep dive due diligence comes into play. This level dives into all of the open source intelligence information plus scans international watch lists, dark web activity, connections to other businesses, and much more. It will look at aliases and connections to other people that could lead to conflicts of interest.

Rather than asking specific questions such as “Did this person work at this company? Did they live in this area during this specific time period?” the way background checks do, deep due diligence casts a very wide net. It looks at connections the potential hire has and how they could use those connections instead of simply verifying data. This is absolutely necessary when hiring a company executive. Because it’s so extensive, one of these searches can take up to 30 hours of work, but it will reveal much more than other levels of due diligence.


Key Ways Deep Dive Due Diligence Protects Your Company

Deep dive due diligence will help your board of directors, hiring committee members, and others by providing information that would simply not be found without it. While using open source intelligence, watch lists, and other databases will bring up a variety of information on a potential hire, here are a few key ways deep dive due diligence in particular is necessary to make a fully informed hiring decision.

Learn Candidate Aliases and Other Names

Some candidates have used other names in the past. While some of these names will come up on basic searches, there’s always the chance that one or two will not. This is especially true if the candidate took pains to hide those aliases or use different names in other states or countries.

A deep dive also sifts through candidates with very common names to find information about them. Someone with a very common name like Joe Smith may not be easily searchable online because there are thousands of people with that name. A deep dive will use other factors such as addresses, birthdate, employment history, and other data to determine when information is about a candidate and when it is about someone with a very similar name.

Get the Full International Picture

Some companies only look at information in local, state, or federal U.S. databases. While this will usually reveal if the individual was tried or convicted in the United States, it will not reveal anything about any international civil or criminal cases. Executives, especially those who have worked with large multinational corporations in the past, are likely to be involved in business in other countries.

Knowing if they have been accused of fraud or were named in a malpractice lawsuit in another country can quickly make it clear that a candidate is not a good fit. This type of due diligence will also reveal whether the candidate is an investor or owner in any business based in another country. This could highlight potential conflicts of interest that would not come to light otherwise.

There’s also always the chance that a candidate left their home country to avoid being arrested or charged with crimes. This may seem like something out of a movie, but it does happen. Even if the person left for legitimate reasons, companies should still review their criminal history and business activities done before they moved to the U.S.

A Basic Search May Not Reveal All Conflicts of Interest

A conflict of interest can lead to misconduct. An executive who has a connection to another company may work to get that company better prices or to move contracts or partnerships to that business. While these partnerships aren’t always bad for either business, they do typically result in the executive getting a cut from both sides. That’s a serious conflict of interest that should never occur.

Unfortunately, basic due diligence may not necessarily uncover this, especially if the executive has gone out of their way to disguise or hide their connection to the other business. There are a number of ways this can be done, but it’s a conflict of interest regardless of what methods they use.

A deep dive due diligence will reveal these connections. Company leaders will be made aware of what other businesses the candidate has a connection to, allowing them to avoid any partnerships or relationships. Even if the business is in a different industry that the company would never interact with, knowing that the candidate was not forthcoming is good information. It’s a red flag, and it may indicate that they have been less than truthful about other things as well.

Basic Due Diligence Does Not Search the Dark Web

The dark web contains information that few people ever see. This information, however, can be vital when making hiring decisions. If the candidate has any sort of presence on the dark web, it’s almost always a red flag. Even if they did nothing wrong, there may be information about them out there that could be used to blackmail or coerce them. This could affect the company, especially if the candidate could be blackmailed for money or favors. Companies may want to make candidates aware that their personal information has been published on the dark web, even if they decline to continue the hiring process.

Why is it Important to do Deep Due Diligence?

As highlighted with the Moderna example, poor hires into executive, C-level, and other highly visible leadership positions can quickly damage a company’s reputation at best and result in severe losses at worst. Hiring a CEO with a very checkered past can lead to a loss of respect and trust in the brand if their past becomes public. Bringing on a CFO who was the subject of a criminal investigation in another country or a CTO who has been a part of multiple SEC violations can be embarrassing, and it can result in business partners and investors cutting ties with the company.

If you’re lucky, you simply have to pay out a year or more worth of salary and take a small dip in your stock price. Moderna was especially lucky in that they did bounce back fairly quickly as far as revenue goes. However, the embarrassment has greatly damaged their reputation, and that may haunt them for years. Not every company experiences such minor damage from a poor hiring decision. Some go years without finding out that their CEO, CFO, or other executive has a dark past or often engages in illegal activity. These individuals could even use company assets to line their own pockets, putting the entire business at risk.

Infortal Provides Deep Dive Due Diligence to Alleviate Risks

Many companies understand how to do basic due diligence and do regularly check at least the criminal backgrounds of those they hire. However, few companies fully understand how to do a deep dive into a candidate’s background. They do not have the tools or the experience to find some of this information. Others simply do not have the time.

Infortal has the skills, tools, and time to do these deep dives. If you’re preparing to hire an executive, you need to have a full picture of who you’re about to invite to join your company. To learn more about how we can help, contact Infortal today.

The Importance of Due Diligence in Executive Search

When an executive leaves a company, it creates a vacuum. Often, an entire division of the company is left without executive leadership. The CEO or board has lost a trusted expert to provide advice and guide the company’s operations, finances, HR, technology, or other area. However, the company should never rush the search for a new executive. These individuals do more than just serve in a leadership capacity—they also often serve as ambassadors of the company and its brand. What they do reflects on the brand, and if they have a sordid past, criminal convictions, financial misconduct, or conflicts of interest, it can negatively impact the brand.

Any company or board that is seeking a new executive needs to perform their due diligence. However, the due diligence for someone at the C-suite level needs to do more than check their work history and criminal background. You need to know if they have a criminal history overseas, if they’re highly litigious, or if they have any unreported conflicts of interest. In short, you need to do a deep dive into any candidate who makes the shortlist for the position. 

Let’s take a look at what such a deep dive entails, why it is important, and how partnering with Infortal Worldwide is the best way of protecting your company from hiring an executive who may put your brand at risk.

What Is Executive Due Diligence?

Executive due diligence goes beyond simply looking at someone’s employment history, credit history, and criminal background. Those are basic records that should be reviewed for almost any hire. With an executive, however, more information is needed. The last thing a company wants to do is hire a highly visible C-level employee only to find that they have ties to unsavory organizations, have made statements in the past that are counter to the company’s mission and vision, or have a criminal past in another country.

Due diligence includes these basic background searches, of course, but it goes far beyond that. First, all public records, including those from other states and other countries, are searched for the provided name and any aliases. Someone who has conducted business in another country may not necessarily disclose that information, and a background search in the U.S. may not reveal it, either. This is also true if the individual was involved in litigation or other court cases in other countries. Limiting a background search to the United States only often fails to provide the full picture.

Second, many companies simply do not have the time or skills needed to look into someone’s background without asking specific questions. It’s fairly easy to verify information, but it’s not as easy to see whether someone is a con artist or fraudster, engages with hate groups online, or has family connections to criminal organizations. These types of searches often reveal that a candidate may be, at best, a PR risk, and at worst a criminal themselves.

Infortal’s deep dive executive due diligence includes searching public records, global watch lists, domestic US and overseas criminal (where available) and civil court records, corporate board conflicts, financial pressures, behavioral concerns, and more. In the end, we provide our clients with a full picture of the candidate that includes any criminal history, court issues, concerning online activity, conflicts of interest, and other indications of risks they could bring to the business.

Why Due Diligence is Important in an Executive Search

When it comes to an executive, there are a number of reasons why doing deep dive executive due diligence is important. Here are a few of the risks a company faces if they fail to do their proper due diligence.

Standard background checks aren’t enough

While a standard background check can be fine for many employees, for executives, it simply doesn’t contain all of the information a company needs to make a well-informed hiring decision. Our research shows that one out of every five executive-level candidates has concerning information in their history that a standard background, credit, or criminal check will not reveal. This includes information from other states and even other countries.

Even a basic due diligence search will only bring to light around one percent of these issues. A deep dive, however, will allow you to make a much more informed decision by providing you with a fuller picture of the potential hire.

Proper executive due diligence provides context

A background check may reveal that a candidate was named in a lawsuit, but it may not reveal the context of that lawsuit. It’s up to the company to dig into the legal documents and determine what the candidate’s involvement was. Infortal will provide that context so companies know if the candidate tends to be litigious or if they were simply named along with other company leaders or individuals. A highly litigious individual could plan to bring suit against your company by carefully creating a series of events that make them appear to be the victim. A wide variety of civil litigation disputes may underscore a history of litigious behaviors which may later cause unwanted impacts and reputation damage to your organization. 

Further, if the executive involved is an investor, or is posing as one, other companies seeking investment may have brought breach of contract and fraud claims against them. Those claims can go unfound when the executive’s involvement with those other companies was not identified during legal and financial due diligence.

Business connections and involvement in other companies are an important part of investigative due diligence that is frequently overlooked, but they may pose reputational harm and, in many cases, conflicts of interest that should be explored.

Conflicts of interest often aren’t revealed

Finding certain conflicts of interest is not always simple. For example, a valued long-term key executive may work directly for your rival competitor, or may even own that company, as we have found in one situation. Or an individual could be a part-owner or investor in a company that has a controlling interest in other companies, or could have invested under an alias that a routine background check could not find. These individuals could use their connections with the other company to falsify information, run a kick-back scheme, or influence important business decisions. The executive could be double-dipping at another employer or, even worse, may have been planted by a competitor to sabotage your company from within or steal intellectual property or trade secret information. Infortal has encountered all of these situations at real companies, yet most companies think this “could never happen to them”.

Background checks may not flag forged degrees or other falsified information

According to one study, only slightly over half (53%) of employers actually even verify a candidate’s degree. This means that it can be quite easy to slip falsified education through the hiring process, especially for executive candidates who have years of work experience. 

It’s easy for a hiring committee to assume a candidate who has a resume featuring well-known Fortune 500 companies and other successful businesses has earned the degrees they say they have. The case could be made that with years of experience, education no longer really matters. However, there’s another important question that a falsified degree or other credentials should raise: if a candidate has lied about this, what else have they been less than truthful about? Finding a forged degree should certainly be a red flag. Yahoo’s reputation was damaged some years ago by a CEO, Scott Thompson, who claimed a degree he did not have; this resulted in both a stock drop and years of reputational damage. Marilee Jones, dean of admissions at Massachusetts Institute of Technology, claimed she had three degrees, even though she had none.

David Edmondson, CEO of Radio Shack, resigned after falsely claiming he had two degrees when he had no degrees. In Infortal’s experience, at least 15% of employees lie or misrepresent their degrees.

The damage from a bad hire can be substantial and long-lasting

Finally, and perhaps most importantly, failing to do due diligence for an executive can result in substantial, long-lasting damage to the company. Hiring a candidate who has a number of risks associated with them can cost the company a substantial amount of money. Companies may have to pay out on a large severance agreement, even if the executive only worked for the company for a short period of time. They could be sued by shareholders, face stiff regulatory fines, or have to pay out millions of dollars to correct improper actions taken by the executive. 

The damage done to your company’s brand can result in the loss of clients, strategic partners, government contracts, and more. Stock prices can drop, investors can sue or pull out altogether (another PR issue), and other executives or employees could decide to seek employment elsewhere. This can take years to recover from.

In some cases, the damage could be so great that the company has to fold. Finding out that the CEO has money laundering, bribery and corruption, or even murder charges against them in another country could easily destroy the company’s reputation. A CFO with a hidden past involving financial misconduct could bleed the company dry before anyone realizes what’s happening.

It’s very easy for one unscrupulous individual in the right position to destroy a company. There are many examples of this in recent times, including Bernie Madoff’s $64 billion Ponzi scheme, CEO Jeffrey Skilling’s fraud at Enron, and Elizabeth Holmes’ fraud involving fake blood testing equipment at Theranos.

Protect Your Business

In the end, it comes down to trust. How much trust can be put in a candidate for an executive position? A company must protect itself from risk, and that includes the risk of hiring an individual who brings with them liabilities. Putting trust in someone without doing executive due diligence is a risk that could greatly damage the company, its reputation, and its profits. Infortal aims to reduce that risk with our deep dive executive due diligence investigations on executives and other key personnel. 

We understand that a company’s first duty is to protect themselves from potential damage. While many candidates for executive positions will be honest about their past, there are approximately 20% who may not. There are even a few candidates who may not disclose something because they do not see it as a risk or as something that could potentially be a red flag for employment. While they were not maliciously hiding information, it still means the company does not have a full picture of who they may be hiring and the hidden risks they may pose. 

Infortal has over 35 years of experience in executive due diligence. We work closely with our clients to find all relevant information about a candidate so they can make informed decisions after fully evaluating the risk the candidate may represent. With our assistance, you can confidently hire into your C-suite, or your board of directors, without bringing undue liability to the company. 

To learn more about how Infortal can help you, contact us today.

Identifying the Three Main Levels of Due Diligence

On May 9, 2022, Jorge Gomez joined Moderna, maker of the COVID-19 vaccine, as their new CFO. Gomez was fired just one day later when it was found out that he was the subject of an internal investigation by his prior employer, Dentsply Sirona. Gomez’s brief stint cost Moderna $700,000 in severance pay, unless Gomez is found to have been involved in misconduct at Dentsply Sirona, as outlined in a clawback agreement. Gomez will forfeit his signing bonus, bonus eligibility and eligibility for new hire equity awards, Moderna said in a securities filing.

According to Endpoint News, the probe was initiated in March 2022. Moderna told them “that it had been unaware of the Dentsply’s investigation involving Gomez until it was publicly disclosed on May 10th,” the day of Gomez’ resignation. Endpoint further reported that “despite the end result, Moderna defended its decision to hire Gomez and its swift action to let him go.” Moderna’s spokesperson said:

“The May 11, 2022 announcement and departure of Jorge Gomez from Moderna strongly reflects the seriousness with which Moderna takes corporate governance. We are confident that Moderna conducted all appropriate due diligence on this matter prior to the hiring of Mr. Gomez, based on available information.”

The spokesperson was not the only Moderna employee to defend their hiring. Financial Times reported that Noubar Afeyan, Moderna’s co-founder and board chairman told them legal constraints prevented the company from learning about Dentsply’s internal investigation earlier. Afeyan further said: “Both the process of recruiting and vetting, and the process with which we reacted to the new facts that came out, were completely appropriate. I can’t think of a different approach that we could have used under those circumstances.”

How Can Companies Protect Themselves?

The elephants in the room here are how the company can be confident that they “conducted all appropriate due diligence” prior to hiring Mr. Gomez, and what exactly they believe to be “appropriate due diligence.” Many C-suite executives, board members, and even investors often “can’t think of a different approach” than the one Moderna most likely followed.

Many companies conduct a basic background check and reference interviews on new executive hires and think this is a sufficient level of due diligence. However, this is insufficient due diligence for executive hires. Federal regulators know the difference if an issue occurs that requires demonstrating the levels of executive due diligence conducted. Thorough levels of executive due diligence can provide an extra layer of fiduciary protection for the board.

It is important for executives and board members to be able to understand and identify the three main levels of due diligence, especially in regard to corporate hires to mitigate risk and prevent a company from encountering a situation similar to Moderna’s hiring of Mr. Gomez.

Understanding Background Checks Versus Due Diligence Investigations

Most companies default to standard background checks. These checks, sometimes called routine background checks, are initiated internally by the company’s human resources department or through an executive search firm that a business is relying on to not only locate potential executive hires, but to vet them for potential issues. These default standard background checks reveal less than 1% of serious issues compared to the 20% revealed through due diligence investigations. Why is there such a big difference in the results found?

When hiring executives and board members, an executive background check, meaning a deep-dive executive due diligence investigation, should always be conducted.

Standard background checks typically look at only 5 components. They usually verify employment history, criminal records, degree or education verification, social security validation and address verification, and sometimes credit history. These are the same basic background checks performed on any level of employee. Companies mistakenly believe that if they have their executive recruiters conduct a routine background check plus reference interviews that they will find any negative information on executive hires.

Background checks only provide a small window into a potential hire’s public information and fail to capture substantial amounts of detail, particularly hidden or undisclosed information. Standard background checks are a starting point, but are entirely insufficient when assessing a new executive hire or board member. These background checks are unsuccessful at taking a comprehensive look into an individual’s reputation, litigious history, behavioral issues, fraudulent behavior, SEC violations, undisclosed work history, and conflicts of interest, to name only a few issues of concern at this level.

Due diligence investigations are designed to detect hidden and undisclosed information that is not readily available in standard background checks. Open Source Intelligence (OSINT) investigations are an important source of information in addition to publicly available records as this part of the investigation examines deep, dark and historical information on the world wide web (far beyond simple Google searches). Due diligence investigations evaluate criminal history, financial and legal issues, civil litigation issues, relationships with other companies and entities, reputation issues, relationships of executives to foreign officials, shell company involvement, evidence of fraud, signs of money laundering, financial impropriety, conflicts of interest, drug, alcohol and human trafficking, anti-competitive behaviors and numerous other serious issues.

The information gathered in deep due diligence investigations is invaluable and can save a company monetarily, reputationally, and even legally, including from regulatory fines and penalties. Executive due diligence is very thorough and provides additional substantiation in fiduciary duty of care. A high-quality executive due diligence investigation can uncover essential information that a routine background check could never find.

Due Diligence Investigations, Tier I

A Tier I due diligence investigation is the most basic level. It incorporates the elements of a standard background check, but expands on this. Tier I due diligence checks both federal and county level criminal records and civil litigation history, professional licenses, bankruptcy filings, along with other public records. It also looks at anti-terrorist lists, anti-money laundering (AML), politically exposed persons (PEPs), OFAC and sanctions on over 1,700 global watch lists, and similar government listings from law enforcement and government agencies around the world. This level is suitable for mid-level executives.

Due Diligence Investigations, Tier II

Tier II incorporates everything in a Tier I due diligence, but takes a deeper dive into every aspect of public records information plus a negative keyword search of 40 million online digital articles, news media and other publications. Typically, this includes a basic 20 to 30 keyword search among other relevant data. It sits squarely in the middle of due diligence investigations and is far more suitable for senior executives than a background check. Tier II provides more than basic executive due diligence results but is not comprehensive due diligence.

Due Diligence Investigations, Tier III

A Tier III due diligence investigation, or deep dive due diligence investigation, includes everything in the prior levels, but is more robust and takes a comprehensive look at an executive’s activities and business history. At this level, it not only helps to reveal bad individuals or find bad actors, but can identify behavioral patterns which may indicate an inclination for sidestepping internal controls, or skating too close to ethical lines, leaving a company open to future legal or reputational issues should the individual’s behavior continue after they come aboard. These issues can vary dramatically and include: conflicts of interest, either business or personal; breach of contract matters; litigious behavior; sexual harassment; anger-related issues, such as bullying or violence; and even being a fraudster. Or, for example, serious financial pressures, numerous collection accounts, or high tax liens may indicate a drug habit or a history of gambling, tax avoidance, or mismanagement of monies. An undisclosed history may yield information on SEC type violations (in the USA or another country), time served in prison, fraud committed at a prior undisclosed company, undisclosed board involvement, ongoing civil litigation, or even involvement in other companies where serious crimes were committed. Some situations may be rationalized; others are red flags. When compounded with other issues, serious financial pressures can occasion unusual behaviors, even at the executive level. Would you be concerned if you were not aware of something like this that may have later repercussions to your company, or that you inherited when acquiring a company?

Some surprising findings uncovered by deep dive due diligence investigations include: money laundering and bribery, hidden aliases, undisclosed board involvement, SEC violations, IP theft, interstate bankruptcies, signs of malfeasance and misconduct (with or without criminal conviction), concealed criminal activity, media negatives, social media negatives, sexual harassment, class action lawsuits, murder and manslaughter, historical issues, undisclosed business ownership, embezzlement, racketeering, identification of fraudsters and con artists, and litigious or negative behaviors.

This enhanced due diligence includes a deep search of online media, including periodicals, newspapers, digital media, and other publications, which can uncover a great deal regarding past behaviors and affiliations. It also searches the accessible portion of the dark web. In the case of an individual who has an international footprint, there may be in-country information that can only be found through local language and in-country searches.

The majority of this information can be found through a combination of publicly available records and skilled investigative analysis. The 20% of information not found in routine background checks can put a company at risk; finding it matters for identifying serious issues, for corporate compliance and good governance, and for keeping compromised individuals or bad actors from being onboarded.

An expert investigative firm will customize a deep due diligence investigation to your company, industry, and needs, to provide not only the results of the investigation, but recommended actionable steps, especially when there are issues that warrant further consideration such as involvement in other companies and other potential conflicts of interest.

Tier III Addition: Deep Dive Due Diligence-Enhanced Country-Specific

When conducting business in a foreign locality, having global subsidiaries, undergoing Mergers and Acquisitions (M&A) in another country, or hiring or acquiring through M&A an overseas executive, a Tier III investigation should be supplemented with a country specific deep dive due diligence. These investigations should be conducted by professional investigators who can provide site visits, speak local languages, have local contacts, are familiar with the culture, and have the experience and expertise to seek information in these locations.

On a more basic level, what is socially, and sometimes legally, acceptable in one location may, in fact, be a legal issue in another.

In-country due diligence may be needed in some situations to gain “on the ground” business intelligence. When operating in a foreign domain, a business is still accountable for adhering to the FCPA and other applicable laws if they have management or financial activity providing a business or banking nexus through the USA.

Conclusion

The different approach Moderna could have used would have been to conduct a Tier III due diligence investigation into Jorge Gomez before bringing him onboard. A Tier III due diligence investigation would have uncovered his prior employer Dentsply Sirona’s issues and recent change of management, at the very least raising questions.

The Most Significant Consequences of Insufficient Executive Due Diligence

According to common practice, a strong compliance program focuses on policies, employee training, books and records and internal controls, onboarding questionnaires and risk ranking of third parties, with a little investigative due diligence at the end. Company compliance programs are primarily driven by paperwork and training programs. Overall, the emphasis is on financial controls with due diligence coming in a distant second. It shouldn’t, but it does. This is because most due diligence programs apply legal due diligence on the front end and financial due diligence on the process side of things. Risk management due diligence, or human due diligence, and human intelligence, are often an afterthought if even that. In reality, human due diligence, or due diligence investigations are the main preventative tools in mitigating risk and evaluating the human side of the risk equation.

Due diligence investigations, including business and executive due diligence, are how a business can prevent many future problems, by vetting and screening executives and prospective or existing business partners up front. The sooner this vetting is performed, the fewer problems a company will have with its internal controls. It’s one of the most important components that is often overlooked. Most companies today think of investigative due diligence or third party due diligence as a check-the-box exercise, which it shouldn’t be.

Insufficient, subpar, or neglected due diligence can lead to substantial problems for a company. The simplest way to protect your company is by preventing fraudsters and con artists from gaining entrance to your business to begin with, rather than trying to find bad actors and rogue players once they come aboard. To accomplish this, a company first needs to know what a proper due diligence investigation looks like and, second, what the significant consequences of insufficient due diligence are. It is well known that 90% of FCPA violations occur because of third party issues, often involving bribery and corruption.

What a (Tier III) Due Diligence Investigation Is

Due diligence investigations are designed to detect hidden and undisclosed information that is not readily available in standard background checks. These deep dive due diligence investigations (a Tier III investigation) evaluate, among other markers: relationships of executives to foreign officials and other companies and entities, reputation issues, financial misconduct, legal issues, civil litigation issues, criminal history, political influence, conflicts of interest, shell company involvement, evidence of fraud, signs of money laundering, financial impropriety, behavioral issues, anti-competitive behaviors, and other serious matters.

A Tier III due diligence investigation or executive due diligence background check should be conducted by corporations on new executive hires and board members, or when an executive promotion occurs. Deep dive due diligence investigations are also critical when bringing aboard new entities through Mergers and Acquisitions (M&A); these can be conducted on the business entity itself, as well as the acquired key executive team. Executives will be in the highest positions of trust, a basic background check does not include any of these important searches, and therefore will not reveal these types of issues, however, effective executive due diligence investigations enable this information to be discovered, thus protecting the board and shareholders from unnecessary risk exposure.

This Tier III level due diligence investigation not only incorporates technology, such as Open Source Intelligence (OSINT), but is conducted by expert investigators who are skilled at triangulating complex and disjointed information, searching for hidden connections, and investigative analysis during which behavioral issues can come to light. The behavioral history of an individual can disclose observable patterns in the type and frequency of issues such as civil lawsuits, sexual harassment, class action lawsuits, fraud, and breach of contract matters.

These due diligence investigations become even more critical when doing business globally. Due diligence investigations involving foreign entities need to be looked at relative to culture, along with the location of executives and organizations. What can be considered socially or even legally acceptable in one nation may be unacceptable and illegal in another. The Securities and Exchange Commission (SEC) and Department of Justice (DOJ) have joint enforcement authority over the Foreign Corrupt Practices Act (FCPA) to fight corruption. Many US-based multinational companies struggle to have employees understand how common business practices such as gift-giving and small facilitation payments may be considered corruption in the USA.

Significant Consequences of Insufficient Due Diligence

The consequences of not giving enough weight to due diligence investigations in a corporate compliance program can be grave.

Insufficient due diligence can lead to reputational damage, affect the bottom line, cause financial damages, or even lead to criminal convictions, incarceration of executives, and stiff regulatory fines and penalties.

Reputation Damage

Scandals can ravage brands, destroy careers, tank stock prices, and ruin lives. Insufficient executive due diligence gives individuals with harmful proclivities and histories an easier chance to be hired by or work within your company, where their external bad actions or their internal bad or illegal ones can do serious harm.

Just recently, the fashion house Balenciaga has come under fire for a holiday ad campaign with toddlers holding teddy bears in bondage gear. Backlash came immediately, with the hashtags #boycottBalenciaga and #cancelBalenciaga trending on social media from TikTok to Twitter. Balenciaga and its creative director Demna have been accused of condoning child exploitation and pedophilia. Balenciaga has since pulled the ads and said it would hold internal and external investigations, and while the company did apologize, it took no responsibility. Instead, it filed a $25M lawsuit blaming the third-party agency and set designer, whose representative stated her client is “being used as a scapegoat” and that “Everyone from Balenciaga was on the shoot and was present on every shot and worked on the edit of every image in post-production.” Business of Fashion withdrew its 2022 Global Voices Award to Demna. The Balenciaga store in Hollywood was graffitied. People are posting videos cutting up and tossing out their Balenciaga items. Adding fuel to the fire, a Spring 2023 ad by Balenciaga has been noted to have what appears to be a page from a court document of a Supreme Court case that “ruled on federal laws regarding child pornography.” Balenciaga’s current controversy showcases what can go wrong when scandal strikes.

Even when a company itself has no issues, if its board of directors, employees, executives, or partners are caught in a scandal, its customers, the media, and investors may look unfavorably on the business for having hired them in the first place and question its ability to manage its internal affairs and protect theirs.

Scandals can also affect company stock price. There may also be shareholder lawsuits, particularly if it has a negative impact on company valuation. Enron, the former energy company, whose stock shares reached a high of $90.75, fell to 26 cents around the time the company declared bankruptcy in 2001. Shareholders lost close to $75 billion.

Some recent corporate and individual bad actors that serve as warnings include Elizabeth Holmes, Martin Shkreli, Harvey Weinstein, Volkswagen’s emissions scandal, Stericycle, and Enron, to name a few.

Due diligence investigations (and the decision to act on them) could have made all the difference in every one of these cases.

Affects the Bottom Line

Culture starts top down in companies. The executives set the tone. When fraudsters and con artists, or unethical people are hired, it can have a highly negative impact on productivity, fairness, teamwork, core business, customers, and the bottom line. Executives and other individuals may have impressive names on their CV or resume, but if they have poor work ethics, showcase litigious behavior, bullying, harassment, gambling or drug and alcohol problems, or other behavioral issues, the morale, trust, and outlook of employees and customers may be negatively impacted. Integrity and good work ethic should be critical for every executive hire. A Tier III due diligence investigation can help assess this and reveal hidden or undisclosed issues.

Corporate Fines

The Foreign Corrupt Practices Act (FCPA) contains both anti-bribery and accounting provisions. FCPA violations have increased over the last few years, with some COVID-19 related slowdown. In 2019, FCPA enforcements rose to $2.65 billion in penalties, an all-time high. In 2020, FCPA enforcements rose again to $2.78 billion. That same year also saw the largest single FCPA fine against a company, at $1.6 billion.

Financial damages can be punitive and personal. Additional penalties include: injunctions, forfeiture of associated profits, forfeiture of assets, and suspension (or in some instances banning) from doing business with the government.

As of September 2022, FCPA enforcements for just three companies, Stericycle, Inc., South Korea’s KT Corporation, and Luxembourg’s Tenaris, totaled about $189.3 million, and there are over 100 open and ongoing FCPA investigations.

Jail Time

For almost twenty years, Bernie Madoff ran a Ponzi scheme defrauding investment clients of billions of dollars. He was convicted of 11 federal crimes and sentenced to 150 years in prison and restitution of $170 billion.

This year, Elizabeth Holmes, whose company Theranos was once valued at over $9 billion, was convicted on 4 counts of fraud in a federal court and was sentenced to 11 years and three months in prison. Her one-time romantic partner and Theranos executive Ramesh “Sunny” Balwani was convicted on 12 counts of fraud and awaits sentencing. All of these executives had prior issues that could have been evaluated by investors had they conducted executive due diligence investigations. Smart investors did conduct legal, financial, and investigative due diligence and were able to steer clear of the disasters left in the wake of these fraudulent executives.

Due Diligence Investigations Mitigate Corporate Risk

Due diligence investigations are vital in helping companies foresee and mitigate risk and minimize corporate liability exposure. Rather than being tacked on at the end of a compliance program, they should be a serious part of all regulatory compliance efforts.

Companies should not rely on executive recruiting firms to conduct due diligence investigations. Most conduct only basic background checks and reference interviews, which is insufficient due diligence. Today federal regulators at the DoJ and SEC are well aware of the differences.

Tier III due diligence safeguards the interests of the company, board, employees, and stakeholders. Due diligence investigations also benefit corporate governance programs, FCPA compliance, and Sarbanes-Oxley (SOX) compliance, and minimize liability exposures from possible future inappropriate activities and crime. These human due diligence investigations add fiduciary protections for corporate boards of directors, especially for publicly traded companies.

Preventing bad actors and unethical individuals from entering your business to begin with safeguards your company from the start, so there will be fewer control issues later. Due diligence investigations should stop being an afterthought in corporate compliance programs and instead be something you lead with.

The Psychology of the Con

Underscoring the Need for Enhanced Due Diligence Investigations

In 1897, Cassie Chadwick, the “Queen of Ohio,” started an audacious, highly lucrative, and extremely successful con. At a time when women could neither vote nor take out a bank loan, she led banking institutions to believe she was the daughter and heir of steel magnate Andrew Carnegie, obtaining fraudulent loans totaling 10 to 20 million dollars. In the 2000s, Elizabeth Holmes, touted as the “next Steve Jobs,” convinced numerous venture capitalists, C-suite executives, government officials, and various other notables to invest millions into her company Theranos, which at one point was valued at over $9 billion. Her board of directors was called "the most illustrious board in U.S. corporate history." Holmes was going to revolutionize the medical industry with a bio-technology that could purportedly test blood with a single finger prick. The only problem was that the technology did not work. Holmes was faking it. It may seem incredible that a host of sophisticated industry experts could be taken in by Chadwick, but this scenario illustrates a simple truth: everyone is a potential victim.

People’s sense of surety that they can never fall for a con is the very reason they do. Humans need to believe. This is why one of the basic ways companies can protect themselves from “bad actors” is by leveraging the expertise of external due diligence investigative firms with worldwide reach.

“The confidence game—the con—is an exercise in soft skills. Trust, sympathy, persuasion,” writes Maria Konnikova in her New York Times bestseller The Confidence Game: Why We Fall for It…Every Time. One of the Theranos board members was former Secretary of State George Shultz. His grandson Tyler worked at the company. Tyler, who had a degree in biology from Stanford, was a research engineer there. He, along with co-worker Erika Cheung, discovered that outliers were being removed from Theranos’ data, causing inaccurate results. They also discovered that blood samples were being run in a secret lab on commercially available machines instead of the Theranos Edison Machine, as investors and patients had been told. When Tyler brought this to Holmes’s attention, it was not well met. In response, Tyler quit and spoke with his grandfather George Shultz, who sided with Holmes rather than believe his grandson. John Carreyrou, in his book Bad Blood, quotes George saying to Tyler, “They’re trying to convince me that you’re stupid. They can’t convince me that you’re stupid. They can, however, convince me that you’re wrong and in this case, I do believe that you’re wrong.” Holmes’ relationship with Shultz was one she “carefully cultivate[d].” Shultz was not the only one taken in by Holmes, but the example is clear.

People wanted to believe Holmes. She was going to make people’s lives better, save lives even. It was an appeal to people’s charitable instincts and of course, she tailored her behavior on a personal level to convince people of what they already wanted to believe. People want to trust. As Konnikova notes in her book: “The irony is inescapable. The same thing that can underlie success can also make you all the more vulnerable to the grifter’s wares…those who trust more do better. And those who trust more become…the perfect mark.”

“The easiest thing of all is to deceive one’s self. For what a man wishes, he generally believes to be true.” – Demosthenes

An over-reliance on technology adds to the dangerous waters which businesses and individuals tread. Frank Abagnale, the subject of the film “Catch Me if You Can,” famed for years of conning people with a variety of personas and careers, was asked if today’s technological advances and “ever-growing sophistication” would make it harder to accomplish what he had done. Konnikova reports his reply as, “What I did fifty years ago, as a teenage boy is four thousand times easier to do today because of the technology. Technology breeds crime. It always has and always will.”

Many companies depend on standard background checks when they hire executives. These are typically insufficient to protect a company from “bad actors.” The first line of defense is to conduct deeper screening than can be accomplished by a simple background check. The best way to mitigate risk is by partnering with an investigative firm with deep experience in enhanced due diligence that is able to conduct open source intelligence investigations and enhanced due diligence to capture a larger picture of the individual and their background. But not all investigative firms are equal. USIS, the contractor that at one time supplied around two-thirds of security clearances for the intelligence community, was discovered in 2014 to have had a culture that allowed malfeasance to flourish. Konnikova notes that, according to the Department of Justice (DOJ), USIS had “faked well over half a million background checks between 2008 and 2012—or 40 percent.” Integrity starts from the top, and allowing in individuals with a questionable moral compass can lead to the company being riddled with problems. Following these issues, USIS was dissolved as a company.

Many individuals think they can spot a liar. They think certain facial clues or body language can reveal discomfort, but studies show something different. Paul Ekman, who studies the ability of people to discern a lie, found that “the success rate at identifying honesty has been approximately 55 percent,” the nature of the lie notwithstanding. And con artists are craftsmen; their objective is to gain your complete trust so that you won’t bother to check them out.

Age also isn’t a factor in who can be conned. The only difference tends to be the type of con or the approach of the “bad actor.”

Because it is so easy for individuals to be deceived, owing to our own psychology and the varying skill of bad-willed individuals, due diligence investigations are vital when implementing executive screening or as part of a robust compliance program. A skilled investigation firm not only provides the research, but helps to interpret this research and make suggestions as to how to apply it to your unique business and industry, in accordance with your business risk tolerance. These firms will have highly trained investigators who can search the data and are also aware of what may be missing that should be found, plus they will have a global reach.

Cassie Chadwick was eventually arrested and tried for her crimes in a trial witnessed by Andrew Carnegie himself. In 1905, a Cleveland court sentenced Chadwick for conspiracy to bankrupt Citizen’s National Bank and conspiracy against the federal government with a $70,000 fine and a 14-year prison sentence. Elizabeth Holmes was found guilty on four counts of defrauding investors in January of this year. Holmes is now bidding for a new trial, casting aspersions on one of the primary witnesses, Dr. Adam Rosendorff, who was a former lab director at Theranos. Rosendorff stands by his testimony and wellness during the trial. More than $144 million was lost by investors in Theranos. Had due diligence investigations been completed on both of these individuals, things could have turned out very differently for those taken in. The word con man comes from the term confidence man. It was coined in 1849 in reference to William Thomas, who would approach marks asking “Do you have the confidence to trust me with your watch until tomorrow?” Surprisingly, many people fell for it, and off he departed, never returning the watch. The trust that made these individuals successful elsewhere led them to trust the wrong people here. It underlines the need to determine trust based on facts found in thorough due diligence investigations; don’t leave it to your “gut feel”. After all, why take the risk?

Protecting the Board

Board Risks and How to Mitigate Them

The board of directors plays a critical role in a company. Its members represent the company and have a fiduciary duty to its shareholders and assets. While they do not participate in the day-to-day activities and decisions of a business, they do oversee strategic planning and company operations, set overall policy, exercise an oversight role, and review the actions taken by the company’s officers and executives. This puts the board of directors in the unique position of being accountable at the top-most level for a company’s success, but also at a distance that can impact what is happening at ground level. This can cause a set of unique risks to the board, and by extension to the company and employees at all levels. A number of headlines over the last few years showcase the damage that can happen when a board, and by extension the entire company, is left unprotected.

Not aware of the potential dangers to the board, and hence the company at large, many businesses fail to have the proper safeguards in place to mitigate potential hazards. Risks include damage to finances, reputation, employee morale, incurring government oversight and fines, and even complete collapse. Fortunately, once aware of these risks and what measures to put in place, companies can easily establish proper protective measures.

Learning from Others

Elizabeth Holmes, founder and CEO of Theranos, a medical technology startup, had promised to revolutionize blood testing with the ability of her company’s product to test blood with only a few drops. This device would make testing easy, quick, and convenient, and would one day be available in people’s own homes. It was even claimed that this blood testing equipment would be able to identify 200 health conditions. The problem was, it didn’t work. In February 2022, Elizabeth Holmes was convicted of four of eleven charges of fraud brought by the Department of Justice (DOJ), and her company, once valued at over $9 billion, dissolved in 2018.

The boards of directors of Walgreens, Safeway, and even Theranos’ own board all fell prey to the allure of Elizabeth Holmes and her imaginary technology. Some board members had years of experience and numerous accolades, so how could things have gone so wrong, and what could have been done to protect these boards and their corporate wards?

Theranos

Fortune called the Theranos board “the most illustrious board in U.S. corporate history.” It included big names, such as James Mattis, a retired US Marine Corps general; former Secretary of State Henry Kissinger; William Perry, the former US secretary of defense; former US Senator Sam Nunn; retired US Navy Admiral Gary Roughead; Richard Kovacevich, the former CEO of Wells Fargo; former director of the Centers for Disease Control and Prevention William H. Foege; heart and lung transplant surgeon and former US Senator William Frist; and the chairman of the board for the Bechtel Group Inc., Riley P. Bechtel.

All seem to have been taken in by the sincerity and confidence of the oddly charismatic Holmes and her promise to save lives. When interviewed about what he thought about Holmes, Mattis replied “integrity” and “competence” – “both technical and scientific but also focused on human rights in the most classical sense of what human rights are about.” The promise of a righteous cause can often lead people down the wrong path without vetting either the cause or the source.

Boards need to ask tough questions and press the issue if the forthcoming answers are evasive or tenuous. One board member, Avie Tevanian, lifelong friend of Steve Jobs and former Apple chief software technology officer, did just that. In return, he was asked to leave the board under specious litigation threats. Holmes brooked no opposition and wielded the threat of lawsuits against anyone she deemed a threat.

In March 2008, two employees approached the board chair. They had evidence that Holmes deceived the board about the efficacy of both Theranos’ blood testing technology and its projected revenue. The board decided to replace Holmes as CEO, but when they went to give her the news, she changed their minds. Holmes, less than two weeks later, fired both employees who had spoken up. No one on the board looked into the firings, if they were even aware of them.

Directors are fiduciaries and are responsible for the oversight of a company’s compliance function, ensuring the activities of the business comply with the applicable industry, legal, and regulatory frameworks. The United States Sentencing Commission (USSC) sets out the requirements for an effective compliance program in the Federal Sentencing Guidelines. §8B2.1 of the guidelines reads:

“The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”

Clearly, the board had little to no oversight program in place, which is something that is particularly prevalent in startup environments and emerging businesses. No one conducted any due diligence on the principals of the company, even when investing millions of dollars at early stages. For Theranos, there was no monitoring system in place for compliance with medical and laboratory regulations. Holmes consistently flouted regulatory issues and directly lied about the efficacy of her product. Her blood tests were unable to run the analyses she touted them as being able to run, and she went so far as to hack commercial blood analyzers to clandestinely run tests on them instead of on her own product.

If the sudden firing of the whistleblowing employees was not a red flag, the departure of CFO Henry Mosley in 2006 should have come under more scrutiny. Mosley was fired by Holmes when he questioned the “reliability and integrity” of Theranos’ blood testing systems and equipment.

There were numerous other egregious actions by Elizabeth Holmes that the board appeared to be unaware of. One example took place in 2015, when the Centers for Medicare and Medicaid Services (“CMS”) conducted a surprise lab inspection. They found unqualified lab staff, mishandled blood samples, and expired testing reagents. CMS also required that the company void up to a million test results run on the Theranos equipment and in 2016 banned them from running a blood testing laboratory. The board was unaware of this as well.

Safeguarding the Board

The Theranos board wanted to do good. Unfortunately, goodwill and a powerful cause are not enough. In this case, the board needed protection even from itself. Why is protecting the board important and what can be learned from Theranos and similar cases?

Protecting the board is important, because the board plays a critical role in a company and can be a tremendous amount to a company, its employees, and shareholders.

What Can be Learned

Take Away

A Board of Directors plays a critical role in any corporation, and safeguards should be established to guarantee that they steer the best course for the company. Theranos provides a substantive lesson in how many things can go wrong in a company. The lives, finances, investments, and jobs of many people were negatively impacted by the unethical acts perpetrated by Elizabeth Holmes and Ramesh “Sunny” Balwani. The board was taken in by Holmes, as were many others outside of Theranos.

This does not mean, however, that other companies are free from malfeasance or are safe from bad actors. Just because board members or some executives and employees have integrity, does not mean all do, and without establishing an ethos of integrity and accountability with proper safeguards and measures in place, a company has no way of protecting or mitigating risk. This starts from the top down.

Protecting the board means establishing measures to safeguard the whole company, from investors and shareholders to employees to clients and partnerships. Fortunately, setting up the proper oversight, due diligence, compliance, risk management, accountability, and culture of integrity can safeguard their success and indeed the future of the corporation.