I recently had the honor of speaking about various aspects of due diligence investigations with Tom Fox, The Compliance Evangelist. We explore issues ranging from deal volatility, succession liability and reputational damage in M&A transactions, to due diligence nightmares and how to prevent them. Unlocking hidden and undisclosed information that may sink the deal, cause volatility, or damage the buyer’s reputation is key. Episode 4 addresses innovation and continuity in international due diligence investigations and improving results for regulatory compliance.
There are typically three levels of due diligence. The three levels are typically Level I, the basic level which typically looks only at a global watch lists for sanctions, politically exposed persons (PEPs), anti-terrorist lists, anti-money laundering (AML) and similar government produced lists. Level I generally provides a summary of the beneficial owners of a company, its corporate structure, perhaps some financial information and the Global Watch lists. Many companies use that as their primary tool for risk ranking. A Level II due diligence investigation is an intermediate between Level I and Level III. Level II takes a deeper dive looking at every aspect of public records information in addition to areas that are not necessarily in the public record. It encompasses items like a deeper dive of executive backgrounds.
The final level, Level III, is also called a deep dive due diligence investigation. This level works to not to identify bad people or bad actors but also patterns of behavior which might tend to indicate a propensity for circumvention of internal controls or stepping over or even getting too close to the ethical line that indicates behavior that may turn criminal or turn in a direction that would hurt your business reputation going forward. There are behavioral issues that can be discovered through Level III due diligence. It can be through the online searching of media including newspapers, publications and digital media. A wide variety of information can come up in behavioral assessments in terms of what is the background of the executive or how they may have behaved in the past. Additionally there may be information available in a country that may not reach the rest of the press. So you may find that there are local issues that are well documented. Sometimes you can only find that information through local language searches online, other times Tal indicates you need to do in-country research.
Unfortunately most CCOs are working with limited information from their due diligence programs or due diligence providers. This means they do not have enough information to input into their risk assessment. As we previously explored, if a company is performing or having performed for them only a Level I due diligence, they may well only be uncovering up to 1% of the adverse information or raising the appropriate red flags. In a high-risk jurisdiction, Tal believes that if a company is not receiving up to 35% of the required information, they are really operating behind the 8-ball.
Moreover, relying on computer searches raises an amount of concern for other reasons. These include both shell companies and front offices. There are still situations that without a physical drive by of the third parties facilitates, the address may simply be a local postal box. The problem of shell companies still exists far beyond the initial dump of information past the Panama Papers and Paradise Papers. Even with a real physical address, if your third-party shares an address of a flat in London that also houses some 1,500 additional corporations, this is a serious red flag that you are dealing with a shell company. That in and of itself is a red flag which, if not cleared, could lead to a serious legal violation and a significant reputational hit to your organization.
The vast majority of FCPA enforcement actions over the past 10 years have involved some form of inadequate, insufficient or even a total lack of due diligence. We began by exploring how a company can perform sufficient due diligence without breaking the bank. Candice Tal noted that most companies perform Level I due diligence, which of course provides limited information. Typically in Level I, companies find less than 1% of the issues that are out there. When you couple that with the realization that 90% of FCPA enforcement actions are against companies who engaged third parties and third-party vendors, it leads Now if you add due diligence in the Supply Chain component where there can be 5,000 or even 10,000 companies, you can begin to see the daunting nature of getting your arms around these risks.
Another key feature of almost all FCPA enforcement actions is that companies that sustained enforcement actions most usually had ‘check-the-box’ compliance programs. We considered this implication in the context of due diligence. To increase the percent of information about the troubling 1% figure Tal noted above, she said companies need to “start looking at incorporating deep media searches, into their due diligence.” Deep media typically looks at aggregated data from companies that amass millions and millions of digitized records, journals, newspapers, articles, periodicals or other similar information. Now overlay global watch lists, with some basic corporate financial information, and you might be able to move from finding only 1% to up to 5% of the corruption and bribery related issues that exist amongst the parties. However, when you further expand that and do a deeper level search on online, beyond simply adverse keyword searches, it can move your discovery rate up to as much as 35% of the corruption and bribery related information.
Tal believes that AI will be a “game changer” in compliance. Massive data sets require some type of AI to sort through and analyze the information. This is particularly important for internal controls and accounting books and records provisions to identify massive fraud. This is yet another area which is still developing. Tal stated, “I’ll frame that by saying at least in the next few years, there will still be a need for the traditional investigative approach that the boots on the ground, one where an investigator goes out and physically checks on facilities. Artificial intelligence is going to have limited ability to do that.” While drones may become part of an investigators tool kit, Tal believes that AI will be used “in a similar way to most data aggregators today. They find about 80% of the information. Yet there will always be the remaining 20% which they cannot find and you will need human intervention on the investigative side.”
Looking down the road to the veiled land of the future, Tal sees continued innovation facilitating investigative due diligence. While AI is more than simply on the horizon, she said it “is a tried and tested methodology that has existed for many years, in terms of how do you look for and locate shell companies.” It is also true about finding information about people who are trying to deliberately hide information. The bottom line is some of these investigative techniques involve old-fashioned shoe leather or simply hard diligent investigative work and “that’s not new”. Yet AI and other technological tools can make investigations more efficient and more cost effective, while giving better results. At the end of the day, AI can be used to sharpen and hone the due diligence process.
I know you will find this podcast series useful. A new episode will release daily on the FCPA Compliance Report. All episodes will also be released daily on JDSupra. If you want to binge listen they have all been released YouTube, iTunes, or on the new hosting platform of the Compliance Podcast Network, Panoply.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.