This white paper will consider investigative due diligence investigations in a variety of contexts. I consider what is third party due diligence, recent Foreign Corrupt Practices Act (FCPA) enforcement actions where the lack of or failure of due diligence was a key takeaway and finally the investigative due diligence function in the mergers and acquisition context.
Most companies fully understand the need to comply with the FCPA requirements around third parties as they represent the greatest risks for an FCPA violation. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. This means they may need to bring resources to bear to comply with the FCPA while continuing operating an ongoing business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigation of third parties, but have struggled with how to create an inventory to define the basis of third party risk and thereby perform the requisite due diligence required under the FCPA.
Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. Jay Martin, CCO at BakerHughes, a GE company often emphasizes that a company needs to evaluate and address its risks regarding third parties. This means that an appropriate level of due diligence, which may vary depending on the risks arising from the relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.
Our British compliance cousins of course are subject to the UK Bribery Act. In its Principle IV of an Adequate Procedures compliance program, the UK Ministry of Justice (MOJ) stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle IV is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The MOJ said that
due diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”
Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering, anti-bribery, sanctions lists and similar government produced lists, coupled with other financial corruption & criminal databases. Level I generally provides a summary of the beneficial owners of a company, its corporate structure, perhaps some financial information and the Global Watch lists. Many companies use that as their primary tool for risk ranking. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. This basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.
Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third party’s key executives and associated parties. Level II should also include an in-country data base search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.
This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. According to Candice Tal, CEO of Infortal, Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English. Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”
But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment- type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publicly.”
This level works to not to simply identify bad people or bad actors but also patterns of behavior which might tend to indicate a propensity for circumvention of internal controls or stepping over or even getting too close to the ethical line that indicates behavior that may turn criminal or turn in a direction that would hurt your business reputation going forward. Tal said there are behavioral issues that can be discovered through Level III due diligence. It can be through the online searching of media including newspapers, publications and digital media. A wide variety of information can come up in behavioral assessments in terms of what is the background of the executive or how they may have behaved in the past. Additionally, there may be information available in a country that may not reach the rest of the press. So you may find that there are local issues that are well documented. Sometimes you can only find that information through local language searches online, other times Tal indicates you need to do in-country research.
It is a process that is labor intensive; whether that is shoe leather getting out and walking around talking to people, conducting face-to-face interviews or taking a very deep Internet dive. It is the spade work of digging into many different sources of information to come up with a much fuller picture of whoever you are looking at, whether it be an individual or through a third party. Tal encapsulated it in what she called the “80-20 rule”. In investigations, you do find about 80 percent of information online about companies and individuals. Therefore, if you conduct a Level II search that incorporates a deep media search and switch, you can find 80% of the information fairly readily.
However, there is another 20% out there that is generally not available on the Internet. Level I searches never get to that information. One reason is because many companies do not disclose all their information and you may not find that information readily in those basic types of searches, Tal emphasized that it does, however, exist and investigators can find about 20% of that information. It is this final 20% of information or rather not finding out about it that often trips companies up in terms of corporate compliance programs.
Lastly and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the FCPA; you can use a Level III to determine if the third party willing to stand up with under the FCPA and are you willing to partner with the third party.
There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence. Unfortunately, a great deal of hidden and undisclosed information is found through deep internet searches. This means a Level I, or even Level II search may be only looking at adverse keywords; which usually consists of only 20 or 30 keywords. If a person or company has a history of bribery, corruption or perceived types of bribing of local officials, that information could be uncovered but it may well not be found unless you look in the right places for it.
We next consider some recent FCPA enforcement actions wherein insufficient due diligence was a key takeaway. The vast majority of FCPA enforcement actions over the past 10 years have involved some form of inadequate, insufficient or even a total lack of due diligence. We began by exploring how a company can perform sufficient due diligence without breaking the bank. Tal noted that most companies perform Level I due diligence, which of course provides limited information. Typically in Level I, companies find less than 1% of the issues that are out there. When you couple that with the realization that 90% of FCPA enforcement actions are against companies who engaged third parties and third-party vendors, you begin to see the problem. Now if you add due diligence in the Supply Chain component where there can be 5,000 or even 100,000+ companies, you see the daunting nature of getting your arms around these risks.
Another key feature of almost all FCPA enforcement actions is that companies that sustained enforcement actions most usually had ‘check-the-box’ compliance programs. To increase the percent of information about the troubling 1% figure Tal said companies need to “start looking at incorporating deep media searches, into their due diligence.” Deep media typically looks at aggregated data from companies that amass millions and millions of digitized records, journals, newspapers, articles, periodicals or other similar information. Now overlay global watch lists, with some basic corporate financial information, and you might be able to move from finding only 1% to up to 5% of the corruption and bribery related issues that exist amongst the parties. However, when you further expand that and do a deeper level search on online, beyond simply adverse keyword searches, it can move your discovery rate up to as much as 35% of the corruption and bribery related information.
We next turned to key executive searches for senior management and even Board members. Tal notes that most information suggests that between 10 to 20% of all such persons have adverse information in their backgrounds, which is often not reported and not uncovered. This means that if you have 100 senior managers and Board members, you can reliably estimate that 10 to 20% of that group has a red flag in their background which should be cleared before hiring or even promotion. If you have 1,000 such people in your organization, simply do the math. You may well have hundreds of senior executives with bribery related issues or issues in their backgrounds that you would not want to be responsible for causing nightmares for an organization down the road.
The regulators have made clear a check-the-box approach to due diligence is insufficient because it will not provide sufficient information as required by them. A company must rank its third parties based on a variety of factors such as where they are doing business, who they are doing business with, how they are doing business, financial strength and even political risks. The recent Vantage Drilling Co. FCPA enforcement actions drove home this need.
The company’s largest supplier was a drilling ship supplier who was so important to the organization that he was not only put on the Board of Directors but was also granted so much stock he became the largest single shareholder in the organization.
The problem was this supplier, Board of Director and shareholder, had lied to the company about his ability to deliver as he had no assets. A deep dive due diligence investigation was certainly in order for any of the roles he held during his relationship with the company. It would have revealed that he actually had no assets to provide to Vantage Drilling.
Further, it would have also indicated a propensity to skirt ethical niceties such as not paying bribes in violation of the FCPA. The company paid a very high price for its due diligence failures.
In the first decade of this century, the FCPA landscape was littered with companies who bought or obtained businesses that were engaging in bribery and corruption. Due to the acquirers lack of investigative due diligence, they paid a heavy price both in regulatory fines and penalties but also suffered loss of business value.
Three key early M&A cases which set the parameters of liability under the FCPA for lack of pre- acquisition due diligence were Syncor International Corporation, in 2002; Titan Corporation in 2005 and Latin Node in 2009. In Syncor, parent liability was established through the foreign subsidiary’s books and records and employees of a state-owned entity are instrumentalities of the government. This case also demonstrated how a government investigation can slow the closing of an acquisition as the acquisition by Cardinal Health was delayed until the investigation was concluded and agreements were struck with the DOJ and SEC, with the acquirer purchasing Syncor for a lower price than originally negotiated.
In Titan, some of the basic tenets of a compliance program were laid out in this enforcement action. They included: a company must conduct meaningful due diligence with respect to foreign agents and consultants and must ensure that the services alleged to be performed are provided. Internal controls must be designed to detect “red flags,” such as offshore payments and inconsistent invoices. Ultimately and most importantly from the business perspective, the merger failed when Titan was unable to meet contractual agreement to settle with the US government by a certain time.
In Latin Node, This was the first FCPA enforcement action based entirely on pre-acquisition conduct that was unknown to the buyer when the transaction closed. The purchaser’s entire
$22+ million investment in Latin Node was wiped out due to the inflated acquisition price of a corrupt company and investigation costs.
All of this demonstrated the need for rigorous pre-acquisition due diligence in addition to the post-acquisition integration. It also exposed individuals to the real possibility of jail time for their actions.
There have been several M&A cases since these three but they set the model for the DOJ’s prosecution going forward. Every compliance practitioner should be aware of these cases and communicate to management that one of the most well settled areas of FCPA enforcement is around M&A. Simply put if you do not engage in appropriate pre-acquisition due diligence and there continues to be ongoing bribery and corruption after you acquire an entity, your company will bear the brunt of any prosecution.
These early cases led the DOJ to articulate the safe harbor exclusion in the 2012 FCPA Guidance. This safe harbor exclusion was incorporated formally in 2018 with the incorporation of the safe harbor into the FCPA Corporate Enforcement Policy. Now, if you follow the strictures of the safe harbor exclusion by performing pre-acquisition due diligence and the requisite post- acquisition integration, audit and remediation steps, with notice to the government if violations are present; there will be a presumption of a declination granted if a FCPA violation is found to have occurred by the target company before the acquisition. This has only made your pre- acquisition due diligence more important.
The compliance component of your mergers and acquisition (M&A) regime should begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.
The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.
Next you should lay out your process on how to plan and execute a strategy to perform pre- acquisition due diligence in the M&A context.
Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally, you need to validate, with Human Resources (HR), if there have been terminations or disciplines relating to compliance.
informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video?
Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s General Counsel (GC), its Vice President (VP) of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.
You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business.
Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory
obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?
Tal noted that compliance due diligence in M&A is more than simply looking at numbers; it is a much deeper dive. Due diligence investigations are an overriding term for a number of different aspects or applications of due diligence. There could be agent and distributor due diligence, vendor due diligence together with looking at the company and its operations, its financial information, its executives, its Board of Directors and senior management. She cautioned that in the past, many companies really do not look at the executives of a target company, which can lead to multiple problems later on, in terms of FCPA violations and also shareholder losses, market losses and volatility at all levels.
Tal said that rarely do the purchasers look closely at the target’s Board of Directors but that it can be an important inquiry from the compliance perspective. For instance, if the Board has any issues that the acquirer should be aware of which would impact or even dictate tone at the top; this could be critical information. It might not even be untoward information which could be uncovered in the deep dive due diligence on the Board. It could uncover potential conflicts of interest which are currently in place or could occur should the merger occur. Finally, such a due diligence on the target’s Board could give the acquirer information on both the target’s culture and what needs to be in the remediation plan after closing.
Certainly a deep dive due diligence should be performed on the target’s CEO and senior management to see if there is anything in their past which could turn around and bite the acquirer after closing and integration. Tal has noted, approximately 20% have significant issues in their background that were not known. Obviously, this can present serious problems to an acquirer if the risks manifest after the closing.
Tal turned to another topic she has developed through her years of work in this field, which she called “the investigative hunch.” She said, “you expect to find certain pieces of information and yet you don’t find it anywhere. The question is: what does that mean? Does it mean anything or is it something that’s being covered up and potentially serious?”
This example shines a light that there are many different aspects to investigative due diligence, particularly in M&A. Transactional due diligence is one part of compliance due diligence in the M&A context but it is only one part. Through a more robust, deeper dive due diligence you can begin to uncover both hidden and undisclosed information that can be found through both deep media and historical Internet searches. She concluded with “it’s a much, much greater type of investigative analysis than simply Level I due diligence.”
Unfortunately most CCOs are working with limited information from their due diligence programs or due diligence providers. This means they do not have enough information to input into their risk assessment. As we previously explored, if a company is performing or having performed for them only a Level I due diligence, they may well only be uncovering up to 1% of the adverse information or raising the appropriate red flags. In a high-risk jurisdiction, Tal believes that if a company is not receiving up to 35% of the required information, they are really operating behind the 8-ball.
Moreover, relying on computer searches raises an amount of concern for other reasons. These include both shell companies and front offices. There are still situations that without a physical drive by of the third parties facilitates, the address may simply be a local postal box. The problem of shell companies still exists far beyond the initial dump of information past the Panama Papers and Paradise Papers. Even with a real physical address, if your third-party shares an address of a flat in London that also houses some 1,500 additional corporations, this is a serious red flag that you are dealing with a shell company. That in and of itself is a red flag which, if not cleared, could lead to a serious legal violation and a significant reputational hit to your organization.
Tal pointed to another area which is often missed which is the extended relationships between people in emerging growth areas such as Latin America, where you can see a lot of family run enterprises. Tal stated, “A Level I due diligence will not pick up on this where one company is a family which may run multiple businesses. Some other business may be corrupt and the question becomes how does that impact the primary relationship? This can be a very important red flag that is being missed as the US Company may not even know who the real owners are going forward.”
She added that if you do not have good information to begin with on the basics, such as a company name, you cannot research a matter correctly. A wrong company name can lead to a false negative. Due diligence might come back with no information about the company or it could come back with information on a different company, “so that’s another type of issue for some Chief Compliance Officers to be concerned about.” Of course the physical issue of whether a company actually exists or actually have employees working there can still be a problem as well.
What should be your investment in due diligence? Tal said, “a very good strategy would be to do the Level I due diligence but consider adding to it by building in deep dives on media and the Internet.” With such deeper dives a compliance professional can increase their due diligence yield to up to 35% more information than Level I can provide. This approach also allows for a quicker and more expeditious uncovering of red flags that might warrant more focused investigations. It can then allow a quicker clearing of red flags to move forward.
With a more long-term focus a CCO needs to perform due diligence on an ongoing basis. Even if a company has done a basic due diligence investigation, feel they have a solid compliance program around their third parties, internal controls and accounting provisions, recent enforcement actions mandate more due diligence and a review of your third parties more than
every two to three years. The Panasonic Avionics enforcement action made clear that due diligence should be viewed as an ongoing process.
Additionally, there has been and will continue to be political instability in various areas of the world. This political upheaval can mean you find yourself in a country now having to do business in a completely different manner. South Africa, Brazil and Malaysia have had peaceful regime changes impacting whom you may have done business with and with whom you are doing business, therefore ongoing monitoring is really vital to a solid compliance program.
Infortal Worldwide www.infortal.com.
Toll Free: 1 (800) 736‐4999
Office: (408) 298‐9700