We hear a lot about due diligence and its importance to effective anti-corruption controls. It amazes me that people who universally recognize the need to do it well still do it so badly.
I read Mike Volkov’s article on his blog yesterday about due diligence programs. First, a quick digression: make sure you go over to Mike’s blog and tell him “keep blogging.” I got worried for a minute when he stopped. He’s back now, and we need to keep him writing.
This is the point where I usually say something complimentary while setting up the fact that I totally disagree. Sorry to disappoint. OK, I don’t completely agree with everything Mike has to say. But reasonable people can disagree. Let’s go through his points one by one. I’ll add my own flavoring along the way.
Mike’s introductory point is 100% correct: the Department of Justice will not prosecute a company that takes its due diligence responsibilities seriously, makes a good-faith effort at conducting diligence and analyzing the results, yet blows a call. An error in judgment in the course of a real program isn’t a criminal violation.
There are three steps to a due diligence program:
- Fact finding
- Intelligence analysis
- Putting the analysis to work
Here’s truth #1: If you don’t have all three steps, you don’t have a reasonable program. People make a big deal of #1, often to the detriment of #2 & #3. Don’t make that mistake.
Number 3 is the hardest. By far, the hardest.
I disagree with Mike (see, you know you were waiting for that) that the third party agreement should be reviewed by a senior person. Maybe not “disagree,” but I definitely think he’s solving the wrong problem. First, the contract is not part of the diligence process; it is a result of the diligence process. Talking about contract rights in the middle of due diligence is like talking about training: it’s important, but it’s two different things. Tackle one at a time. I’d rather have a strong diligence process and a weak contract than vice versa. (I’m not a fan of spending too much time on contracts anyway, but that’s another story.)
Fact finding, in my opinion, must be local. There are four sources of information: a questionnaire, references, the internet, and “other.” “Other” can be any number of things. It can be a locally required government controlled list of corporate officers. It can be a registry of corporations. The “other” will be known to the local folks, and probably not to you. That’s why fact-finding must be local. The fact finding shouldn’t be a gathering, it should be a hunt. You’re looking for specific information.
The question I hear most often is “what’s the minimum?” My first reaction, frankly, is that if you’re asking that question, you’re not serious about getting a program in place. You want the appearance of diligence, without the cost. Because make no mistake, a real diligence program is expensive. I wrote on diligence once, saying that no case has been brought alleging insufficient diligence, only no diligence. A savvy reader commented that Alcatel Lucent was an “insufficient diligence” case. Not so. The ICE petitions have made clear that Alcatel had the illusion of a program, but nothing real. Don’t fall into that trap.
I believe that you need something from all four sources. Having said that I don’t like the “minimum” question, let me try to answer it anyway. These aren’t questions to ask, they’re things your questions need to discover.
- Is there any senior employee of the TPA (Third Party Agent) who is related to a relevant government official? (By “relevant,” I mean someone who has some sway over any aspect of your business).
- Is the TPA on any list? OFAC, UN Sanctions, local sanctions, debarred?
- Does the TPA have the resources to do what you’re hiring them to do? (I really like site visits.)
- Has there been any negative news? By the way, I think it’s a best practice to maintain an open line of communication with your TPAs so that when a new case comes out which names a particularly crooked intermediary, you can reach out to your highest risk TPAs and ask if they’ve done business with the now-famous wrongdoer. (Jeffrey Tesler, anyone?)
- Check references.
- Are the optics in place? By “optics” I mean, does the company have a real web site? A working telephone; landline, not mobile? A working email that’s not @yahoo.com? Is the company a company? Meaning, is it incorporated? Are its corporate filings up to date? Does the company have an office? Employees?
Strangely enough, for all the time and resources spent on fact-finding, it’s the easiest of the three.
It’s much, much more difficult to analyze everything that’s coming in. Remember, the more you collect, the more you need to analyze. And believe you me, everything you bring in, you need to do something with. It’s a balancing act: it’s great to collect more information, but you run a risk if your processes can’t deal with the volume of information. Generally, you can deal with it, but you have to arrange things at the beginning when you’re setting things up. Intelligence analysis means that you have to know why you’re asking every question you’re asking. Every answer you get matters. There’s little worse than a lot of intelligence you have about a TPA but that you either don’t know you have—because no one is looking at the facts you gather—or know you have, but don’t know what to do with.
So what does a good intelligence analysis process look like? One possibility is that for each fact you gather, you assign a point value. Add up the points to understand what category your TPA falls into. I would suggest two categories: high and low. Why two instead of three? I’m a believer in simplicity. The more complicated things get, the more things can get screwed up. Keep it simple. Because here’s truth #2: whatever you do, it needs to last for the long term.
And complicated things break.
Next comes the hardest part. You’ve got your facts, you’ve got your risk rating. What do you do with it? Because here’s truth #3: if you don’t use information, it’d be better if you didn’t have it. You can justify why you collect the information you collect, and by inference why you don’t collect what you don’t collect. It’s harder to justify having information and doing nothing with it.
Another digression: this applies across the board, in my opinion. If your AML program has information about a TPA, and you don’t access it and use it, that’s a problem. It also makes you lose face with the regulators. Some people talk about credibility, I like talking about these things in terms of face. You can’t afford to lose face with the DOJ.
Anyway, what do you do with the information? First, remember that diligence is a movie, not a photograph. It’s not “one time and out.” You have to keep at it, at least for your high-risk TPAs. For higher risk TPAs, your analysis has to mean something. Extra transaction monitoring. Stronger terms in contracts. Audit rights (yes, I threw up a little in my mouth when I said that). More frequent diligence updates. You have to run periodic news searches. The funny thing is, you don’t have to do much. You just have to do it consistently. I especially like the new-case-comes-out-we-run-the-name-against-our-highest-risk-TPAs.
So your three stages: find the facts, analyze the facts, do something with the facts. And your three truths: if you don’t do all three things, it’s not reasonable; whatever you do, it needs to last for the long term; and if you don’t use the information, it’d be better if you didn’t have it.
Be careful out there.