Let’s see, I’ve disagreed with Alexandra Wrage, Thomas Fox, the FCPA Professor (who, by the way, has a really interesting piece on the UK Bribery Act), and now, Michael Volkov. And again, it’s not that I disagree, exactly. But I think Mr. Volkov is taking an outside counsel view of the world, which is not surprising, because he is outside counsel. Sometimes, though, my in-house perspective looks a little different.
According to Thomas Fox, writing here, Volkov spoke yesterday at ACI’s FCPA Boot Camp about due diligence. He said some things I really don’t understand—maybe you had to be there—about diligence. One thing that Fox reports:
Volkov believes that the entire process of screening and evaluation of a new third party relationship should be done at the highest level possible within a corporation. This means in the General Counsel’s office; the Chief Compliance Officer or other equally high office trained to not only perform due diligence but also evaluate the risk. This centralized review should also include a centralized review of contracts to ensure consistent standards. He emphasized that the in-country business unit should not be allowed to handle this task. He noted that after the relationship is established you can set up a different standard for monitoring the relationship going forward. The key in this post-contract execution area is that if you detect a problem, then how does your company deal with the problem? Once again he emphasized Document, Document, and Document.
Now, Volkov is an expert, so you have to take him seriously. Taking Volkov seriously, we must ask: is he serious?
Let’s say I’m a compliance officer for a large corporation. Let’s say the corporation even has a dedicated FCPA person. So I’m that person, and I’m told I need to cede authority for due diligence to the General Counsel? Really? Or, being charitable, to the Chief Compliance Officer? Maybe I’m misunderstanding. He does say “General Counsel’s Office,” not necessarily the GC. But he specifically says the CCO, which is just as ludicrous. Maybe his audience is smaller companies, where the GC takes a more hands-on role in the details. That would make more sense.
For a time, I ran anti-corruption compliance for American Express. The General Counsel of American Express is Louise Parent. Now, I was a prosecutor in the Bronx for the first six years of my career. I’ve stood across the table from murderers, rapists, armed robbers, etc. At this point, no one intimidates me. Except Louise. She intimidates the hell out of me. She’s brilliant, forward-thinking, tough, and yet knows how to put people at ease. She’s one of those people who is good at the vision, and the substance. She remains one of the best GC’s I’ve ever heard of.
The idea of her burying herself in the minutiae of due diligence, like who the beneficial owners are of a marketing company in Buenos Aires that we want to use for a Viva Amex! campaign, is ridiculous. It would, frankly, be a waste of her time. About the only thing that can be said that she and I have in common, skill-wise, is that we both have 24 hours in our day to get things done. I’ll worry about the Buenos Aires marketing vendor. Let her worry about where the company is going.
I won’t be one of those people who says everyone else is wrong without putting an alternative out there. So let’s discuss first the theory of diligence, then the reality of diligence, within the corporate framework.
As you can tell from my prior posts, I like defining my terms. So…due diligence is a process through which one gathers enough facts about another company so that an informed decision can be made about the risk of doing business with that other company.
Volkov suggests five pieces of diligence (I can’t believe these are the only five):
- Existence of relationships with foreign government officials
- Prior history of bribery or other crimes
- Nature of services to be provided
- Compensation and payment method
- The fifth, not really diligence related, is that Volkov suggests having a written contract with reps and warranties on compliance, right to audit, and a termination provision.
There’s no way that’s the whole list. I can almost guarantee there’s a five- to six-page questionnaire behind there somewhere. People who do this for a living often debate what the absolute minimum amount of diligence is. I like to frame that question differently: what are the things you absolutely must know about a company before signing your contract?
In my opinion, here they are. Some of these, you’ll see, are questions that need to be asked internally, not just of the company itself.
1. Are any of the leaders of the company (beneficial owners, or senior management) government officials, or related to government officials? Notice that this means that you have to identify the beneficial owners and senior management.
[I won’t, can’t, go into here how you find out these things. The answer is, it depends. Most likely, it’ll be a questionnaire. Let me digress here for a second. The key to a lot of this stuff—and I agree that everything must be documented—is verification. What do you need to verify by an independent source? That’s a key question for diligence purposes. The more you independently verify, the stronger your diligence. But your information sources can be few and far between, and in markets that don’t have, for example, a corporate registry, verification can get expensive.]
2. Is this company going to interact with or sell products to government officials on your behalf?
3. Is the third party publicly traded, or subject to regulatory oversight?
4. How did you first become aware of this third party? This is an important question, because if the answer is, “we first heard of this contractor from the government official we’re trying to influence,” that’s a HUGE red flag. Enough, I think, by itself, to meet the “should have known” standard if a bribe ends up getting paid. Change that “I think” to “it’s a certainty” if you’re in a high-risk market.
5. Is the company what you’d expect—in terms of size, resources, office space, etc.—to allow the third party to provide the services they’re providing to you? How can you find this out? Site visits. I think a documented site visit is one of the best, and simplest, things you can do to protect yourself.
6. How is this company going to get paid? Weird payment arrangements are a red flag.
7. How much is this company going to get paid? Follow-up: is that amount in line with the market value?
8. Will the company provide business references? Check them. Please. Just check them. I once prosecuted a woman for embezzlement. She had done it before. The first time, the company filed a complaint, and cooperated all through the case, up to and including testifying. The woman went to jail. When she got out of jail and applied to the second company, she put the first company—the one she stole from—as a reference! The second company never called the first company to check the reference. Don’t make that mistake. Check references. Don’t bother asking for them if you’re not going to check them, because you’ll look like an idiot.
9. Is anyone from senior management, or are the beneficial owners, on the SDN or debarred parties list? This is so simple I don’t understand why everyone doesn’t do it. It’s good optics, and you’ve probably already got access to SDN-checking software somewhere in your company.
10. Has this company been in the news for something negative? Do a Google News search. Or Lexis-Nexis if you have access. Your anti-money laundering people have a list of negative-news search terms. Use it. (If your AML people don’t have a negative-news search term list, fire your AML people.)
11. Has the third party said or done anything that makes your people nervous? Ask the question, you’d be amazed at the answers you get.
12. Was the procurement/onboarding process run according to normal channels, or was it a rush job?
Some people say that you should check with the US embassy. I never did, but knock yourself out. I think those 12 things will cover 90-95% of your risk. The answers to these questions get you your risk profile. Then you need a process—and I don’t think you need much seniority, just a process, plus escalation if necessary—to approve the third party.
Now, here’s the trick. This gets you to the point where you can sign a contract. Have FCPA language in your contract. But, and this is me being contrarian again, I never liked contract language. I haven’t met anyone yet who was willing to bribe, but not willing to sign something that said they wouldn’t. I’m all about real protection. FCPA language is form, not substance. Important form, maybe; but form. If you’re going to have anyone sign anything, have it be semi-annually, and internal. Identify your highest-risk employees, and have them sign something once or twice a year, on pain of termination, that they haven’t bribed or seen anything that raised that concern. Again, not great prevention, but it looks good. Anyway, have language in your contract.
Audit rights: again, not a fan. The DOJ has said they expect them. Fine. But you have a problem: if you ask for intrusive audit rights, expect to have the request go both ways, which means you have people coming in and looking at your books. Also, if you ask for them, you need to exercise them. Audit rights become audit obligations. I like audit rights that say that if you suspect a violation has occurred, they’ll let you audit. Again, not preventative, but it looks like you have audit rights. I never had the staff or money to conduct an honest-to-G-d external audit of a third party. Maybe you do. Plus, if you really require audit rights, expect a longer, more ornery contract negotiation.
Now, here’s the real due diligence kicker. You’ve got your company diligence. Now you need transaction diligence. When you do business with higher-risk third parties, you need to understand not just the company, but the transactions that follow. The most important thing to know is, will there be money left on the table? This takes place most often with high discount goods. If you’re offering the third party a 30% discount, and he’s offering a 10% discount, there’s money left on the table. You need to know where that money is going. This is only true if the buyer is a government agency, mind you (although, the UK Bribery Act might make that untrue). But if the end user is government, you need transaction-level diligence if you want to be safe.
Plus, diligence is a snapshot. You need to make it a movie. You must, absolutely must, refresh the diligence on a regular basis. Biennially is fine. But the story to the DOJ is SO much stronger if you say, “this is the refreshed diligence we did per our policy of refreshing diligence every other year, the original diligence said ….” That’s a strong presentation, IMHO.
Last point. Who does the diligence? Volkov says you have to take it out of the local business unit’s hands. I almost agree. I agree that you can’t have the people seeking to onboard the third party do the diligence, but I also think that all diligence, like all politics, is local. You need people who know the culture, know the country, and know the language, to do your diligence. If someone is checking references, there’ll be a lot that can go unsaid, that a US compliance officer would just miss, that a local lawyer wouldn’t.
First, Tom Fox has a disclaimer on every post about how he’s not giving legal advice. I’m a lawyer, but I’m not your lawyer, okay? This is a blog, not a client memo. If you want a client memo, please hire Mr. Volkov, or one of the other fine outside counsel (I’m happy to talk about who I like in that world), to get you one. This is just my opinion, based on my experience.