
FINCEN & Customer Due Diligence

1 Aug

Yesterday, the Financial Crimes Enforcement Network held an all-day meeting at the Treasury Department to discuss the new proposed rule on customer due diligence. The proposed rule requires collection of beneficial owner information.

I wasn’t there. I’d like to find someone who was for an article I’m going to write about it on Forbes.com.

Can someone point me to someone who attended? And make an introduction?

Three Truths About Due Diligence

2 Jun

We hear a lot about due diligence and its importance to effective anti-corruption controls.  It amazes me that people who universally recognize the need to do it well still do it so badly.

I read Mike Volkov’s article on his blog yesterday about due diligence programs.  First, a quick digression: make sure you go over to Mike’s blog and tell him “keep blogging.”  I got worried for a minute when he stopped.  He’s back now, and we need to keep him writing.

This is the point where I usually say something complimentary while setting up the fact that I totally disagree.  Sorry to disappoint.  OK, I don’t completely agree with everything Mike has to say.  But reasonable people can disagree.  Let’s go through his points one by one.  I’ll add my own flavoring along the way.

Mike’s introductory point is 100% correct: the Department of Justice will not prosecute a company that takes its due diligence responsibilities seriously, makes a good-faith effort at conducting diligence and analyzing the results, yet blows a call.  An error in judgment in the course of a real program isn’t a criminal violation.

There are three steps to a due diligence program:

  1. Fact-finding
  2. Intelligence analysis
  3. Putting the analysis to work

Here’s truth #1: If you don’t have all three steps, you don’t have a reasonable program.  People make a big deal of #1, often to the detriment of #2 & #3.  Don’t make that mistake.

Number 3 is the hardest.  By far, the hardest.

I disagree with Mike (see, you know you were waiting for that), that the third party agreement should be reviewed by a senior person.  Maybe not “disagree,” but I definitely think he’s solving the wrong problem.  First, the contract is not part of the diligence process; it is a result of the diligence process.  Talking about contract rights in the middle of due diligence is like talking about training: it’s important, but it’s two different things.  Tackle one at a time.  I’d rather have a strong diligence process and a weak contract than vice versa.  (I’m not a fan of spending too much time on contracts anyway, but that’s another story).

Fact finding, in my opinion, must be local.  There are four sources of information: a questionnaire, references, the internet, and “other.”  “Other” can be any number of things.  It can be a locally required government controlled list of corporate officers.  It can be a registry of corporations.  The “other” will be known to the local folks, and probably not to you.  That’s why fact-finding must be local.  The fact finding shouldn’t be a gathering; it should be a hunt.  You’re looking for specific information.  The question I hear most often is “what’s the minimum?”  My first reaction, frankly, is that if you’re asking that question, you’re not serious about getting a program in place.  You want the appearance of diligence, without the cost.  Because make no mistake, a real diligence program is expensive.  I wrote on diligence once, saying that no case has been brought alleging insufficient diligence, only no diligence.  A savvy reader commented that Alcatel Lucent was an “insufficient diligence” case.  Not so.  The ICE petitions have made clear that Alcatel had the illusion of a program, but nothing real.  Don’t fall into that trap.

I believe that you need something from all four sources.  Having said that I don’t like the “minimum” question, let me try to answer it anyway.  These aren’t questions to ask; they’re things your questions need to discover.

  • Is there any senior employee of the TPA (Third Party Agent) who is related to a relevant government official? (By “relevant,” I mean someone who has some sway over any aspect of your business).
  • Is the TPA on any list?  OFAC, UN Sanctions, local sanctions, debarred?
  • Does the TPA have the resources to do what you’re hiring them to do?  (I really like site visits.)
  • Has there been any negative news?  By the way, I think it’s a best practice to maintain an open line of communication with your TPAs so that when a new case comes out which names a particularly crooked intermediary, you can reach out to your highest risk TPAs and ask if they’ve done business with the now-famous wrongdoer.  (Jeffrey Tesler, anyone?)
  • Check references.
  • Are the optics in place?  By “optics” I mean, does the company have a real web site?  A working telephone (landline, not mobile)?  A working email that’s not @yahoo.com?  Is the company a company?  Meaning, is it incorporated?  Are its corporate filings up to date?  Does the company have an office?  Employees?

Strangely enough, for all the time and resources spent on fact-finding, it’s the easiest of the three.

It’s much, much more difficult to analyze everything that’s coming in.  Remember, the more you collect, the more you need to analyze.  And believe you me, everything you bring in, you need to do something with.  It’s a balancing act: it’s great to collect more information, but you run a risk if your processes can’t deal with the volume of information.  Generally, you can deal with it, but you have to arrange things at the beginning when you’re setting things up.  Intelligence analysis means that you have to know why you’re asking every question you’re asking.  Every answer you get matters.  There’s little worse than a lot of intelligence you have about a TPA but that you either don’t know you have—because no one is looking at the facts you gather—or know you have, but don’t know what to do with.

So what does a good intelligence analysis process look like?  One possibility is that for each fact you gather, you assign a point value.  Add up the points to understand what category your TPA falls into.  I would suggest two categories: high and low.  Why two instead of three?  I’m a believer in simplicity.  The more complicated things get, the more things can get screwed up.  Keep it simple.  Because here’s truth #2: whatever you do, it needs to last for the long term.

And complicated things break.

Next comes the hardest part.  You’ve got your facts, you’ve got your risk rating.  What do you do with it?  Because here’s truth #3: if you don’t use information, it’d be better if you didn’t have it.  You can justify why you collect the information you collect, and by inference why you don’t collect what you don’t collect.  It’s harder to justify having information and doing nothing with it.

Another digression: this applies across the board, in my opinion.  If your AML program has information about a TPA, and you don’t access it and use it, that’s a problem.  It also makes you lose face with the regulators.  Some people talk about credibility, I like talking about these things in terms of face.  You can’t afford to lose face with the DOJ.

Anyway, what do you do with the information?  First, remember that diligence is a movie, not a photograph.  It’s not “one time and out.”  You have to keep at it, at least for your high-risk TPAs.  For higher risk TPAs, your analysis has to mean something.  Extra transaction monitoring.  Stronger terms in contracts.  Audit rights (yes, I threw up a little in my mouth when I said that).  More frequent diligence updates.  You have to run periodic news searches.  The funny thing is, you don’t have to do much.  You just have to do it consistently.  I especially like the new-case-comes-out-we-run-the-name-against-our-highest-risk-TPAs.

So your three stages: find the facts, analyze the facts, do something with the facts.  And your three truths: if you don’t do all three things, it’s not reasonable, whatever you do, it needs to last for the long term, and if you don’t use the information, it’d be better if you didn’t have it.

Be careful out there.


What to Do About the UK Bribery Act

24 Apr

This past week, I was on a webinar with Mark Mendelsohn (the replay can be found here: http://bit.ly/gTAeKB).  One of the things we spoke about was what companies need to do now to comply.  I was a little more sanguine than Mark was; I thought that we should wait and see whether the UK actually enforces the Act before people spend a lot of money.

Mark made an excellent point right then.  Can a company have “adequate procedures” if their compliance program doesn’t include anything about preventing private-sector bribery?

It’s a fair point.  Let me think out loud for a minute about it.  My first thought is that no one ever got very far disagreeing with Mark Mendelsohn about the FCPA or the UK Bribery Act.  It might be a question of life not being fair, and companies just have to adjust to something that may turn out to be a theoretical risk.  The difficulty is that it’s going to be a significant change.

Let me be Devil’s Advocate here for a moment.  Can a company have adequate procedures without measures to prevent or detect private-sector bribery?  Let’s play it out.  A company has issues with a third party in Bribe-istan regarding a public-sector contract.  The UK government comes in.  Are they going to be looking at the private-sector pieces of your program?  Now, if you have an issue with private-sector bribery, that’ll be problematic.  The company, its officers and directors, and the employees involved will all be in trouble.  The difficulty here is that while I don’t believe the UK government will be looking for private-sector bribery cases, it’s often the case that cases come to the regulator.  This will become more true once the whistleblowing provisions of Dodd-Frank come into effect.  So maybe not so theoretical at that.

Let’s pause for a second and talk about the cost.  The cost of changing your program to include private-sector bribery.  First, your training costs go up.  It’s currently the case that programs spend time identifying who their public-sector-related employees are, and train them to a higher level.  That effort involves cost as well.  So those costs will go away, but training your entire sales force will cost you also.  More.  It’s time, and money.  And just because the UK government passes an Act doesn’t make your company any more willing to donate time and money to compliance.  One useful thing about the prescriptive rules the US puts into place is that you can go to your business and say “Reg C says we have to do x, y, or z.”  This principle-based paradigm is harder to sell.  Convincing your business to let you take every single sales and marketing employee out of commission for two or more hours is going to be tough.  It’s ridiculous that it’s tough, but that’s reality.  There’s also a monitoring aspect to it.  Here’s a truth that you need to internalize: if you have a rule, you must—absolutely must—monitor compliance and punish recalcitrant employees.  If you don’t, you have what regulators call a “paper program.”  Disaster, if you’re ever challenged.  This is why I’m a fan of fewer rules, more stringently enforced.

But training costs aren’t the biggest problem you have.  The biggest problem is your third-party due diligence program.  Unless you’ve spent considerable money on your DD program, you will likely have just a few employees involved, at minimal cost.  That’s gone.  Most programs were predicated on doing diligence on a small number of third parties.  Almost all programs lack scalability.  What might work for 100 third parties won’t work for 1,000.  Most compliance programs are working on shoestring budgets as it is.  If you have to adjust to massively increased volumes, that Excel spreadsheet you have just won’t cut it.

You’re going to have to retool, not just readjust.

So you’re left with, on the one hand, a somewhat theoretical risk of having to justify your lack of a private-sector bribery program.  One quick digression: I’d hate to make the argument to the UK authorities that the reason you don’t have a private-sector bribery piece to your program is that your program is geared to FCPA compliance.  Somehow, I don’t think the SFO will be too receptive to that.  Anyway, it’s that cost, versus the certain cost of completely restructuring your due diligence and training programs.

I hate to disagree with Mark, but I’m going to.  I think you still don’t do anything too drastic to your FCPA compliance program (except enhance it…you know it needs it).  Wait and see what the UK does.  I said on the webinar that it would be bold of the UK if their first case was a private-sector case.  That would certainly change the playing field, and give the UK enforcement regime a much needed boost.

Anyway, just something to think about.

I sometimes give this disclaimer, which I think might be needed here: I’m a lawyer, but I’m not your lawyer.  This post is not legal advice, and you should not take it as directed at you.  If you do, frankly, you need your head examined.  This is a blog.  If you want legal advice, there are quite a few lawyers who’d just love to help you.  I’m offering informed commentary, not legal advice.

Case Study #6: How Much Diligence is Due?

12 Apr

I had been waiting for the hospitality case study.  Everyone else has been waiting for this one: due diligence of agents.

Diligence presents a number of difficulties for companies of all sizes.  It’s like the old journalism class I took: the question words.  Who?  What?  Where?  When?  Why?  In fact, that’s a good mental framework for addressing the issues of due diligence.

Who?  Who should do the diligence?  This is a major decision for a company implementing a program; don’t underestimate the costs or the effort.  Diligence is a huge undertaking, and one that continues over time.  In fact, it not only continues over time, but also gets more important over time.  The reason its importance continually increases is that there is very little more damaging to a program than having great controls that last for 3 months.  This is why I always say that I’d rather have 2 controls that are kept religiously than 5 controls that are only followed every once in a while.  Because as sure as the sun will rise tomorrow, the agent who gets you into trouble will be one who fell through the cracks.  Also, this is a budgetary issue: you’ll have S&B spend, IT spend, outside counsel spend, probably some consultant spend.  Diligence costs, and one of the first ways that companies get themselves into trouble is to fail to plan for those expenses.  Implementing appropriate diligence also requires a significant internal marketing effort, because you’re going to be delaying and in some cases terminating relationships the business thinks it needs.

Another “who” is, who do you do diligence on?  This is going to be the next big thing in anti-corruption compliance: segmenting your vendors pre-diligence.  The reason this is such a big deal—and something that no one, no one, is talking about—is the UK Bribery Act’s prohibition on private-sector bribery.  Instead of being able to segment your vendor/agent population into the majority who have no interaction with government, versus the minority who do, and only doing diligence on the latter, programs will now have to do diligence on everyone.  And the compliance programs I’ve seen simply aren’t scalable like that.  Companies are facing a tremendous increase in volume being pushed through their diligence programs.  Ask any financial services company’s Financial Intelligence Unit whether they can handle 50%-70% additional volume.  Most are straining at the seams as it is.  And FIUs are staffed, generally speaking, with investigators.  People who know how to do this stuff.  Most anti-corruption programs aren’t.  Lawyers, compliance officers, yes.  Investigators, not so much.  So who can you exclude?  Public companies?  Companies with over 500 employees?  Companies whose relationship goes back more than one year?  These are all possibilities that will have to become part of the conversation over the next few months and years.

What?  What information should you collect?  And another question word, “how.”  There’s also a hidden question here, which is, when you have all this information, what do you do with it?  When most people think of due diligence, they think questionnaire.  Questionnaires are important, and I’ve designed them and sent them out myself (always in consultation with outside counsel).  There’s an “after the questionnaire” also, though, called “verification.”  What information that you receive from the agent do you then have to verify?  And how do you verify it?  In a lot of markets, your available information sources are, shall we say, limited.  Finally, in addition to the information you collect from the agent, and the verification of that information, there’s another question: what independent research should you do?  Do you need a “records check” (whatever that means)?  Do you need to check with the embassy (something I used to mock, but now think is a good idea)?  Do you need to hire one of the many—many, many—vendors who purport to do background checks?

Where?  The first decision is the easiest: centralized diligence or decentralized diligence.  The answer?  Decentralized.  You can’t conduct diligence around the world from one location.  Or rather, you can, but it’ll be done badly.  Local people must do the diligence, if for no other reason than being able to read the documents you’ll collect.

When?  This is more of an implementation problem than a design problem.  You need to insert these controls early enough in the process that you can act on information before the relationship comes into being.  There will normally be Procurement involvement when you onboard a vendor (one would hope), but in my experience, avoiding Procurement has evolved into an art form.  If there’s no pre-relationship legal involvement, getting Legal in there is a tough sell, and tough to implement.  This is also where you’re going to have problems with people trying to circumvent.  There’s going to be a lot of “a lack of planning in your life does not constitute an emergency in mine” going on, as people come to you with agents they HAVE TO USE TOMORROW OR THE DEAL WILL DISAPPEAR!  “Process” is an important noun here.  Follow the process.  Because, again, the one time you don’t, that’ll be the one to bite you.

Why?  What’s the purpose of all this?  I really like the saying, “if you don’t know where you’re going, you stand little chance of getting there.”  The purpose of diligence is to allow you to collect enough information so that you can make a reasoned decision on whether to accept the risk of doing business with the third party who was the subject of the diligence.  There will always be risk.  Most of the time, the level of risk is acceptable.  That’s why most discussions about risk end too early.  They talk about the questionnaire, and maybe the risk rating, but not how that rating comes about, or what happens next.  Because here’s the truth that you need to internalize if you want to stay out of trouble: the diligence process begins at a definable point, but never ends. Your diligence leads into—and, if you’re doing it right, defines—a monitoring program that you must maintain throughout your relationship with the third party.

Let’s look at the case study with that in mind, that diligence is a marathon, not a sprint.

Case study #6 posits a medium to large manufacturer of equipment, with an opportunity to enter an emerging market by way of a government contract.  Local “convention” requires foreign businesses to operate through a local agent.

The optional controls are:

  • Having a questionnaire requiring a) ownership details, b) CVs and references for those involved in performing the service, c) details of directorships held, existing partnerships, and third-party relationships, and any relevant judicial or regulatory findings.
  • Having a clear SOW, including fees, costs, commissions, etc.
  • Undertaking research, including Internet research on everyone, including control people if the third party is a corporation.
  • Making inquiries “with relevant authorities” in the market to verify “the information received in response to the questionnaire.”
  • Following up on references and clarifying any matters arising from the questionnaire.
  • Looking at the agent’s anti-bribery policies and procedures, and, if applicable, records.
  • Being alert to key commercial questions such as a) is the agent really required, b) does the agent have the required expertise, c) is the agent going to interact with the government official, and d) is the payment reasonable.
  • Renewing due diligence on a periodic basis.

This actually isn’t a bad list.  The problem isn’t what’s included, the problem lies in what’s omitted.

First, a glaring omission is any OFAC/Sanctions check.  That’s a must-do.  Also missing is what you do with the diligence.  But let’s leave that for a bit while I comment on each of the proposed controls.

Second, the questionnaire.  Undoubtedly an important piece of diligence, but be careful not to put too much effort into it.  It’s a blunt tool.  And, since you’re relying on the agent to answer everything honestly, you need to put more effort into designing how you’re going to verify, and then react to, the answers.  In other words, for every question you ask, ask yourself, “what am I going to do with the answer?  How will my actions change depending on what the person says?”  You need questions that will be more likely to generate honest responses, and you need questions that make sense.

It’s important that this is a medium to large company.  Larger companies can force these things on smaller companies.  But smaller companies have a much harder time.  I worked in large companies, and I would always a) send out my own questionnaires and b) push back on people trying to send questionnaires to us.  Was I just being mean?  No.  The question, “who are your beneficial owners?” is a common question.  But for a large, public company, it’s an almost impossible question to answer.  A better question is “if public, who owns more than 10% of your company?”  But I saw really badly drafted questionnaires.  And really, if a company is in the US, and listed on a national exchange, why bother with a questionnaire?  The information is all on Google Finance anyway.  And let’s see, you want a CV, and references, from those performing the service.  Yeah, right.  Good luck with that.  This is where you really have to be careful what you ask for.  Because let’s say you’re hiring me as an external sales agent.  I have 400 employees who are going to actively push your product in the Democratic People’s Republic of Bribe-istan.  You ask for the CVs and references of everyone providing the service.  Fine.  Being the good-hearted, wholesome vendor that I am, I give them to you, three references each.  So now, you have 401 (the workers, plus me) resumes to look over, and 1,203 calls to make to check the references.  Because, oh yes, if one of my workers pays a bribe, you’ll get asked, “you asked for references, did you get them?  And if so, did you check them?”  If you say “no” to either of those questions, you’re toast.  And you’re planning on making those 1,200 calls with what resources?  Oh, just you?  And do you speak the local language?  Because the references don’t speak English.  See why choosing the right questions becomes really important?

Next control suggestion from the guidance: get a detailed SOW.  This sounds more like a business requirement than a compliance one, but I suppose it’s both.  This looks like a pre-relationship control, but really, it’s more in line with the ongoing monitoring requirement.  In anti-money laundering compliance, one of the requirements is to understand what the expected account activity will be.  This is like the SOW requirement.  It’s important not for what it is at the start, but because it sets the expectation.  If you have an expectation that payment will be by check, and you get a request for a wire, that’s outside the SOW, and inherently suspect.  It’s situations like this that illustrate and validate the marathon v. sprint paradigm.  It’s not enough to have an SOW.  You have to understand when the relationship veers outside of the boundaries of the SOW.  The only way to do that is by monitoring the activity.  Vendors need key performance indicators that should be reported monthly, and compliance should have some KPIs in there; KPIs like “did the vendor’s payment vary from the SOW this month?”  “Have we verified that whatever the vendor was supposed to provide this month was actually provided, and worth what we pay for it?”  “Were there any requests for non-SOW payments this month?”  If you get dodgy answers, you have to follow up.

Next: independent research.  Yes, thanks.  Now, the tougher question isn’t whether to do it, but how much to do.  Figuring out what information to collect is one of the trickiest pieces to diligence.  As I said above, there are two elements: information from the vendor/agent, and information you collect independently.  Here’s where setting global definitions becomes hard.  Local information sources around the globe vary in quality.  Vary dramatically.  So if you say that you want to independently collect beneficial owner information, you may just not be able to do that everywhere.  (Or anywhere, frankly, with that particular piece of information.)

Make inquiries with relevant authorities to verify: a really good idea, if you can find “relevant authorities” with knowledge of what you want to verify.  “Relevant authorities” might not know about beneficial ownership, or whether the proposed price is reasonable for the market.  Or whether a particular agent is the brother-in-law of the zoning board official you’re dealing with.  But like I said, after Sophie and Herbert and Billy said it was a good idea, I bowed to their greater knowledge and said reaching out to the Embassy was a good idea.  Just remember that “relevant authorities” is just another information source for your independent research.

Following up: It’s amazing to me how two little words can translate into so much work.  The difficulty here is that you’re not doing diligence on one vendor, you’re designing a repeatable process to do diligence on all vendors.  And sometimes it’s not so easy to know what you need to follow up on.  References?  Absolutely yes.  I told the story of the thief who put a prior victim down as a reference, and almost bankrupted the company that didn’t check the reference.  That’s true here.  There’s just no excuse for not following up on a reference once you’ve asked for it.  Then again, I think a regulator would say that there’s no excuse for not following up on any information you ask for.  That’s why I think you have to be very careful what you ask for.  You have to know, and I’ve said this before, for every question you ask, what’s the riskier answer, and what am I going to do with a risky answer?

Looking at the agent’s anti-bribery policies and procedures.  To which I respond, what if they don’t have any?  Seriously, do you expect every two-bit company that provides marketing services in Azerbaijan to have an anti-bribery policy or procedure?  And what exactly does that get you?  We’re told over and over that paper policies are no good.  So now we’re supposed to take a paper policy and use it as part of our diligence?  What you’re really looking to know is, does the vendor take seriously its commitments to anti-corruption?  Because everyone will tell you they’re strong on anti-corruption.  Most will even sign a certification to that effect (don’t get me started).  But I haven’t met a vendor/agent yet who would pay a bribe but refuse to sign a piece of paper saying they won’t.  So the question is, does having a policy represent evidence of a serious commitment to anti-corruption?  To which I reply, not so much.  It may prove the opposite: not having a policy might show that you’re not serious.  But even that’s iffy, in my opinion.  And again, remember follow-up.  If the person says they have a policy, you have to physically see it.  And have it translated.  And read it.  Then, what if it stinks?  Is that more trouble than the existence of a policy is worth to your diligence efforts?  Tough call.

Being alert to commercial questions: I’m going back to “water is wet, thanks,” on this one.  If you’re not alert to a commercial question like, am I paying an unreasonable amount for this product or service, you’re not going to be in business long.  But, kudos to the author, being alert to expertise and government interaction are key.  Key.  You see cases all the time where an agent was hired who has no expertise other than his or her political connections.  And, who could have known, they bribed someone.  I would go so far as to say that if you can put a metric on expertise, and you monitor just that metric in hiring agents, you’re probably going to be fine.  But remember, the metric is more than “gets results.”  The other metric, by the way, that I think is absolutely necessary is verifying that what you’re receiving is worth what you’re paying.  Verifying it, mind you.  I would go so far as to say that verification can even come from somewhere else inside the company.  Someone unconnected with the hiring of the agent to be a reality check.

Lastly, renewing the diligence.  Absolutely yes.  No more need be said: you must do this.  One thing, though.  You should stagger the periodicity of the renewal based on risk.  That is, higher risk vendors/agents get more diligence, more often.
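The point-value rating from “Three Truths” above (assign points per fact, sum, bucket into high or low), the monthly SOW KPIs from the control discussion, and the risk-staggered renewal just mentioned, worked into one illustrative script.  This is an added example, not code from the blog or any program it describes; the point weights, the high-risk threshold, the 12-month and 24-month renewal intervals, the 10% fee tolerance, and the sample agent and payments are all constructed assumptions.

```python
"""Two-tier third-party (TPA) risk rating with SOW deviation monitoring.

Steps 1 and 2: each fact the fact-finding surfaces carries a point value;
the sum puts the TPA into one of two buckets, high or low.
Step 3: the bucket drives what you do with it: a renewal interval, the
extra measures for high-risk TPAs, and monthly checks that flag payments
drifting outside the agreed SOW.  All numbers below are assumptions.
"""
from dataclasses import dataclass

# Assumed point values for the facts the "Three Truths" questions must discover.
RED_FLAG_POINTS = {
    "official_relationship": 5,    # senior employee related to a relevant official
    "sanctions_or_debarment": 10,  # OFAC, UN, local sanctions, debarment lists
    "negative_news": 4,
    "optics_missing": 2,           # no real web site, office, landline or filings
    "free_email_only": 1,
    "reference_not_checkable": 3,
    "government_facing_role": 4,   # hired to interact with officials on your behalf
}
HIGH_RISK_THRESHOLD = 5                    # assumed: a sum of 5 or more is "high"
RENEWAL_MONTHS = {"high": 12, "low": 24}   # assumed; low follows the 2-year file review


@dataclass(frozen=True)
class Sow:
    """The agreed terms that set the expectation for ongoing monitoring."""
    monthly_fee: float
    payment_method: str           # e.g. "check"
    fee_tolerance: float = 0.10   # assumed: 10% variance before the KPI fires


@dataclass(frozen=True)
class Payment:
    month: str
    amount: float
    method: str
    deliverable_verified: bool    # was what we paid for actually received?


def score(flags):
    """Sum the point values; an unknown flag name is a configuration error."""
    unknown = set(flags) - RED_FLAG_POINTS.keys()
    if unknown:
        raise ValueError(f"unrecognised red flag(s): {sorted(unknown)}")
    return sum(RED_FLAG_POINTS[f] for f in flags)


def rate(flags):
    """Two buckets only: simple schemes are the ones that last."""
    return "high" if score(flags) >= HIGH_RISK_THRESHOLD else "low"


def sow_deviations(sow, payments):
    """Monthly KPIs: fee outside tolerance, wrong payment method, or an
    unverified deliverable.  Returns one (month, reason) tuple per finding."""
    findings = []
    for p in payments:
        if abs(p.amount - sow.monthly_fee) > sow.fee_tolerance * sow.monthly_fee:
            findings.append((p.month, f"fee {p.amount:.2f} outside SOW {sow.monthly_fee:.2f}"))
        if p.method != sow.payment_method:
            findings.append((p.month, f"paid by {p.method}, SOW says {sow.payment_method}"))
        if not p.deliverable_verified:
            findings.append((p.month, "deliverable not verified"))
    return findings


def diligence_plan(flags, sow, payments):
    """Step 3, 'do something with the facts': rating plus monitoring become actions."""
    rating = rate(flags)
    actions = [f"renew diligence every {RENEWAL_MONTHS[rating]} months"]
    if rating == "high":
        actions += ["extra transaction monitoring",
                    "audit rights and stronger contract terms",
                    "standing negative-news search agent"]
    deviations = sow_deviations(sow, payments)
    if deviations:
        actions.append("follow up on SOW deviations before the next payment")
    return {"score": score(flags), "rating": rating,
            "actions": actions, "deviations": deviations}


# Constructed sample: a hypothetical external sales agent and three months of payments.
SAMPLE_FLAGS = ["government_facing_role", "free_email_only"]
SAMPLE_SOW = Sow(monthly_fee=10_000.0, payment_method="check")
SAMPLE_PAYMENTS = [
    Payment("2011-01", 10_000.0, "check", True),
    Payment("2011-02", 10_500.0, "check", True),   # within the 10% tolerance
    Payment("2011-03", 14_000.0, "wire", False),   # fee, method and delivery all off
]

if __name__ == "__main__":
    plan = diligence_plan(SAMPLE_FLAGS, SAMPLE_SOW, SAMPLE_PAYMENTS)
    print(f"rating={plan['rating']} score={plan['score']}")
    for month, reason in plan["deviations"]:
        print(f"{month}: {reason}")
    for action in plan["actions"]:
        print("-", action)
```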

Now, let’s look to Principle #4 on due diligence.  The Guidance states, “the significance of the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right,” as opposed to diligence to mitigate general third-party risk.  I think they’re right; diligence for the purpose of assessing bribery risk is so major an effort that it deserves attention in its own right.  The Principle also correctly (in my opinion) states that the purpose of diligence is to “inform the application of proportionate measures” to prevent associated persons from bribery.  The Principle also correctly (again, in my opinion) explains that diligence procedures should vary according to the risk that the third party presents.  There’s a bit of a chicken-and-egg problem here, because the diligence should help identify that very risk.  But really—and I agree with the Guidance on this point—the type of third party, the category of service, can provide enough guidance to define what level of diligence is necessary.  You have to start somewhere, and service type is a really good place.

The Principle then degenerates into some “water is wet” statements about how the amount of care needs to vary with the type of third party relationship.  I think it’s also obvious (but as I’ve said before, I’ve been surprised at what some people don’t recognize as obvious) that lower risk gets lower diligence, and higher risk should incorporate more stringent diligence like hiring local firms to investigate the partner.

If you’ve read this far, you’re a trooper, so stick with me just a little longer while I talk about my ideas for effective due diligence.

First, TRACE (an organization you know I’m a fan of, if you’ve read this blog at all) has put out a pamphlet on what a minimum amount of diligence looks like.  A valiant effort, and always worth paying attention to.

Here’s what I think.  I’m prefacing this, however, by saying that if the UK actually prosecutes private-sector bribery, this is going to change.

First, you need to split your diligence processes into high-risk diligence and low-risk diligence, both to control expense and to keep the process repeatable.  Assume that everything is low risk except for the following: proposed JV partners, external sales agents or other product-distribution agents, external marketing firms, external law firms, anyone hired specifically to interact with the government on your behalf, and anyone whose low-risk diligence produces a red flag.  You can exclude from diligence altogether any firm that is regulated by a government entity in its own right.  (Some will argue with this rule, and reasonable people can disagree, but if it’s a regulated entity, there’s nothing you’re going to find out about it that isn’t already known, so why bother?)

Low-risk diligence should include, at a minimum, the following: identifying the beneficial owners of the third party, identifying senior management, and identifying the supervisory personnel servicing your account.  The level of management to be identified can vary with the size of the third party.  Run all names through an OFAC/sanctions check.  Ask the third party if they do business in sanctioned countries (don’t phrase it that way…list out the sanctioned countries and ask if they do business there).  Perform a news search using Google News or Lexis/Nexis.  There’s a negative-news search string that your AML people will have; use it.  Save the search as a search agent, so you’ll get notified if anything pops up.  Call the contact number given by the third party to see if they answer.  Go to the web site and print out the front page.  Call the embassy in the country, talk to the commercial attaché, and take notes.  Ask the third party for a customer reference.  Call the reference.  Take notes.  If feasible, have the businessperson who wants to onboard the third party conduct a site visit.  That’s it.

Here’s the trick: take notes of everything, and put those notes in a vendor/agent file for that third party.  Keep the file safe, and take it out every 2 years to refresh the diligence for low-risk third parties.

For high-risk, you do more.  And how much depends on why the third party is in this bucket.  For high-risk diligence, at a minimum, I’d inquire whether anyone at the third party company is related to a government official.  I’d think about “boots on the ground.”  And I’d get more than one customer reference.

Finally, remember that, as I understand it, no company—no company at all—has gotten into trouble for doing their due diligence, but later having the amount of diligence questioned.  If a company gets into trouble, they did NO diligence, not insufficient diligence.  Process is just as important here as the specific diligence information collection points.  If you collect information, conduct independent inquiry on that information, present that information to a disinterested committee, and follow that committee’s recommendation, in my mind, you’re fine.

[Remember my standard disclosure: I’m a lawyer, but I’m not your lawyer, and I’m not licensed to practice in the UK.  If you want advice you can rely on, hire someone.  I offer opinion commentary, not legal advice.]

After the Bribe

28 Mar

The first thing I do in the morning, via my Google Reader, is read a few FCPA-related blogs.  One of these is the FCPA Professor.  An excellent source of information.  Today, he brings word of a quiet settlement by the Ball Corporation.  Reading it, Prof. Koehler quotes from the SEC’s cease-and-desist proceeding (the least stringent of the SEC’s enforcement channel options):

“For example, key personnel responsible for dealing with customs officials remained at Formametal [ed. note: Ball’s subsidiary in Argentina], even though external due diligence performed on Formametal suggested that Formametal officials may have previously authorized questionable payments.”

I found this interesting: it highlights a disconnect between the enforcement agency’s belief in the reality of in-house life, and the reality of in-house life. Compliance officers in-house are not unlike politicians. Compliance sometimes is the art of the possible. You need political capital, just like in politics. A compliance officer’s ability to earn political capital is crucial to his ability to succeed in his role. As are his decisions on where to spend that capital.

The first thing enforcement agencies should remember is that compliance is a cost center. For those government employees who have never been in the private sector (and I’m not being pejorative: before I moved in house, I was an enforcement agent who had never been in the private sector), a “cost center” is a department within a corporation that does not add revenue. Legal, compliance, HR, marketing, public relations, investor relations, are all cost centers. The opposite of a cost center (at least, at successful corporations) is a “profit center.” Profit centers are those operational areas within the corporation that actually sell what the corporation makes.

Corporations—at least, those with decent management—structure their expenditures to support their profit centers.  T. Boone Pickens had it right, the purpose of a corporation is to make money.  So when a company has money to spend, most times, the profit centers of that company get to spend it.  In other words, it is more likely that if a company has an extra $100,000 to spend, they’ll spend it on one year’s salary for a sales manager versus one year’s salary for a compliance manager.  Every dollar that’s spent on a cost center is one more dollar with an ROI of zero.  Yes, we can have a fascinating conversation about the ROI of ethics, but whatever it is, that ROI is awfully hard to monetize.  [And for those no-private-sector-experience government folks, an ROI is “return on investment.”  It’s the idea that if you are going to spend a dollar, figure out a way to spend it that you get $1.50 back.  That’s a 50% ROI.  A salesperson will bring in more in sales than the corporation spends on his salary.  Thus, dollars spent on salespeople have a positive ROI.]  Cost centers, traditionally, have zero ROI.  There are exceptions, like when the legal department at American Express brought the antitrust suit against Visa and Mastercard, and the settlement was worth more than all the operating profit of the “profit centers” that year.  By a lot.  But I digress.

The point is, for a cost center to disrupt a profit center, that’s a big deal.  And the source of disruption is irrelevant, whether it’s outlandish budget requests or new policies that restrict the ability of salespeople to make money.  Each of those requires an expenditure of political capital, as well as significant “internal marketing” to get it done.  Sometimes, like right after a major issue, it gets easier.  But that effect, in my experience, lasts 6-9 months.  After that, it’s back to cost-center-ness.  Remember also that there are internal-to-compliance issues.  I know it’ll come as a shock, but compliance programs are just as, if not more, subject to silo issues as the business.  In a typical financial services compliance program, for example, you have sanctions people who need a new sanctions-monitoring tool, you have FCPA people who want increased spend on due diligence, you have anti-money laundering people—the 800 lb. gorilla of financial services compliance programs—who need more AML people, plus you have country-level compliance people.  Your people in Asia, probably, are operating with older technology, and need money for upgrades.  So if an FCPA person needs money for new diligence programs, first they need to justify it in their own budget, then they need to get the CCO on board to prioritize the FCPA request over various AML requests, sanctions requests, etc.  After they get the CCO on board, depending on the amount, it then needs to go to corporate planning, which is where it bumps up against new Sales requests, etc.  And remember, the inherent bias is to give the operational divisions what they need first.

Now we come back to the SEC’s cease-and-desist action against Ball, and what they cited Ball for.  Ball’s due diligence suggested that employees of a subsidiary authorized bribes.  So why didn’t Ball just fire those people?  Well, first, firing someone, especially in a worker-friendly place like Argentina, isn’t such an easy process.  Have you ever tried to fire someone in Germany?  Next to impossible.  Even in the UK, you have “consultation periods,” etc.  There’s an image in government that corporate workers can get fired for anything.  In reality, especially in larger corporations, it’s a process.  Plus, and here’s where tone at the top becomes important, what if those people were big revenue generators?  It’s a rare corporation that will fire top performers for a compliance-related issue.  Discipline?  Maybe.  Fire?  Hardly ever.  So those employees who Ball left in place?  Not so unusual.

This also brings up another question: when you have due diligence on third parties, what do you do with that information?  The government has said, over and over, that if a JV partner does some bad stuff, that you have to react, even to the extent of pulling out.  Oh, please.  Given the foreign-ownership rules in China, pulling out of a JV could mean pulling out of the market.  Even if you don’t exit the market entirely, the Chinese are not above making you suffer for embarrassing a Chinese company by ending the relationship.  And when I say “not above,” I mean that culturally, it won’t even be questionable.  There will be payback.  Plus, who’s to say that you can pull out?  Some of these JVs date back a while, and who knows what termination language there is.  Plus, even if you can, there could be litigation for breach of contract if you terminate.  You’ll then be litigating against a local company in their courts.

Even less drastic, what if the supplier about whom you have negative information is a crucial supplier?  Do you have to cut them off?  Just because they are important to you doesn’t mean you’re important to them.  If you try to tell them that they need to reform themselves or else you won’t do business with them, what if they answer “tough noogies?”  They’re a crucial supplier.  Do you just stop?  What if the closest competitor is 14% more expensive?  There goes 14% of your profit margin right there.  What if that makes you uncompetitive?  Do you have to cease operations entirely?  Plus, sometimes there just aren’t that many choices.  Halliburton got jobs in Iraq because, frankly, it was the only company with the capabilities to do what needed to get done.  Political connections are nice, but if you’re the only game in town, you’re going to get the business.

And isn’t it hypocritical of the government to get all righteous when the US government is a huge purchaser from Siemens (over $1 billion a year)?  In fact, it’s been argued that the structure of the Siemens settlement (pleading to internal controls violations) was for the express purpose of its not being debarred from government sales.  And talk about bad information about a company!  Siemens engaged in a decade-long global pattern of bribery.  But if Ball Corp. gets some information that a couple of employees may have bribed a couple of customs officials, they’re supposed to divest?  Just to twist the knife, by the way, Siemens’ income from continuing operations in the period after its massive settlement was up 21%.  No one stopped buying from Siemens, not just the US government.  What does that tell us?  (This was actually the subject of another FCPA Professor post from a while back.)

How is the business to react when its compliance officers are saying, “hey guys, we have issues here?”  The first question the business often asks—and I find it hard to argue with this line of logic—is “are we required by regulation to stop doing business with this third party?”  The answer is “no.”  Virtually never will a company fight if its compliance officers say, “according to Reg so-and-so, we can’t do this.”  So, the business says, “short of not doing business, what can we do to protect ourselves?”  Well, there’s regular auditing (which requires will, skill, and money: none of which you’re likely to have), there’s increased monitoring of KPIs, regular invoice review, etc.  But you’re still in business with the risky third party.  We’d love it if the business got righteous and said, “you’re dead to me,” to the offending third party.  But in all but the most extreme circumstances, that’s unlikely.

I guess my point is, despite what the SEC says, it’s not always so easy for a company to fire people, stop doing business with third parties, or even affect how a third party does business.  I’m not justifying bad acts.  I’m really not.  Companies need to bite the bullet and increase spending on FCPA compliance.  Even more important than spending, however, is the need to allow compliance to define criteria for the business to onboard third parties.

In fact, I would say that latter piece is so important that you can judge a company’s tone at the top based only on two criteria, that being one.  The other is whether compliance is in the metrics of the sales teams.  If you have those two things, I don’t care whether the CEO puts a video on the intranet.  But it’s difficult, because of internal politics, to just say “don’t do business with them.”  The SEC and DOJ, in my opinion, need to be more okay with the concept, like in privacy, of “compensating controls.”  Meaning, you can still do business with risky third parties as long as you have specialized controls in place to protect yourself.  What should these controls look like?  Well, I have to leave something for another post.