In the context of COVID-19, there are significant challenges involved in conducting due diligence: hard-copy documents are inaccessible, in-person meetings have moved online, and on-site visits may be impossible. Companies nonetheless can and should continue to comply with the law by adjusting policies and procedures, mitigating new risks that arise through the use of alternative diligence methods, and staying abreast of changing regulatory expectations.
For compliance professionals, applying “enhanced” reviews to higher-risk scenarios necessarily requires direct human involvement: an experienced hand to assess the universe of available information and make sometimes difficult judgment calls. Certain aspects of this work can, with varying degrees of difficulty, be completed from the (in)convenience of the myriad home offices that have sprouted in response to the COVID-19 pandemic—assuming that the compliance professional is in possession of all required information. However, compliance teams and those who support them are finding that a major challenge arises in gathering the detailed information upon which compliance decisions are based. Physical documents are not accessible, travel is impossible, and in many cases, key information must be obtained from third parties who are themselves struggling to navigate the pandemic.
This article discusses the significant challenges to effective due diligence resulting from restrictions on international and domestic travel, stay-at-home orders, and general “social distancing” in response to COVID-19. It also considers strategies that corporations and financial institutions can adopt to remain in compliance with the law during the pandemic.
The Way It Was
In the context of international business and finance, bodies of law that are top of mind for most compliance teams include the Foreign Corrupt Practices Act (“FCPA”), economic sanctions administered by the Office of Foreign Assets Control (“OFAC”), and anti-money laundering (“AML”) rules administered by the U.S. Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and other financial regulators.
While specific due diligence efforts are not legally mandated by the FCPA or OFAC, they nevertheless form a key part of a company’s system of internal controls. Companies routinely collect identifying and ownership information to understand any connections to government officials, sanctioned persons, and other potential risk factors. And companies often undertake more detailed reviews for higher-risk jurisdictions, as well as for activities like customs clearance, lobbying, and other interactions with government officials. These efforts may include background or reference checks that rely on local or regional networks for key business intelligence. In some cases, including mergers and acquisitions, companies undertake in-depth, on-the-ground due diligence reviews in multiple countries around the world, often working under tight deadlines (discussed further below).
Indeed, doing risk assessments, monitoring third parties, conducting in-country audits, and implementing a host of other internal controls are described in the DOJ’s Evaluation of Corporate Compliance Programs as best practices business organizations should undertake to assure FCPA compliance. Similarly, OFAC emphasized the importance of due diligence and understanding third-party relationships in its May 2019 Framework for Compliance Commitments.
U.S. AML rules under the Bank Secrecy Act (“BSA”) require financial institutions to implement risk-based policies and procedures for identifying new customers, and for monitoring the transactions and other conduct of existing customers. Many financial institutions’ know-your-customer (“KYC”) policies and procedures, adopted pre-COVID-19, require enhanced due diligence for higher-risk customers. In addition, enhanced due diligence is mandated by regulation for foreign banks holding correspondent accounts with U.S. banks and for senior foreign political figures, or politically exposed persons (“PEPs”), using private banking services at U.S. banks.
To conduct enhanced AML KYC due diligence, financial institutions typically collect additional information to confirm the identity, beneficial owner(s), source of wealth, source of funds, and reputation of a new, higher-risk customer. Financial institutions also conduct more extensive and more frequent monitoring of the customer relationship. Reviewing hard-copy documents, meeting in person, and traveling to customer locations overseas are (or were) not unusual, and regulations and regulatory guidance have cemented these “physical” practices as best practice.
The Challenges of Due Diligence from Your Dining Room Table
As many compliance professionals can now attest, the sudden switch from a physical to virtual work environment is jarring. The specific challenges to conducting due diligence in a mostly virtual environment generally relate to trust, credibility and the ability to verify information:
- Inability to obtain original documents. Many companies are currently unable to ensure that their employees personally view key original documents.
- Inability to conduct on-site visits. With borders closed and planes grounded, companies are unable to put head offices’ boots on the ground in far-flung locales. This challenge may prove particularly acute for companies in the midst or on the cusp of a strategic transaction, such as a merger or acquisition. The DOJ’s FCPA Enforcement Policy states that a company can earn the presumption of a declination from prosecution through timely due diligence of an acquisition target (among other requirements, including voluntary self-disclosure of identified misconduct). Historically, companies have sought to adhere to the aggressive 180-day due diligence review and self-reporting period described in the DOJ’s Opinion Procedure Release 08-02, often entailing a flurry of detailed site visits in dozens of countries around the world.
- Inability to meet in person. Even where long-distance travel is not required, in-person meetings of any type, including interviews and background or reference checks, cannot safely be conducted under current circumstances.
- Risk of abuse by third parties. In addition to managing their usual workloads—not to mention troubleshooting home network outages, wrangling kids, and replenishing food stocks—compliance professionals must guard against efforts by unscrupulous customers or third parties to take advantage of the pandemic. In particular, some might dishonestly claim an inability to access identification papers, corporate documents, signed contracts, and other information in order to eschew costly or cumbersome due diligence requirements—possibly in furtherance of a scheme to engage in bribery, fraud, or other misconduct, or to hide the proceeds of their illegal activities.
Finding the New Normal
Companies are already seeing regulators shift deadlines, examination methods, and enforcement priorities in response to COVID-19. On the one hand, numerous agencies have announced various forms of regulatory relief. The SEC, for example, has issued a no-action letter extending deadlines for the Consolidated Audit Trail until mid-May.[1] Similarly, the SEC’s Office of Compliance Inspections and Examinations has announced that its normally on-site examinations would be conducted virtually.[2]
At the same time, regulators have called upon companies to pay increased attention to their compliance obligations in the context of COVID-19. FinCEN has called upon financial institutions to be vigilant for fraud schemes related to COVID-19 and has requested that related suspicious activity reports (“SARs”) be filed with a “COVID19” label in the report, presumably to permit FinCEN to prioritize investigations of pandemic-related financial crime.[3] For its part, the SEC’s Division of Corporate Finance released guidance setting forth COVID-19-related disclosure expectations for public companies, and reemphasizing the prohibition on insider trading.[4] The SEC has also said its enforcement teams continue to actively monitor for fraud, illicit schemes, and other misconduct.[5] In addition, the Attorney General has announced that “it is essential that the Department of Justice remain vigilant in detecting, investigating, and prosecuting wrongdoing related to the crisis.”[6]
Bearing in mind that some of the recently announced enforcement priorities relate directly to regulated companies, while others relate more to customers and counterparties, how can organizations navigate regulatory shifts and remain compliant with their due diligence obligations?
First, companies should closely monitor regulatory pronouncements both to take advantage of available relief, and to step up efforts in areas that regulators prioritize for enforcement.
Second, companies need to review their compliance policies and procedures to identify requirements that may prove challenging to satisfy under current circumstances. By doing so, companies will understand where potential shortfalls are most likely to arise, and they will be better able to craft effective alternatives and ensure that exceptions are carefully documented. Increased reliance on digitized documents, e-signatures, and remote meetings is all but inevitable—but firms should ensure such measures are consistent with legal requirements.
To the extent necessary, organizations may consider revising their policies and procedures to permit effective, alternative processes, either as a general matter, or in limited circumstances (e.g., a widespread health emergency). For example, methods of obtaining documents or conducting interviews may need to be broadened to include newer forms of technology, provided that those technologies are sufficiently reliable and appropriate in the circumstances. Of course, companies under a monitorship agreement should take care to comply with any terms of the monitorship that require notice or pre-approval for changes to compliance policies and procedures. These modifications may be simple, yet instrumental in ensuring that companies commit to effective compliance programs that can be implemented even during an emergency such as COVID-19.
The following examples illustrate additional accommodations that organizations may need to adopt in response to the challenges listed above:
- Develop protocols for digital documents. If firms are unable to review certain original physical copies of documents, they will need a process to review secure and authentic digital versions. For example, banks have long accepted check deposits digitally scanned through the bank’s smartphone app. This technology is reliable in part because the bank’s control over the app, the camera, and, increasingly, the device’s geolocation data provide the bank with sufficient assurances that the electronic image of the document has not been altered and that the user of the app is the customer. Companies could consider similar technology to remotely accept documents that previously needed to be viewed in person. Where the only copies of physical documents are located in an area subject to restrictions on movement, companies should consider whether anyone has safe access to the documents, whether suitable alternative documents or information are available, and whether an onboarding or transaction needs to be postponed. Similarly, contracts with third parties may need to be revised to require that identification, transactional, and other information be provided electronically.
- Develop protocols for locally-staffed or digital site visits. While restrictions on international travel continue, companies planning site visits should consider whether local conditions may permit meetings to continue, either with local staff, or by partnering with a local, reputable provider of compliance or legal services. In some cases, video or telephonic meetings may be an adequate substitute. Indeed, the proliferation of video conferencing—both for business and personal use—is the conspicuous corollary to current demands for increased physical distance. Compliance professionals must work to adapt these tools to their due diligence efforts, just as they increasingly are doing for training and other activities.
- Replace in-person meetings with virtual meetings. In many cases, even local meetings may need to be conducted by phone or video call. Companies should bear in mind that one purpose of in-person meetings is to assess credibility; to the extent that compliance personnel grow confident using video calls, they may be comfortable making credibility determinations on the basis of virtual meetings. Depending on the goals of the meeting, geolocation data associated with a device being used for a video call may be helpful for verifying claims regarding an individual or entity’s location or residency.
- Prevent fraud and abuse. Some individuals or entities may attempt to manipulate new remote diligence protocols to enable fraud and abuse. Companies should be mindful of this risk and adopt appropriate mitigation measures. For example, where a higher-risk customer or third party is on-boarded with less than the full panoply of a company’s enhanced due diligence measures, consider subjecting the relationship to transaction limits and/or more extensive monitoring. In addition, ensure that any ad hoc modifications to a company’s diligence of a higher-risk customer or third party are fully documented and promptly reviewed once exigent circumstances abate.
It is crucial that companies continue to follow their policies and procedures. A company that puts in place a well-designed compliance program but fails to effectively implement that program can quickly become a target for a regulatory enforcement action.
Third, companies should communicate with their regulators. If it is simply not possible to conduct legally required diligence and regulatory relief has not been announced, or if a company is unsure how a regulator might view a particular alternative procedure or other workaround, then a formal or informal inquiry may be warranted. For example, in July 2018, Deputy Assistant Attorney General Matthew Miner encouraged companies to make use of the Opinion Procedure Release process in connection with their FCPA compliance efforts.[7] If a company finds itself unable to meet the typical FCPA due diligence timeline for mergers and acquisitions due to the COVID-19 pandemic, requesting a DOJ opinion should be considered. Likewise, on March 16, 2020, FinCEN asked financial institutions that expect to miss filing or reporting deadlines due to the illness or unavailability of key staff to communicate those expectations to FinCEN as soon as possible.[8] When necessary, companies should take advantage of these invitations.
Although there are significant challenges involved in conducting due diligence in the COVID-19 era, companies can and should continue to comply with their legal obligations. To do so, companies need to make nimble use of personnel, technology, and outside partners to fulfill their diligence requirements. Companies should also closely track shifts in regulatory relief and enforcement priorities. In addition, companies may need to adjust their policies and procedures to account for new information collection methods, or the involvement of new service providers in diligence processes. Finally, companies should document any new risks that arise due to the use of alternative diligence methods, engage in appropriate mitigation measures both now and after the crisis, and consider whether there is a need to communicate any specific diligence challenges to regulators.