Today, I continue my exploration of Level III, deep dive due diligence, by discussing how this should be considered for third parties. I am joined this week by Candice Tal, founder and Chief Executive Officer (CEO) of Infortal Worldwide, a corporate security and investigations firm founded in 1985 to serve emerging growth and Fortune 500 clients globally in a variety of sectors including biotechnology, financial services, high-technology, manufacturing and professional services. Tal’s extensive international experience and long-term relationships have enabled Infortal Worldwide to secure and deliver deep-level information not readily available through customary investigative channels.
Most companies fully understand the need to comply with the Foreign Corrupt Practices Act (FCPA) regarding third parties as they represent the greatest risks for an FCPA violation. However, most companies are not created out of new cloth but are ongoing enterprises with up and running businesses in place. They need to bring resources to bear to comply with the FCPA while continuing to do business. This can be particularly true in the area of performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the due diligence required under the FCPA.
Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. Jay Martin, Chief Compliance Officer (CCO) at Baker Hughes Inc. (BHI), often emphasizes that a company needs to evaluate and address its risks regarding third parties. This means that the appropriate level of due diligence may vary depending on the risks arising from the relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.
Carol Switzer, writing in Compliance Week, related that you should initially set up categories for your third parties of high, moderate and low risk and based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as… World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records… and research into corporate relationships”; high risk screening is basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”
Tal said that a Level III “typically refers to in-country searches but it may also include things like business operational information, trade reputation, how are they known locally. Are they known to operate corruptly in any way shape or form or are the executives involved in any underhand or shady relationships? Or perhaps they, on a routine basis, do business with countries and governments that are sanctioned by the US that may not be sanctioned in their own country.” Even armed with basic financial information, you need to go past the documentation provided to test that documentation. While some type of third party certification may be a nice to have, such a certification will not protect your company if you have not performed your own due diligence to determine if the facts on the ground are as the written record presents them.
Another way to consider the Level III approach is through a ‘boots on the ground’ investigation. It is a targeted check in-country to make sure that the entity actually exists. Tal provided a couple of examples to illustrate. In one she said, “we’ve gone in-country and found that there was a military style compound there with very high barbed wire fences and in addition to that no one has shown up to work there for at least six months.” A second example related to a “company [that] checked out in the Level I, but we found that there were some question marks about who showed up at the facility to work every day,” so Infortal visited the company: “when we went to check on the facility it wasn’t at any of the addresses provided by the company. We did however locate them and they were in a warehouse.”
The results were quite telling as the company “had one person behind a desk who said he was the marketing manager and no one else was in the empty barren warehouse except this one individual and so that was a big red flag for that particular company too because they didn’t have any high-tech workers there at all. There were no engineers. There was no one else, just one single guy in a warehouse. So, these are the types of red flag issues that come up that may be only found at tier three investigation level but it should actually be identified at tier one and these are some of the things that are very different about how we do our work and so we’re looking at undisclosed information.”
In a white paper entitled “Deep Level Due Diligence: What You Need to Know”, Tal related that “Controlling identified risk factors will often yield greater mid-range and long-term profitability with a relatively small capital outlay. Due diligence investigations often form a key portion of large corporations’ emerging market & high growth markets success strategy in addition to meeting regulatory compliance objectives. Deep level due diligence reports should provide corporate clients the assurance needed to comply with global anti-corruption regulations FCPA and to engage in new markets with clearly identified and manageable risks.”
Tomorrow I conclude this series by considering a deep dive, Level III due diligence as a tool for the Board of Directors.
Candice Tal can be reached via email at email@example.com.