In the context of COVID-19, there are significant challenges involved in conducting due diligence: hard-copy documents are inaccessible, in-person meetings have moved online, and on-site visits may be impossible. Companies nonetheless can and should continue to comply with the law by adjusting policies and procedures, mitigating new risks that arise through the use of alternative diligence methods, and staying abreast of changing regulatory expectations.
For compliance professionals, applying “enhanced” reviews to higher-risk scenarios necessarily requires direct human involvement: an experienced hand to assess the universe of available information and make sometimes difficult judgment calls. Certain aspects of this work can, with varying degrees of difficulty, be completed from the (in)convenience of the myriad home offices that have sprouted in response to the COVID-19 pandemic—assuming that the compliance professional is in possession of all required information. However, compliance teams and those who support them are finding that a major challenge arises in gathering the detailed information upon which compliance decisions are based. Physical documents are not accessible, travel is impossible, and in many cases, key information must be obtained from third parties who are themselves struggling to navigate the pandemic.
This article discusses the significant challenges to effective due diligence resulting from restrictions on international and domestic travel, stay-at-home orders, and general “social distancing” in response to COVID-19. It also considers strategies that corporations and financial institutions can adopt to remain in compliance with the law during the pandemic.
In the context of international business and finance, bodies of law that are top of mind for most compliance teams include the Foreign Corrupt Practices Act (“FCPA”), economic sanctions administered by the Office of Foreign Assets Control (“OFAC”), and anti-money laundering (“AML”) rules administered by the U.S. Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and other financial regulators.
While specific due diligence efforts are not legally mandated by the FCPA or OFAC, they nevertheless form a key part of a company’s system of internal controls. Companies routinely collect identifying and ownership information to understand any connections to government officials, sanctioned persons, and other potential risk factors. And companies often undertake more detailed reviews for higher-risk jurisdictions, as well as for activities like customs clearance, lobbying, and other interactions with government officials. These efforts may include background or reference checks that rely on local or regional networks for key business intelligence. In some cases, including mergers and acquisitions, companies undertake in-depth, on-the-ground due diligence reviews in multiple countries around the world, often working under tight deadlines (discussed further below).
Indeed, doing risk assessments, monitoring third parties, conducting in-country audits, and implementing a host of other internal controls are described in the DOJ’s Evaluation of Corporate Compliance Programs as best practices business organizations should undertake to assure FCPA compliance. Similarly, OFAC emphasized the importance of due diligence and understanding third party relationships in its May 2019 Framework for Compliance Commitments.
U.S. AML rules under the Bank Secrecy Act (“BSA”) require financial institutions to implement risk-based policies and procedures for identifying new customers, and for monitoring the transactions and other conduct of existing customers. Many financial institutions’ know-your-customer (“KYC”) policies and procedures, adopted pre-COVID-19, require enhanced due diligence for higher-risk customers. In addition, enhanced due diligence is mandated by regulation for foreign banks holding correspondent accounts with U.S. banks and for senior foreign political figures, or politically exposed persons (“PEPs”), using private banking services at U.S. banks.
To conduct enhanced AML KYC due diligence, financial institutions typically collect additional information to confirm the identity, beneficial owner(s), source of wealth, source of funds, and reputation of a new, higher-risk customer. Financial institutions also conduct more extensive and more frequent monitoring of the customer relationship. Reviewing hard-copy documents, meeting in person, and traveling to customer locations overseas are (or were) not unusual, and regulations and regulatory guidance have cemented these “physical” practices as best practice.
As many compliance professionals can now attest, the sudden switch from a physical to virtual work environment is jarring. The specific challenges to conducting due diligence in a mostly virtual environment generally relate to trust, credibility and the ability to verify information:
Companies are already seeing regulators shift deadlines, examination methods, and enforcement priorities in response to COVID-19. On the one hand, numerous agencies have announced various forms of regulatory relief. The SEC, for example, has issued a no-action letter extending deadlines for the Consolidated Audit Trail until mid-May.1 Similarly, the SEC’s Office of Compliance Inspections and Examinations has announced that its normally on-site examinations would be conducted virtually.2
At the same time, regulators have called upon companies to pay increased attention to their compliance obligations in the context of COVID-19. FinCEN has called upon financial institutions to be vigilant for fraud schemes related to COVID-19 and has requested that related suspicious activity reports (“SARs”) be filed with a “COVID19” label in the report, presumably to permit FinCEN to prioritize investigations of pandemic-related financial crime.3 For its part, the SEC’s Division of Corporate Finance released guidance setting forth COVID-19-related disclosure expectations for public companies, and reemphasizing the prohibition on insider trading.4 The SEC has also said its enforcement teams continue to actively monitor for fraud, illicit schemes, and other misconduct.5 In addition, the Attorney General has announced that “it is essential that the Department of Justice remain vigilant in detecting, investigating, and prosecuting wrongdoing related to the crisis.”6
Bearing in mind that some of the recently announced enforcement priorities relate directly to regulated companies, while others relate more to customers and counterparties, how can organizations navigate regulatory shifts and remain compliant with their due diligence obligations?
First, companies should closely monitor regulatory pronouncements both to take advantage of available relief, and to step up efforts in areas that regulators prioritize for enforcement.
Second, companies need to review their compliance policies and procedures to identify requirements that may prove challenging to satisfy under current circumstances. By doing so, companies will understand where potential shortfalls are most likely to arise, and they will be better able to craft effective alternatives and ensure that exceptions are carefully documented. Increased reliance on digitized documents, e-signatures, and remote meetings is all but inevitable—but firms should ensure such measures are consistent with legal requirements.
To the extent necessary, organizations may consider revising their policies and procedures to permit effective, alternative processes, either as a general matter, or in limited circumstances (e.g., a widespread health emergency). For example, methods of obtaining documents or conducting interviews may need to be broadened to include newer forms of technology, provided that those technologies are sufficiently reliable and appropriate in the circumstances. Of course, companies under a monitorship agreement should take care to comply with any terms of the monitorship that require notice or pre-approval for changes to compliance policies and procedures. These modifications may be simple, yet instrumental in ensuring that companies commit to effective compliance programs that can be implemented even during an emergency such as COVID-19.
The following examples illustrate additional accommodations that organizations may need to adopt in response to the challenges listed above:
It is crucial that companies continue to follow their policies and procedures. A company that puts in place a well-designed compliance program but fails to effectively implement that program can quickly become a target for a regulatory enforcement action.
Third, companies should communicate with their regulators. If it is simply not possible to conduct legally required diligence and regulatory relief has not been announced, or if a company is unsure how a regulator might view a particular alternative procedure or other workaround, then a formal or informal inquiry may be warranted. For example, in July 2018, Deputy Assistant Attorney General Matthew Miner encouraged companies to make use of the Opinion Procedure Release process in connection with their FCPA compliance efforts.7 If a company finds itself unable to meet the typical FCPA due diligence timeline for mergers and acquisitions due to the COVID-19 pandemic, requesting a DOJ opinion should be considered. Likewise, on March 16, 2020, FinCEN asked financial institutions that expect to miss filing or reporting deadlines due to the illness or unavailability of key staff to communicate those expectations to FinCEN as soon as possible.8 When necessary, companies should take advantage of these invitations.
Although there are significant challenges involved in conducting due diligence in the COVID-19 era, companies can and should continue to comply with their legal obligations. To do so, companies need to make nimble use of personnel, technology, and outside partners to fulfill their diligence requirements. Companies should also closely track shifts in regulatory relief and enforcement priorities. In addition, companies may need to adjust their policies and procedures to account for new information collection methods, or the involvement of new service providers in diligence processes. Finally, companies should document any new risks that arise due to the use of alternative diligence methods, engage in appropriate mitigation measures both now and after the crisis, and consider whether there is a need to communicate any specific diligence challenges to regulators.