Conducting Due Diligence Today

We have been doing due diligence for close to a decade. First were larger due diligences involving anti-corruption issues while working at large firms. Now, our firm does mostly third-party service intermediaries and joint ventures. We have seen how companies use a range of different methodologies to conduct due diligence, and different ideas of what it means to have a risk-based process. There is no one-size-fits-all approach, but some methods are significantly cheaper and more aligned to the business than others.

For some context, third parties that interact with foreign government officials pose significant risk to companies. As most readers know, the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) published a guide in 2012 collecting various documents associated with the U.S. Foreign Corrupt Practices Act (FCPA), including opinion letters, prosecutions and other documents. The FCPA Guide notes that companies commonly use third parties to conceal the payment of bribes to foreign government officials in international business transactions. Commentators have echoed this concern. Mike Koehler, FCPA guru and law professor, has noted that a significant percentage of anti-bribery violations are based on the conduct of agents, representatives, distributors or even joint venture partners. As prosecutions have increased globally, third parties have frequently been in the cross-hairs.

A Streamlined Process

Over the past few years, in our own work and benchmarking, we have developed a streamlined process that is risk-based, effective and minimizes unnecessary costs. Generally, for most companies with foreign bribery risk, a due diligence process consists of collecting information on the third party — whether it's a customs broker or a joint venture partner — evaluating that information for compliance issues (or red flags), documenting the information and evaluation, and forming a decision on whether the company can enter into the relationship and, if so, under what conditions. This process usually begins with the business' request to conduct due diligence and ends with a report.

The key to an efficient and effective process is simplicity, a risk-based approach, and adequate documentation. Unnecessary costs can occur when: the expectations/questions for the third party are unclear; the company uses overpriced tools or software to conduct database searches; efforts of different functions and external parties are duplicative; the reports are unnecessarily complex; and the process is a one-size-fits-all approach.

Here are some ways to get it right:

• Use simple forms and language. Most sophisticated companies use standardized forms to collect information on what the third party will do, for whom, the prior relationship, how they will be paid, etc. No one likes long forms. If your due diligence form looks like your cellphone contract, think about cleaning it up and making it simpler — use plain language and non-leading questions (those that do not assume facts). Consider that many third parties completing the form may not be native English speakers and are not lawyers familiar with anti-corruption lingo (g., the definition of a foreign official). Define terms in a simple and obvious way. If terms are unclear, chances are the third party may not ask for clarification. Make it easier.
• Use a cost-effective search tool. With the proliferation of due diligence, tech and database companies have developed a variety of tools to provide background information using common name searches. Many generate similar results on key issues (g., political relationships), and some generate false positives using news articles and other information. Searches using free databases may take longer to filter through results, but if the tool you pay for does not limit false positives, it may make sense to use a free tool or craft a better search. If you are paying for a tool, ask questions about the scope of the searches and number of licenses your team truly needs. The best information comes from talking to the third party and their references-avoid over-reliance on database searches.
• Identify common themes and key issues. When you talk to third parties or their references, structure the phone interview around the type of third party and the key issues you identified from the information you collected on the form. Be efficient with their time and yours. Remember to interview someone who is knowledgeable of the business and the risks posed by what they will do for the company.
• Allocate most resources to greatest risk. Utilize the data collected from the forms and searches, as well as the phone interviews and reference checks (which are key) to identify high-risk third parties. Data points such as the type of work, where it will be done, and the types of interactions and payments that will be made are key factors to help make risk-based determinations. This data will allow you to allocate resources in a risk-based manner and focus on controls, training or other processes the company will ask the third party to undertake to minimize corruption risks.
• Generate one report. Now that you've done all this work, you should document it. Draft a streamlined report to document the information you collected through the third-party form, phone interview and database searches. You can use checklists and other time-saving methods to document issues like payment type, country and issues that lend themselves to lists. Other information gathered during interviews may lend itself to a narrative form. Clear and simple writing is key. The report should provide bespoke advice tailored to what works for the business.

Analysis

The FCPA guide mandates that companies undertake some form of ongoing monitoring of third-party relationships, which may include periodically updating due diligence, exercising audit rights, or providing periodic training/requesting annual compliance certifications from the third party. This evaluation should not only focus on effectiveness, but cost and alignment with the business. A streamlined process minimizes costs and ensures that resources are allocated to the highest risk. Simple helps the business move faster. Saving money shows that legal/compliance is aligned with helping the business win.

*****

Ryan McConnell and Stephanie Bustamante are lawyers at R. McConnell Group, a compliance boutique law firm in Houston with Fortune 500 clients across the globe. McConnell is a former assistant U.S. attorney in Houston who has taught criminal procedure and corporate compliance at the University of Houston Law Center. Bustamante's work at the firm focuses on risk and compliance issues in addition to assisting clients with responding to compliance failures. This article also appeared in Corporate Counsel, an ALM sibling publication to this newsletter.