Warning: this is a long one but every word is gold.  Pure gold.  So read it, and favourite Howard’s blog.

By Howard Sklar

I had been waiting for the hospitality case study. Everyone else has been waiting for this one: due diligence of agents.

Diligence presents a number of difficulties for companies of all sizes. It’s like the old journalism class I took: the question words. Who? What? Where? When? Why? In fact, that’s a good mental framework for addressing the issues of due
diligence.

Who? Who should do the diligence? This is a major decision for a company implementing a program; don’t underestimate the costs or the effort. Diligence is a huge undertaking, and one that continues over time. In fact, it not only continues over time, but also gets more important over time. The reason its importance continually increases is that there is very little more damaging to a program to have great controls that last for 3 months. This is why I always say that I’d rather have 2 controls that are kept religiously than 5 controls that are only followed every once in a while. Because as sure as the sun will rise tomorrow, the agent who gets you into trouble will be one who fell through the cracks. Also, this is a budgetary issue: you’ll have S&B spend, IT spend, outside counsel spend, probably some consultant spend. Diligence costs, and one of the first ways that companies get themselves into trouble is to fail to plan for those expenses. Implementing appropriate diligence also requires a significant internal marketing effort, because you’re going to be delaying and in some cases terminating relationships the business thinks it needs.

Another “who” is, who do you do diligence on? This is going to be the next big thing in anti-corruption compliance: segmenting your vendors pre-diligence. The reason this is such a big deal—and something that no one, no one, is talking about—is the UK Bribery Act’s prohibition on private-sector bribery. Instead of being able to segment your vendor/agent population into the majority who has no interaction with government, versus the minority who do, and only doing diligence on the latter, programs will now have to do diligence on everyone. And the compliance programs I’ve seen simply aren’t scalable like that. Companies are facing a tremendous increase in volume being pushed through their diligence programs. Ask any financial services company’s Financial Intelligence Unit whether they can handle 50%-70% additional volume. Most are straining at the seams as it is. And FIUs are staffed, generally speaking, with investigators. People who know how to do this stuff. Most anti-corruption programs aren’t. Lawyers, compliance officers yes. Investigators, not so much. So who can you exclude? Public companies? Companies with over 500 employees? Companies whose relationship goes back more than one year? These are all possibilities that will have to become part of the conversation over the next few months and years.

What? What information should you collect? And another question word, “how.” There’s also a hidden question here, which is, when you have all this information, what do you do with it? When most people think of due diligence, they think questionnaire. Questionnaires are important, and I’ve designed them and sent them out myself (always in consultation with outside counsel). There’s an “after the questionnaire” also, though, called “verification.” What information that you receive from the agent do you then have to verify? And how do you verify it? In a lot of markets, your available information sources are, shall we say, limited. Finally, in addition to the information you collect from the agent, and
the verification of that information, there’s another question: what independent research should you do? Do you need a “records check” (whatever that means)? Do you need to check with the embassy (something I used to mock, but now think is a good idea)? Do you need to hire one of the many—many, many—vendors who purport to do background checks?

Where? The first decision is the easiest: centralized diligence or decentralized diligence. The answer? Decentralized. You can’t conduct diligence around the world from one location. Or rather, you can, but it’ll be done badly. Local people must do the diligence, if for no other reason than being able to read the documents you’ll collect.

When? This is more of an implementation problem than a design problem. You need to insert these controls early enough in the process that you can act on information before the relationship comes into being. There will normally be Procurement involvement when you onboard a vendor (one would hope), but in my experience, avoiding Procurement has evolved into an art form. If there’s no pre-relationship legal involvement, getting Legal in there is a tough sell, and
tough to implement. This is also where you’re going to have problems with people trying to circumvent. There’s going to be a lot of “a lack of planning in your life does not constitute an emergency in mine” going on, as people come to you with agents they HAVE TO USE TOMORROW OR THE DEAL WILL DISAPPEAR! “Process” is an important noun here. Follow the process. Because, again, the one time you don’t, that’ll be the one to bite you.

Why? What’s the purpose of all this? I really like the saying, “if you don’t know where you’re going, you stand little chance of getting there.” The purpose of diligence is to allow you to collect enough information so that you can make a reasoned decision on whether to accept the risk of doing business with the third party who was the subject of the diligence. There will always be risk. Most of the time, the level of risk is acceptable. That’s why most discussions about risk end too early. They talk about the questionnaire, and maybe the risk rating, but not how that rating comes about, or what happens next. Because here’s the truth that you need to internalize if you want to stay out of trouble: the diligence process begins at a definable point, but never ends. Your diligence leads into—and, if you’re doing it right, defines—a monitoring program that you must maintain throughout your relationship with the third party.

Let’s look at the case study with that in mind, that diligence is a marathon, not a sprint.

Case study #6 posits a medium to large manufacturer of equipment, with an opportunity to enter an emerging market by way of a government contract. Local “convention” requires foreign businesses to operate through a local agent.

The optional controls are:

* Having a questionnaire requiring a) ownership details, b) CVs and references for those involved in performing the service, c) details of directorships held, existing partnerships, and third-party relationships, and any relevant judicial or regulatory findings.
* Having a clear SOW, including fees, costs, commissions, etc.
* Undertaking research, including Internet research on everyone, including control people if the third party is a corporation.
* Make inquiries “with relevant authorities” in the market to verify “the information received in response to the questionnaire.”
* Following up on references and clarifying any matters arising from the questionnaire
* Looking at the agent’s anti-bribery policies and procedures, and, if applicable, records
* Being alert to key commercial questions such as a) is the agent really required, b) does the agent have the required expertise, c) is the agent going to interact with the government official, and d) is the payment reasonable
* Renewing due diligence on a periodic basis

This actually isn’t a bad list. The problem isn’t what’s included, the problem lies in what’s omitted.

First, a glaring omission is any OFAC/Sanctions check. That’s a must-do. Also missing is what you do with the diligence. But let’s leave that for a bit while I comment on each of the proposed controls.

Second, the questionnaire. Undoubtedly an important piece of diligence, be careful not to put too much effort into it. It’s a blunt tool. And, since you’re relying on the agent to answer everything honestly, you need to put more effort into designing how you’re going to verify, and then react to, the answers. In other words, for every question you ask, ask yourself, “what am I going to do with the answer? How will my actions change depending on what the person says?” You need questions that will be more likely to generate honest responses, and you need questions that make sense.

It’s important that this is a medium to large company. Larger companies can force these things on smaller companies. But smaller companies have a much harder time. I worked in large companies, and I would always a) send out my own questionnaires and b) push back on people trying to send questionnaires to us. Was I just being mean? No. The question, “who are your beneficial owners?” is a common question. But for a large, public company, it’s an almost impossible question to answer. A better question is “if public, who owns more than 10% of your company?” But I saw really badly drafted questionnaires. And really, if a company is in the US, and listed on a national exchange, why bother with a questionnaire? The information is all on Google Finance anyway. And let’s see, you want a CV, and references, from those performing the service. Yeah, right. Good luck with that. This is where you really have to be careful what you ask for. Because let’s say you’re hiring me as an external sales agent. I have 400 employees who are going to actively push your product in the Democratic People’s Republic of Bribe-istan. You ask for the CVs and references of everyone providing the service. Fine. Being the good-hearted, wholesome vendor that I am, I give them to you, three references each. So now, you have 401 (the workers, plus me) resumes to look over, and 1,203 calls to make to check the references. Because, oh yes, if one of my workers pays a bribe, you’ll get asked, “you asked for references, did you get them? And if so, did you check them?” If you say “no” to either of those questions, you’re toast. And you’re planning on
making those 1,200 calls with what resources? Oh, just you? And do you speak the local language? Because the references don’t speak English. See why choosing the right questions becomes really important?

Next control suggestion from the guidance: get a detailed SOW. This sounds more like a business requirement than a compliance one, but I suppose it’s both. This looks like a pre-relationship control, but really, it’s more in line with the ongoing monitoring requirement. In anti-money laundering compliance, one of the requirements is to understand what the expected account activity will be. This is like the SOW requirement. It’s important not for what it is at the start, but because it sets the expectation. If you have an expectation that payment will be by check, and you get a request for a wire, that’s outside the SOW, and inherently suspect. It’s situations like this that illustrate and validate the marathon v. sprint paradigm. It’s not enough to have an SOW. You have to understand when the relationship veers outside of the boundaries of the SOW. The only way to do that is by monitoring the activity. Vendors need key performance indicators that should be reported monthly, and compliance should have some KPIs in there; KPIs like “did the vendor’s payment vary from the SOW this month?” “have we verified that whatever the vendor was supposed to provide this month was actually provided, and worth what we pay for it?” “Were there any requests for non-SOW payments this month?” If you get dodgy answers, you have to follow up.

Next: independent research. Yes, thanks. Now, the tougher question isn’t whether to do it, but how much to do. Figuring out what information to collect is one of the trickiest pieces to diligence. As I said above, there are two elements:
information from the vendor/agent, and information you collect independently. Here’s where setting global definitions becomes hard. Local information sources around the globe vary in quality. Vary dramatically. So if you say that you
want to independently collect beneficial owner information, you may just not be able to do that everywhere. (Or anywhere, frankly, with that particular piece of information.)

Make inquiries with relevant authorities to verify: a really good idea, if you can find “relevant authorities” with knowledge of what you want to verify. “Relevant authorities” might not know about beneficial ownership, or whether the proposed price is reasonable for the market. Or whether a particular agent is the brother-in-law of the zoning board official you’re dealing with. But like I said, after Sophie and Herbert and Billy said it was a good idea, I bowed to their
greater knowledge and said reaching out to the Embassy was a good idea. Just remember that “relevant authorities” is just another information source for your independent research.

Following up: It’s amazing to me how two little words can translate into so much work. The difficultly here is that you’re not doing diligence on one vendor, you’re designing a repeatable process to do diligence on all vendors. And sometimes it’s not so easy to know what you need to follow up on. References? Absolutely yes. I told the story of the thief who put a prior victim down as a reference, and almost bankrupting the company who didn’t check the reference. That’s true here. There’s just no excuse for not following up on a reference once you’ve asked for it. Then again, I think a regulator would say that there’s no excuse for following up with any information you ask for. That’s why I think you have to be very careful what you ask for. You have to know, and I’ve said this before, for every question you ask, what’s the riskier answer, and what am I going to do with a risky answer?

Looking at the agent’s anti-bribery policies and procedures. To which I respond, what if they don’t have any? Seriously, do you expect every two-bit company that provides marketing services in Azerbaijan to have an anti-bribery policy or procedure? And what exactly does that get you? We’re told over and over that paper policies are no good. So now we’re supposed to take a paper policy and use it as part of our diligence? What you’re really looking to know is, does the vendor take seriously its commitments to anti-corruption? Because everyone will tell you they’re strong on anti-corruption. Most will even sign a certification to that effect (don’t get me started). But I haven’t met a vendor/agent yet who would pay a bribe but refuse to sign a piece of paper saying they won’t. So the question is, does having a policy represent evidence of a serious commitment to anti-corruption. To which I reply, not so much. It may prove the opposite: not having a policy might show that you’re not serious. But even that’s iffy, in my opinion. And again, remember follow-up. If the person says they have a policy, you have to physically see it. And have it translated. And read it. Then, what if it stinks? Is that more trouble than the existence of a policy is worth to your diligence efforts? Tough call.

Being alert to commercial questions: I’m going back to “water is wet, thanks,” on this one. If you’re not alert to a commercial question like, am I paying an unreasonable amount for this product or service, you’re not going to be in business long. But, kudos to the author, being alert to expertise and government interaction are key. Key. You see cases all the time where an agent was hired who has no expertise other than his or her political connections. And, who could have known, they bribed someone. I would go so far as to say that if you can metric expertise, and you monitor just that metric in hiring agents, you’re probably going to be fine. But remember, the metric is more than “gets results.” The other metric, by the way, that I think is absolutely necessary is verifying that what you’re receiving is worth what you’re paying. Verifying it, mind you. I would go so far as to say that verification can even come from somewhere else inside the company. Someone unconnected with the hiring of the agent to be a reality check.

Lastly, renewing the diligence. Absolutely yes. No more need be said: you must do this. One thing, though. You should stagger the periodicity of the renewal based on risk. That is, higher risk vendors/agents get more diligence, more often.

Now, let’s look to Principle #4 on due diligence. The Guidance states, “the significance of the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right,” as opposed to diligence to mitigate general third-party risk. I think they’re right; diligence for the purpose of assessing bribery risk is so major an effort that it deserves attention in its own right. The Principle also correctly (in my opinion) states that the purpose of diligence is to “inform the application of proportionate measures” to prevent associated persons from bribery. The Principle also correctly (again, in my opinion) explains that diligence procedures should vary according to the risk that the third party presents. There’s a little of a chicken-egg problem here, because the diligence should help identify that very risk. But really—and I agree with the Guidance on this point—the type of third party, the category of service, can provide enough guidance to define what level of diligence is necessary. You have to start somewhere, and service type is a really good place.

The Principle then degenerates into some “water is wet” statements about how the amount of care needs to vary with the type of third party relationship. I think it’s also obvious (but as I’ve said before, I’ve been surprised at what some people don’t recognize as obvious) that lower risk gets lower diligence, and higher risk should incorporate more stringent diligence like hiring local firms to investigate the partner.

If you’ve read this far, you’re a trooper, so stick with me just a little longer while I talk about my ideas for effective due diligence.

First, TRACE (an organization you know I’m a fan of, if you’ve read this blog at all) has put out a pamphlet on what a minimum amount of diligence looks like. A valiant effort, and always worth paying attention to.

Here’s what I think. I’m prefacing this, however, by saying that if the UK actually prosecutes private-sector bribery, this is going to change.

First, you have dual requirements to differentiate your diligence processes (simply because of expense and ensuring it’s repeatable) into high-risk diligence and low-risk diligence. Assume that everything is low risk except for the following: proposed JV partners, external sales agents or other product-distribution agents, external marketing firms, external law firms, anyone hired specifically to interact with the government on your behalf, and anyone whose low-risk diligence produces a red flag. You can exclude from diligence altogether any firm that is regulated by a government entity in its own right. (Some will argue with this rule, and reasonable people can disagree, but if it’s a regulated entity, there’s nothing you’re going to find out about it that isn’t already known, so why bother?)

Low risk diligence should include, at a minimum, the following: identifying the beneficial owners of the third party, identifying senior management, identifying supervisory personnel servicing your account. The level of management to be
identified can vary with the size of the third party. Run all names through an OFAC/Sanctions check. As the third party if they do business in sanctioned countries (don’t say that…list out the sanctioned countries and ask if they do business there). Perform a news search using Google news, or Lexis/Nexis. There’s a negative-news search string that your AML people will have, use it. Save the search as a search agent, so you’ll get notified if anything pops up. Call the contact number given by the third party to see if they answer. Go to the web site, print out the front page. Cal the embassy in the country, talk to the commercial attaché, and take notes. Ask the third party for a customer reference. Call the reference. Take notes. If feasible, have the businessperson who wants to onboard the third party conduct a site visit. That’s it.

Here’s the trick: first, take notes of everything, and put those notes in a vendor/agent file for that third party. Keep the file safe, and take it out every 2 years for low risk.

For high-risk, you do more. And how much depends on why the third party is in this bucket. For high-risk diligence, at a minimum, I’d inquire whether anyone at the third party company is related to a government official. I’d think about “boots on the ground.” And I’d get more than one customer reference.

Finally, remember that, as I understand it, no company—no company at all—has gotten into trouble for doing their due diligence, but later having the amount of diligence questioned. If a company gets into trouble, they did NO diligence, not insufficient diligence. Process is just as important here as the specific diligence information collection points. If you collect information, conduct independent inquiry on that information, present that information to a disinterested committee, and follow that committee’s recommendation, in my mind, you’re fine.

[Howard: Remember my standard disclosure: I’m a lawyer, but I’m not your lawyer, and I’m not licensed to practice in the UK. If you want advice you can rely on, hire someone. I offer opinion commentary, not legal advice.] – Ed: Of course Barry & Richard would be delighted to help you 🙂