International business partner duediligenceHow much is enough?

Deloitte Forensic Center

1

Introduction

As evidenced by Securities and Exchange Commission (SEC) and Department of Justice (DOJ) judgments, in which U.S. companies have been fined for not performing sufficient due diligence, a cursory approach will no longer suffice. Increasingly, companies will be expected to conduct a deeper, more systematic investigation of potential international business agents and partners that involves collecting information from the business partner, verifying the data and following up on identified “red flags.” This article reviews regulatory guidance on the sufficiency of background research, explores options for information-gathering, and examines factors to consider in the due diligence process.

Conducting due diligence on international business partners is now considered a leading practice for companies operating in international jurisdictions. The U.S. Foreign Corrupt Practices Act (FCPA), U.K. Bribery Act and multinational agreements all oblige companies to “know” their foreign counterparts. While the need is clear, there is no regulatory guidance specifying a minimum level of due diligence to be conducted. This ambiguity can make it tempting for companies to take a cursory swipe at due diligence; review one database, check the “all-clear” box, and enter into a business agreement.

As used in this document Deloitte means Deloitte Financial Advisory Services LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

2

Actions filed by the SEC and DOJ reveal some common due diligence pitfalls that should be considered when designing an effective compliance program:

Failing to conduct timely and sufficient due diligenceMany companies fail to collect sufficient information on their overseas business partner, often relying on their own employees to complete internal documents without requiring the business partner to answer specific questions. Companies should create a thorough due diligence questionnaire that obliges a business partner to attest to understanding anti-corruption regulations and controls.

SEC and DOJ enforcement actions have cited situations where companies engaged business partners and conducted due diligence after the fact. In one case,1 the DOJ faulted a company for hiring a Taiwanese consultant and only obtaining a profile, which indicated the consultant had no relevant experience, two years after the fact. In another case, court papers state that the company “did not conduct any formal due diligence regarding the … Agent's background, qualifications, other employment, or relationships with foreign government officials before or after engaging him.”2

Failing to adequately verify information provided by business partners Verifying information disclosed on questionnaires completed by business partners is a critical step; numerous SEC and DOJ enforcement actions have criticized companies for failing to do so. In one case resulting from an enforcement action,3 company officials prepared an internal approval document for a proposed agent in the United Kingdom which “contained false statements as to, among other things, the UK Agent's place of business (falsely stated to be Monaco) and number of employees (falsely stated to be four).” The document was signed for approval by senior company officials, yet “none of the senior [Company A] or [Company B] officials who signed the document undertook any independent review or asked any questions concerning the UK Agent.”

In a previously cited case,4 the DOJ stated that a company official would typically request a Dun & Bradstreet profile after receiving internal documentation on a potential business partner and noted that the company official “made no effort, or virtually no effort, to verify the information provided by the consultant in the Consultant Profile, apart from using Dun & Bradstreet reports to confirm the consultant's existence and physical address.” In a previously cited case5, the SEC noted that the company’s attorneys knew that shareholders of a Gibraltar shell company that had received payments were held by two other offshore entities, yet the attorneys “never learned the identity of the beneficial owner[s] of the shares.”

Failing to act on identified red flags The DOJ has also opined on the need for companies to act on risk factors identified during the due diligence process. In a case cited above6, the DOJ faulted a company for failing to follow up on what were considered obvious red flags identified when hiring a consultant in Honduras for work in the telecommunications industry. As stated in the case, the consultant’s company profile, signed by the consultant and the U.S. company’s area president, listed the consultant’s main business as the distribution of "fine fragrances and cosmetics in the Honduran market" and the Dun & Bradstreet report on the consultant stated that the company was "engaged in cosmetic sales, house-to-house.“ The same case further states that “there was no requirement for the provision of information regarding conflicts of interest or relationships with government officials” and that “even where the Dun & Bradstreet report disclosed problems, inconsistencies, or red flags, typically nothing was done.”

Common due diligence pitfalls

1 U.S. V. Alcatel-Lucent Trade Int’l, A.G.2 U.S. V Titan Corp.3 SEC V. Halliburton Company and KBR, Inc.4 U.S. V. Alcatel-Lucent Trade Int’l, A.G.5 SEC V. Halliburton Company and KBR, Inc.6 U.S. V. Alcatel-Lucent Trade Int’l, A.G.

3

Approaching due diligence

There is no law or regulation specifying the process for or the sufficiency of international due diligence. However, the examples of enforcement actions discussed above do provide some guidance for what is expected of companies operating overseas. Generally, companies should consider taking three steps in their investigation of a potential international business partner:

1. Require the business partner to disclose information on a questionnaire.

2. Use a risk-based approach to verify the information provided and independently identify adverse information.

3. Take action on any identified “red flags” uncovered in the process.

Information disclosureCompanies should design an effective and thorough questionnaire that asks reasonable questions and puts the business partner “on the record” regarding certain key issues. Such a questionnaire should be designed in conjunction with legal counsel and may contain, at a minimum, the following elements:• Company background, including identifying and

registration information • Ownership and management, including beneficial

owners and others able to exercise influence over the entity and any relationships with government officials, as well as identifying information on these individuals

• Disclosure of any civil, criminal, and regulatory matters, to identify a history of issues that may present risk factors

• Anti-corruption knowledge and compliance, including questions about knowledge of laws and the company’s compliance regime and training efforts

• References for individuals knowledgeable about the business partner who can provide verification of business relationships and experience

• Signature of a responsible party who attests to the veracity of the information and agrees to abide by all applicable laws and policies of the company in carrying out its activities.

Background research methodologyOnce the above information is collected, the company should conduct an assessment to determine the level of risk presented by each business partner. A number of factors should be considered, including the type of relationship, corruption risk associated with the jurisdiction, interaction with government officials, compliance regime, and known adverse information about the business partner. These factors may also vary depending on the industry in which the business partner is operating.

Business partners typically are divided into three categories: high-, medium-, and low-risk. High-risk business partners include those located in a country with a considerable risk of corruption, those having significant interaction with government officials, or those for which red flags have been identified in the due diligence process. Medium-risk business partners are those that may have a lesser degree of contact with government officials, such as lawyers or accountants, yet are located in a high-risk jurisdiction. Low-risk business partners might include vendors of goods and services that are not acting in an official capacity for the company.

What do you need to know about your business partners?

Effective international business partner due diligence requires that a company gather meaningful information, assess potential risk across the enterprise, and tailor risk mitigation actions accordingly. Among key questions a company should ask regarding international business partners:

• Is this a "real" business partner with a business profile and is it experienced in the relevant industry?

• Is the business partner owned by company employees, or do other potential conflicts of interest exist?

• Does the business partner, or its principals, have a track record of bankruptcy or solvency issues that might threaten the supply chain?

• Does the business partner, or its principals, have a history of serial litigation, criminal problems, counterfeiting, child labor, or product safety issues?

• Is the business partner associated with organized crime, terrorist groups, money laundering, bribery, or corruption?

• Is the business partner located in a country restricted by U.S. law from receiving payment, or does the vendor appear on sanction and embargo lists such as that of the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)?

4

The methodology for business partner background research will depend on the subject’s risk ranking. Figure 1 shows examples of the factors involved in the risk-ranking process and three representative levels of background checks commensurate with those risk levels.

Companies should strongly consider hiring an outside firm to conduct background research to benefit from access to sources otherwise not available and to demonstrate independence in the vetting process. When vetting a representative who has a high degree of contact with government officials, or one located in a high-risk jurisdiction, single-database resources will likely prove to be insufficient. Similarly, public record resources in many countries may prove to be sparse and unreliable; instead, local resources may be required for record retrieval and for human source inquiries regarding the reputation and background of the subject. Professional investigators may help lower the risk of overlooking important information and provide credibility that the approval process was conducted independently of commercial interests.

Following up on red flagsFinally, where the process does identify red flags, the company should perform additional diligence. As referenced above, when companies have been put on alert by adverse or conflicting information, regulators expect resolution.

In many cases, resolving red flag issues may be as simple as an inquiry with the business partner for clarification. For example, if a company self-discloses involvement in litigation, the company may want to inquire about the nature of the cases.

Likewise, where public record research conflicts with that provided in questionnaire responses about the status of a corporation, you may need to make further inquiries with the company or hire an outside investigator to conduct thorough public record research and source inquiries. In all cases, however, the company should resolve issues and take appropriate steps to assure that they are conducting business with reputable individuals and organizations and document these efforts.

[PEP: Politically Exposed Person][CPI: the Corruption Perception Index compiled by Transparency International]

 

• PEP/Sanction list• Adverse media  • Number of vendors

• Vendor activity

• Vendor contact withgovernment officials

• Known or prior allegations

• Jurisdictional risk (CPI score)

• Industry risk

• Country-specificcommon schemes

Data Source Considerations

Level 1

Level 2

Level 3

• Includes Level 1 research• Identify website/media profile• Locate D&B• Corporate registry check• Identify shareholders and directors• Credit report • Bankruptcy-civil litigation• Criminal records (to the extent

available)

•  Discreet source inquiries•  Includes Level 1 and 2 research

Figure 1

5

Closing thoughts

While the due diligence effort may lengthen the start-up time for a new business partner relationship, recent SEC and DOJ judgments have demonstrated that failing to do so can have considerable negative financial and operational repercussions for companies seeking to conduct business internationally. It is far better to proceed slowly, carefully, and thoroughly with any new business relationship.

Deloitte Forensic CenterThe Deloitte Forensic Center is a think tank aimed at exploring new approaches for mitigating the costs, risks and effects of fraud, corruption, and other issues facing the global business community.

The Center aims to advance the state of thinking in areas such as fraud and corruption by exploring issues from the perspective of forensic accountants, corporate leaders, and other professionals involved in forensic matters.

The Deloitte Forensic Center is sponsored by Deloitte Financial Advisory Services LLP. For more information, visit www.deloitte.com/forensiccenter or scan the code below.

6

Deloitte Forensic Center

The following material is available on the Deloitte Forensic Center Web site www.deloitte.com/forensiccenter or from dfc@deloitte.com.

Deloitte Forensic Center book:• Corporate Resiliency: Managing the Growing Risk of

Fraud and Corruption– Chapter 1 available for download

ForThoughts newsletters:• Internal Investigation Costs: Securing Elusive Insurance

Coverage• The Tone at the Top: Ten Ways to Measure

Effectiveness• Visual Analytics: Revealing Corruption, Fraud, Waste

and Abuse• Anti-Corruption Practices Survey 2011: Cloudy with a

Chance of Prosecution? • Fraud, Bribery and Corruption: Protecting Reputation

and Value• Ten Things to Improve Your Next Internal

Investigation: Investigators Share Experiences• Sustainability Reporting: Managing Risks and

Opportunities• The Inside Story: The Changing Role of Internal Audit

in Dealing with Financial Fraud• Major Embezzlements: How Can they Get So Big?• Whistleblowing and the New Race to Report: The

Impact of the Dodd-Frank Act and 2010’s Changes to the U.S. Federal Sentencing Guidelines

• Technology Fraud: The Lure of Private Companies

• E-discovery: Mitigating Risk Through Better Communication

• White-Collar Crime: Preparing for Enhanced Enforcement

• The Cost of Fraud: Strategies for Managing a Growing Expense

• Compliance and Integrity Risk: Getting M&A Pricing Right

• Procurement Fraud and Corruption: Sourcing from Asia• Ten Things about Financial Statement Fraud - Third

edition• The Expanded False Claims Act: FERA Creates New

Risks• Avoiding Fraud: It’s Not Always Easy Being Green• Foreign Corrupt Practices Act (FCPA) Due Diligence in

M&A• The Fraud Enforcement and Recovery Act “FERA”• Ten Things About Bankruptcy and Fraud• Applying Six Degrees of Separation to Preventing

Fraud• India and the FCPA• Helping to Prevent University Fraud• Avoiding FCPA Risk While Doing Business in China• The Shifting Landscape of Health Care Fraud and

Regulatory Compliance• Some of the Leading Practices in FCPA Compliance• Monitoring Hospital-Physician Contractual

Arrangements to Comply with Changing Regulations• Managing Fraud Risk: Being Prepared• Ten Things about Fraud Control

7

Deloitte Forensic Center

Notable material in other publications:• Anti-Corruption Practices Survey Highlights Challenges

Facing Companies, Business Crimes Bulletin, January 2012

• Execs Not Confident In Corporate Anti-Corruption Programs, FinancialFraudLaw.com, January 2012

• 10 Ways to Measure the Tone at the Top, WSJ Professional, January 2012

• So You Want to be a Multinational?, ChiefExecutive.net, December 2011

• Execs Lack Confidence in Anti-Graft Programs, Compliance Reporter, November 2011

• Bounty Hunting: Will New Regulations Create a New Incentive for Whistleblowers?, Perspectives (University of Illinois), November 2011

• The Hidden Risks of Doing Business in Brazil, Agenda, October 2011

• Use of Third Parties’ Seen as Leading Source of Corruption Risk, Ethikos, Sept/Oct 2011

• High Tide: From Paying For Transparency To ‘I Did Not Pay A Bribe’, WSJ.com, September 2011

• Executives Worry About Corruption Risks: Survey, Reuters, September 2011

• Whistleblowing After Dodd-Frank — Timely Actions for Compliance Executives to Consider, Corporate Compliance Insights, September 2011

• Corporate Criminals Face Tougher Penalties, Inside Counsel, August 2011

• Follow the Money: Worldcom to ‘Whitey,’ CFOworld, July 2011

• Whistleblower Rules Could Set Off a Rash of Internal Investigations, Compliance Week, June 2011

• Whistleblowing After Dodd-Frank: New Risks, New Responses, WSJ Professional, May 2011

• The Government Will Pay You Big Bucks to Find the Next Madoff, Forbes.com, May 2011

• Major Embezzlements: When Minor Risks Become Strategic Threats, Business Crimes Bulletin, May 2011

• As Bulging Client Data Heads for the Cloud, Law Firms Ready for a Storm, and More Discovery Woes from Web 2.0, ABA Journal, April 2011

• The Dodd-Frank Act’s Robust Whistleblowing Incentives,

• Forbes.com, April 2011• Where There’s Smoke, There’s Fraud, CFO magazine,

March 2011• Will New Regulations Deter Corporate Fraud? Financial

Executive, January 2011• The Countdown to a Whistleblower Bounty Begins,

Compliance Week, November 9, 2010• Deploying Countermeasures to the SEC’s Dodd-Frank

Whistleblower Awards, Business Crimes Bulletin, October 2010

• Temptation to Defraud, Internal Auditor magazine, October 2010

• Shop Talk: Compliance Risks in New Data Technologies, Compliance Week, July 2010

• Many Companies Ill-Equipped to Handle Social Media e-discovery, BoardMember.com, June 2010

• Mapping Your Fraud Risks, Harvard Business Review, October 2009

• Use Heat Maps to Expose Rare but Dangerous Frauds, HBR NOW, June 2009

8

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering accounting, auditing, business, financial, investment, legal, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright © 2012 Deloitte Development LLC. All rights reserved.Member of Deloitte Touche Tohmatsu Limited

This article is published as part of ForThoughts, the

Deloitte Forensic Center’s newsletter series edited by Toby

Bishop, the director of the Deloitte Forensic Center.

ForThoughts highlights trends and issues in fraud,

corruption and other complex business issues. To subscribe

to ForThoughts, visit

www.deloitte.com/forensiccenter or send an email to

dfc@deloitte.com.

Author

John Leonard is a senior manager in the Forensic & Dispute

Services practice of Deloitte Financial Advisory Services LLP.

Mr. Leonard may be reached at jleonard@deloitte.com.