The case for vetting global business partners
CFOs should consider potential areas to strengthen their companies’ compliance programs.
Enforcement actions by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) for insufficient due diligence on international business partners are underscoring the point that a cursory approach no longer suffices. In the aftermath of such actions, conducting due diligence on international business partners has become a leading practice for companies—and for CFOs—operating in global jurisdictions.
There are actually multiple factors driving the need for better compliance. The US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, and multinational agreements oblige companies to “know” their foreign counterparts. And with the release of A Resource Guide to the US Foreign Corrupt Practices Act by the DOJ and the SEC, companies have more information available to them about how these agencies view compliance with the FCPA and companies’ efforts to strengthen their anti-corruption programs.
CFOs, CROs, and legal and compliance officers should discuss the guide with other senior executives, board members, and their staffs, and consider potential areas to strengthen their companies’ own compliance programs. What seems clear is that companies will be expected to conduct a deeper, more systematic investigation of potential international business partners, and CFOs and others overseeing risk management can spearhead that effort by establishing a due diligence process that involves collecting information from the business partner, verifying the data, and following up on identified red flags.
Research compiled by the Deloitte Forensic Center explores options for information-gathering and examines factors in the due diligence process for senior business leaders to consider. And in this issue of CFO Insights, we discuss some of the takeaways from enforcement actions as well as those due diligence options.
Common due diligence pitfalls
The SEC and DOJ judgments show that it’s far better to proceed carefully and thoroughly with any new business relationship. The enforcement actions also reveal some common due diligence pitfalls to consider when designing an effective compliance program, including:
- Failing to conduct timely and sufficient due diligence. SEC and DOJ enforcement actions have cited situations where companies engaged business partners and conducted due diligence after the fact. In addition, many companies often rely on their own employees to complete internal documents without requiring the overseas business partner to answer specific questions.
- Failing to adequately verify information provided by business partners. Numerous SEC and DOJ enforcement actions have criticized companies for failing to verify information disclosed on questionnaires completed by business partners.
- Failing to act on identified red flags. The DOJ has also opined on the need for companies to act on risk factors identified during the due diligence process.
While there is no law or regulation specifying exactly the process for, or the sufficiency of, international due diligence, the enforcement actions in the report provide some guidance for what is expected of companies operating overseas. Generally, companies should consider taking the following three steps:
- Require the business partner to disclose information on a questionnaire.
- Use a risk-based approach to verify the information provided and independently identify adverse information.
- Take action on any identified red flags uncovered in the process.
Companies can design an effective and thorough questionnaire for business partners that asks reasonable questions and puts the business partner “on the record” regarding certain key issues. A questionnaire should be designed working with legal counsel and may contain, at a minimum, the following elements:
- Company background, including identifying and registration information.
- Ownership and management, including beneficial owners and others able to exercise influence over the entity and any relationships with government officials, as well as information on these individuals.
- Disclosure of any civil, criminal, and regulatory matters, to identify a history of issues that may present risk factors.
- Anti-corruption knowledge and compliance, including questions about knowledge of laws and the company’s compliance regime and training efforts.
- References from individuals knowledgeable about the business partner who can provide verification of business relationships and experience.
- Signature of a responsible party who attests to the veracity of the information and agrees to abide by all applicable laws and policies of the company in carrying out its activities.
Conducting background research
The approach for conducting background research on a potential business partner will depend on the potential partner’s risk ranking. To assess the risk level, companies can use the information collected in the questionnaire. Factors to consider include the type of relationship, corruption risk associated with the jurisdiction, interaction with government officials, compliance regime, and known adverse information about the potential business partner.
Business partners typically are divided into three categories: high-risk, medium-risk, and low-risk. High-risk business partners include those located in a country with a considerable risk of corruption, those having significant interaction with government officials, or those for which red flags have been identified in the due diligence process. Medium-risk business partners may have a lesser degree of contact with government officials, such as lawyers or accountants, yet are located in a high-risk jurisdiction. Low-risk business partners might include vendors of goods and services that are not acting in an official capacity for the company.
CFOs and risk managers may want to consider hiring an outside firm to conduct background research to benefit from access to sources otherwise not readily available and to demonstrate independence in the vetting process. When vetting a representative who has a high degree of contact with government officials, or one located in a high-risk jurisdiction, for example, single-database resources will likely prove insufficient. Local resources may be required for record retrieval and for human-source inquiries regarding the potential business partner’s reputation and background.
Following up on red flags
Resolving red flag issues may involve more in-depth research or a simple inquiry to the potential business partner for clarification. In all cases, however, it is critical that the company resolve issues, take appropriate steps to assure that it is conducting business with reputable individuals and organizations, and document these efforts. When companies have been put on alert by adverse or conflicting information, regulators expect resolution.
While the due diligence effort may lengthen the start-up time for a new business partner relationship, SEC and DOJ judgments have demonstrated that failing to do so can have considerable negative financial and operational repercussions for companies seeking to conduct business internationally. It is far better to proceed slowly, carefully, and thoroughly with any new business relationship.
What do you need to know about your business partners?
Effective international business partner due diligence requires that a company gather meaningful information, assess potential risk across the enterprise, and tailor risk-mitigation actions accordingly. Among key questions a company should ask regarding international business partners:
- Is this a "real" business partner with a business profile, and is it experienced in the relevant industry?
- Is the business partner owned by company employees, or do other potential conflicts of interest exist?
- Does the business partner, or its principals, have a track record of bankruptcy or solvency issues that might threaten the supply chain?
- Does the business partner, or its principals, have a history of serial litigation, criminal problems, counterfeiting, child labor, or product safety issues?
- Is the business partner associated with organized crime, terrorist groups, money laundering, bribery, or corruption?
- Is the business partner located in a country restricted by US law from receiving payment, or does the vendor appear on sanction and embargo lists such as that of the US Department of the Treasury’s Office of Foreign Assets Control (OFAC)?
About Deloitte’s CFO Program
The CFO Program brings together a multidisciplinary team of Deloitte leaders and subject matter specialists to help CFOs stay ahead in the face of growing challenges and demands. The Program harnesses our organization’s broad capabilities to deliver forward thinking and fresh insights for every stage of a CFO’s career–helping CFOs manage the complexities of their roles, tackle their company’s most compelling challenges, and adapt to strategic shifts in the market.
For more information about Deloitte’s CFO Program, visit our website at: www.deloitte.com/us/thecfoprogram.