While the need for conducting due diligence on international business partners is clear, there is no regulatory guidance specifying a minimum level to be conducted. This ambiguity can make it tempting for companies to take a cursory swipe at due diligence; review one database, check the “all-clear” box, and enter into a business agreement.
As evidenced by SEC and DOJ judgments, in which U.S. companies have been fined for not performing sufficient due diligence, a cursory approach will no longer suffice. Increasingly, companies will be expected to conduct a deeper, more systematic investigation of potential international business agents and partners. While this due diligence effort may lengthen the start-up time for a new business partner relationship, these recent judgments demonstrate that failing to do so can have considerable negative financial and operational repercussions for companies seeking to conduct business internationally.
This article, International business partner due diligence: How much is enough?, from the Deloitte Forensic Center, reviews regulatory guidance on the sufficiency of background research, explores options for information-gathering, and examines factors to consider in the due diligence process.
2. Introduction
Conducting due diligence on international business partners is
now considered a leading practice for companies operating in
international jurisdictions. The U.S. Foreign Corrupt Practices
Act (FCPA), U.K. Bribery Act and multinational agreements all
oblige companies to “know” their foreign counterparts. While
the need is clear, there is no regulatory guidance specifying a
minimum level of due diligence to be conducted. This
ambiguity can make it tempting for companies to take a
cursory swipe at due diligence; review one database, check
the “all-clear” box, and enter into a business agreement.
As evidenced by Securities and Exchange Commission (SEC)
and Department of Justice (DOJ) judgments, in which U.S.
companies have been fined for not performing sufficient due
diligence, a cursory approach will no longer suffice.
Increasingly, companies will be expected to conduct a deeper,
more systematic investigation of potential international
business agents and partners that involves collecting
information from the business partner, verifying the data and
following up on identified “red flags.” This article reviews
regulatory guidance on the sufficiency of background
research, explores options for information-gathering, and
examines factors to consider in the due diligence process.
As used in this document Deloitte means Deloitte Financial Advisory Services LLP, a subsidiary of Deloitte LLP. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services
may not be available to attest clients under the rules and regulations of public accounting.
1
3. Common due diligence pitfalls
Actions filed by the SEC and DOJ reveal some common due Failing to adequately verify information
diligence pitfalls that should be considered when designing an provided by business partners
effective compliance program: Verifying information disclosed on questionnaires completed
by business partners is a critical step; numerous SEC and DOJ
Failing to conduct timely and sufficient due enforcement actions have criticized companies for failing to do
diligence so. In one case resulting from an enforcement action,3
Many companies fail to collect sufficient information on their company officials prepared an internal approval document for
overseas business partner, often relying on their own a proposed agent in the United Kingdom which “contained
employees to complete internal documents without requiring false statements as to, among other things, the UK Agent's
the business partner to answer specific questions. Companies place of business (falsely stated to be Monaco) and number of
should create a thorough due diligence questionnaire that employees (falsely stated to be four).” The document was
obliges a business partner to attest to understanding anti- signed for approval by senior company officials, yet “none of
corruption regulations and controls. the senior [Company A] or [Company B] officials who signed
the document undertook any independent review or asked
SEC and DOJ enforcement actions have cited situations where any questions concerning the UK Agent.”
companies engaged business partners and conducted due
diligence after the fact. In one case,1 the DOJ faulted a In a previously cited case,4 the DOJ stated that a company
company for hiring a Taiwanese consultant and only obtaining official would typically request a Dun & Bradstreet profile after
a profile, which indicated the consultant had no relevant receiving internal documentation on a potential business
experience, two years after the fact. In another case, court partner and noted that the company official “made no effort,
papers state that the company “did not conduct any formal or virtually no effort, to verify the information provided by the
due diligence regarding the … Agent's background, consultant in the Consultant Profile, apart from using Dun &
qualifications, other employment, or relationships with foreign Bradstreet reports to confirm the consultant's existence and
government officials before or after engaging him.”2 physical address.” In a previously cited case5, the SEC noted
that the company’s attorneys knew that shareholders of a
Gibraltar shell company that had received payments were held
by two other offshore entities, yet the attorneys “never
learned the identity of the beneficial owner[s] of the shares.”
1 U.S. V. Alcatel-Lucent Trade Int’l, A.G.
2 U.S. V Titan Corp.
3 SEC V. Halliburton Company and KBR, Inc.
4 U.S. V. Alcatel-Lucent Trade Int’l, A.G.
5 SEC V. Halliburton Company and KBR, Inc.
2
4. Failing to act on identified red flags What do you need to know about your business
The DOJ has also opined on the need for companies to act on partners?
risk factors identified during the due diligence process. In a
case cited above6, the DOJ faulted a company for failing to Effective international business partner due diligence requires
follow up on what were considered obvious red flags that a company gather meaningful information, assess
identified when hiring a consultant in Honduras for work in potential risk across the enterprise, and tailor risk mitigation
the telecommunications industry. As stated in the case, the actions accordingly. Among key questions a company should
consultant’s company profile, signed by the consultant and the ask regarding international business partners:
U.S. company’s area president, listed the consultant’s main
business as the distribution of "fine fragrances and cosmetics • Is this a "real" business partner with a business profile and
in the Honduran market" and the Dun & Bradstreet report on is it experienced in the relevant industry?
the consultant stated that the company was "engaged in • Is the business partner owned by company employees, or
cosmetic sales, house-to-house.“ The same case further states do other potential conflicts of interest exist?
that “there was no requirement for the provision of • Does the business partner, or its principals, have a track
information regarding conflicts of interest or relationships with record of bankruptcy or solvency issues that might threaten
government officials” and that “even where the Dun & the supply chain?
Bradstreet report disclosed problems, inconsistencies, or red • Does the business partner, or its principals, have a history
flags, typically nothing was done.” of serial litigation, criminal problems, counterfeiting, child
labor, or product safety issues?
• Is the business partner associated with organized crime,
terrorist groups, money laundering, bribery, or corruption?
• Is the business partner located in a country restricted by
U.S. law from receiving payment, or does the vendor
appear on sanction and embargo lists such as that of the
U.S. Department of the Treasury’s Office of Foreign Assets
Control (OFAC)?
6 U.S. V. Alcatel-Lucent Trade Int’l, A.G.
3
5. Approaching due diligence
There is no law or regulation specifying the process for or the • References for individuals knowledgeable about the
sufficiency of international due diligence. However the business partner who can provide verification of business
examples of enforcement actions discussed above do provide relationships and experience
some guidance for what is expected of companies operating • Signature of a responsible party who attests to the veracity
overseas. Generally, companies should consider taking three of the information and agrees to abide by all applicable
steps in their investigation of a potential international business laws and policies of the company in carrying out its
partner: activities.
1. Require the business partner to disclose information on a Background research methodology
questionnaire. Once the above information is collected, the company should
2. Use a risk-based approach to verify the information conduct an assessment to determine the level of risk presented
provided and independently identify adverse information. by each business partner. A number of factors should be
3. Take action on any identified “red flags” uncovered in the considered, including the type of relationship, corruption risk
process. associated with the jurisdiction, interaction with government
officials, compliance regime, and known adverse information
Information disclosure about the business partner. These factors may also vary
Companies should design an effective and thorough depending on the industry in which the business partner is
questionnaire that asks reasonable questions and puts the operating.
business partner “on the record” regarding certain key issues.
Such a questionnaire should be designed in conjunction with Business partners typically are divided into three categories:
legal counsel and may contain, at a minimum, the following high-, medium-, and low-risk. High-risk business partners
elements: include those located in a country with a considerable risk of
• Company background, including identifying and corruption, those having significant interaction with
registration information government officials, or those for which red flags have been
• Ownership and management, including beneficial owners identified in the due diligence process. Medium-risk business
and others able to exercise influence over the entity and partners are those that may have a lesser degree of contact
any relationships with government officials, as well as with government officials, such as lawyers or accountants, yet
identifying information on these individuals are located in a high-risk jurisdiction. Low-risk business
• Disclosure of any civil, criminal, and regulatory matters, to partners might include vendors of goods and services that are
identify a history of issues that may present risk factors not acting in an official capacity for the company.
• Anti-corruption knowledge and compliance, including
questions about knowledge of laws and the company’s
compliance regime and training efforts
4
6. The methodology for business partner background research Likewise, where public record research conflicts with that
will depend on the subject’s risk ranking. Figure 1 shows provided in questionnaire responses about the status of a
examples of the factors involved in the risk-ranking process corporation, you may need to make further inquiries with the
and three representative levels of background checks company or hire an outside investigator to conduct thorough
commensurate with those risk levels. public record research and source inquiries. In all cases,
however, the company should resolve issues and take
Companies should strongly consider hiring an outside firm to appropriate steps to assure that they are conducting business
conduct background research to benefit from access to with reputable individuals and organizations and document
sources otherwise not available and to demonstrate these efforts.
independence in the vetting process. When vetting a
representative who has a high degree of contact with
government officials, or one located in a high-risk jurisdiction,
single-database resources will likely prove to be insufficient. Data Source Considerations
Similarly, public record resources in many countries may prove
• PEP/Sanction list
to be sparse and unreliable; instead, local resources may be Level 1
• Adverse media • Number of vendors
required for record retrieval and for human source inquiries
regarding the reputation and background of the subject. • Vendor activity
• Includes Level 1 research
Professional investigators may help lower the risk of • Identify website/media profile • Vendor contact with
overlooking important information and provide credibility that • Locate D&B government officials
the approval process was conducted independently of • Corporate registry check
Level 2 • Identify shareholders and directors • Known or prior
commercial interests. allegations
• Credit report
• Bankruptcy-civil litigation • Jurisdictional risk (CPI
Following up on red flags • Criminal records (to the extent score)
Finally, where the process does identify red flags, the company available)
• Industry risk
should perform additional diligence. As referenced above,
when companies have been put on alert by adverse or • Country-specific
• Discreet source inquiries
Level 3 common schemes
conflicting information, regulators expect resolution. • Includes Level 1 and 2 research
In many cases, resolving red flag issues may be as simple as an Figure 1
inquiry with the business partner for clarification. For example,
if a company self-discloses involvement in litigation, the [PEP: Politically Exposed Person]
company may want to inquire about the nature of the cases. [CPI: the Corruption Perception Index compiled by
Transparency International]
5
7. Closing thoughts
While the due diligence effort may lengthen the start-up time Deloitte Forensic Center
for a new business partner relationship, recent SEC and DOJ The Deloitte Forensic Center is a think tank aimed at exploring
judgments have demonstrated that failing to do so can have new approaches for mitigating the costs, risks and effects of
considerable negative financial and operational repercussions fraud, corruption, and other issues facing the global business
for companies seeking to conduct business internationally. It is community.
far better to proceed slowly, carefully, and thoroughly with
any new business relationship. The Center aims to advance the state of thinking in areas such
as fraud and corruption by exploring issues from the
perspective of forensic accountants, corporate leaders, and
other professionals involved in forensic matters.
The Deloitte Forensic Center is sponsored by Deloitte Financial
Advisory Services LLP. For more information, scan the code
below or visit www.deloitte.com/forensiccenter.
6
8. Deloitte Forensic Center
The following material is available on the Deloitte Forensic • E-discovery: Mitigating Risk Through Better Communication
Center Web site www.deloitte.com/forensiccenter or • White-Collar Crime: Preparing for Enhanced Enforcement
from dfc@deloitte.com. • The Cost of Fraud: Strategies for Managing a Growing
Expense
• Compliance and Integrity Risk: Getting M&A Pricing Right
Deloitte Forensic Center book:
• Procurement Fraud and Corruption: Sourcing from Asia
• Corporate Resiliency: Managing the Growing Risk of Fraud
• Ten Things about Financial Statement Fraud - Third edition
and Corruption
• The Expanded False Claims Act: FERA Creates New Risks
– Chapter 1 available for download
• Avoiding Fraud: It’s Not Always Easy Being Green
• Foreign Corrupt Practices Act (FCPA) Due Diligence in M&A
ForThoughts newsletters: • The Fraud Enforcement and Recovery Act “FERA”
• Internal Investigation Costs: Securing Elusive Insurance • Ten Things About Bankruptcy and Fraud
Coverage • Applying Six Degrees of Separation to Preventing Fraud
• The Tone at the Top: Ten Ways to Measure Effectiveness • India and the FCPA
• Visual Analytics: Revealing Corruption, Fraud, Waste and • Helping to Prevent University Fraud
Abuse • Avoiding FCPA Risk While Doing Business in China
• Anti-Corruption Practices Survey 2011: Cloudy with a • The Shifting Landscape of Health Care Fraud and
Chance of Prosecution? Regulatory Compliance
• Fraud, Bribery and Corruption: Protecting Reputation and • Some of the Leading Practices in FCPA Compliance
Value
• Monitoring Hospital-Physician Contractual Arrangements to
• Ten Things to Improve Your Next Internal Investigation:
Comply with Changing Regulations
Investigators Share Experiences
• Sustainability Reporting: Managing Risks and Opportunities • Managing Fraud Risk: Being Prepared
• The Inside Story: The Changing Role of Internal Audit in • Ten Things about Fraud Control
Dealing with Financial Fraud
• Major Embezzlements: How Can they Get So Big?
• Whistleblowing and the New Race to Report: The Impact of
the Dodd-Frank Act and 2010’s Changes to the U.S.
Federal Sentencing Guidelines
• Technology Fraud: The Lure of Private Companies
7
9. Deloitte Forensic Center
Notable material in other publications: • Whistleblowing After Dodd-Frank: New Risks, New
• Anti-Corruption Practices Survey Highlights Challenges Responses, WSJ Professional, May 2011
Facing Companies, Business Crimes Bulletin, January 2012 • The Government Will Pay You Big Bucks to Find the Next
• Execs Not Confident In Corporate Anti-Corruption Madoff, Forbes.com, May 2011
Programs, FinancialFraudLaw.com, January 2012 • Major Embezzlements: When Minor Risks Become Strategic
• 10 Ways to Measure the Tone at the Top, WSJ Threats, Business Crimes Bulletin, May 2011
Professional, January 2012 • As Bulging Client Data Heads for the Cloud, Law Firms
• So You Want to be a Multinational?, ChiefExecutive.net, Ready for a Storm, and More Discovery Woes from Web
December 2011 2.0, ABA Journal, April 2011
• Execs Lack Confidence in Anti-Graft Programs, Compliance • The Dodd-Frank Act’s Robust Whistleblowing Incentives,
Reporter, November 2011 • Forbes.com, April 2011
• Bounty Hunting: Will New Regulations Create a New • Where There’s Smoke, There’s Fraud, CFO magazine,
Incentive for Whistleblowers?, Perspectives (University of March 2011
Illinois), November 2011 • Will New Regulations Deter Corporate Fraud? Financial
• The Hidden Risks of Doing Business in Brazil, Agenda, Executive, January 2011
October 2011 • The Countdown to a Whistleblower Bounty Begins,
• Use of Third Parties’ Seen as Leading Source of Corruption Compliance Week, November 9, 2010
Risk, Ethikos, Sept/Oct 2011 • Deploying Countermeasures to the SEC’s Dodd-Frank
• High Tide: From Paying For Transparency To ‘I Did Not Pay Whistleblower Awards, Business Crimes Bulletin, October
A Bribe’, WSJ.com, September 2011 2010
• Executives Worry About Corruption Risks: Survey, Reuters, • Temptation to Defraud, Internal Auditor magazine, October
September 2011 2010
• Whistleblowing After Dodd-Frank — Timely Actions for • Shop Talk: Compliance Risks in New Data Technologies,
Compliance Executives to Consider, Corporate Compliance Compliance Week, July 2010
Insights, September 2011 • Many Companies Ill-Equipped to Handle Social Media e-
• Corporate Criminals Face Tougher Penalties, Inside Counsel, discovery, BoardMember.com, June 2010
August 2011 • Mapping Your Fraud Risks, Harvard Business Review,
• Follow the Money: Worldcom to ‘Whitey,’ CFOworld, July October 2009
2011 • Use Heat Maps to Expose Rare but Dangerous Frauds, HBR
• Whistleblower Rules Could Set Off a Rash of Internal NOW, June 2009
Investigations, Compliance Week, June 2011
8