Putting Together a Due Diligence Package
FCPA bloggers can be repetitive. We like to repeat important points. How many more times do we have to remind everyone of the importance of documentation?
In the interest of originality, I wanted to address documentation for a due diligence package of third-party agents. Every FCPA enforcement case involves deficiencies in the hiring and supervision of third-party agents. If a company has to prioritize its compliance program projects, third-party due diligence has to be at, or near, the top of its list.
For each third-party agent, I like to keep a file with complete documentation of the due diligence process. Nothing is left to word of mouth – everything is recorded with either handwritten notes, or preferably short and succinct memos.
As a first step, the company has to identify the third-party, explain how the third-party agent was identified or referred to the company, detail the services to be provided, and list all preliminary information known to the company. The company needs to identify the current and past countries and industries in which the agent is working or has worked in the past.
After all this information is gathered and documented, the company needs to conduct an open source intelligence check with a third-party intelligence provider. Most companies buy a license to such services and integrate such checks into their due diligence protocols. This check is a critical part of the due diligence inquiry and will identify any possible connections the proposed agent has with foreign government officials, any reports of prior corruption, criminal charges or civil enforcement matters, or any other facts relevant to assessing the reliability of the agent.
The initial third-party interview should follow a questionnaire which is adapted to include relevant issues. Any due diligence process must take into account new information as it is learned. An inflexible formula which does not take into account new issues is a recipe for disaster. The questionnaire should never be completed by the third-party agent but should be filled in by the company’s interviewer. The third-party agent should review the questionnaire and then sign it to verify the answers. Some companies conduct third-party interviews over the phone, given the cost of traveling to faraway places. It is preferable to conduct face-to-face interviews, but the company has to be practical.
A key part of the process which is often overlooked is obtaining and interviewing business references. These interviews and documentation can often ferret out questionable agents and provide important information to build a due diligence file.
Your file is now getting thick. Assuming that there are no significant issues, there need to be further discussions on the terms and conditions of a contract. The company needs to focus on a few issues – compensation, commissions, specific services to be provided, invoices, representations and warranties and audit rights. The negotiations do not need to be recorded unless some issues come up. Any written draft contracts, changes to written contracts and final contracts should be preserved.
The most important question is what exactly is the agent going to do for the company? This should be outlined in as much detail as possible. The more the agent does — the better. It is important to emphasize that invoices should include detailed descriptions of the services the agent provides. In a sense, the due diligence process has to detail the reason for paying the agent for his services. The more justification included in the file, the more defensible the hiring of the agent will be down the road.
The compensation package should be considered carefully. There is nothing wrong with commissions, there is nothing wrong with retainers, and there is nothing wrong with reimbursing agents for their expenses. Any package has to be justified as reasonable in the market. Extravagant commissions should be avoided as a self-inflicted red flag, but there is no hard and fast rule on commissions. Common sense is the company’s guidepost.
If the agent is unwilling to represent and warrant that he or she has not violated the FCPA, or will not do so in the future, that is not just a red flag, it is a Run Away red flag! The company needs to be realistic – the representation is more symbolic than anything else since it will rarely be enforced. It is a good test to see the third-party agent’s reaction.
The more difficult issue is audit rights. When I use that term, I mean not just the right to audit transactions between your company and the agent, but the right to audit the agent’s entire business operation. If I were an agent, I would never agree to such terms, much less any of the model provisions floating around which require the agent to keep such records for a period of five years. If the agent is willing to agree to this provision, that is a great sign. If not, the agent needs to explain the reasons for not agreeing to full audit rights. It is important to document that the company asked for full audit rights and the agent denied the request and provided various reasons.
This step-by-step outline, however, assumes that there are no significant issues or any red flags. If there are significant issues, a “deeper dive” due diligence may be needed. Again, the compliance market has numerous services, some of which have “boots on the ground” in various countries to gather more information. If possible, “boots on the ground” are always preferable to other services which are data collectors.
A detailed report may be necessary to confirm certain facts or negate allegations or suspicions. The crafting of the assignment and the report should be tailored to the specific risk issues identified. The company needs to be involved in this process and make sure that the report prepared by the investigative company is reviewed and finalized by the company consistent with the due diligence inquiry. The company should make sure that unsubstantiated or “stray” allegations of misconduct against the agent are not included in the report unless such information is corroborated.
In order to finalize the due diligence package, company officials need to review and approve the due diligence inquiry and the hiring of the agent. Each review step needs to be documented and reflected in the file. If follow up is requested, then it should be completed before moving up the ladder.
Before final approval, the company needs to include a review by counsel, preferably outside counsel. For routine reviews, the counsel’s memo does not need to be very long but it should include a statement that counsel has reviewed the entire file and finds that it is complete. The memo should include a general conclusion that based on all the facts contained in the file, counsel has not identified any significant risk of FCPA (and/or any other applicable law) violation, which would prevent the company from engaging the third-party agent.
With all of this information now in the file, the company is ready to proceed. Everyone can breathe a sigh of relief at the end for a job well done. For the company compliance officers, the work is just beginning – now they have to monitor the third-party agent’s performance.