Ten Requirements for an Effective Due Diligence System
The purpose of a due diligence system is not to identify and prevent the hiring of a third party who will commit bribery. To the contrary, no one can predict with accuracy who will commit bribery, unless they truly have mind-reading capabilities.
Instead, the purpose of a due diligence program is to build a documentary record that can protect the company from an enforcement action under the FCPA statute when a third party engages in bribery. With this perspective in mind, there are ten basic requirements for an effective due diligence system.
- Risk-Ranking: A due diligence program has to risk-rank third-party intermediaries so that the due diligence program does not treat all third parties equally. Some present a higher risk than others, and the system has to be designed to treat higher-risk candidates differently than lower-risk candidates. The risk-ranking factors are outlined in the FCPA Guidance and they provide a comprehensive set of factors that can be used, coupled with any additional factors that are industry-specific.
- Written Policies and Procedures: It is important to establish a written set of policies and procedures that are followed with respect to the initial hiring, renewal, monitoring and auditing process for third parties. The document should be comprehensive but not too detailed since several issues will be decided on a case-by-case basis.
- Business Justification: A company has to require a businessperson to “sponsor” a proposed third party. This information is critical for answering the questions of how the company learned of the third party, what services the third party will provide, and the reason for hiring the third party rather than providing the services itself through internal expansion.
- Open Source Intelligence Screening: A company has to use an open source intelligence screening service to check the third party and its owners against databases that collect adverse information, prior corruption allegations, civil and criminal prosecutions and other important relationship information. There are many alternatives but the system has to be efficient, minimize false positives, and be easily accessible for company staff.
- Questionnaires and Reference Checks: Everyone has their favorite draft questionnaire – they always claim theirs is the best. Some questionnaires are too complicated and unworkable. It is important to maintain focus. Why is the information needed? What will the information tell you? The questionnaire should be provided electronically to minimize the burden – technology has made it easier and companies have to take advantage of technology. The questionnaire should include references.
- Due Diligence Investigative Services: Websites are filled with advertisements and claims by third-party due diligence services. There is no question that due diligence services are needed to provide adverse media searches, local investigations and reputational evidence. The difficult questions are when to use such services and which ones to hire. The industry is moving fast in this area; information is becoming critical to corporate decisions on due diligence candidates. Some companies are stronger in certain regions, and others pride themselves on customer responsiveness. It is an important decision and one that requires careful soul-searching and ultimately, comfort with the company.
- Enhanced Due Diligence: For important relationships that require in-depth due diligence, outside counsel should be used for investigation and resolution. These due diligence reviews are difficult and often present serious risks. They should be reserved for the critical third-party reviews.
- Comprehensive and Creative Written Contract Procedures: Too often companies do not approach the issue of drafting a contract as an important step in the due diligence process. It is the most effective way to reduce risk and demonstrate a company’s good faith attempt to ensure compliance with the FCPA. Specific contractual provisions should be drafted to respond to specific risks or concerns.
- Documentation and Advice of Counsel: A due diligence program should be fully documented. Tom Fox has emphasized this point repeatedly, and rightfully so. If it is not documented, it did not happen. Similarly, due diligence requires advice of counsel – an extra layer of protection for every company so that it can argue to the DOJ and/or the SEC that it sought advice of counsel on a due diligence issue, and relied on that advice of counsel when making its good-faith decision.
- Monitoring and Auditing: DOJ and SEC have seen improvements in every company’s due diligence programs. The next issue they are certain to emphasize is how the company monitored its third parties and how the company used its audit rights to ensure compliance. This is the new cutting-edge issue and one that demands careful thought and design.