Due Diligence Basics – Beneficial Ownership
I hate to be the harbinger of bad news; that is against my nature; I am naturally an optimistic person. As I always say, there are solutions to every problem.
Many companies have responded to third party risks and built effective risk management programs. It is perhaps one of the most significant changes in the compliance landscape – third parties create significant risks and companies have responded to the risks by designing effective risk management systems.
Frankly, companies have come by it honestly. One-by-one we followed companies settling FCPA enforcement actions where corrupt third parties were used to funnel bribes to government officials for lucrative contracts or elimination of regulatory impediments.
I do not want to diminish the compliance commitment or the accomplishments of corporate compliance programs that review potential third parties before engaging them, that monitor the third parties after they are on boarded, and that subject a number of them annually to audits.
But … and here comes the but . . . I have one basic question – do you know the beneficial owners of the third party entity? If the answer is yes, we can wipe our brows and collectively sigh, “whew” (dodged that bullet).
Let me pose a common scenario – When conducting initial due diligence of a third party entity, XYZ LLC, a privately-owned company operating in Angola, did you conduct due diligence screen of XYZ LLC, or did you ask and verify the information concerning the natural person who owned XYZ LLC? If you did not, your due diligence is on its face defective.
If you identified and verified the individuals, did you make sure they were not nominees but the true owners? If you did, “whew;” if you did not, yikes! Houston, we have a problem.
I have labeled this the year of beneficial ownership, and it should infuse every aspect of understanding with whom you are doing business. The risks are evident and cross a number of issues: legal risks such as corruption, AML, and sanctions, and reputational risks – a company should always know with whom it is conducting business. This is a basic requirement in the compliance world, and companies have to double check that they can answer this question in the affirmative.
However, we can all agree that not all risks are the same, and identifying beneficial owners may not be as important in some contexts as in others.
In the FCPA context, a company has to identify the verify the beneficial owners of a third party to determine whether there is a foreign government owner who may have a hidden interest as a way to earn illegal bribes. The fact of the ownership interest – however small – could be critical rather than the size of the ownership interest. So, for example, a 5 percent ownership interest could create significant risks.
In the sanctions context, the inquiry is a little different. Under the attribution rules for OFAC, an entity that is owned 50 percent or more by a prohibited person or entity or combination of prohibited persons or entities is considered a barred entity itself. If a prohibited individual owns only 20 percent of another entity, and the other owners (80 percent) are not prohibited SDNs, then there is little risk that you may violate the OFAC prohibition, even assuming the 20 percent owner is an SDN. Notwithstanding that concern, however, it is still good to know whether the 20 percent owner of any entity is an SDN for purposes of managing the reputational risk, as well as possible OFAC risks should the SDN increase its ownership interest or assert control through some other means of the entity with which you are doing business.
The permutations of possible risks are endless. In general, it is imperative to know from a legal and reputational perspective the identities of all persons with whom you are conducting business. Given the myriad of risks, and the possible consequences, digging a little more on due diligence to beneficial owners is a basic requirement for any third party risk management system.