While the need to conduct due diligence on international business partners is clear, there is no regulatory guidance specifying the depth to which companies need to investigate the background of third parties.  However, Securities and Exchange Commission (SEC) and Department of Justice (DOJ) judgments in Foreign Corrupt Practices Act (FCPA) cases in which U.S. companies have been fined for not performing sufficient due diligence on third parties indicate that a cursory approach will no longer suffice. Increasingly, companies will be expected to conduct a deeper, more systematic investigation of potential international business agents and partners that involves collecting information from the business partner, verifying the data and following up on identified red flags.

Common due diligence pitfalls

Actions filed by the SEC and DOJ reveal some common due diligence pitfalls that should be considered when designing an effective compliance program:

1. Failing to conduct timely and sufficient due diligence. Many companies fail to collect sufficient information on their overseas business partner, oftentimes relying on their own employees to complete internal documents without requiring the business partner to answer specific questions.  Companies should create a thorough due diligence questionnaire that obliges a business partner to attest to understanding anti-corruption regulations and controls. SEC and DOJ enforcement actions have cited situations where companies engaged business partners and conducted due diligence after the fact.  In one case,[1] the DOJ faulted a company for hiring a Taiwanese consultant and only obtaining a profile, which indicated the consultant had no relevant experience, two years after the fact.  In another case, court papers state that the company “did not conduct any formal due diligence regarding the … Agent's background, qualifications, other employment, or relationships with foreign government officials before or after engaging him.”[2]

2. Failing to adequately verify information provided by business partners.Verifying information that business partners disclose on questionnaires is a critical step; numerous SEC and DOJ enforcement actions have criticized companies for failing to do so.  In one case resulting from an enforcement action,[3] company officials prepared an internal approval document for a proposed agent in the UK that “contained false statements as to, among other things, the UK Agent's place of business (falsely stated to be Monaco) and number of employees (falsely stated to be four).”  The document was signed for approval by senior company officials, yet “none of the senior [Company A] or [Company B] officials who signed the document undertook any independent review or asked any questions concerning the UK Agent.” In a previously cited case,[4] the DOJ stated that a company official would typically request a Dun & Bradstreet profile after receiving internal documentation on a potential business partner and noted that the company official “made no effort, or virtually no effort, to verify the information provided by the consultant in the Consultant Profile, apart from using Dun & Bradstreet reports to confirm the consultant's existence and physical address.”  Also in a previously cited case,[5] the SEC noted that the company's attorneys knew that shareholders of a Gibraltar shell company that had received payments were held by two other offshore entities, yet the attorneys “never learned the identity of the beneficial owner[s] of the shares.”

3. Failing to act on identified red flags.The DOJ has also opined on the need for companies to act on risk factors identified during the due diligence process. In a case cited above,[6] the DOJ faulted a company for failing to follow up on what were considered obvious red flags identified when hiring a consultant in Honduras for work in the telecommunications industry.  

As stated in the case, the consultant's company profile, signed by the consultant and the U.S. company's area president, listed the consultant's main business as the distribution of “fine fragrances and cosmetics in the Honduran market” and the Dun & Bradstreet report on the consultant stated that the company was “engaged in cosmetic sales, house-to-house.”  The same case further states that “there was no requirement for the provision of information regarding conflicts of interest or relationships with government officials” and that “even where the Dun & Bradstreet report disclosed problems, inconsistencies, or red flags, typically nothing was done.”

Closing thoughts

While the due diligence effort may lengthen the start-up time for a new business partner relationship, recent SEC and DOJ judgments have demonstrated that failing to do so can have considerable negative financial and operational repercussions for companies seeking to conduct business internationally.  It is far better to proceed slowly, carefully and thoroughly with any new business relationship.

While the need to conduct due diligence on international business partners is clear, there is no regulatory guidance specifying the depth to which companies need to investigate the background of third parties.  However, Securities and Exchange Commission (SEC) and Department of Justice (DOJ) judgments in Foreign Corrupt Practices Act (FCPA) cases in which U.S. companies have been fined for not performing sufficient due diligence on third parties indicate that a cursory approach will no longer suffice. Increasingly, companies will be expected to conduct a deeper, more systematic investigation of potential international business agents and partners that involves collecting information from the business partner, verifying the data and following up on identified red flags.

Common due diligence pitfalls

Actions filed by the SEC and DOJ reveal some common due diligence pitfalls that should be considered when designing an effective compliance program:

1. Failing to conduct timely and sufficient due diligence. Many companies fail to collect sufficient information on their overseas business partner, oftentimes relying on their own employees to complete internal documents without requiring the business partner to answer specific questions.  Companies should create a thorough due diligence questionnaire that obliges a business partner to attest to understanding anti-corruption regulations and controls. SEC and DOJ enforcement actions have cited situations where companies engaged business partners and conducted due diligence after the fact.  In one case,[1] the DOJ faulted a company for hiring a Taiwanese consultant and only obtaining a profile, which indicated the consultant had no relevant experience, two years after the fact.  In another case, court papers state that the company “did not conduct any formal due diligence regarding the … Agent's background, qualifications, other employment, or relationships with foreign government officials before or after engaging him.”[2]

2. Failing to adequately verify information provided by business partners.Verifying information that business partners disclose on questionnaires is a critical step; numerous SEC and DOJ enforcement actions have criticized companies for failing to do so.  In one case resulting from an enforcement action,[3] company officials prepared an internal approval document for a proposed agent in the UK that “contained false statements as to, among other things, the UK Agent's place of business (falsely stated to be Monaco) and number of employees (falsely stated to be four).”  The document was signed for approval by senior company officials, yet “none of the senior [Company A] or [Company B] officials who signed the document undertook any independent review or asked any questions concerning the UK Agent.” In a previously cited case,[4] the DOJ stated that a company official would typically request a Dun & Bradstreet profile after receiving internal documentation on a potential business partner and noted that the company official “made no effort, or virtually no effort, to verify the information provided by the consultant in the Consultant Profile, apart from using Dun & Bradstreet reports to confirm the consultant's existence and physical address.”  Also in a previously cited case,[5] the SEC noted that the company's attorneys knew that shareholders of a Gibraltar shell company that had received payments were held by two other offshore entities, yet the attorneys “never learned the identity of the beneficial owner[s] of the shares.”

3. Failing to act on identified red flags.The DOJ has also opined on the need for companies to act on risk factors identified during the due diligence process. In a case cited above,[6] the DOJ faulted a company for failing to follow up on what were considered obvious red flags identified when hiring a consultant in Honduras for work in the telecommunications industry.  

As stated in the case, the consultant's company profile, signed by the consultant and the U.S. company's area president, listed the consultant's main business as the distribution of “fine fragrances and cosmetics in the Honduran market” and the Dun & Bradstreet report on the consultant stated that the company was “engaged in cosmetic sales, house-to-house.”  The same case further states that “there was no requirement for the provision of information regarding conflicts of interest or relationships with government officials” and that “even where the Dun & Bradstreet report disclosed problems, inconsistencies, or red flags, typically nothing was done.”

Closing thoughts

While the due diligence effort may lengthen the start-up time for a new business partner relationship, recent SEC and DOJ judgments have demonstrated that failing to do so can have considerable negative financial and operational repercussions for companies seeking to conduct business internationally.  It is far better to proceed slowly, carefully and thoroughly with any new business relationship.