Is it necessary to conduct due diligence on clients, and if so, how? I have been asked this question frequently over the past few months.
Conducting due diligence on third parties who work for or with the company is manifestly necessary and useful. If the third party represents a corruption risk, the risk can be mitigated with anti-corruption clauses, modifications to working conditions, anti-corruption training, more intensive monitoring or by demanding audit rights and subsequent controls.
Does conducting due diligence on clients make as much sense? If they present a risk of corruption it will be difficult if not impossible to demand their written commitments to integrity, impose corruption prevention training, or exercise the right of audit and control.
Despite these difficulties, it is useful, and sometimes mandatory, to conduct due diligence on clients: it is a requirement of the ISO 37001 standard, an obligation under the SAPIN II law in France, and a recommendation of the US Department of Justice.
In the ISO 37001 standard, clients are considered business associates
At various points, the standard refers to Business Associates, particularly as they relate to any corruption risk to which they may expose the company. The standard defines Business Associates as any “external party with whom the organization has, or plans to establish, some form of business relationship.”
The standard specifies: “Business associate includes but is not limited to clients, customers, joint ventures, joint-venture partners, consortium partners, outsourcing providers, contractors, consultants, sub-contractors, suppliers, vendors, advisors, agents, distributors, representatives, intermediaries and investors. This definition is deliberately broad and should be interpreted in line with the bribery risk profile of the organization to apply to business associates which can reasonably expose the organization to bribery risks.”
The standard goes on to qualify that “Different types of business associate pose different types and degrees of bribery risk, and an organization will have differing degrees of ability to influence different types of business associates. Different types of business associate can be treated differently by the organization’s bribery risk assessment and bribery risk management procedures.”
The obligation to carry out due diligence on clients contained in the French SAPIN II law
Article 17.II.4 of the SAPIN II law, whose anti-corruption provisions entered into force in June 2017, requires companies “to evaluate their clients, first tier suppliers and intermediaries taking into account the corruption risk mapping,” the risk mapping itself being required under article 17.II.3.
Under SAPIN II, therefore, companies must conduct due diligence on clients to identify potential corruption risks. As with due diligence on any other party, the due diligence designed for clients must be risk-based: its depth follows from the risk mapping rather than being identical for every client.
Identifying risks associated with clients: a recommendation from the US FCPA Resource Guide
From as early as 2008, the Opinion Procedure Release (OPR 08-14) issued by the American authorities identified the potential risk of working with public clients and recommended that due diligence be carried out on these entities.
Later, in 2012, Chapter 5 of the FCPA Resource Guide reiterated the recommendation that companies have a clear understanding of the corruption risk associated with public or private clients.
In the same chapter, the “Risk Assessment” section addresses the issue by recommending a graduated approach to due diligence depending on the level of risk: “Performing identical due diligence (…) irrespective of risk factors, is often counter-productive (…) As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits.”
How should these graduated risk analyses be organized?
Three types of client: three levels of risk
It is accepted practice to distinguish three types of commercial interaction: with administrations (BtoA), with other companies (BtoB), and with individual consumers (BtoC). This breakdown is particularly useful when evaluating corruption risk, because each type carries a different level of risk.
The client is an administration: high risk
The risk must be considered high when the client is an administration, not only because sanctions for corruption of a public official are often more severe at both the national and international levels, but because the intrinsic risk of corruption is high in these transactions.
An administration’s budget is allocated from funds raised through taxation. Public officials often enjoy a job for life once hired, even if the administration runs a major deficit. Control of public expenditure is therefore, in practice, far less rigorous than in the private sector, and sanctions are rare. In addition, collusion between members of the administration and the political elite can lead to opaque financing of political parties or politicians.
For these reasons, companies with public administrations as clients must treat those transactions as high risk. The risk can be weighted using country indicators such as the Transparency International Corruption Perceptions Index (TI CPI), which gives an indication of the socio-political environment and the likelihood of corruption.
The client is a company: medium risk
When the client is a company, the corruption risk is considered medium: not because the opportunities for corruption are fewer than in the public sector, but because the client company has a vested interest in preventing corruption in its own supply chain.
The economic objective of a company is to generate profit, and profit is generated in large part by the difference between the price at which the company purchases goods and services and the price at which it sells them. It is therefore in the company’s interest to control its purchasing spend very strictly. If one of its buyers is corrupted by a supplier, the company is no longer purchasing at the best price, which is why purchasing transactions are tightly controlled to protect the company’s competitiveness. Corruption between two companies is thus possible, but harder to carry out than a corrupt transaction with an administration.
This constant vigilance of purchasing companies over corruption prevention makes the risk in relations between two private companies medium. The risk can be weighted with other criteria: the country risk referenced earlier (TI CPI), or the complexity of the transaction. If the client is a public enterprise, its governance and function must be examined to decide whether it should be treated as an “administration (BtoA)” or a “company (BtoB)”; the distinction matters because, under the FCPA for example, employees of a state-controlled entity may be treated as foreign officials.
The client is a consumer: non-existent risk
If the client is a consumer, the risk in the sales relationship itself is non-existent.
For an act of corruption to occur, there has to be the possibility of a conflict of interest between the individual and the organization he or she represents. This possibility exists in BtoA and BtoB transactions, where the buyer acts on behalf of an administration or a company. It is absent in BtoC, where the consumer acts only on his or her own behalf.
This does not mean that a company which sells exclusively to individuals runs no corruption risk at all. It simply means that there is no risk of active corruption in its sales operations. The company could still run risks in its dealings with administrations on fiscal, regulatory or permit issues. It could also run the risk of passive corruption within its own supply chain, where its own buyers might accept bribes from suppliers.
Due diligence on clients: what are the consequences for the company?
The due diligence that a company conducts on third parties working for or on its behalf will allow a corruption risk assessment which will, in turn, help the company determine an appropriate contractual relationship and the ways in which the two parties will work together.
A company’s due diligence on a client, on the other hand, serves an entirely different purpose. The company has little or no influence over the way it will work with the client, particularly if the client is a public administration with the authority to impose its own conditions.
However, the risk identified during due diligence on clients enables the company to design prevention procedures that are more or less robust depending on that risk. If the company’s client is a high-risk administration located in a country graded poorly on the TI CPI, the company will have to demonstrate that it made its best efforts both before and after the transaction, to a far greater degree than if it were contracting with a company known for its ethical practices in a well-ranked country.
Whether for third parties or for clients, the company must carry out risk-based due diligence, keeping in mind that the consequences differ. In the first case, prevention procedures are directed at the third parties; in the second, at the company itself.