Why should due diligence be conducted on third parties?
Companies which conduct business overseas face growing legal and reputational risks. Those risks have become even more important because of increasingly complex business regulations worldwide, mounting pressure from regulators, enforcement agencies and civil society, and a dramatic increase in levels of business carried out in higher risk jurisdictions.
Since the 1990s, international organizations have sought to develop a number of standards and internal controls to ensure compliance by their employees with various regulations – typically health and safety or employment law.
However, those systems are usually limited to employees and affiliates of an organization, rarely its third parties. Because many risks can be “imported” through a relationship with a third party, inevitably some checks – due diligence – should be carried out on third parties and their business prior to entering into a contract with them.
In the field of anti-corruption in particular, due diligence obligations on third parties have recently expanded in the wake of various laws, such as the UK Bribery Act. We will focus on this area.
For a long time, anti-corruption legislation was limited to the prohibition of domestic bribery (whether public or private). A second generation of legislation arose worldwide over the last decade relating to overseas corruption, mainly because of the 1997 OECD Convention.
Under most of these laws, corporate criminal liability can be triggered when the bribe is paid by/through a third party. Companies are therefore incentivised to look into the details of transactions and their related third parties, in order to identify and avoid the risk that third parties could bribe on their behalf. In the recent Panalpina case, six clients of a freight forwarder, Panalpina, were fined more than US$ 150 million for bribes allegedly paid by Panalpina on their behalf to speed customs clearance – a strong incentive to review third-party-related risks.
Over recent years, a third generation of anti-corruption legislation has emerged – where companies are required to actively prevent corruption risks. In some cases, the failure to adopt and implement adequate procedures to prevent bribery becomes in itself a new source of corporate criminal liability – as under the UK Bribery Act, Swiss or Italian law. Similar incentives can be found under the US Federal Sentencing Guidelines (reduction of fines) or the Integrity Compliance Guidelines of the World Bank (reduction of debarments).
Most of these new systems impose detailed anti-corruption compliance standards, including the need to conduct properly documented, risk-based due diligence on third parties. Therefore the failure to carry out due diligence can now result in criminal liability.
On which third parties should due diligence be conducted?
In recent years, international organizations have sometimes conducted due diligence on third parties which pose the highest risk – the proverbial marketing consultant or sales agent hired to win new business in high risk jurisdictions. Clearly, the scope of due diligence must now be wider.
However, approaches vary as to which third parties should undergo due diligence. For instance in the case of the UK Bribery Act guidance, due diligence must be conducted on “associated persons”, which are entities or individuals performing “a service for, or on behalf of” the relevant corporate body, including employees, subsidiaries or agents. Therefore, the definition of third parties could be limited to persons performing services. However, one must be careful to define which transactions involve the performance of services. Some contracts that relate mainly to the supply or manufacture of goods can include some ancillary services – such as customs clearance or a relevant licence – that could in turn become a potential source of liability…
Similarly, contracts that relate to the transfer of assets or rights – such as the acquisition of a company or the purchase of land – can also trigger the need for due diligence, where there is a clear risk that such assets (e.g. the business developed by a company) or such rights (e.g. a building permit) could have been obtained by the seller through bribery.
The discussion above has focused on the risk of “active” corruption (paying bribes) – because there is generally no corporate liability where a company’s employee has been bribed. However, some companies also use their review process to identify risks related to passive corruption (receiving bribes), where the third party could be bribing the company’s employees. Indeed, companies that are victims of passive corruption, whether in their supply chain or sales stream, not only suffer a financial prejudice, but may also attract the attention of the authorities, as such incidents can reflect poorly on an organization’s controls.
In any case, a number of international organizations that already carry out checks/audits on the third parties in their supply chain – often focusing on environmental or employment law issues in risky jurisdictions – can use those existing processes to mitigate their exposure to passive or active corruption risks.
What level of due diligence should be conducted on a third party?
Everything must of course be risk-based. As with most other anti-corruption measures, due diligence must be proportionate to the risks posed by the third party, its location or the type of transaction/business contemplated.
If it has not been done already, the first step is to carry out a risk assessment – to identify which corruption risks the company is exposed to, where, and which of those risks arise through third parties. The next step, on the basis of the risk assessment, is to categorize types of third parties and/or related transactions by level of risk, in order to determine the appropriate level of due diligence to be conducted. This categorization is generally based mainly on the location and nature of the proposed transaction with the third party.
The place where the third party is located or where the transaction is to take place is highly relevant, as there are jurisdictions where corruption is so endemic that it can contaminate a large number of otherwise non-risky transactions. For instance, in high risk jurisdictions, even if the third party is a branch/subsidiary of a reputed international group with good anti-corruption controls, some weight should be given to the inherent risks of the location – cultural aspects, poor law enforcement – and some form of due diligence should still be carried out on the “local components” of the third party. Most companies divide the countries in which they operate into two or three levels of risk.
Similarly, the nature of the proposed transaction, its size, or even the related potential margin/profit are elements that can all help assess the level of bribery risk and corresponding verification needs.
In essence, a risk-based categorization will enable the determination of which level of risk and due diligence – generally three or four – a proposed transaction falls into, whether it is, say, a lobbyist in Asia or a customs agent in the USA.
Which are the other main principles of due diligence?
Since due diligence must be risk-based, the sources of information about the third party will vary according to the level of risk and due diligence. For the lowest-risk transactions, the procedures generally require either no review or a simple desktop review. For medium risks, in addition to the company’s own review, the third party is often required to complete a questionnaire and sign a certification form. For the highest-risk transactions, external risk consultants are often asked to prepare screening reports or investigate specific issues. Embassies, chambers of commerce and industry associations are sometimes consulted.
In terms of content, due diligence is mainly focused on two axes: due diligence on the third party, and on the proposed transaction. The level of detail of the questions will naturally depend upon the level of due diligence required.
The questions and answers will identify potential red flags that indicate specific risks and what should be the corresponding response: from additional due diligence or enhanced controls to the avoidance of the third party or the transaction.
Regarding the third party, due diligence can cover: its identity and that of its owners or key officers, potential conflicts of interest, its reputation and more generally its compliance – past incidents and own anti-corruption systems.
Regarding the transaction, most of the due diligence is centred on the nature of the services rendered, the qualifications of the third party, the price evaluation and structure, the use of sub-third parties, and how the third party’s effective implementation of the contract can/will be monitored. Another important principle for due diligence is to separate the person requesting the transaction, the person carrying out the due diligence, and the person ultimately authorizing the transaction.
Also, it is key to keep good written records/files of the work carried out through the due diligence process, as this is evidence of the company’s reasonable endeavours – which an authority may request in case something goes wrong. It is also advisable to keep the records of due diligence that led to the rejection of third parties or transactions – as it can help to demonstrate the efficacy of the process.
Do you have practical examples of due diligence that can be carried out in relation to a commercial contract?
As mentioned earlier, due diligence must be carried out both on the third party and on the proposed transaction. Naturally, where the due diligence on the third party has already been carried out in the course of a former transaction, and provided the information is up to date, the verifications can then be focused on the new proposed contract.
Due diligence on the third party may include questions on:
- the identity of its direct and/or indirect owners/shareholders, as well as its main officers and directors, to identify potential conflicts of interest or connections with relevant public bodies, public officials, or current or prospective clients;
- the third party’s general business track-record, reputation and experience;
- relevant past incidents, investigations or convictions related to the third party and its officers, directors, employees – at least in the field of corruption and fraud;
- gifts or entertainment the third party may have recently offered to the company’s employees or relevant public officials, or clients or prospects;
- the third party’s possible own anti-corruption systems, such as the existence of a code of conduct, relevant policies and procedures on issues such as gifts and entertainment or their use of third parties, employee training, reporting/whistleblowing lines.
Due diligence on the proposed transaction may include questions on:
- whether a third party is required at all: one can look at whether the services proposed could be dealt with internally rather than through an intermediary – or whether the third party’s presence or services are mandatory under the law, as in situations where bidders are required to appoint a local agent or defendants a local lawyer;
- how the third party was identified and selected – whether competitors were considered or conversely whether the third party was imposed or suggested by a public official, a client or prospective client;
- the exact nature of the specific services proposed, to analyse if the provision of the services involves direct interaction with any public official, current or prospective client and define the corresponding bribery risks and what measures should be taken in response – in the case of general consultancy services, which deliverables and timeline are proposed, in order to monitor them;
- the third party’s qualifications to deliver the specific services proposed;
- the amount and nature of the price/consideration – whether it is success-based or not, whether it is a reasonable market price or conversely whether it is inflated or contains a significant margin that could be used by the third party to bribe someone on the company’s behalf;
- payment terms, in particular whether it is to be made to someone other than the third party or to an offshore bank account;
- whether the third party intends to use other third parties to perform its obligations.
Do you have practical examples of due diligence conducted in the course of more structural transactions such as M&A or the formation of joint ventures?
In M&A or JV transactions, the scope of due diligence is slightly wider than in the case of commercial contracts. Indeed, there are two main aspects: due diligence on the history of the business acquired or transferred; and due diligence or controls on the future of the acquired or combined business.
With regard to the past, one will verify that the business acquired from the seller, or the business transferred to the JV by the business partner, has been obtained lawfully. Indeed, a number of checks can help ensure that any licenses, authorizations, contracts, concessions or assets/lands have not been obtained through bribery. Those checks will relate to the identity of the parties to the underlying contracts or licences and of the individuals involved, to check for conflicts of interest between the seller/partner and public officials or relevant clients. Other checks can relate to the use of intermediaries by the seller/partner or to any problems encountered in the implementation of the contract. When acquiring a business posing a high risk, a number of more sophisticated audits or controls can be run in particular through the financial data of the business sold or transferred, with the help of a forensic accountant.
Also, more generally some due diligence should be focussed on the seller/shareholders in M&A or the partner in the JV. One aspect is to investigate any incidents or investigations that might have taken place – and understand how any of those incidents have been dealt with. A second aspect is to review the acquired company’s, the seller’s or the partner’s own anti-corruption systems, as they will enable a better assessment of whether there could be hidden risks, such as that the business acquired is unethical or lacks adequate procedures. That can obviously have an impact on the negotiation of the price or the representations and warranties.
With regard to the future of the acquired or combined business, a number of steps may need to be taken to upgrade the acquired company’s compliance program or to build one for the new JV. In the case of a JV it will be very important to continue the due diligence post-signing, by continuing to monitor the business partner and its involvement/role in the JV.
M&A/JV due diligence should be carried out by specialised in-house and/or external lawyers, given the complexity of some corruption schemes and the sensitivity of the issues. In the course of international transactions, sophisticated acquirers can ask questions or request information that can be very intrusive – requests that could even raise issues under other laws, such as competition law.
It is frequent that anti-corruption due diligence in the course of M&A/JVs is split in various phases: pre-signing, pre-closing and post-closing. For instance, when Kraft acquired Cadbury following limited pre-acquisition due diligence, a robust and dense post-acquisition due diligence programme was conducted over a few months in order to identify any problems and disclose them to the authorities and mitigate Kraft’s liability as successors.
Which other due diligence should be conducted once the third party has been appointed and the transaction entered into?
The process indeed does not stop with the approval/selection of the third party, as it is only then that it becomes an “associated person” to the company. Until the transaction or the relationship is over, a number of checks may need to be carried out. For instance, in the case of high-risk consultancy services, it is necessary to monitor the effective implementation of the contract and the timely provision of all the agreed deliverables. On long term contracts, it is important to make sure at, say, yearly intervals that information on the third party is up to date, for instance that changes in the ownership or directorship of the third party do not raise new conflicts of interest issues.
Most of the due diligence carried out post-signing/closing will depend upon the nature and extent of the anti-corruption audit rights that have been agreed in addition to the usual representations, warranties and termination rights. Audit rights have sometimes become as intrusive as pre-signing due diligence information requests, including access to the third party’s books and records. But once those rights have been obtained, one must be careful to effectively exercise them on the third party, as otherwise such failure could backfire on the company in case of an incident of bribery.
22 March 2012