Dow Jones Due Dilligence e-book FINAL by Nikolay Zyryanov

t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t e lli g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n

e-Book

• C o m p l i a n c e • I n t e ll i g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e

lli g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e

n c e • Sa n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e • Sa n c t i o

- M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e Sa n c t i o n s • A n t i - M o n e y L au n d eri

Implementing a Robust Due Diligence Program

tc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i

u p t i o n • Ris k • C o m p l i a n c e • I n t e ll i g e n c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k

l i a n c e • I n t e lli g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t ell

• D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en

n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e •

A Step-by-Step Guide

Sa n c t i o n s • A n t

e y L au n d eri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g

h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o

By Charles Thomas

o n • Ris k • C o m p l i a n c e • I n t e ll i g e n c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o

Head of Due Diligence, Dow Jones Risk & Compliance

e • I n t ell i g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t elli g en

D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e Sa n

s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e

d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h

A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i

k • C o m p l i a n c e • I n t e ll i g e n c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c

e ll i g en c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u

n c e • Sa n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o

t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n

n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is

t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t e lli g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • C o m p l i a n c e • I n t e ll i g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e

lli g e n c e • D u e D i l i g e n c e Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i

e • Sa n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e • Sa n c t i o n s

o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri

u p t i o n • Ris k • C o m p l i a n c e • I n t e lli g e n c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k i a n c e • I n t e lli g e n c e • D u e D i l i g e n c e •

Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t ell

n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t

Implementing a Robust Due Diligence Program A Step-by-Step Guide by Charles Thomas, Head of Due Diligence, Dow Jones Risk & Compliance

Contents Part One: Preparing A Due Diligence Strategy Introduction.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 What is Due Diligence?.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 How Does Due Diligence Fit into the Prevention of Bribery?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Carrying Out a Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Preparing a Due Diligence Strategy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 operationalizing the Strategy.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Part TWO: Carrying out Due Diligence Introduction.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Who, what, when: the basics.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Where: Location Matters.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 How to Do It: Carrying Out Due Diligence.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Resolving Red Flags.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Conclusion: Trust, but Verify.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Part One: Preparing a Due Diligence Strategy

Implementing A Robust Due Diligence Program |

Part One: Preparing A Due Diligence Strategy Introduction

“

“More than half of companies have delayed or avoided working with global business partners because of concerns about corruption.”

”

Due diligence is a vital tool in the prevention and discovery of

It is important to get a good, robust, companywide frame-

corruption. The UK Bribery Act makes it urgent for companies

work in place to handle due diligence. Failure to comply with

to use that tool as efficiently and effectively as possible. Yet in

legislation like the Bribery Act or the U.S. Foreign Corrupt

a recent survey*, while almost three quarters of respondents

Practices Act can cost hundreds of millions of pounds or

said they have anti-corruption programs in place, nearly half

dollars in fines. But an inability to deal with the issue can

said they lack confidence in their due diligence processes.

also harm business in other ways: according to the survey, more than half of companies had delayed or avoided work-

Both the Act and the government’s guidance make specific

ing with global business partners because of concerns about

reference to due diligence and its importance. But it isn’t

corruption.

always clear how to create and operationalize a strategy. This report sets out one view of how to use due diligence to help

Due diligence doesn’t imply a lack of faith in your partners,

your company navigate the risks that bribery and corruption

employees or agents. As the old saying goes, “Trust, but

pose to all companies. The first section explains the back-

verify.” This guide will help you understand how to assess and

ground and the thinking behind applying due diligence, and

plan what is appropriate, and what to do with the results. It is

the second explains how to execute it. The recommendations

aimed at management, risk and compliance staff, and others

in this report should be taken in conjunction with legal advice

who face the task of operationalizing a response to the threat

on appropriate steps for your specific situation.

of corruption.

* Dow Jones State of Anti-Corruption Compliance Survey 2011

3 | Part One: Preparing A Due Diligence Strategy

Implementing A Robust Due Diligence Program

What is due diligence?

“ ”

“Due diligence means looking for evidence and responding to it.”

Due diligence is a way of assessing the risks involved in

with investigations of mergers and acquisitions, and then

dealing with a person or entity by surveying the available

with a more general approach: checking the bona fides

evidence. It goes beyond your own internal opinions or

and backgrounds of people and companies before and

data to what is available elsewhere, so that you can form

during business.

an evidence-based view on whether to proceed with a relationship. What is available will depend on where you are

The “diligence” part implies work: due diligence means

and what you deem appropriate.

looking for evidence and responding to it. This can be done internally or it can be contracted out, depending on the

The term derives from a defense in U.S. securities litiga-

resources available and the risks involved. The “due” part

tion, implying that those offering securities had done what

means that there is a limit to this work: you are seeking

was appropriate to identify their risks. While it was initially

what is appropriate – no less, but equally no more.

limited to public offerings of equities, it became associated

Part One: Preparing a Due Diligence Strategy

Implementing A Robust Due Diligence Program |

How Does Due Diligence Fit into the Prevention of Bribery?

“ ”

“Due diligence might cover agents, employees, partners or others associated with a deal.”

The Bribery Act 2010 Guidance issued by the UK Ministry of

• Risk Assessment: Any company that is at risk from corrup-

Justice specifies six steps companies need to refer to when

tion needs to research the markets it operates in and the

they consider whether they have adequate procedures in

people it deals with: is there evidence that they are prone

place to prevent bribery in their organization or by the people

to corruption? Is the transaction under consideration a dif-

who operate on its behalf. Any due diligence strategy needs to

ficult or complex one? Due diligence forms an important

be thought of in this context. These steps would be significant

part of this stage: it helps you to understand who you are

if a case came to court, so it is worth taking a longer look at the

dealing with.

Ministry’s guidance. Here is an abbreviated sketch:

• Due Diligence: This section of the guidance sets out how

• Proportionality: First, companies need to assess the brib-

the Ministry of Justice sees the role of due diligence, and

ery risks they face and the size of their business. What sort

what it believes should be done. Due diligence might

of company is involved, how large and in what sector? This

cover agents, employees, partners or others associated

will help to influence what steps are taken, including in the

with a deal.

field of due diligence. • Top-Level Commitment: Companies need to show through communications, training, education and action that they do not tolerate bribery.

• Communication: Companies need to explain policies and procedures to staff and others. • Monitoring and Review: Policies, procedures, assessments and due diligence should be kept up-to-date, and checked on periodically.

5 | Part One: Preparing A Due Diligence Strategy

Implementing A Robust Due Diligence Program

Carrying out a Risk Assessment A first step before taking on a due diligence strategy is to carry out a risk assessment of your company. Are you a large, high-risk company or a smaller, low-risk company? Each would align with a different strategy for due diligence: more or fewer checks, and more or less depth. Your risk profile is a function of how big you are and the risks you face. It is a qualitative issue, but try asking these questions and using them to build a profile: The company and the background

The project, people and place

• How big is your company – one of the UK’s or world’s top 100? 500?

• What country are you working in? Is it more corrupt than others? The 2010 Corruption Perceptions Index shows that nearly three quarters of the 178 countries in the index score below five, on a scale from 1 (highly corrupt) to 10 (highly clean).

• Are you one of the largest in your sector in the world or in the UK? • What sector are you in – is it associated with a risk of corruption? • How high is your profile – were you in the media often last year? • Are your clients (or their clients) sometimes in government, or is the sector highly regulated?

• Have others in the same sector been prosecuted for corruption offenses? • Have you ever had a problem with corruption or other forms of fraud?

• Are cash payments sometimes or often part of your business?

• Is the project you are working on engaging with government, or governmentlinked companies, or with companies that have government for clients? • Are counterparties, partners or clients in high-risk sectors?

• Are you represented by sales agents or other third parties? • Is your organization relatively simple and centralized or complex and decentralized?

• Have you worked in this country before? Do you have specialists in the country on staff, and do you or senior management understand the language and culture?

• Are cash payments more common in the country you are working in? • Do you have your own staff involved in the project or do you use sales agents, contractors or other third parties?

There is no way of listing all the aspects that need to be considered. Use internal staff, directors, legal advisers, risk consultants and others to help fill out an appropriate approach, and remember that you can’t cover every eventuality – but you can get a good framework in place.

Part One: Preparing a Due Diligence Strategy

Implementing A Robust Due Diligence Program |

Preparing a Due Diligence Strategy

“

“An intern carrying out a Web search is neither ‘due’ nor ‘diligence.’ You need access to comprehensive, reliable, usable data.”

”

Because due diligence needs to align with the rest of the Bribery Act, as well as with other corporate obligations, it is important to have a strategy for carrying it out – one that covers all the necessary areas. These are some useful elements to cover in your company’s preparations, based on your findings from the risk assessment: • Governance and management: Who is responsible for

• Purpose of review: What are you looking for when you con-

overseeing due diligence, who carries it out, and what

duct a review? Due diligence is aimed at discovering areas

people and resources are available? Senior management

of risk in the people and companies you deal with. So key

needs to be involved. This can’t simply be left to the most

red flags might be evidence or suggestions of previous

junior member of staff or left unattended. Management

attempts to bribe; links to government, officials or entities;

needs to agree to the strategy, allocate resources and

or suggestions that people or companies are not quite what

people, and commit to reviewing results. Provide enough

they seem. Lack of information on someone can also be a

time to get the work done – this will depend on factors like

red flag. Remember that a “red flag” just means there are

who is being assessed, where and for what. And remem-

issues to assess and more questions to answer, not that

ber that access to information will not always be free: set

someone is necessarily guilty of some offense.

a budget and think about information resources. An intern carrying out a Web search is neither “due” nor “diligence.” You need access to comprehensive, reliable, usable data. Also consider if this is something better given to an outside provider.

7 | Part One: Preparing A Due Diligence Strategy

Implementing A Robust Due Diligence Program

“

“Look at suppliers of more advanced research services to help make the search more cost-effective and comprehensive.”

”

• Choice of subject: Who will be subject to review? Often,

operational staff in the field. You may also want to involve

sales agents and vendors are the main areas of concern,

business development or sales if clients are one of the main

since they are involved in sales processes and may also

areas of concern, and procurement if vendors are an issue.

be involved in payments to others. You may wish to look at

Getting all areas of the business involved means that you

partner organizations and potential acquisitions. In some

have a broader understanding in the company of what is

organizations, it may be appropriate to ensure that staff

being done, why, and how.

have been appropriately screened.

• Sources: What information can you get internally or from

• Timing of due diligence: At what point will you examine,

the third parties being assessed? You probably already

say, clients or sales agents? Depending on your scale and

have information on the person or company you are look-

organization, it may make more sense to do a basic check

ing at: internal records, or data they have submitted to

ahead of a discussion with a potential sales agent, and a

you. If there are no legal obstacles, this is a good place

more in-depth examination before taking them on. Will you

to start with any assessment. You may well have name,

review screening annually or less often? And what will you

addresses, company registration information and other

do about agents, vendors, partners, etc., that are already

public data. But you will also need access to other informa-

on the books?

tion resources, which are likely to go well beyond what you

• Communication and involvement: Which groups within your company need to be involved in the strategy? It may be that you decide that legal or compliance departments own the process. But they will probably need to cooper-

can get from the Internet. Choose a reputable, comprehensive information provider. And look at suppliers of more advanced research services to help make the search more cost-effective and comprehensive.

ate closely with other groups, in particular finance and

Part One: Preparing a Due Diligence Strategy

Implementing A Robust Due Diligence Program |

• Documentation: The results need to be appraised system-

• Storage and review: How and where are the results stored

atically, and there need to be records of the work done and

and used, and when are they to be reviewed? There may

the results achieved – when the work was done, where,

be data protection rules about storing some data, or rules

what was reported, and what results were acted upon.

relating to how long you keep some types of documenta-

Document the project and ensure that there is evidence of

tion. Will the data be stored centrally or in the office where

who did what when.

the agent or client is handled? Do you need to record in a

• Action and communication: Who reviews the results and

central system that due diligence has been carried out?

decides on the actions to be taken and the communication

• Additional: Are there other legal or regulatory consid-

of results? Once you have reviewed an individual or com-

erations that need to be applied to this process by virtue

pany, what next? How will you report? It is useful to start

of your company’s location, regulation, risks or profile?

out with an idea of who will review the results and decide

Some industries have additional requirements stemming

on the next steps. And will you communicate the results

from their regulatory regime, or additional issues posed by

to the individual or company concerned, or keep them

where they are headquartered. You will need to take legal

confidential?

advice on your obligations that may depend on your industry, location, size or other factors.

Operationalizing the Strategy Now that you have decided what your company’s level of risk is and what your strategy will be, the next step is to start work. Part Two of this report explains the work to be done and how to handle the results.

9 | Part One: Preparing A Due Diligence Strategy

Implementing A Robust Due Diligence Program

Part Two: Carrying Out Due Diligence Introduction In Part One of this guide, we covered the basics of setting up a due diligence strategy. Now, we get down to business: this section covers how to make due diligence happen — what to do, how to do it and how to follow up. As with the previous section, legal advice on your particular situation is important, and no general guide can cover every specific situation.

Who, what and when: The Basics The people and entities you might need to examine will vary.

custom means that it is necessary to work through a local

It will depend critically on the results of the risk assessment

firm, or to have a local resident as a director or partner.

done in Part One: how deep, how often and where you dig.

This often involves working with unfamiliar people whose

Different types of transactions (hiring, buying, investing,

motivations and identities can be hard to assess.

selling) may also create different levels of risk, and the size of the deal may also justify looking harder and digging deeper, as may the jurisdiction. So the first step is to decide whether the subject is low risk, moderate risk or high risk, according to your risk profile: • Sales agents: Their duty is to help sell your company’s services and products, so they (and the people they deal with) should attract attention. They may need checking when you engage them, and again at regular intervals. • Local partners: Sometimes local legislation, regulation or

Part Two: Carrying Out Due Diligence

• Vendors: What services and goods are they supplying you with – and are you paying them for? Check them as part of a supply chain screening process, or before you authorize payments. • Clients: Do you know who they are? In some parts of the world, the difference between state, ruling family, private sector and (for example) the military may be hard to distinguish. You are receiving money and in some cases (refunds, discounts) paying money to them. Check them as part of a client engagement process.

Implementing A Robust Due Diligence Program | 10

“

“You may wish to check family members as well, to avoid a situation where bribes are being paid to the family of a politician.”

”

• Senior employees: They are in a position to represent your

biggest risks is taking on new companies as entities where

company and to make payments and receive them. It makes

you know little about their vendors, clients, staff or agents.

sense to ensure that you and they are clear about their

In some U.S. cases this has triggered big problems.

interests and their roles, and due diligence can help. Most companies will provide some basic background screening when they engage senior staff, but it is worth including some aspect of screening for bribery and corruption risks. Regular updates can help.

For each of the above, decide whether these decisions count as low, moderate or high risk, based on your organization’s own risk profile. Check the individuals themselves, or in the case of an entity, also check the company, main officers, beneficial owners if possible, and any specific individuals you

• Junior employees: In most cases, these are low risk. But

will be dealing with. If new names or entities surface during

junior employees with access to cash, or who supervise

your assessment, you may wish to open a new inquiry. With

payments, may also be in a sensitive position.

individuals, you may wish to check family members as well,

• Mergers and acquisitions: Do you know everything you need to know about potential M&A targets? One of the

11 | Part Two: Carrying Out Due Diligence

to avoid a situation where bribes are being paid to the family of a politician.

Implementing A Robust Due Diligence Program

Where: Location Matters

“ ”

“It is a myth that corruption only occurs in developing countries or emerging markets.”

A second criterion in deciding the risk level is location.

• Transparency and information: How freely available is

Different countries experience corruption in different ways.

business information in the country you are dealing with?

However, it is a myth that corruption only occurs in developing

If all information is promptly and accurately published,

countries or emerging markets. As any study on corruption

and it is easily accessed and its integrity is respected, then

will quickly reveal, there are plenty of wealthier nations where

that helps. But in many countries (China, Russia and India

corruption is also a problem. All these factors will help decide

are all examples) the public record isn’t always complete,

the work you need to do:

accurate or easily accessed. That is grounds for checking

• Levels of corruption: It is easy enough to use publicly

more and going deeper.

available information to check what the public perceptions

• Regions and cities: It isn’t always enough to think about

of corruption are. The best known survey is the

a “country”: some cities or regions have specific issues

Transparency International Corruption Perceptions Index.

with regard to corruption and fraud. Chicago, New York

In high-corruption countries, more checks make sense.

and Minnesota would present different issues in the U.S.,

• Your knowledge of the country: It is helpful to use existing corporate knowledge of a place to guide understanding of the corruption risks. But equally, local staff may be

as would London, Glasgow and Newcastle in the UK. So, different regions in India or China will raise some different political, business and criminal issues.

blind to the dangers. So use input from regional staff but

Based on subject and geography, you should be able to assess

supplement it with other views – news reports, studies

the level of risk attached to the due diligence you propose to

and commercial country-risk-scoring tools such as Dow

carry out. Use this assessment to decide how much work

Jones Jurisdiction Risk. And consult the local embassy, if

needs to be done and of what type.

possible. Again, the less you know of the country, the more work you need to do.

Part Two: Carrying Out Due Diligence

Implementing A Robust Due Diligence Program | 12

How to Do It: Carrying Out Due Diligence

“

“A Web search is always a useful starting point – but it isn’t good enough for checking thoroughly in due diligence.”

”

The task is to collect information on your subjects of inquiry

Web search. And the information from many countries hasn’t

so that you can make decisions about them based on the

made it online – it still exists only in paper form. People and

evidence. Assemble the information systematically as you

companies may not be accessible at all and so there may be

go and cross-check the results. Are they consistent? Are

plenty of false negatives (subjects who you think are clear,

there red flags that indicate problems? Use a checklist of

but for whom there may be issues you don’t know about).

information that allows you to see how you progress. The

Information found on the Web may also be very misleading,

steps below are in order, from the most basic checks to more

since in some cases gossip, misunderstanding and slander

advanced, depending on the level of risk.

may have clouded someone’s reputation without cause.

• Check internal information. A first step is to ensure you

Many of the results may simply be irrelevant. In summary,

know what you already have. What information do you have on hand on the subject? Did you request and get basic

time spent on Web searches may be better spent on other resources that provide more systematic results.

identifiers (name, address and company, for example, and

• Check names against sanctions and other official lists.

a CV) and identification? Do you have internal records of

Most countries and several international organizations (the

doing business with this person or entity? Do people in the

UN, the EU) compile lists of individuals and entities that are

company have views? Interviews and emails as well as data

under sanctions for criminal or political acts. Dow Jones

can be helpful.

Risk & Compliance aggregates such lists, keeping them

• Search the Web. A Web search is always a useful starting point – but it isn’t good enough for checking thoroughly in due diligence. Much of the Web is inaccessible from a free

13 | Part Two: Carrying Out Due Diligence

updated and ensuring that you don’t have to check each one individually. A match here may indicate the individual has some big red flags. This is a fairly basic check – a “thick mesh” screen.

Implementing A Robust Due Diligence Program

“

“Dow Jones Risk & Compliance offers a global database of stateowned/controlled companies.”

”

• Check them against lists of public officials. There are

easier and more accurate. Company accounts should be

a number of publicly available lists covering Politically

available, as well as company registration documents; ask

Exposed Persons (PEPs), such as that from Dow Jones Risk

for them. If necessary, have someone with local awareness

& Compliance. It is important to get one that is broad, well-

help handle this aspect.

updated and accurate, and that includes family members as well. For more comprehensive protection from risk, checks can be extended to identify companies linked to the government. Dow Jones Risk & Compliance offers a global database of state-owned/controlled companies, making it far easier to screen all third parties. This is a slightly finer mesh of screen, as it will cover more individuals and entities.

• Check them against available media. Most countries’ media is now available online, but searching these databases one by one is time consuming and potentially misleading. Use one of the larger and more comprehensive media databases, such as Factiva. This will allow you to search flexibly, using a range of identifiers; will guarantee access to a wide range of sources; and will record what you

• Speak with the subject. If you can, interview the individual

did and when, allowing for audit if necessary. Also search

on his or her background, history and business. This

local-language media if possible, though this may require

needn’t be an arduous conversation – you just want to

language capabilities and specialist databases.

know a little about where the person comes from and what they do. Take notes.

• Basic public records. These exist in most countries, and in many places they are online. Search them if you have the

• Ask the subject for additional information. You can (and

resources yourself, or (as many companies do) use one

should) ask for more than basic information if you want

of the due diligence services that are available. These will

to go deeper: date and place of birth, identity document

normally provide a range of service levels incorporating

numbers and other forms of identifier help make the search

several of the different searches above, plus public records

Part Two: Carrying Out Due Diligence

Implementing A Robust Due Diligence Program | 14

and some evaluation of red flags. You may also check public

• Advanced work. In some cases, such as for very large

records in other jurisdictions. Some individuals and entities

entities, very high-risk entities or places, or in other special

have a presence in more than one place.

circumstances, it may be necessary to make more extensive

• Conduct third-party interviews. The company or individual you are dealing with may have provided references, in which case take them up and interview them. Ideally, these interviews should be done in conjunction with the

inquiries or to consult (for example) law enforcement, regulators or other authorities. It might also be necessary to work so that the subject is unaware of the due diligence. In these circumstances, it makes sense to take on one of

other searches so that they are informed and focused on

the specialist investigative firms. But this is relatively rare.

critical elements. Beyond references, you may choose to

The higher risk the individual or entity, the more levels of

speak to other local sources—perhaps including staff at the

inquiry you may wish to invoke. So as you escalate inquiries,

embassy, though they may face constraints on what they

add other types of verification. Data sources that allow more

can say. As the UK guidance says, “In higher risk situations,

detailed and customized searches are useful. So is language

due diligence may include conducting direct interrogative

capability. This is why many companies subcontract out

enquiries, indirect investigations, or general research

elements of this process to external providers. Ensure that

on proposed associated persons.” You may carry these

you have an information or service provider that you trust and

out yourself, but it is probably better done by a trained

that has global capabilities and comprehensive resources.

professional, in house or externally. There are many firms that will carry out these inquiries as part of a due diligence service.

15 | Part Two: Carrying Out Due Diligence

Implementing A Robust Due Diligence Program

“

“Due diligence is not just printing paper: you are looking for certain red flags in the evidence you gather.”

”

Remember that due diligence is not just printing paper: you

• Have there ever been allegations of corruption or fraud?

are looking for certain red flags in the evidence you gather.

• When you are looking at a company, is there evidence

• Can you verify their identities? Can you find the individuals

that it carries out the work that it says? Does it have an

or companies you are looking at, and positively identify

office, employees or other clients? Is there evidence that

them from the public record?

principals have the experience you would expect in sales or

• Are they mentioned on official lists that indicate possible association with crime, terrorism, corruption or other breaches of domestic or international law? • Do they have links to government officials or elected officials, past or present? Family members? Employees? • Are there allegations of any reputational issues that might cause management, regulators, shareholders, customers or the media some concern? Links to terrorism, fraud,

marketing, for example, or is there only a brass plate and some individuals with no discernible business? At this stage, record only what you know to be the case from the work you have done: what did the evidence say, and at what time and date? It isn’t necessary to point fingers, hold opinions or make accusations. These are red flags only, and decisions about how to interpret them might involve follow-up inquiries, escalation or clarification.

crime, abuses of human rights, or other issues?

Part Two: Carrying Out Due Diligence

Implementing A Robust Due Diligence Program | 16

Resolving Red Flags These are some common results from due diligence research: • I found far too many Web results and couldn’t read them all. Consider adapting your search strategy, or getting extra colleagues involved, or contracting this to a firm with more research capabilities. More work is needed; it isn’t enough to print everything out and file it. • There are lots of people with the same name. Very often, name alone doesn’t narrow down the search. Again, adapt the search strategy, get extra identifiers or use a professional firm. A database that allows for name variations is also very useful. • I didn’t find anything. Either this person has left no trace in their business career – or perhaps you got the name wrong, or the person has altered or concealed their identity. Ask them again to confirm the details. If you keep looking and still find nothing, this is a problem. • I found someone with a similar name with a red flag. If the name is common, this doesn’t necessarily tell you anything. But it is worth clarifying with a local expert, checking the identifiers you have and, if the issue is serious, escalating it for further work.

17 | Part Two: Carrying Out Due Diligence

• I found evidence that the subject is on a sanctions list, or has committed a crime, or that there are allegations of fraud or corruption in the media. A red flag might be a big issue or it might be an error – a false positive. Have the result reviewed and consider further checks. • The subject has a long, complex history with some red flags – but it is very mixed. A high-profile individual or firm may have many red flags, some of which can be explained as simply comments by adversaries, media errors or politics. If you want to proceed, you will almost certainly have to use a higher level of due diligence and make some difficult judgment calls. • I found a red flag, but a colleague said everyone in that country would understand. This is common: someone says that an issue is culturally different in a foreign country and so should be acceptable. Some things do differ around the world but other issues – and corruption is one – should be judged by your standards and your legal obligations. • The subject seems fine but had some bad luck with colleagues/partners. Often, a subject will claim – or the public record will indicate – that a person or firm was linked to someone who had an issue, while they themselves were blameless. This should be assessed carefully by a professional: who was responsible? Again, this justifies escalation and further work.

Implementing A Robust Due Diligence Program

“

“ The public record can change over time, so don’t cut corners and assume that this year’s report will be the same as last year’s.”

”

• There seems to be a dispute about whether the subject did something. Often media results show allegations and counter-allegations. These can’t be resolved with simple Web searches but probably require more in-depth investigation and assessment. Dealing with red flags requires discretion, diplomacy, legal compliance and business sense. Sometimes a red flag may on further examination have a weak basis (it is clear that it relates to another person or that the report is incorrect). Sometimes it may be correct but it can be set aside for further scrutiny if necessary (the subject was the client of a financial institution that had fraud problems, but there is no suggestion the subject was anything but a victim). It may be appropriate to raise issues with the subject to get an explanation and then assess the response, though this should be done very carefully. More often, you will want to do further work – to escalate it to the next level of due diligence or call in advisers. Sometimes, the evidence may be solid enough to justify stopping work and not proceeding with the relationship or transaction. These are decisions that can only be made with knowledge of the facts, so make sure you know as much as you can.

Part Two: Carrying Out Due Diligence

If you found plenty of evidence of the counterparty and their business and no red flags, or found only red flags that could be addressed, then have the result reviewed by a fresh pair of eyes, passed to whomever is running the process and decide if you are ready to proceed. It may be important to note areas for further work, or where you feel there are gaps, before finally signing off, or to get work reviewed elsewhere by another function or another level of management. There is also the question of legacy relationships: agents, vendors, clients and staff that were taken on in the past. There may be hundreds – perhaps thousands – of such relationships. Nobody expects you to examine each of them immediately. But you should ensure that they are assessed for risk as new relationships are, and that – over time – screening is applied to them too. Remember that you will probably need to renew the due diligence at intervals, perhaps every year for significant factors like sales agents. The public record can change over time, so don’t cut corners and assume that this year’s report will be the same as last year’s. The work needs to be done again, from scratch, though it is handy to compare back.

Implementing A Robust Due Diligence Program | 18

Conclusion: Trust, but Verify

“

“ As long as you choose an appropriate level of due diligence and do the work properly, you will have a good foundation to build a solid future business relationship.”

”

It is common to feel uncomfortable checking out a business partner in this way when you are embarking on a new relationship that you hope will be mutually beneficial. But using due diligence isn’t about doubting their good faith: it is about building trust. Facts should be examined in a critical light and evidence sought for them, and everyone should be

open to having themselves and their record examined. As long as you choose an appropriate level of due diligence and do the work properly, you will have a good foundation to build a solid future business relationship. And remember that they will probably do their due diligence on you, if they are serious about corruption.

About the Author

As the Head of Due Diligence within Dow Jones Risk & Compliance, Mr. Thomas is responsible for product development of the Dow Jones Due Diligence services. He has over six years’ experience working within open source due diligence, including helping many of the world’s leading companies design, develop and implement effective third-party screening and due diligence policies. Prior to joining Dow Jones, he worked for the Background Screening division of Kroll, where he had an EMEA-wide business development and consulting role. About Dow Jones Risk & Compliance

Dow Jones Risk & Compliance is a specialist provider of critical risk identification data to financial institutions and multinational companies globally. Our services include public record Due Diligence reports researched and compiled by a highly skilled and multilingual team and used by customers to vet and monitor third-party relationships. Find out more at:

dowjones.com/riskandcompliance

19 | Part Two: Carrying Out Due Diligence

Implementing A Robust Due Diligence Program

M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d er

Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A

o r ru p t i o n • Ris k • C o m p l i a n c e • I n t e ll i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ri

o m p l i a n c e • I n t e lli g en c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n

l i g e n c e • D u e D i l i g e n c e Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i

e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e • Sa n c t i

A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L a

e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h

A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t

• Ris k • C o m p l i a n c e • I n t e ll i g e n c e • D u e D i l i g en c e •

Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p

n c e • I n t elli g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t elli g e

• D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e

Sa n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n

Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n

o m p l i a n c e • I n t e lli g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n

i g e n c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D

e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i

A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o

s k • C o m p l i a n c e • I n t e lli g e n c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n

n t elli g en c e • D u e D i l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p l i a n c e • I n t ell i g en c e •

l i g e n c e • Sa n c t i o n s • A n t i - M o n e y L au n d e ri n g • Watc h l is t • A n t i - C o r r u p t i o n • Ris k • C o m p l i a n c e • I n t elli g en c e • D u e D i l i g en c e Sa n c t

• Ris k • C o m p l i a n c e • I n t e lli g e n c e • D u e D i l i g en c e • Sa n c t i o n s • A n t i - M o n e y L au n d eri n g • Watc h l is t • A n t i - C o r ru p t i o n • Ris k • C o m p