Is past behaviour a predictor of risk in your third parties?

Out-Law Analysis | 18 Oct 2018 | 5:12 pm | 5 min. read

ANALYSIS: The global trend towards corporate criminal liability for failures to prevent financial crimes, subject to an affirmative compliance-based defence, means that effective due diligence of your commercial partners and customers is now more important than ever before.

But how much emphasis should be placed on previous legal and regulatory failings uncovered during due diligence searches, particularly against a backdrop of complicated regulatory requirements and increased enforcement action? To what extent can such behaviour be seen as an indicator of future risk, and how can you identify apparent 'red flags' that are no longer relevant?

At a recent webinar, hosted by Dow Jones, I considered some of these questions together with Dow Jones due diligence expert Gavin Proudley.

What does the law tell us about due diligence?

Once commonly referred to as a 'background check', the due diligence process traditionally focused on what individuals or companies had done in the past. However, as the process - and the legislation around it - has matured, due diligence has also begun taking account of forward-looking risks that could potentially develop out of particular transactions or business relationships.

There is no global law governing due diligence processes, although there are some international standards such as the International Anti-Bribery Standard. However, we can identify some common themes.

If your business operates in the financial services, professional services or other regulated sector, anywhere in the world, it will almost certainly be subject to money laundering requirements. As the developing situation involving the Estonian branch of Danske Bank shows, we are likely to see a hardening enforcement environment around money laundering and the requirements to carry out customer due diligence and checks as to source of funds.

However, moving away from the regulated sectors, we are seeing substantial law reform applicable to all businesses requiring them to have oversight of their supply chain, and of employees or agents acting on their behalf. For example, we are seeing an international trend towards corporate criminal liability for failures to prevent financial crimes such as bribery or facilitation of tax evasion. These offences are generally subject to an affirmative compliance-based defence, and an integral part of this is that you have carried out risk-based due diligence.

What does effective due diligence look like?

Due diligence procedures should be built around a risk assessment, or 'risk map' as it is referred to in some jurisdictions, and should be fully documented (subject to data protection requirements, discussed below). Remember that, should it come to it, you will not be able to prove a compliance-based defence in the criminal courts or to a regulator without sufficient documentation.

Larger businesses should have a documented financial crime risk assessment which identifies their higher risk third party relationships and summarises the controls to mitigate those risks, including due diligence. Regular review of that document should be built into your processes, to ensure that it takes into account the latest important cases and newly-published international guidance.

Guidance from regulators and enforcement agencies tends to be drafted in broad terms, and concepts like "integrity", "ethical standards" and "business reputation" are common. However, looking for potential 'red flags' under these headings can, in practice, be much harder than the guidance indicates.

The key is to identify anything that points to potential dishonest conduct or very sharp business practices. Items of particular interest include:

  • civil court proceedings;
  • allegations in the course of employment tribunals made by employees claiming whistleblowing protection;
  • any allegations of corruption;
  • connections with foreign public officials.

For higher risk third parties such as agents, business development intermediaries, and distributors, you should be screening publicly available information and commercial databases, court record checks and corporate registries. Commercial risk management solutions such as that provided by Dow Jones operate by using a defined set of criteria, based on clear rationale, to identify potential red flags. It may also be cause for concern if your potential business partner has no, or very little, online presence.

How can you tell whether information you have identified is significant?

The significance of information that is established fact is obvious: for example, a criminal conviction, a deferred prosecution agreement (DPA) or, increasingly, findings made in the context of civil court proceedings. Where the information is along the lines of an unproven allegation or rumour, you should not immediately discount it without conducting further research and assessing the credibility of the allegations.

Some of the various pieces of international guidance suggest that companies should be paying attention to regulatory investigations of any size, in any field. It can on first glance be hard to see why an HR issue should matter compared to things like sanctions connections or politically exposed persons, but it is a question of nuance. All companies will have HR allegations against them, but something like a trend of whistleblowing reports that are leading to tribunal claims should raise alarm bells. Evidence of multiple health and safety or environmental breaches may, for example, indicate that you are dealing with a company that doesn't take compliance seriously – although bear in mind that for some companies operating in higher risk environments, such as big oil and gas services companies, this sort of breach may be more commonplace.

However, what is often more important than evidence of previous wrongdoing is your prospective business partner's response to that evidence. Are they constructively engaging with your due diligence process, seeking to explain any past infringements and able to show that the management has moved on and that new procedures are in place? While smaller businesses may find changes in management in particular more difficult to demonstrate, this type of transparency tends to suggest a company that has integrity and which is less of a risk to work with.

The flip-side to all this is that we live in an increasingly litigious world, with so many regulatory regimes that it can be difficult to achieve compliance. There are other steps you can take to address third party risk in cases without strong indicators of dishonesty. Appropriate solutions may include stronger contractual terms, key performance indicators (KPIs) around compliance, training requirements or audit rights, depending on the nature of the identified risk.

What should you do with due diligence information?

Due diligence and data protection present competing challenges. It is good practice, when performing checks directly with a prospective business partner, to obtain consent for that processing as well as confirmation that they have obtained consent from any individuals that have provided them with the requested information. This can take the form of a declaration at the end of your due diligence questionnaire.

Once consent is obtained, you should also have a clear document retention policy in place stating how long you will hold onto the data and for what purpose. The most recent French guidance suggests that a period of five years after the end of the business relationship is reasonable, although you might decide to hold onto the data for longer if there are particular risks in the third party relationship. Make sure that you document why this is necessary.

How should due diligence information be monitored and updated?

Information gathered during the due diligence process should be kept up to date in a way that is commensurate with the associated risk.

A shift to continuous monitoring is becoming more common among businesses. However, you should be careful not to over-commit in terms of your own policy. Unless you have a fool-proof system in place, and have invested in technology, it is unrealistic to expect you will be able to repeat all of your due diligence every six months or even every year. Make sure that your policy is realistic, and achievable. Bear in mind that if you cannot meet your own policy requirements, it is highly unlikely that you will be able to prove to a regulator in a future investigation that you have done enough.

Tom Stocker is head of corporate crime at Pinsent Masons, the law firm behind Tom will host Pinsent Masons' Business Crime & Compliance conference on 8 November 2018, at which Gavin Proudley of Dow Jones will be speaking.