Risk-based due diligence: SMEs and low risk engagements

Small and medium-sized enterprises (SMEs) are increasingly trading outside their local regions to access the opportunity and potential for high growth in emerging markets overseas. In Europe, for example, a survey authorised by the European Commission highlights that about half of SMEs in the European Union have been involved in international business outside the European Internal Market over the last three years.

A direct consequence of this internationalisation of commerce is that SMEs often find themselves engaging with third parties around the globe to facilitate their business operations. In the wake of the UK Bribery Act 2000 (Bribery Act), and under the extensive reach of the US Foreign Corrupt Practices Act 1977 (FCPA), liability for corruption can be triggered when a bribe is paid indirectly through a third party. This opens up significant risks, and SMEs, unlike their blue chip counterparts, may not be so well versed in anti-corruption procedure and may lack dedicated compliance teams.

The vast fines consistently levied by the US Department of Justice (DoJ) and Securities and Exchange Commission (SEC), and those imposed by the United Kingdom’s Serious Fraud Office, are a clear reminder that the importance of effective third-party due diligence cannot be overstated. Indeed, following a recent prosecution, the chief of the SEC Enforcement Division’s FCPA Unit noted that:

“This is a wake-up call for small and medium-size businesses … when a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

Although recent enforcements and media attention may dissuade SMEs from participating in international commerce and establishing valuable relationships with third parties in overseas territories, such a response would be an overreaction; with appropriate measures in place, there is a way forward.

What is effective due diligence?

Both the United Kingdom and the United States recognise that, to be effective, due diligence does not always require a “kitchen-sink” approach; the extent of corruption risks will vary and, accordingly, so will the level of due diligence required.

Under the Bribery Act, a company will not be guilty of failing to prevent an act of bribery carried out by a third party on their behalf if they have “adequate procedures” in place to prevent such conduct. To demonstrate the presence of these adequate procedures, guidance from the Ministry of Justice recommends that the level of due diligence should be proportionate to the risk of corruption faced by the company and conducted using a risk-based approach.

DoJ and the SEC, through enforcement policies and Opinion Releases, have provided guidance on the FCPA, stating that the degree of due diligence necessary may vary depending on a number of factors, such as the industry, location, size and nature of a transaction, and the historical relationship with the third party.

Identifying risk

The engagement by a company of any third party agent poses a risk, but the level of that risk will vary.

For example, a UK company contracting with a distributor based in Denmark to resell products to Denmark-based retailers does not present the same level of risk as a UK company engaging a business consultant in Kazakhstan chosen by an official of the contracting company, for the sale of equipment to a large state-owned oil company.

These contrasting scenarios highlight that risk factors such as industry, geographical location and the nature of the third party relationship are all relevant in assessing what will be required for due diligence to be effective.

The following questions should, therefore, be considered as part of an initial screening process:

  • Is the third party in an industry or geographic location that is perceived to carry a greater risk of corruption? Transparency International’s Corruption Perceptions Index, which ranks countries by their perceived level of corruption, is a useful guide in establishing the level of such risks.
  • Will the third party perform services or enter into contracts on behalf of the company?
  • Is it likely that the third party will deal with government officials when representing the company?
    • If so, will such meetings be frequent and intimate and include, for example, meals and attendance at sponsored events?
  • Do initial background and identity checks highlight that previous sanctions have been imposed on the third party, or that the third party is inexperienced in the industry or sector?
  • Is the third party’s compensation structure performance-based?
  • Does the third party require payment by unconventional means, for example by way of political donations?

Negative responses to these questions will highlight a lower risk and therefore reduce the level of due diligence that is necessary.

Low risk due diligence

Given that the required level of due diligence is so closely linked to the particular circumstances of an engagement with a third party, there is no hard and fast rule as to what will constitute an adequate review. Approaches will vary, and in some circumstances it may suffice to conduct basic corporate and media searches. Given the risks associated with engaging a third party in an overseas territory, however, the following should certainly be considered:

  • A review of the party’s corporate information, ownership structure and financial viability.
  • An overview of the management of the party.
  • A review of the existing controls and risk management protocols that the party currently has in place.
  • Searches against the party regarding any sanctions or prior corruption violations.

In addition, roles and responsibilities should be clearly defined and concluded in written contracts.

A company could supplement and verify these checks by conducting internet and media searches. Any due diligence that is carried out should be documented and records kept. To mitigate corruption risks post-approval, investigations should be monitored and reviewed to ensure that the third party continues to fulfil its obligations.

Some risks can be managed

The current enforcement climate should not dampen the entrepreneurial spirit of SMEs, nor imply that engaging with third parties is an unnecessary risk not worth taking. Although recent investigations highlight that enforcement bodies are increasingly looking to hold organisations accountable for the corrupt acts of third parties, an effective and proportionate due diligence policy provides an essential means of mitigating such risks.

Aidan Colclough

About Aidan Colclough

Aidan Colclough is an Associate at Dorsey & Whitney (Europe) LLP. He works with Dorsey’s Anti-Corruption Group in London assisting with corruption and compliance matters.
This entry was posted in 2016-05, Newsletter.