This week, on the FCPA Compliance Report, I am running a five-part podcast series on the current state of  investigative due diligence. The series features Candice Tal, founder and Chief Executive Officer (CEO) of Infortal Worldwide, which is the sponsor of this podcast series. We will be considering various aspects of international due diligence investigations. Tal will help us through that maelstrom to find useful and actionable information for your compliance program. We consider why basic Level I due diligence is not enough and how levels of due diligence are accomplished, what Chief Compliance Officers (CCOs) need to know, recent information actions involving ineffective due diligence and where innovation will be taking investigative due diligence going forward.

There are typically three levels of due diligence. The three levels are typically Level I, the basic level which typically looks only at a global watch lists for sanctions, politically exposed persons (PEPs), anti-terrorist lists, anti-money laundering (AML) and similar government produced lists. Level I generally provides a summary of the beneficial owners of a company, its corporate structure, perhaps some financial information and the Global Watch lists. Many companies use that as their primary tool for risk ranking. A Level II due diligence investigation is an intermediate between Level I and Level III. Level II takes a deeper dive looking at every aspect of public records information in addition to areas that are not necessarily in the public record. It encompasses items like a deeper dive of executive backgrounds. 

The final level, Level III, is also called a deep dive due diligence investigation. This level works to not to identify bad people or bad actors but also patterns of behavior which might tend to indicate a propensity for circumvention of internal controls or stepping over or even getting too close to the ethical line that indicates behavior that may turn criminal or turn in a direction that would hurt your business reputation going forward. Tal said there are behavioral issues that can be discovered through Level III due diligence. It can be through the online searching of media including newspapers, publications and digital media. A wide variety of information can come up in behavioral assessments in terms of what is the background of the executive or how they may have behaved in the past. Additionally there may be information available in a country that may not reach the rest of the press. So you may find that there are local issues that are well documented. Sometimes you can only find that information through local language searches online, other times Tal indicates you need to do in-country research.

Unfortunately most CCOs are working with limited information from their due diligence programs or due diligence providers. This means they do not have enough information to input into their risk assessment. As we previously explored, if a company is performing or having performed for them only a Level I due diligence, they may well only be uncovering up to 1% of the adverse information or raising the appropriate red flags. In a high-risk jurisdiction, Tal believes that if a company is not receiving up to 35% of the required information, they are really operating behind the 8-ball. 

Moreover, relying on computer searches raises an amount of concern for other reasons. These include both shell companies and front offices. There are still situations that without a physical drive by of the third parties facilitates, the address may simply be a local postal box. The problem of shell companies still exists far beyond the initial dump of information past the Panama Papers and Paradise Papers. Even with a real physical address, if your third-party shares an address of a flat in London that also houses some 1,500 additional corporations, this is a serious red flag that you are dealing with a shell company. That in and of itself is a red flag which, if not cleared, could lead to a serious legal violation and a significant reputational hit to your organization. 

The vast majority of FCPA enforcement actions over the past 10 years have involved some form of inadequate, insufficient or even a total lack of due diligence. We began by exploring how a company can perform sufficient due diligence without breaking the bank. Tal noted that most companies perform Level I due diligence, which of course provides limited information. Typically in Level I, companies find less than 1% of the issues that are out there. When you couple that with the realization that 90% of FCPA enforcement actions are against companies who engaged third parties and third-party vendors, it leads Now if you add due diligence in the Supply Chain component where there can be 5,000 or even 10,000 companies, you can begin to see the daunting nature of getting your arms around these risks. 

Another key feature of almost all FCPA enforcement actions is that companies that sustained enforcement actions most usually had ‘check-the-box’ compliance programs. We considered this implication in the context of due diligence. To increase the percent of information about the troubling 1% figure Tal noted above, she said companies need to “start looking at incorporating deep media searches, into their due diligence.” Deep media typically looks at aggregated data from companies that amass millions and millions of digitized records, journals, newspapers, articles, periodicals or other similar information. Now overlay global watch lists, with some basic corporate financial information, and you might be able to move from finding only 1% to up to 5% of the corruption and bribery related issues that exist amongst the parties. However, when you further expand that and do a deeper level search on online, beyond simply adverse keyword searches, it can move your discovery rate up to as much as 35% of the corruption and bribery related information. 

Tal believes that AI will be a “game changer” in compliance. Massive data sets require some type of AI to sort through and analyze the information. This is particularly important for internal controls and accounting books and records provisions to identify massive fraud. This is yet another area which is still developing. Tal stated, “I’ll frame that by saying at least in the next few years, there will still be a need for the traditional investigative approach that the boots on the ground, one where an investigator goes out and physically checks on facilities. Artificial intelligence is going to have limited ability to do that.” While drones may become part of an investigators tool kit, Tal believes that AI will be used “in a similar way to most data aggregators today. They find about 80% of the information. Yet there will always be the remaining 20% which they cannot find and you will need human intervention on the investigative side.”

Looking down the road to the veiled land of the future, Tal sees continued innovation facilitating investigative due diligence. While AI is more than simply on the horizon, she said it “is a tried and tested methodology that has existed for many years, in terms of how do you look for and locate shell companies.” It is also true about finding information about people who are trying to deliberately hide information. The bottom line is some of these investigative techniques involve old-fashioned shoe leather or simply hard diligent investigative work and “that’s not new”. Yet AI and other technological tools can make investigations more efficient and more cost effective, while giving better results. At the end of the day, AI can be used to sharpen and hone the due diligence process. 

I know you will find this podcast series useful. A new episode will release daily on the FCPA Compliance Report. All episodes will also be released daily on JDSupra. If you want to binge listen they have all been released YouTubeiTunes, or on the new hosting platform of the Compliance Podcast Network, Panoply.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018