Why you should do homework on your business partners

1 Introduction

US Defence Secretary, Donald Rumsfeld, once answered a question about a lack of evidence linking the Government of Iraq to selling weapons of mass destruction to terrorists, saying:

'Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.'1

In a complex business world with its associated risks, it has become even more important to understand the known unknowns and where possible, the unknown unknowns when dealing with business partners.

Whether engaging with suppliers or establishing businesses domestically or overseas, an appropriate level of integrity due diligence must be undertaken to 'Know Your Business Partner' (KYBP), specifically to establish the:

  • existence of the business partner, its operations and reputation
  • reputation of the business partner's third parties and connections.

You need to really understand who you are dealing with in order to protect your business from significant financial, reputational and regulatory risk.

In this article, David Lehmann, director in our Brisbane office, discusses why regulators are placing significant onus on companies to know who they are doing business with and the considerations for conducting due diligence on business partners.

2 The need for integrity due diligence

The use of third parties to win or retain business has come under scrutiny in the US for many years as some global companies engaged agents to pay bribes to foreign public officials to win or retain business.

For example, in 2010 Alcatel Lucent was fined US$137 million in civil and criminal penalties, when it was found that US$8 million in bribes had been paid between the late 1990s through to 2006 to foreign officials in countries such as Honduras, Costa Rica, Malaysia and Taiwan2 . In Honduras, an AlcatelLucent subsidiary company hired a 'consultant' who was a perfume distributor with no experience in telecommunications. The consultant was personally selected by the brother of a senior Honduran government official which led to Alcatel-Lucent winning contracts in Honduras worth $47 million. The Securities Exchange Commission (SEC) investigation found that little or no due diligence was conducted on agents and consultants used to represent interests (pay bribes) in foreign locations.

Closer to home, the Securency corruption scandal has also shown that no due diligence was conducted on agents, who are alleged to have paid millions in bribes to foreign officials in countries such as Indonesia, Vietnam, Nepal, Malaysia and Nigeria to win lucrative bank note contracts.

Simple web research conducted by the journalists who broke the story showed that some of the agents used had shady pasts that included involvement in fraudulent schemes and arms dealing.

In order to protect your business from significant financial, reputational and regulatory risk, it is essential that businesses know who they are dealing with, whether that be suppliers, customers, consultants or agents. Such integrity due diligence will reduce the potential damage arising from associated bad press and possible penalties by regulators.

3 The risk based approach

The sufficiency of integrity due diligence efforts can be subjective – something you want to avoid when it comes to the regulator. It is therefore important to establish criteria that trigger different levels of due diligence, based on the perceived risk associated with a business partner.

Such a risk based approach also makes sense given the various anti-corruption guidance, in particular the FCPA Resource Guide and UK Bribery Act adequate procedures guidance, which state that a risk based approach should be adopted as part of an effective anti-corruption compliance program. This includes conducting adequate due diligence on third parties.

For example, such an approach should be used for suppliers, as not all will require detailed due diligence. However, if a supplier will be financially significant and/or is located in a country that is perceived as highly corrupt (and therefore higher risk), there should be more detailed due diligence undertaken to facilitate informed decision making.

It makes a lot of sense to spend some time to establish the reputation of a prospective business partner before engaging with them rather than engaging on limited or no information and later finding that the business partner's reputation does not align with your company's corporate values.

Factors that will assist in determining the level of risk associated with a business partner include:

  • Location of domicile and operations. Transparency International's (TI) Corruption Perception Index (CPI) rating for most countries is easily available via TI's website3
  • Whether there is clear evidence of beneficial ownership in the case of a company or companies
  • The number of fraud and corruption or other significant incidents of misconduct within the organisation, if any, and the details of what occurred and how the matter was handled
  • The culture of the firm. For example, is there a well-defined fraud and corruption control framework and ethics program, and does the entity provide ethics training to its employees?
  • Is there a whistleblowing mechanism in place (internal or external) and does the organisation encourage employees and/or business partners to speak up about serious misconduct issues such as fraud and corruption?
  • The general reputation of the business partner in the business community/locations in which it operates
  • Any history of involvement in bribery and corruption, price fixing, money laundering, environmental breaches and so on
  • The reputation and background of the Board and Senior Management of the business partner, e.g. are any of them Politically Exposed Persons (PEPs)4
  • The identity of the business partner's significant third party relationships, e.g. suppliers, distributors
  • The extent to which agents and consultants are used in foreign locations to represent the business partner's interests and whether anti-corruption clauses and warranties are included in their agreements with those agents and consultants.

4 Information gathering

So, how do you establish the relevant information required to make a decision about engaging with a potential business partner?

One of the first steps should be to ask direct questions of the business partner that cover what you believe to be the key risk areas. You should also request evidence supporting any representations made, such as a copy of relevant policies or a code of conduct.

The responses to questions and evidence supplied (or not supplied!) can then be used to determine an initial risk rating of the business partner, e.g. Low, Medium or High risk. Once that risk is established, we suggest making enquiries using the following approaches:

Regardless of the detail or the research conducted, a report should be prepared which sets out the background to your enquiries and your findings. If a regulator did require evidence of your due diligence efforts, this report could then be produced.

A deeper-dive

Depending on the information obtained from desktop research (Level 1), it may be worth considering 'a deeper dive' (Level 2). Often, the best results for a deeper dive, particularly in foreign locations, will be achieved by engaging a third party provider who knows the local business environment and available sources of information.

After the deeper dive, if any of the representations made by the business partner appear to be inconsistent with other information, misleading or not completely accurate, then this may be an indication that the business partner has something to hide. Where this is the case, a decision not to pursue the relationship could be well justified.

Follow-up

Once a decision is made to engage with a particular business partner, it should not be a case of set and forget. It is important that monitoring processes are in place to periodically conduct some form of updated due diligence to ensure that problems have not developed over time that may negatively impact your business and its reputation.

5 Conclusion

One thing in life is certain - the world is a very uncertain place. In order to protect your company from third party regulatory and reputational risk, a deeper knowledge of your business partner's background and operations should be a priority.

Integrity due diligence activities should be included as part of traditional due diligence activities so that the 'known unknowns' and 'unknown unknowns' have a better chance of becoming known.

Footnotes

1 At a US Department Defence news briefing in February 2002
2 http://www.justice.gov/opa/pr/alcatel-lucent-sa-and-three-subsidiaries-agree-pay-92-million-resolve-foreign-corrupt
3 The Corruption Perception Index 2014 measures the perceived levels of public sector corruption in countries worldwide, scoring them from 0 (highly corrupt) to 100 (very clean). (http://www.transparency.org/whatwedo/pub/cpi_2014 )
4 Article 52 of the UNCAC defines PEPs as "individuals who are, or have been, entrusted with prominent public functions and their family members and close associates", and includes both domestic and foreign PEPs. (FATF Guidance: Politically Exposed Persons (Recommendations 12 and 22))

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.