[Type text] [Type text] [Type text]

RANE Interview | www.ranenetwork.com | insight@ranenetwork.com

Conducting FCPA Transactional Diligence

Hugo Williamson, IPSA International

The Department of Justice and Securities and Exchange Commission (SEC) have

emphasized the importance of companies conducting FCPA due diligence before

entering into transactions with third parties or buying another company. Both

regulators have imposed heavy fines on companies once violations of the FCPA have

been discovered. So how should a company go about conducting effective FCPA due

diligence before a transaction is completed? To help shed light on the issue, RANE

recently spoke with Hugo Williamson, a Senior Managing Director at IPSA International

with oversight for the firm’s EMEA region. Williamson has over 15 years of experience

running complex investigations and supporting senior corporate, finance and

government clients on major transactional and political risks in Europe, the Middle

East, Africa and Asia. Excerpts from the interview are featured below.

On understanding the risk profile of a target

When companies examine their FCPA risks prior to a transaction the first thing they

must do is to assess the significance of that particular relationship. The more

substantial the relationship, the higher proportion of due diligence resources should

be committed.

A good starting point in understanding the particular relationship is to look at the

corporate structure of the parties, their industry, relevant geographies and compliance

history. In a multinational transaction, the parties likely will want to concentrate their

efforts and perform a heighted level of due diligence on affiliates and subsidiaries

operating in countries with high perceived corruption risk. Similarly, parties operating

in industries that have been the focus of anti-corruption authorities such as oil and

gas, pharmaceuticals, construction, or engineering should account for potential

regulatory scrutiny in evaluating the risk profile of a transaction.

Ultimately, while due diligence can significantly minimize the risk of an FCPA problem,

it can never fully eliminate it. The question is always: can the entity demonstrate that

they went to all reasonable lengths, proportionate to the risks of the transaction, to

gain the necessary visibility and comfort in the integrity of the engagement?

On the internal struggle between compliance and the deal side

This well trodden duel exists in big global banks all the way down to SMEs. Often

times, the compliance side of an organization may determine a potential relationship

to have a much greater risk profile than others in the firm would be willing to admit.

Increasingly these days the compliance side is winning this battle, as fines for FCPA

violations have gotten bigger and the rules are getting clearer.

On the different levels of due diligence

Regardless of the level of due diligence that is required, an absolute starting point is

the screening of Politically Exposed Persons (PEPs) and sanctions databases.

“The question is always:

can the entity demonstrate

that they went to all

reasonable lengths,

proportionate to the risks

of the transaction, to gain

the necessary visibility and

comfort in the integrity of

the engagement?”

RANE Interview | June 14, 2016

RANE Interview | www.ranenetwork.com | insight@ranenetwork.com

Depending on how fleshed out the company is thinking about the potential risk,

monitoring negative news immediately becomes another good place to start.

The next level of compliance checks involves desk-based research of as much

information that can be found which can include negative media, online reviews of the

company, litigation history, solvency and bank issues, corporate records and corporate

holdings. This practice can throw up a large amount of information that can help an

organization determine ether not proceed any further with the transaction or to

launch a targeted inquiry to better understand specific issues that have come to light.

To further mitigate FCPA risks, companies can adopt a deeper level of compliance

checking that involves obtaining records from relevant registries in local countries.

These documents provide the most enhanced level of visibility to ensure that clients

are not dealing with individuals who are considered criminals or have compromising

backgrounds. However it is important to keep in mind that record keeping in emerging

markets is quite poor, and lags behind more developed markets.

The final component and deepest level to pre transactional due diligence in terms of

FCPA risk involves discreet human inquiries. This practice provides privileged insight

on specific areas of interests, which can include information on governance or integrity

concerns of a target company. Previous employees, former business partners, or

other firms within the industry can usually provide the best information. However it is

not worth doing this type of human intelligence work unless the risk posed by the new

potential relationship is proportionate.

On appropriate timing for due diligence

Very often the due diligence component of a deal is left to the last moment due to the

cost incurred. As a result the players involved usually want to make sure that all other

parts of the transaction are lined up before the due diligence phase is implemented.

Instead of waiting until the last moment, a better practice would be to conduct a very

high level screening early on in the process, which can identify major red flags and

concerns before a client gets too entrenched in a transaction. Then greater levels of

due diligence can be conducted as necessary.

On successor liability issues

Preventing FCPA successor liability in cross border deals requires an assessment of the

target’s overall risk profile in order to design and implement an appropriate response

to the identified red flags. The critical factor in this discussion is if those individuals

involved in a historical problem are still at the company and to what extent has the

company taken pro-active measures to address the sort of behavior so the incident

doesn’t occur again. One must also understand to what extent past issues were

isolated events versus systemic issues.

If there are historical issues and the deal does go through, certain controls can be

implemented to protect the acquirer from FCPA risk. Demanding audit rights, putting

an individual from the host company in the compliance department, or implementing

a training program for key individuals are all ways for an organization to defend itself

from issues of the past.

On third party and counter party risk

Another question many organizations face is how many degrees of separation to look

at when scrutinizing a company they are engaging with, and whether to conduct due

To regularly monitor the

functioning of the

arrangement there will be

an annual joint review,

which will also include the

issue of national security

access.

“Very often the due

diligence component of a

deal is left to the last

moment due to the cost

incurred.”

RANE Interview | www.ranenetwork.com | insight@ranenetwork.com

diligence into third parties of the target company. While it is often deemed

unnecessary in lower risk partners and targets the larger the deal or the more

significant the relationship, the greater inclination companies will have to understand

the network of ancillary business and individuals whose reputations and backgrounds

might negatively impact the reputation of the company in question.

Key concerns when looking at third party and counter party risks are issues connected

to the bribery of government officials in obtaining business deals, bid rigging to

influence tenders, the inappropriate diversion of business opportunities and assets,

and more generalized reputational risk.

On ownership

When conducting due diligence to mitigate FCPA/bribery issues, a key element is

confirming ownership, and assessing if there are any beneficial owners. In emerging

markets it is common for political figures and prominent business people to place

nominees on the board or among the shareholders. Sometimes these are high profile

people who are “known” to be fronts for political figures, and sometimes these are low

profile people, who can turn out to be distant family. Thus a common FCPA red flag

when conducting due diligence into companies, particularly in more emerging

economies, is having overly low profile people among the leadership or shareholders

of high value companies.

On proving bribery has occurred

When looking at bribery issues, it is often very hard to prove conclusively during the

due diligence process that bribery has occurred unless there have been legal

proceedings, as it is rarely a simple case of passing “brown envelopes”, and even if it is,

they are passed behind closed doors. Thus due diligence can throw up suggestions,

rumors, and allegations of bribery without providing 100 percent precise details.

Often times this becomes a frustration for clients, who want a binary answer to a

question that is often more analogue and opaque. One way to address this is by

filtering out baseless allegations, and being as explicit as possible about the sources of

the information or comment, ideally seeking to multisource the same insight. A

constant danger that poor due diligence practitioners can make is to inadvertently

legitimize propaganda – both good and bad, through either repeating as fact items

that are reported in the media from unreliable sources, or restating comments

delivered by human sources who are themselves biased or wrong in their assessment.

Quality due diligence requires having a methodology based on robust training to

address this, from scrutinizing the media sources and the journalists who write them

to ensure they are credible, to seeking multiple sources that converge on the same

finding to minimize the threat of bias.

On regulatory scrutiny of overseas hiring of relatives of foreign officials

For more than a decade, US companies, notably banks, have hired relatives and

associates of government officials in hope that these people can help open doors in

the relevant countries.

In recent years however, the SEC has started clamping down on this practice. The

most high profile of this has been their investigation into JP Morgan’s hiring of people

linked to members of the Chinese government. The SEC has shown its full willingness

to engage in this type of investigation viewing it as an extension of the FCPA, giving

“anything of value” to a foreign business official to win an “improper advantage”.

“When conducting due

diligence to mitigate

FCPA/bribery issues, a key

element is confirming

ownership, and assessing if

there are any beneficial

owners.”

RANE Interview | www.ranenetwork.com | insight@ranenetwork.com

While banks have argued in their defense that as their business is built on

relationships, these people are well connected and thus in their own right legitimate,

the SEC is increasing the pressure, and senior figures at JP Morgan have had to leave

the bank due to their association with the hirings.

The message to banks and business now is that the SEC views hiring relatives of

government figures as fair game, and unless there is a very robust argument for

brining them on board in their own right, doing so may open the bank or company up

to investigation.

ABOUT THE EXPERT

Hugo Williamson joined IPSA International in September 2014, as Senior Managing Director in the

company’s London office. In his role at IPSA, Williamson is responsible for business growth

opportunities and client relations throughout Europe, the Middle East and Africa, and plays a key

advisory role on new emerging market opportunities and initiatives. He is an expert on FCPA and UK

Bribery Act compliance matters. He is widely published on the topic, and has worked with a number

of corporations to design proportionate anti-bribery and corruption process, and in-house due

diligence and risk assessment frameworks.

Williamson joined IPSA following the absorption by IPSA of Williamson’s previous company, the Risk

Resolution Group (R2G), an award winning emerging markets risk consultancy which he founded in

2011. Prior to founding R2G, Mr. Williamson spent over 8 years working for a global risk consulting

firm, initially in their London offices, and then subsequently as deputy head of their South Africa office,

and finally as a Director in their Asia region, spending 4 years living and working in Hong Kong,

Singapore and Indonesia.

ABOUT IPSA International

IPSA International, a root9B Technologies, Inc. company, provides valued services that help our clients

mitigate risks and assist them in making better decisions affecting business opportunity, corporate

consequence and corporate or individual litigation strategy.

ABOUT RANE

RANE is an information services and advisory company serving the market for global enterprise risk

management. We provide access to, collaboration with, and unique insights from the largest global

network of credentialed risk experts covering over 200 categories of risk. Through our collective

insight, we help enterprises anticipate emerging threats and manage today’s most complex risks more

effectively.