ALM Properties, Inc.
Page printed from: Corporate Counsel
5 Questions to Ask FCPA Due Diligence Vendors
There are a lot of really good, longstanding, and professional firms providing due diligence services to corporations working with third parties worldwide (my company, TRACE, is one). The compliance community has also seen a rapid proliferation of newcomers, however, and without a track record their bona fides can be difficult to assess. Here are five basic questions to ask to begin your own vetting process:
1. How and where is your company organized?
Few companies would undertake a due diligence review of a commercial third party without asking this question, but surprisingly few ask it of their due diligence service providers. Due diligence providers should be held to at least the standard that sales and marketing agents are held to. Is the company publicly traded? If it is privately held, who are the true, beneficial owners? Is there any ownership by a government official? Is it a nonprofit? If so, who is on the board and who are the members of the management team? Is the company or its affiliates incorporated in a known tax haven or a country known for banking secrecy?
2. Where are you (and your servers) based?
There are some locations in which the security of data is widely questioned. Many companies now go to great lengths to avoid having their data pass through China and its territories, for example, because of the risk that the government will access it. For most companies, their networks of third parties, channel partners, and suppliers are considered valuable proprietary information. The information is carefully protected from competitors, but may then be transferred to due diligence providers with inadequate security measures in place.
3. Who really does the work?
Due diligence entities keen to offer service “world-wide” typically cannot cost-effectively place employees in every country, although there are some that come close. For those that can’t, you should understand who is doing the work on the ground. Are they independent contractors? If they are, what sort of vetting process have they undergone? How are they compensated? How are they trained, and how are they able to communicate concerns back to headquarters? How is their work reviewed and evaluated? Do they have confidentiality agreements in place to safeguard your data?
4. What portion of the review process is automated, and what is reviewed by analysts?
The compliance community has made great strides lately in automating work that was once done manually. Among the best examples are some of the vendors that provide databases for searching the many international watch lists. This process generally cannot be entirely automated, however. There are typically false “hits,” that is, someone with a name that matches one on the list but who is actually a different person with a different nationality and birthdate. These require review by real people to work through the analysis.
5. How do you obtain non-public information?
Some due diligence vendors purport to have access to records or other information that is not publicly available. What methods are used to obtain private records maintained by the government, including criminal records in most jurisdictions? Is a bureaucrat being “tipped” to provide this information? For information other than government records, is it simply rumor or can it be substantiated? If the vendor won’t reveal their source, how can credibility be assessed? Finally, while on the wane, some investigators still engage in “pretexting”—that is, lying to obtain information to which they wouldn’t otherwise have access; they may claim to represent law enforcement or foreign intelligence services, they may claim to have the target’s permission, etc.