Compliance due diligence: no longer just an FCPA issue
February 2016 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION
Financier Worldwide Magazine
There are many risks in today’s global and competitive M&A environment. The risk of bribery and corruption continues to increase along with more aggressive United States and international enforcement. The prohibition of bribery of foreign government officials has received a great deal of attention in recent years. According to a recent Trace International Global Enforcement Report, non-US enforcement of laws prohibiting the bribery of foreign government officials currently surpasses US enforcement. Specifically, notable international statutes prohibiting bribery include those in Germany, South Korea, Great Britain, Brazil and China. Increasingly, bribery investigations are multinational with multiple jurisdictions investigating a single entity.
The increased awareness of bribery and corruption issues as well as the rapid growth of anti-bribery enforcement has led to a corresponding increase in the number of acquirers conducting thorough compliance-focused pre-close due diligence. As forensic due diligence has increased, so has the focus on issues other than bribery. Against the backdrop of aggressive enforcement of anti-bribery laws, acquirers increasingly assess risks related to fraud, money laundering, sanctions violations and cyber crime in pre-close due diligence procedures. Acquirers often conduct these additional procedures in conjunction with their anti-bribery procedures in order to obtain a robust view of potential compliance related concerns in a streamlined and cost-efficient manner.
Specifically, pre-close forensic diligence seeks to address the following questions: What are the areas of potential compliance related risk? What resources and processes help manage and monitor these risks, including dedicated personnel, policies and procedures? Are these resources sufficient to adequately address the risks, particularly risks that are most likely to occur or have a high cost to the acquiring entity? What steps should be taken post-close to resolve outstanding compliance concerns? Are there sufficient resources to conform policies and procedures and to bring the target company in line with industry standards? If not, what resources are needed?
The fraud risks most commonly encountered during forensic due diligence include improper third-party relationships, risks related to gifts, travel and entertainment (GT&E), asset misappropriation and improper related-party transactions. Specific transactions are often selected from the target’s books and records for due diligence testing. These specific transactions may include GT&E, payments to third parties, such as consultants or vendors, or purchases made from related parties to ensure arm’s length transactions. Such transaction testing is also focused on identifying disguised illicit payments made to government officials. Although additional procedures may be performed in situations presenting heightened or specific risks, a review of transactions designed to detect general fraud schemes can often be completed using data collected for anti-bribery and the broader financial due diligence.
Financial institutions face compound challenges of abiding by rules that require the implementation of anti-money laundering (AML) and economic sanctions compliance programmes. Regulators have stepped up the enforcement of such rules, levying large fines and imposing independent monitors. AML requirements have historically applied only to traditional financial institutions, but forthcoming rules will obligate asset managers, hedge funds and private equity firms to implement such programmes. AML and sanctions risks must be addressed in today’s regulatory environment. Generally speaking, money laundering may be detected through an analysis of the patterns through which money enters or exits the target company. Transactions that present heightened concern may include those made through related-party transactions, offshore banks or in unusual patterns to consultants or vendors. Similar to the detection of general fraud schemes, additional procedures, including the use of forensic data analytics, can be performed to detect money laundering – especially where there are heightened indications of risk, such as specific allegations against the target company or generalised industry or geographic-specific risks.
In addition to transaction testing, an acquirer should conduct background checks related to the target and its key associated parties during the pre-close forensic due diligence. These key parties may include customers, vendors or management personnel. Background checks identify negative information, including previously imposed international sanctions, associated with these entities or individuals, and can potentially identify other commercial concerns with business partners, such as solvency issues. Background checks may help to mitigate risk through the identification of potential commercial or reputational concerns.
Targets with valuable intellectual property, including customer lists or customer specific data, may also be at risk for cyber crime. Cyber crime may include hacking, theft or loss of customer data, or theft or loss of other intellectual property, such as trade secrets or patents. Cyber security due diligence assesses the effectiveness of a target company’s cyber security programme, as well as the cyber-risk profile of a target company. Considerations related to the effectiveness of the programme include an assessment of the risk management governance, implementation of policies and standards, and internal control environment. The cyber risk profile includes information as to the assets and industry profile of the target company. A target company whose primary assets are intellectual property may not be as valuable to an acquirer if this information is already available in the public domain or for purchase illicitly. Similarly, a target company may be at risk for negative publicity or potential loss of reputational value where customer data has been compromised. Cyber due diligence can help protect an acquirer from these risks.
Findings from due diligence are typically taken into account in the purchase price, including the price adjustment mechanisms (e.g., working capital, earn-out), and/or contractual terms. Incorporating purchase price mechanisms in share purchase agreements (SPAs) is a way of ensuring that the parties’ ideas and expectations surrounding the value of the target are reflected in the contractual framework. An SPA review can assist the parties in defining a mechanism that is acceptable to both the buyer and the seller, while at the same time offering adequate protection against the risk of value changes during the sale process. For example, the target may pay out dividends or bonuses during the time between signing and closing – this may create value leakage if not addressed in the contract. The contractually agreed mechanisms will influence, among other things, the likelihood of post-closing disputes, the level of resources required to manage the closing process, the timing of risks assumed and exposure to the risk of value erosion.
Finally, post-close diligence is often undertaken to assist in the mitigation of potential risks (whether identified in the due diligence phase or as a separate confirmatory exercise). Post-close compliance focused diligence allows an acquiring entity to assess the current state of compliance-related resources, identify potential gaps in these resources, and remediate any identified areas of potential concern. Post-close, an acquiring entity has greater access to personnel and information than was available pre-close, particularly in competitive bidding situations. The confirmatory diligence process is similar to the diligence that is often completed pre-close, including interviews of senior level personnel, a review of policies and procedures, and a review of selected transactions, but with greater access to personnel, documentation and accounting records. This allows for a more comprehensive and efficient process, especially when supplemented with forensic technology tools.
In today’s competitive M&A environment, an acquirer faces a host of compliance-related concerns that must be addressed quickly and efficiently. Although bribery and corruption has and continues to receive a great deal of attention, there are many other compliance-related risks that acquirers face, including other types of fraud, money laundering, sanctions and cyber crime. The completion of targeted pre- and post-close due diligence procedures can help to identify the red flags associated with these risks. Pre-close procedures provide a framework for post-close due diligence reviews and, ultimately, compliance readiness, integration, and where applicable, investment exit preparedness.
Dan Dehner and Tony Hounshell are senior managers and Gregory E. Wolski is a partner at EY. Mr Dehner can be contacted on +44 (0)207 806 9266 or by email ddehner@uk.ey.com. Mr Hounshell can be contacted on +1 (212) 773 7100 or by email tony.hounshell@ey.com. Mr Wolski can be contacted on +1 (312) 879 3383 or by email gregory.wolski@ey.com.
© Financier Worldwide
BY
Dan Dehner, Tony Hounshell and Gregory E. Wolski
EY
FORUM: Fraud and corruption investigations in multilateral development banks
Compliance due diligence: no longer just an FCPA issue
‘Embedded’ – a new approach to corporate fraud
Real fraud in an increasingly cyber world
Litigation and insurance coverage for cyber fraud
DOJ’s ‘Yates Memo’ intensifies scrutiny of corporate management
Canada – no longer a fraudster’s playground
Deferred prosecution agreements – the gold rush
Searches and seizure of documents at a lawyer’s office