Anti-corruption due diligence can be vexing even in the best of conditions; it is often made more complicated by time and business pressures that arise in the context of a merger or acquisition or an urgent sales opportunity.  Anti-corruption compliance is always fact-intensive, and due diligence is no exception, requiring many judgment calls about what issues to prioritize and how to deploy limited resources.  This article aims to provide a basic outline of seven key steps to consider in anti-corruption due diligence.

Background.  As many readers know, the Foreign Corrupt Practices Act (“FCPA”) is a U.S. anti-corruption statute that prohibits U.S. persons from bribing or offering to bribe non-U.S. government officials.  The law contains anti-bribery provisions and, for Issuers on U.S. stock exchanges, books and records and internal controls provisions.  The FCPA is aggressively enforced by both the U.S. Securities and Exchange Commission (“SEC”) (for “Issuers”) and the U.S. Department of Justice (“DOJ”).  In recent years, monetary penalties for FCPA violations have been severe, regularly exceeding $100 million.

In this environment, it is essential to consider elements like the following:

1.  Pursue a Risk-Based Strategy

The U.S. government has explicitly recognized (for example, in the FCPA Resource Guide (the “Guide”) that the DOJ and SEC published jointly in November 2012) that companies have finite time and resources to expend on anti-corruption compliance due diligence. Thus, as a first step – and before commencing the actual diligence review – companies should think critically and holistically about factors such as general corruption risk in the relevant geographic area; the types and frequency of interactions the proposed transaction partner has or has had with government officials; the extent of the compliance program maintained by the potential transaction partner; and the importance of the prospective partner to the company’s bottom line or future development plans.  The due diligence plan and team – more on that below – should reflect those risks.

2.  Establish a Team

In many cases, companies that have a well-developed legal and/or compliance department can conduct due diligence internally.  In certain situations, however, outside counsel can play an important role in, or even manage, the diligence exercise.  For example, outside counsel can help overcome resource limitations or provide support such as geographic expertise.  In addition, outside counsel can serve as independent, impartial reviewers, which can give the review additional credibility if it ever is questioned, and cloak the diligence review in the attorney-client privilege.

3.  Make a Plan

A plan should be clear about the steps needed, with the understanding that additional steps may be warranted depending on what is learned during the diligence.  The plan establishes what is expected of team members and provides evidence that the company followed a well-defined, risk-driven process to conduct the diligence.  That evidence may be the best defense the company has if the U.S. government ever asks about why a particular diligence step was or was not taken.

4.  Collect Information

Information about the proposed transaction partner should be collected and analyzed from public records searches, reference checks, interviews, reviews of the proposed partner’s records, and other such steps.  But not every due diligence step is necessarily productive in every situation.  Thus, steps taken should, where possible, address the risks posed by a given transaction and set parameters for a productive future relationship.  You don’t want to win the battle (conduct robust diligence) but lose the war (so alienate an ethical potential business partner that you lose the chance of developing a relationship).

5.  Address Red Flags

The goal of due diligence is to identify and address potential red flags.  Red flags may be self-explanatory, but in many cases a red flag can create real questions.  How to address these shades of pink, burgundy, or other variations of red is probably the hardest judgment of all to make in due diligence.  Red flags require a thoughtful, adult analysis of exactly what the risk is, the level of risk tolerance that your company has, and whether the benefits of the transaction outweigh its financial and logistical drawbacks.

6.  Craft a Commensurate Response

The appropriate response to a red flag will vary depending on the risk presented.  In targeting compliance measures, it is crucial to accurately understand the source of the issue so that an appropriate response can be developed.  First and foremost are measures to ensure that ongoing problems can be stopped immediately after the transaction; if not, the transaction should almost certainly not proceed, as problems identified through due diligence that are not subsequently stopped would be the basis for a knowing violation of law. After that, companies should consider whether the issue presented is individual or systemic, and respond accordingly.

7.  Follow Through

It is important to review whether the compliance measure introduced is in fact effective by conducting a follow-up review or audit.  In addition to formal reviews, personnel should be instructed to be vigilant in monitoring that the compliance measure really has worked.  This step can be difficult to implement without a structured format to facilitate review, as follow-up is generally conducted without the high-level attention given to major events like a merger or starting a significant agency relationship.

*          *          *

Due diligence can be challenging, particularly because it requires personnel to make subjective judgments of risk, and to leverage business decisions that respond to those compliance-based determinations.  But effective due diligence has real benefits.  The U.S. government has suggested that, for both mergers and agency relationships, in the event that due diligence misses problems because of willful misrepresentation by the target, but the diligence process is otherwise sound, companies will not themselves be held liable.  Taking the steps outlined here can help to facilitate that process.