The compliance function has been completely transformed over the past 10 years. Once a back-office role, it is now represented at the board level as organizations put risk management at the forefront. In a complex global environment, getting risk management and compliance right gives firms a significant strategic advantage. As a result, due diligence has been, and will remain, a central component of every successful compliance program. When you know who you are doing business with, your business is able to avoid financial exposure, unnecessary regulatory risk, and reputational damage.
Due diligence procedures have evolved significantly—from the demise of paper-based methods to an exponential growth in data and a growing focus on third parties. As we look ahead to the new decade, there are several factors compliance officers must keep in mind to lay the groundwork for long-term success. Here, we look at the situation, past and present, and forecast what the most successful due diligence programs will include to weather the regulatory and data whirlwind.
After the financial crisis of 2008, there was clear agreement that old practices needed to be changed to reduce the likelihood of a repeat occurrence. Regulations have since been overhauled to put greater emphasis on how businesses identify weak links in their compliance programs, including knowing more about customers, employees, third parties, and intermediaries. Regulators also have been upping their enforcement efforts, and penalties for firms that do not comply are steep. The year 2010 was record-breaking for both SEC and DOJ enforcements and set the tone for the decade ahead. Reports last year indicate that US fines for sanctions compliance have reached a decade high, and 2019 closed out with a blockbuster Foreign Corrupt Practices Act (FCPA) fine for a global telecoms company.
On top of additional and updated regulation, there has been a growing focus on global regulators coming together to reach settlements. Recent examples include Petrobras and Societe Generale in 2018. Both of these cases involved large fines in their home nations as well as in the US, showing that there is an increased desire for prosecution on all fronts.
The FCPA continues to be a significant piece of legislation, and has been duplicated internationally. The requirement to conduct rigorous FCPA-focused due diligence remains unchanged, and policies need to be continuously refreshed. Recent FCPA updates relate to voluntary disclosures, cooperation and remediation, and successor liability in mergers and acquisitions.
Sanctions compliance has also grown in importance in the last half of the decade, with updated guidance from OFAC issued in 2019. Improper due diligence was listed as one of the top 10 root causes of sanctions compliance program breakdowns. Other relevant regulatory developments in the last decade include the Customer Due Diligence Rule from FinCEN and a swath of anti-money laundering legislation, the latest being 6MLD in the EU.
Though there have been huge leaps in due diligence best practices and success rates, compliance teams and businesses are feeling the burden of regulatory demands. Compliance costs are soaring, and there are simply not enough analysts to keep up with the workload. Further progress can only be made when day-to-day issues are fully addressed, including the following:
- Unwieldy and complicated due diligence procedures that are difficult to maintain and lack a single point of ownership;
- A shortage of experienced staff who are able to, among other things, analyze and rule out false positives;
- Difficulty in accessing records in some foreign jurisdictions, which is exacerbated by GDPR constraints;
- Difficulty in securing resources to build a strong compliance program that reaps long-term financial benefits; and
- Slow turnaround times for more complicated high-risk cases that include international elements.
Key Lessons from the Last Decade
As we look forward, there are several key lessons businesses can learn and apply to their due diligence policies and procedures. Here are five strategies we think compliance officers should keep in mind.
- Due diligence procedures need to adapt: Procedures must be agile enough to respond to rapidly changing business and regulatory requirements without cutting corners.
- Due diligence is a journey: Onboarding checks signal the beginning, not the end, of risk-monitoring checks. Businesses need to be aware of new information about their partners and have the right policies in place to identify and respond to evolving risks.
- One size does not fit all: The best due diligence programs take a risk-based approach. Taking such an approach means that high-risk intermediaries and agents are subject to more in-depth due diligence checks. What that looks like for each business can vary, as long as care is taken to ensure that the right due diligence policies are consistently implemented.
- Taking it global can be complex: While there have been significant changes in the availability of data in the last 10 years, accuracy and transparency of data continue to be an issue in countries where there are substantial corruption risks. Obtaining context around data through in-country inquiries may allow businesses to close the gaps on third-party screening and reduce their exposure.
- Filter through the noise of data: New data sources are becoming available all the time, such as the newly accessible beneficial ownership registers. While there are clear benefits to accessing more information, the burden of sorting through it all falls on already overworked analysts. Businesses need to have established processes to properly filter and manage their data.
Looking Into the Crystal Ball – What Lies Ahead
As the decade draws to a close, where might priorities lie for compliance teams? What issues will continue to be of importance and what are new areas to consider? Here is what we see in our crystal ball.
Technology will have the most effect on low-risk due diligence.
The benefits of artificial intelligence, regtech, and advances we have yet to see will be most felt in low-risk tiers of due diligence as aggregated data sources and assimilation of global information provide high-quality results. Human interpretation, however, will remain essential for analysis of complex situations.
Businesses will need to look at extended supply chains.
Businesses will be required to go even further to close any gaps in screening. Reviewing not just third-party, but now fourth- and fifth-party risks, will become essential practice to reduce exposure.
Environmental, social, and governance (ESG) performance will grow in importance.
As resources become scarce and environmental standards grow, ESG risks will need to be given greater attention. Due diligence will need to incorporate social data, including how a business treats its staff, how diverse and inclusive it is, and how it engages with the communities it operates in.
Continuous, ongoing monitoring of all third parties will be a top priority.
Going forward, regulators will expect firms to know when circumstances change with their third parties almost as soon as the information is publicly available. Technology tools will help alert businesses to red flags as they emerge.
Interested in additional practical due diligence tips? Download our Enhanced Due Diligence Checklist. Or, contact us directly to discuss how IntegrityRisk can help you develop and implement comprehensive due diligence procedures built for the new decade.