CHEAT SHEET
- Enhance and adapt. A dynamic conflict check process will include a review of the existing relationship between the parties and any competing interests, such as the economic or business interests of an employee, board member, or department.
- Lines of defense. The three-lines-of-defense model is a comprehensive best practice for risk management and compliance. Under this model, the first line of defense is the business, which has the closest relationship to the client; the second line of defense is the risk management, legal, and compliance functions; and third line of defense is the auditors.
- Know your customer. Gathering information about your customer allows you to review essential facts about the customer or vendor and their affiliates or owners, as well as the underlying transaction itself. This process can help companies avoid unethical transactions by improving the understanding of their clients.
- Red flags. Performing due diligence helps identify and take additional steps to prevent potential issues before it is too late. In addition, a company can use a documented process as evidence that it practices regular reviews if their risk management procedures are called into question.
In the wake of the release of the Panama Papers, significant fines paid by global financial institutions for money laundering, and recent blockbuster Foreign Corrupt Practices Act (FCPA) settlements, in-house counsel should be increasingly attuned to their risks — particularly with regard to concerns relating to knowing their customer. Reforms enacted in response to the 2008 financial crisis have included stricter requirements for corporations to identify and effectively manage the risks arising from their operations. Companies’ relationships with non-US governments are capturing regulatory — as well as public and media — attention. Even multinationals’ direct or indirect interactions with government-owned entities are coming under scrutiny, as US enforcement agencies continue to interpret the FCPA’s applicability broadly. Both financial and reputational risks are historically high as a result.
The number of enforcement actions issued by regulators against wrongdoers, and the overall amounts paid to resolve them, has steadily increased. Last year, four significant FCPA settlements alone totaled US$1.7 billion. In-house counsel have the opportunity to play an increased, frontline role in identifying potential conflicts early and minimizing these financial and reputational risks.
Taking this into consideration, most firms stand to benefit from enhancements to their client intake process. In-house counsel can follow the law firm practice of performing comprehensive due diligence on clients — to assess the implications of interacting with a potential customer or vendor and determine whether to commence a relationship at all. In-house counsel can integrate an enhanced client intake process into a broader risk management program, while making minimal changes to procedures likely already occurring in the firm. In fact, not doing so amounts to a missed opportunity for legal departments to notch an easy win. Whatever the state of the client intake process, firms will benefit from identifying any gaps in controls as early as possible — and thereby help address risks and avoid crises.
Enhanced client intake process
A dynamic conflict check process will include a review of the existing relationship between the parties and any competing interests, such as the economic or business interests of an employee, board member, or department. A complete client review — including verification of identity and operating licenses, as well as an understanding of the proposed work — will aid in checking for reputational risks and potential violations of firm restrictions on taking new business or any regulatory requirements for independence. Lastly, a deeper dive looking for economic interest, government ties, or negative news is similarly important. Having a full grasp of the parties involved in a transaction can help identify areas of risk and dictate whether procedures should be instituted to help mitigate such concerns. Identifying potential conflicts early allows time to negotiate contract language, obtain all necessary licenses or added insurance, and perform any extra due diligence before work begins with a customer or vendor. In conjunction with compliance, in-house counsel may conduct additional training for the business team. Catching possible issues in advance allows in-house counsel to work with other back-office functions to quickly implement steps addressing areas of concern.
Firms face a number of potential pitfalls. There are reputational risks related to the potential client in question or the proposed transaction itself. The recent focus on perceived or inherent conflicts of interest will continue. Finding out basic information regarding the individual or company, any beneficial owners, and details about the transaction is good practice. It creates an opportunity to do further due diligence if the initial search yields any red flags. If the firm focuses on services and not goods, in-house counsel need to be aware of export controls and economic and trade sanctions. While it’s doubtful that any firms would condone outright bribery of foreign officials, in-house counsel should be concerned regarding FCPA violations by employees who may not know the rules of gift giving, particularly to entities owned by a government.
Conflicts of interest
Regulators have long focused on firms’ identification and handling of conflicts of interest when assessing the effectiveness of broader risk management and compliance programs. Former Securities and Exchange Commission (SEC) official Carlo V. di Florio said in a 2012 speech, “conflicts of interest, when not eliminated or properly mitigated, are a leading indicator of significant regulatory issues for individual firms, and sometimes even systemic risk for the entire financial system.” One can see from recent enforcement actions that, despite regulators’ increased focus on conflicts, they remain a problem. In October 2016, the SEC charged the founder of an asset manager with failing to disclose a conflict of interest when making an investment recommendation and making other misleading statements to his advisory clients. Similarly, another asset manager recently settled with the SEC, which found that three principals failed to disclose a financial interest in one of the firm’s service providers. Additionally, the financial services industry has had to make significant changes in anticipation of new rules that expand activities and account types covered by fiduciary standards, as well as requirements for documentation of disclosures.* These concerns do not apply to just the financial services industry as the issue of conflicts of interest is now front and center in the world of politics. Firms are expected to identify and manage conflicts on a consistent basis.
*These changes effect broker-dealers, wealth managers, insurers, and other key segments of financial services.
Avoiding conflicts of interest altogether is preferred, but not always practical or achievable. Risk management should be the goal. The SEC’s National Exam Program considers conflicts of interest a “key focus of its risk-based strategy.” Conflicts of interest have been one of the motivations for several financial regulations. More recently, the SEC and the Financial Industry Regulatory Authority (FINRA) have identified risk management as a recurring annual focus. The client intake process must be brought to the forefront to become part of an enterprise-wide risk culture by including a comprehensive conflict check process that can help compliance and legal departments identify potential conflicts and institute processes to mitigate them.
While in-house counsel should spearhead this effort, it will take a partnership with the business lines to help identify and mitigate potential issues. This approach fits into the three-lines-of-defense model, which is viewed as a best practice for risk management and compliance. Under this model, the first line of defense (in this case, the business line) owns and manages the operational risks. The first line has the closest relationship with the client and the most knowledge of the background and purpose of the transaction. The second line of defense consists of the risk management, legal, and compliance functions; finance may also get involved. Finally, auditors act as the third line of defense. The responsibilities are divided, but they are intended to work together to provide collective oversight. The first-line business teams are key, however, in collecting information regarding the identity of the client and scope of the transaction. A robust intake process will bolster this key function and assist in monitoring the effectiveness of the practice.
Reputational risks
The Panama Papers leak of millions of confidential documents identified the offshore bank accounts and shell companies of some of the world’s most powerful people, including the families and close associates of several heads of state. While there are legitimate reasons for establishing foreign shell companies and keeping money in offshore accounts, the secrecy surrounding these arrangements led to concerns relating to corruption, fraud, tax evasion, theft, and money laundering. Because of the huge public backlash, several of the people who were named in the leaks were forced to resign from their positions, and companies lost potential business contracts as others distanced themselves. The law firm at the center of the leak paid a fine and had nine of its offices closed and several members of its staff arrested. The law firm appears to have intentionally ignored international due diligence standards and attracted clients who wanted to skirt the rules. Nevertheless, if the firm had followed documented and comprehensive client intake procedures, it could have minimized some of its liability.
Corporations can use client intake to protect against reputational risks and avoid the sometimes insurmountable task of image rehabilitation later. In-house counsel can guide the process by identifying the opportunity source; any government involvement, which could point to heightened FCPA risks; and where additional targeted operational instructions, training, or controls may be required. Ignorance is not a defense. Identifying these possible conflicts or issues early gives in-house counsel the best chance to take steps to abate risks to their firm, which is preferable to corrective action after the fact.
Know-your-customer
Although know-your-customer compliance is a concept pioneered by financial firms as part of anti-money laundering (AML) compliance procedures, it need not be limited to a particular industry. Its core objective is to understand a company’s customers better and identify potentially suspicious behavior. At a minimum, reasonable diligence is expected from all companies. Companies that handle transactions for clients, or otherwise hold client money, should protect their reputations by implementing client due diligence measures starting with gathering basic customer information. Even if your firm is not subject to AML reporting requirements, in-house counsel should be aware of basic AML principles, as there are huge reputational risks if your firm’s services are misused to launder illicit funds.
While we understand that banks, investment firms, car dealers, and money transmitters, among others, have anti-money laundering and KYC requirements that are specific to their line of business, we believe the concept can be applied more broadly to provide insights for other industries.
Money laundering is a complex and diverse practice of processing criminal funds through a series of transactions to make funds appear to be from legal activities. Money laundering does not need to involve currency at every stage but generally involves transactions intended to hide the actual source or ultimate disposition of the funds, or to obscure the audit trail. The penalties related to money laundering can be significant. Fines have been levied against not only financial institutions but also individuals, casinos, accountants, lawyers, insurance and real estate agents, and merchants.
A person convicted of money laundering can face up to 20 years in prison and a fine of up to US$500,000. 18 USC 1956. The federal banking agencies and FinCEN can also bring civil money penalties.
Gathering information about your customer allows you to review essential facts not only about the customer or vendor and their affiliates or owners, but also about the underlying transaction. As part of customer due diligence, this process can help avoid illicit transactions by improving companies’ understanding of their clients and business relationships. Furthermore, knowing basic background information regarding your customer will help in-house counsel identify red flags regarding the company’s actions and relationships, as well as those of its vendors and clients.
Red flags
Certain red flags alert in-house counsel that extra due diligence is required. Examples include the involvement of a politically-exposed person, unverifiable basic information about client identity, unusual behavior such as ordering products incompatible with the relevant business, shipping products in a circuitous or economically illogical route, reluctance to provide end-use/user information, and the payment of cash for high-value items. Other red flags include requests for an unnecessary middleman, customers with affiliates in embargoed countries, and projects or customers relating to the military or an intelligence agency.
A politically exposed person is someone who has been entrusted with a prominent public function. PEPs generally present a higher risk for potential involvement in bribery and corruption by virtue of their position and influence.
In-house counsel can respond to these red flags by performing further due diligence and asking targeted questions. While firms must draw a line on how much information they obtain to make a reasonable assessment of a party, there are some specific questions that may be helpful to consider: Is the customer’s ownership structure complex? Is its headquarters or subsidiaries in a region subject to sanctions? Is the customer in a particularly regulated industry? In-house counsel should feel comfortable enough to assess the opportunity based on the information obtained. After further due diligence is performed, the information found in an investigation may warrant implementing certain risk-mitigation techniques, such as adding targeted training and putting specific additional controls in place around gifts, travel and entertainment expenses, and payments to third parties. A company can use a documented process as evidence that it practices regular reviews, if the company’s risk management procedures are called into question. Performing due diligence helps identify and take additional steps to prevent potential issues before it is too late.
Export controls and sanctions
Export controls and economic and trade sanctions are applicable to services, not just goods. The United States has detailed export-control laws that cover a range of activities, including the export of products, services, or information. Restrictions can take many forms, such as strict export controls, complete or impartial import/export embargoes, specific license requirements, prohibition on the provision of services, blocking of funds in a financial system, and immigration/visa bans. In particular, special controls are essential when dealing with defense, military, space, or government intelligence activities, as well as services provided to a government entity (either directly or indirectly) that are intended for surveillance purposes. Firms can run afoul of these laws if they do not have adequate upfront information regarding the transaction’s counterparty or do not follow up on due diligence based on the information they have. The penalties for violating export controls can be severe and include both criminal and civil penalties.
It is important to check whether there are specific export prohibitions or sanctions related to the client or one of its affiliates. The Treasury Department’s Office of Foreign Assets Control administers US sanctions against specific countries, regimes, companies, and people. US laws can apply even for entirely international transactions, as a US person cannot circumvent the laws by having a non-US person act on their behalf, regardless of where the transaction takes place. The list of sanctioned countries is not static and can change based on the political climate. Violations include indirect activities, such as supporting a customer’s business activities in a sanctioned country or region or transacting with an entity of a sanctioned country or region. The conflict checking process has to be dynamic enough to account for any new relevant information that may be material to the analysis. The laws relating to export controls and economic sanctions are complicated and include many exceptions. Even if a transaction is technically legal, in-house counsel should consider the potential reputational risks relating to the transaction and remain alert to other compliance risks.
FCPA
FCPA compliance is another area where in-house counsel should be concerned. Known primarily for two of its main provisions — one that addresses accounting transparency requirements and another concerning bribery of foreign officials — the FCPA has garnered recent press over the increase in the number of violations by companies. These violations could be minimized by a robust intake process. The anti-bribery provisions of the FCPA make it unlawful for a US person to make a payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. It is important for in-house counsel to be aware that US enforcement agencies continue to interpret the FCPA’s applicability broadly and that the financial and reputational risks are high. US regulators may view what is considered standard operating procedure in one country entirely differently under US laws. The amounts paid to resolve FCPA violations have increased significantly over the years. Both the number of enforcement actions and the overall amounts paid to resolve them set records in 2016. FCPA enforcement efforts do not appear to have shifted dramatically under the Trump administration. Recent enforcement actions suggest instead that the SEC and DOJ will continue to pursue both corporate and individual cases. So long as the trend continues, the need remains to minimize risk exposure by having adequate information on client relationships upfront.
The FCPA defines a foreign official as “any officer or employee of a foreign government or department, agency, or instrumentality thereof, or of a public international organization, or any person acting in an official capacity for or on behalf of any such government or department, agency, or instrumentality, or for or on behalf of any such public organization.” 12 Section 30A(f )(1)(A) of the Exchange Act, 15 U.S.C. § 78dd-1(f )(1) (A); 15 U.S.C. §§ 78dd-2(h)(2)(A), 78dd-3(f )(2)(A).
Conclusion
All parties can help identify areas of concern to avoid the pitfalls discussed above. The conflict check is a way to incorporate a control point into a standard process for the firm. An expanded check can cover typical conflicts of interest in addition to other potential risks to the firm, such as export controls, economic sanctions, money laundering, corruption, fraud, regulatory requirements, or other firm-specific restrictions. Risk-mitigation techniques include instituting procedures to identify high-risk customer relationships and red flags and updating incomplete or outdated records. Failure to identify and mitigate conflicts of interest puts the firm’s reputation at risk and can expose the firm to legal and financial risks. Firms face civil or criminal liability — in addition to the risk of reputational damage, which could severely affect profitability. By undertaking a robust intake process prior to signing a contract with a client or vendor, in-house counsel help protect the bottom line by minimizing a larger range of risks to their firm.
Further Reading
Carlo V. di Florio, “Conflicts of Interest and Risk Governance.”
The Securities Act of 1933 and the Securities Exchange Act of 1934, the Glass-Steagall Banking Act of 1933 and the Investment Company Act of 1940, and the Investment Advisers Act of 1940.
The International Traffic in Arms Regulations (ITAR), 22 C.F.R. §§ 120-130.
The Foreign Corrupt Practices Act of 1977 (FCPA) (15 U.S.C. § 78dd-1, et seq.).