by Jodi L. Avergun, James A. Treanor, Christian N. Larson, William N. Simpson, and Tammy Tran

In the context of COVID-19, there are significant challenges involved in conducting due diligence: hard-copy documents are inaccessible, in-person meetings have moved online, and on-site visits may be impossible.  Companies nonetheless can and should continue to comply with the law by adjusting policies and procedures, mitigating new risks that arise through the use of alternative diligence methods, and by staying abreast of changing regulatory expectations.

For compliance professionals, applying “enhanced” reviews to higher-risk scenarios necessarily requires direct human involvement: an experienced hand to assess the universe of available information and make sometimes difficult judgment calls. Certain aspects of this work can, with varying degrees of difficulty, be completed from the (in)convenience of the myriad home offices that have sprouted in response to the COVID-19 pandemic—assuming that the compliance professional is in possession of all required information. However, compliance teams face a major challenge in gathering the detailed information upon which compliance decisions are based. Physical documents are not accessible, travel is impossible, and in many cases, key information must be obtained from third parties who are themselves struggling to navigate the pandemic. Below, we propose strategies that corporations and financial institutions can adopt to remain in compliance with the law during the pandemic.

The Way It Was

In the context of international business and finance, bodies of law that are top of mind for most compliance teams include the Foreign Corrupt Practices Act (“FCPA”), economic sanctions administered by the Office of Foreign Assets Control (“OFAC”), and anti-money laundering (“AML”) rules administered by the U.S. Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and other financial regulators.

While specific due diligence efforts are not legally mandated by the FCPA or OFAC, they nevertheless form a key part of a company’s system of internal controls. Companies routinely collect identifying and ownership information on business partners and other counterparties to understand any connections to government officials, sanctioned persons, and other potential risk factors. And companies often undertake more detailed reviews for higher-risk jurisdictions or activities including customs clearance, lobbying, and other interactions with government officials. These efforts may include background or reference checks that rely on local or regional networks for key business intelligence.

Indeed, risk assessments, monitoring of third parties, in-country audits, and a host of other internal controls are identified as best practices for assuring FCPA compliance in the U.S. Department of Justice’s (“DOJ’s”) Evaluation of Corporate Compliance Programs (PDF: 267 KB). Similarly, OFAC emphasized the importance of due diligence and understanding third party relationships in its May 2019 Framework for Compliance Commitments (PDF: 138 KB).

U.S. AML rules under the Bank Secrecy Act (“BSA”) require financial institutions to implement risk-based policies and procedures for identifying new customers and monitoring the transactions and other conduct of existing customers. Many financial institutions’ know-your-customer (“KYC”) policies and procedures, adopted pre-COVID-19, require enhanced due diligence for higher-risk customers. In addition, enhanced due diligence is mandated by regulation for foreign banks holding correspondent accounts with U.S. banks and for senior foreign political figures, or politically exposed persons (“PEPs”),[1] using private banking services at U.S. banks.

To conduct enhanced AML KYC due diligence, financial institutions typically collect additional information to confirm the identity, beneficial owner(s), source of wealth, source of funds, and reputation of a new, higher-risk customer. Financial institutions also conduct more extensive and more frequent monitoring of the customer relationship. Reviewing hard-copy documents, meeting in person, and traveling to customer locations overseas is (or was) not unusual, and regulations and regulatory guidance have cemented these “physical” practices as best practice.

The Challenges of Performing Due Diligence from Your Dining Room Table

As many compliance professionals can now attest, the sudden switch from a physical to virtual work environment is jarring. The specific challenges to conducting due diligence in a mostly virtual environment generally relate to trust, credibility, and the ability to verify information:

• Inability to obtain original documents. Many companies are currently unable to ensure that their employees personally view key original documents.
• Inability to conduct on-site visits. With borders closed and planes grounded, companies are unable to put head offices’ boots on the ground in far-flung locales. This challenge may prove particularly acute for companies in the midst or on the cusp of a merger or acquisition. The DOJ’s FCPA Enforcement Policy states that a company can earn the presumption of a declination from prosecution through timely due diligence of an acquisition target (among other requirements, including voluntary self-disclosure of identified misconduct). Historically, companies have sought to adhere to the aggressive 180-day due diligence review and self-reporting period prescribed in the DOJ’s Opinion Procedure Release 08-02 (PDF: 27 KB), often entailing a flurry of detailed site visits around the world.
• Inability to meet in person. In-person meetings of any type, including interviews and background or reference checks, currently are not an option.
• Risk of abuse by third parties. In addition to managing their usual workloads, compliance professionals must guard against efforts by unscrupulous customers or third parties to take advantage of the pandemic. In particular, some might dishonestly claim an inability to access identification papers, corporate documents, signed contracts, and other information in order to eschew costly or cumbersome due diligence requirements—possibly in furtherance of a scheme to engage in bribery, fraud, or other misconduct, or to hide the proceeds of their illegal activities.

Finding the New Normal

Regulators are not oblivious to the challenges posed by COVID-19, or the fact that diligence practices will change in response to the crisis. For example, the SEC’s Office of Compliance Inspections and Examinations announced that its normally on-site examinations will be conducted virtually.[2] At the same time, regulators are certainly not excusing companies from their compliance obligations. In fact, the SEC’s Division of Corporate Finance released guidance setting forth COVID-19-related disclosure expectations for public companies, and reemphasizing the prohibition on insider trading.[3]

In light of these expectations and risks, we offer the following suggestions for companies to adapt to the new normal of due diligence in the midst of the COVID-19 pandemic:

• Closely monitor updates. Companies should closely monitor regulatory pronouncements both to take advantage of available relief, and to step up efforts in areas that regulators prioritize for enforcement.
• Communicate with regulators. Companies should communicate with their regulators. If it is simply not possible to conduct legally required diligence under present circumstances, or if a company is unsure how a regulator might view a particular alternative procedure or other workaround, then a formal or informal inquiry may be warranted. For example, in July 2018, Deputy Assistant Attorney General Matthew Miner encouraged companies to make use of the Opinion Procedure Release process in connection with their FCPA compliance efforts.[4] If a company finds itself unable to meet the typical FCPA due diligence timeline for mergers and acquisitions due to the COVID-19 pandemic, requesting a DOJ opinion should be considered. Likewise, on March 16, 2020, FinCEN asked financial institutions that expect to miss filing or reporting deadlines due to the illness or unavailability of key staff to communicate those expectations to FinCEN as soon as possible.[5] When necessary, companies should take advantage of these invitations.
• Identify challenging procedures. Companies need to review their compliance policies and procedures to identify requirements that may prove challenging to satisfy under current circumstances. Increased reliance on digitized documents, e-signatures, and remote meetings is all but inevitable—but firms should ensure such measures are consistent with legal requirements.
• Revise policies and procedures. Companies should consider revising their policies and procedures to permit effective, alternative processes, at least in limited circumstances (e.g., a widespread health emergency). For example, methods of obtaining documents or conducting interviews may need to be broadened to include newer forms of technology. Of course, companies under a monitorship agreement should take care to comply with any terms of the monitorship that require notice or pre-approval for changes to compliance policies and procedures.
• Develop protocols for digital documents. If firms are unable to review original physical documents, they should develop a process to review secure and authentic digital versions. For example, banks have long accepted check deposits digitally scanned through the bank’s smartphone app. This technology is reliable in part because the bank’s control over the app, the camera, and increasingly, the device’s geolocation data provide the bank with sufficient assurances that the electronic image of the document has not been altered and that the user of the app is the customer. Companies could consider similar technology to remotely accept documents that previously needed to be viewed in person. Where the only copies of physical documents are located in an area subject to restrictions on movement, companies should consider whether anyone has safe access to the documents, whether suitable alternative documents or information are available, and whether an onboarding or transaction needs to be postponed. Similarly, contracts with third parties may need to be revised to allow identification, transactional, and other information to be provided electronically.
• Develop protocols for locally-staffed or digital site visits. While restrictions on international travel continue, companies planning site visits should consider whether local conditions may permit meetings to continue, either with local staff, or by partnering with a local, reputable provider of compliance or legal services. In some cases, video or telephonic meetings may be an adequate substitute.
• Replace in-person meetings with virtual meetings. Even local meetings may need to be conducted by phone or video call. Companies should bear in mind that one purpose of in-person meetings is to assess credibility; compliance personnel therefore will have to satisfy themselves that they can make credibility determinations in the context of virtual meetings.
• Prevent fraud and abuse. Some individuals or entities may attempt to manipulate new remote diligence protocols to enable fraud and abuse. Companies should be mindful of this risk and adopt appropriate mitigation measures. For example, where a higher-risk customer or third party is on-boarded with less than the full panoply of a company’s enhanced due diligence measures, companies should consider subjecting the relationship to transaction limits and/or more extensive monitoring. In addition, ensure that any ad hoc modifications to a company’s diligence of a higher risk customer or third party are fully documented and promptly reviewed once exigent circumstances abate.

Conclusion

Although there are significant challenges involved in conducting due diligence in the COVID-19 era, companies can and should continue to comply with their legal obligations. To do so, companies need to make nimble use of personnel, technology, and outside partners to fulfill their diligence requirements. Companies should also closely track shifts in regulatory relief and enforcement priorities. In addition, companies may need to adjust their policies and procedures to account for new information collection methods, or the involvement of new service providers in diligence processes. Finally, companies should document any new risks that arise due to the use of alternative diligence methods, engage in appropriate mitigation measures both now and after the crisis, and consider whether there is a need to communicate any specific diligence challenges to regulators.

Footnotes

[1]    A PEP is an individual with a high-profile political role who may be susceptible to bribery or corruption due to their position of influence.

[2]    Press Release, U.S. Sec. & Exch. Comm’n, OCIE Statement on Operations and Exams – Health, Safety, Investor Protection and Continued Operations Are Our Priorities (Mar. 23, 2020).

[3]    Coronavirus (COVID-19) – CF Disclosure Guidance: Topic No. 9, U.S. Sec. & Exchange Commission, Division of Corp. Fin. (Mar. 25, 2020).

[4]    Press Release, U.S. Dep’t of Justice, Deputy Assistant Attorney General Matthew S. Miner Remarks at the American Conference Institute 9th Global Forum on Anti-Corruption Compliance in High Risk Markets (July 25, 2018).

[5]    Press Release, Fin. Crimes Enf’t Network, The Financial Crimes Enforcement Network (FinCEN) Encourages Financial Institutions to Communicate Concerns Related to the Coronavirus Disease 2019 (COVID-19) and to Remain Alert to Related Illicit Financial Activity (Mar. 16, 2020).

Jodi L. Avergun is a partner, James A. Treanor is special counsel, Christian N. Larson and William N. Simpson are associates, and Tammy Tran is a law clerk, at Cadwalader, Wickersham & Taft LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.