I find myself quibbling with compliance terms – hyper focus on small issues is not a positive trait. I often urge clients and colleagues to focus on issue of more significance and leave the smaller ones for another day. Hence, my recent criticism over “due diligence” policies and procedures for third party intermediaries. A more appropriate title is “risk management.

A due diligence inquiry of a potential third party is not a one time review – in fact, risk management requires continuous monitoring and assessment of third parties starting with the onboarding, operations, renewals, and other important times needed to review a third party’s operations. Viewed in this context, third party due diligence is actually a continuous risk management loop that repeats itself over time.

Aside from continuous risk management functions, I also find that acquisitions or joint venture proposals present another important transaction subject to due diligence review. Even assuming the acquired party satisfies due diligence review for an acquisition, there is continuous monitoring requirements, especially when operating an ongoing business that is being integrated into the overall corporate fabric of the acquiring company.

FCPA enforcement is replete with numerous instances where due diligence of a new third party or of a target company for acquisition failed to meet basic requirements. Often, it is hard to define exactly what diligence is actually required in a given situation but one thing is for sure – it is easy to define when proper diligence is not conduct.

Two enforcement actions underscore this fairly obvious point. In the case of VimpelCom, the due diligence failure was basic and evident. The board of directors was required to consider the acquisition of two telecommunications companies in Uzbekistan – one was s mall company for which there was little business justification to support acquiring the company; and the other was a shell company that ultimately included the daughter of the Uzbekistan President. The board asked the right questions – why is VimpelCom acquiring the small company for which there is little justification, and who is the ultimate beneficial owner of the shell company that owns the Uzbekistan telecommunications company.

Not surprisingly, the answers to both of these questions were never resolved or confirmed. VimpelCom went on to purchase these two companies that had clear ties to a scheme to enrich the President’s daughter and the rest is history. In this case, due diligence did not even come close to being satisfied.

The talismanic test for due diligence is the imperative to resolve any and all red flags indicating a potential corruption risk. Of course, not all red flags are equal but in the VimpelCom case the red flags were not only significant, they were enormous and had to be dealt with directly and with clear analysis and resolution.

A second example in FCPA enforcement history is the Hitachi case in which a Hitachi subsidiary in South Africa retained a third party entity to assist in securing local power plant projects. Hitachi paid $19 million in penalties for expending $10 million in bribes to secure $5.6 billion in power contracts in South Africa.

Hitachi sold a part of its South African subsidiary to a local subsidiary of Chancellor House Trust, a front for the African National Congress, the ruling party in South Africa. This ownership structure was used to funnel bribes.

During the government’s investigation, Hitachi claimed that it conducted due diligence of Chancellor but was unable to produce any record of its due diligence. As pointed out in the SEC’s enforcement action, there were numerous red flags that were never resolved or even seriously reviewed. In fact, there were a number of significant red flags involving relationships between Chancellor and the state-owned energy company in South Africa, as well as the significant fact that Chancellor had no experience or expertise in the power industry in South Africa.

Hitachi’s due diligence effort was flawed, not documented, and reflected a post hoc attempt to mount a defense to an enforcement action. It was the best they could do under the circumstances but the truth was more damning – Hitachi did not conduct any due diligence and entered into a relationship to promote bribery and ensure that it could funnel bribes to key government officials in the African National Congress and the state-owned power company.