STUDY: FUNDAMENTALS OF PRACTICAL DUE DILIGENCE

4th March 2018, Bachir El Nakib (CAMS) Senior Consultant Compliance Alert LLC 

'It is a wise father that knows his own child' - William Shakespeare, The Merchant of Venice, Act 2, Scene 2. Shakespeare's sentiment on parenthood is applicable to due diligence because it is also true to say: 'it is a wise banker who knows his own customer'.

Due diligence is fundamental to the survival of any corporate risk-based business operation whether it operates in one or many jurisdictions. In fact, due diligence is essential for financial institutions that want to prevent or minimize losses from fraud and protect themselves from misuse by those with criminal intent.

Due diligence is an essential weapon in the arsenal of the banker to prevent or minimize losses from fraud and to help the bank protect itself from misuse by those with criminal intent. It is also a valuable tool to help prevent mistakes occurring through naiveté or bad judgment.

Experience has shown that some bankers believe that having a due diligence program in place is enough to remove the risk of commercial decision making from them; this is not the case. Due diligence is an advisory process and supplies information to assist in decision-making but it is not fail-safe. In essence, due diligence is a form of insurance fundamental to the survival of any corporate risk-based business operation whether it operates in one or many jurisdictions. A due diligence programme is only effective if used properly.

What is Due Diligence and Why is it Needed?

Due diligence is the 'insurance' program that, when properly administered, will introduce policy on automatic procedures that every bank employee should follow, whether a cash handler or not, whether a private banker or a trust officer, when new business relationships are entered into. This should prevent, among other problems, the establishment of accounts in fictitious names. The due diligence system will identify from the outset the requirements of the account thus establishing an account profile.

Due diligence should not apply to new customers only. Existing relationships in some jurisdictions are automatically 'grandfathered' in. Although this may be an acceptable norm, it is not satisfactory. Regular compliance examinations of existing accounts should take place where possible to ensure that the bank does not have a problem waiting to manifest itself.

Due diligence is required to set out common standards that establish an ethical culture and establish roots of sound corporate governance. The maxim of 'know your customer' is imperative and when bank staff ignore this principle, they do so at their peril.

What Legal Frameworks are Required?

Each jurisdiction has individual laws, rules and regulations concerning the requirements of bank secrecy and the reporting of suspected criminal transactions within that sovereign area. Although similarities may occur between some countries, historically many countries have strong bank and financial secrecy legislation with severe penalties for any person or organization breaching those rules.

As a guide to the legal frameworks in various jurisdictions, attention should be paid to the activities of The Financial Action Task Force (FATF). In 1989, the G-7 group of countries held an Economic Summit in Paris to examine the measures to combat money laundering. At this meeting, the FATF was formed and membership now comprises 28 jurisdictions and regional organizations representing the world's major financial centres.

In April 1990, the FATF issued a program of 40 recommendations, which were adopted in total or in part by the members. From this, legislation has been implemented in all the members' countries relating to money laundering and bank/information reporting requirements. The due diligence program instituted by banks and financial institutions will obviously be formulated in compliance with the legislation in that jurisdiction.

The Scope of Due Diligence

Appropriate development of a due diligence system or process fulfilling identified criteria will soon pay dividends. First of all, guidelines are created which may not be all-encompassing parameters but suggestions to assist the bank or corporate officer. Each set of circumstances will be different; common sense and experience will assist this process, together with supervisory support in areas of doubt. As new and different areas of concern are identified, so the program can be updated and improved. Although due diligence is not an exact science, it is essential.

Should due diligence start with the customer? To be a proper and effective tool, due diligence should start at the door of the personnel or human resources department of the bank or company. How many people are hired without references being requested? How many references are just accepted without verification? Many security, compliance and regulatory personnel would be horrified at the true figure. The excuses of 'we are understaffed' or 'the position is not one of responsibility' or 'the position does not include cash handling, risk areas or access to sensitive material' are not acceptable.

Rather like the small customer who is paid little attention over the years and is then suddenly found to be involved in fraudulent activities, the 'trusted and irreplaceable' employee could turn out to be the enemy within. Checking references after problems occur is a pointless and possibly embarrassing pastime. As the small customer may grow, so the employee in the non-cash handling, non-sensitive area may apply for a transfer, promotion or both.

One only has to read recent headlines to see how employees, including CEOs and CFOs, have caused damage to company reputations and wrought havoc with share prices. How does this happen and, more importantly, how can it be prevented? The reality is that human nature being what it is, not every person is as honest as one would like. Although total prevention is impossible, minimizing the risk through stringent reference checks, for example, is a very practical solution.

What keeps you awake at night? A question often asked of senior bank and corporate executives. In your personal life, it could be your next mortgage payment or the problem of deciding where to take your next holiday. Professionally, it is the ultimate nightmare: waking up to find your company's name splashed across the newspaper headlines for all the wrong reasons - not because of the new and improved quarterly results but because an employee within your company has been acting fraudulently. It doesn't matter whether they were doing something illegal outside the workplace or in the workplace, the net result is much the same: bad publicity and potential damage to the company's reputation.

KYE - The Next Step from KYC

Although the first bank was founded by the Medici family in Italy over 600 years ago, know your customer (KYC) requirements were only introduced about 25 years ago to prevent and deter the use of international banking operations by narcotics traffickers. Recent events have also increased the pressure on KYC, such as anti-money laundering actions and fears about terrorist financing.

To return to the senior bank or corporate executive's nightmare, to avoid the threat of fraudulent action, effective KYC measures must be accompanied by an effective know your employee (KYE) policy as well. Few companies escape the reach of employee fraud. For example, typical losses due to employee fraud in the US average 6 per cent of annual revenues, that is $6.6bn a year. It is essential that financial institutions not only know their employees but also their agents, their vendors and their outsourcing companies. Prevention and detection should be the primary fraud and financial crime related goal of every business.

Prevention and Detection

Where should KYE begin? I suggest the perfect starting point should be just that - at the beginning. To be effective, due diligence must start with human resources or personnel at the recruitment stage.

Check references

An important part of the verification process is references. What procedures are in place within your company for checking references? For example, who obtains them? Is there a check on the referee, i.e. address and other pertinent details? Are comparisons carried out with other references? Are you allowed to audit or check for yourself? Failure to check references properly can later cause severe embarrassment and reputational damage.

The following list provides some suggestions for checking references:

  • Do a criminal conviction search in jurisdictions where it is possible.
  • Credit checks - you do it before you offer a loan, why not before you hire?
  • Electoral register - does the prospective employee really live where they say?
  • Conduct a private investigation if it is thought necessary.
  • Do your own Internet check before you hire. In fact, a new term has entered the hiring lexicon: 'google them'. You may be amazed what you find that other enquiries, such as a criminal background check, do not.
  • Remember to check what is not there as well. The gap in the resume or CV that is glibly explained away and summarily dismissed as of no consequence is often not pursued as it may be considered bad manners or is just accepted as true by the interviewer. However, it may hide a criminal conviction or an episode in the candidate's life that, if explored, would totally exclude them from the company.
  • Do you do your own checks or do you rely on a vendor, agency or outsourcing organisation? If you do then you must ask yourself these questions: what standards do they apply? Are they maintained? What levels of verification do they achieve? Are their standards comparable to yours? What checks do they have in place? How often are spot checks carried out and by whom?

Know Your Employee

There can be potential problems once employment has commenced despite stringent reference checks. For example, it may be determined that a pattern of conduct is developing that may give cause for concern, i.e. customers defaulting early on major loans - this may mean you need to pursue customers but circumstances might suggest that you also look at the loans officer. It is also advisable to pay attention to bank or company officers who are closer to clients than is deemed reasonable or acceptable, or clients frequenting private bank or company functions.

Processes, not police

While KYE should not entail the institution acting as a ‘police officer’ that constantly watches over employees, it is likely to involve increased and more consistent monitoring of certain activities. Many institutions have already taken steps in this regard.

In a recent webinar on KYC and KYE in Asia Pacific staged by Wolters Kluwer and the Risk Management Institution of Australasia (RMIA), 50% of 130 respondents to a live poll said they had a manual process in place that assessed employee activities related to personal trading, personal account dealing, compliance certification and potential conflicts of interest on a regular basis. Another 34% reported having an online system that performed such assessments; only 16% said their institution seldom conducted evaluations of these activities. More companies are likely to opt for automated solutions in the future as a means to formalize the monitoring process, and reduce room for inconsistencies or errors.

Do occasional random checks where necessary to see if an employee has recently moved 'up market' for no apparent reason, or acquired a fancy car, or started private education for children in expensive schools. The bottom line is: do they seem to be living beyond their known means and income? If they are, you might be the unwitting benefactor.

It is also important to be cautious of contacts introduced to your company from internal sources. In particular, beware of:

  • New business introductions from an unusual internal bank source.
  • New business introductions from new clients offering potential large deposits from other jurisdictions.
  • Promises of large future business through third parties from small business clients.

Employee-associated fraud can potentially devastate a business and destroy reputations. Don't take a chance with decisions based on assumptions - always check your facts so that you really do know your employee.

Who is Most Likely to Commit Fraud at Your Company?

Key findings about fraud perpetrators from the 84-page Report include: 

  • High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.
  • Fraud offenders were likely to be found in one of six departments. More than 80 percent of the frauds in the study were committed by individuals in accounting, operations, sales, executive/upper management, customer service or purchasing.
  • More than half of all cases in the study were committed by individuals between the ages of 31 and 45. Generally speaking, median losses tended to rise with the age of the perpetrator.
  • Most of the fraudsters in the study had never been previously charged or convicted for a fraud-related offense. Only seven percent of the perpetrators had been previously convicted of a fraud offense. This finding is consistent with prior ACFE studies.
  • Fraud perpetrators often display warning signs that they are engaging in illicit activity. The most common behavioral red flags displayed by the perpetrators in our study were living beyond their means (43 percent of cases) and experiencing financial difficulties (36 percent of cases).

The information helps arm owners, managers, anti-fraud professionals, law enforcement and others with more insight into the risk factors of fraud.

In its 2016 study, the Association of Certified Fraud Examiners (ACFE) report to the nation cited several factors that correlate with an employee's likelihood of committing occupational fraud and may indicate the size of the loss:

Position in the organization - As a fraud perpetrator's level of authority increases, so does the amount of the associated loss.

Annual income - The size of the fraud generally increases with the perpetrator's annual income. Fewer than 5 per cent of the cases in the ACFE study involved a perpetrator earning more than $200,000 per year, but in those cases the median loss exceeded $1m.

Tenure with the organization - The report found a direct correlation between a perpetrator's term of employment and the size of the loss. The ACFE attributes this to the fact that employees gain higher level positions over time and, perhaps more importantly, greater trust from supervisors and co-workers. The more an organization relies on an employee, the more authority that employee exercises, in turn increasing the opportunity to commit fraud.

Gender - Perpetrators in the study were almost evenly split between males and females, although the median loss was greater in schemes carried out by men.

Age - The ACFE found a direct link between the age of the perpetrator and the size of the loss. Forty-nine per cent of perpetrators were over 40 years of age, and only 17 per cent were under 30.

Education - About half of the perpetrators failed to go beyond high school, 42 per cent earned bachelor's degrees and only 9 per cent boasted postgraduate degrees. But as the perpetrators' education levels increased, so did the size of the fraud loss.

Number of perpetrators - About two-thirds of the cases in the ACFE study were committed by a single perpetrator. When multiple perpetrators participated in a scheme, the median loss rose dramatically.

Criminal history - Most of the perpetrators were first-time offenders, suggesting that employee fraudsters typically aren't career criminals.

A bank survives on a good customer base, which exists because of the bank's integrity and reputation. The threat of loss or loss of that reputation by an investigation, the threat of an investigation or just plain bad press does untold harm. It may take years for a bank to recover, if it ever does.

Due diligence is required to create awareness among ALL bank staff. It identifies the warning signs or red flags that there may be a problem or potential problem with a new business application or an existing relationship.

Problem Prevention

Attacks on, and misuse of, financial institutions are increasing and becoming more complex every day. Of these attacks, some are readily identified by those who have experienced them before; others are identified when it is too late and the damage done.

Experience is a great teacher; this is especially true if one can learn from the experiences and mistakes of others. The established financial institutions have suffered fraud and financial crime from within the organization and outside it. Many valuable lessons have been learnt - or have they? Due diligence is predominately preventative, highlighting the distinction between proactive and reactive investigations and research.

The buzzwords here are training and awareness. Constant training updates and review programs held by experienced and qualified trainers with practical experience in the areas of fraud, money laundering prevention and compliance are required for all staff. Substantial, real-time, objective training with practical demonstrations, although time consuming, is invaluable. The involvement of management in the training creates an understanding of potential problem areas.

Remember the benefits of effective due diligence: the reduction of risk and liability. The process benefits and strengthens a commercial relationship therefore encouraging further business. Most importantly, effective due diligence enhances a bank's or company's reputation.

Every part of banking - from recruitment to areas where there is the presence of a bank customer, contractor or temporary employee to acquisitions of other commercial organizations and companies - requires due diligence. In fact, this process is most essential when dealing with business involving foreign countries. How often do people, when presented with information, have that sneaking suspicion that things are not how they should be?

Financial crime within the industry will never be stopped completely but the risk and damage caused can be minimised. Banks and other financial institutions must put in place effective measures and keep up-to-date with latest developments to stop themselves becoming victims of financial crime. The consequences of financial crime are severe and companies could face the risk of losing their most valuable asset: a good reputation. Ultimately, if its reputation is tarnished, it will always be remembered to the organisation's detriment.

The ethos of banking is a straightforward one. A bank is a repository of money either in cash form or other redeemable security, a lender of money and the supplier of a cornucopia of financial products and services. Primarily, the bank is a commercial operation relying on profit to survive, much the same way that lawyers and accountants do, with one exceptional difference. Banking is by definition a risk business.

Taking risks is perfectly acceptable as long as the risk factor is properly assessed. Most bank operations are risk associated, but identifying vulnerability in areas could identify possible conflict between the value of a particular product and how a potential customer might wish to use it.

Recent actions by regulators and the courts in various jurisdictions have reinforced the need and requirement for good corporate governance. The thorough screening of those in key positions takes the 'know your customer' ideal to the next level of 'know your employee'. Management responsibility and accountability should be clearly defined and it is now a legal requirement under regulations, such as the US Sarbanes-Oxley Act. This means that combining operational roles (e.g. the initiator of the transaction being made responsible for record keeping, accounting and settlements at the same time as being the keeper of the transacted assets) is no longer an option for organisations, despite the obvious cost-cutting benefits.

Banks, as do all other financial organisations, must have preventative measures in place and keep abreast of new developments. This is particularly true in the area of money laundering.

Changing Dynamics of Money Laundering

New laws and money laundering directives passed by various governments, e.g. the EU Money Laundering Directives, have affected money laundering techniques and methodology. For example, activities have shifted from criminals using banks as their first place of depositing money to non-bank institutions or establishing their own import/export companies. Criminals now also legitimise their illegally obtained income through acquisition of domestic and international real estate, investment in securities, personal property, works of art or loans. In each case though, the money will eventually pass through the banking system whether as a deposit, collateral for a loan or maybe the purchase of a derivative product.

Banks are cautioned regularly to make sure that they do know their customers. They must make every reasonable effort to determine the customer's true identity and have effective procedures in place for verifying the bona fides of all new customers, whether they are borrowers or depositors.

The Basel Committee on Banking Regulations and Supervisory Practices has repeatedly made this clear and advised banks internationally that public confidence in them and hence their stability, can be undermined by adverse publicity as the result of inadvertent association by banks with criminals. In addition, banks may lay themselves open to direct losses from fraud, either through negligence in screening undesirable customers or where the integrity of their own officers has been undermined through association with criminals.

This has transformed the 'know your customer' practices and procedures from a 'friendly chat' in the bank manager's office and the production of acceptable identity to a modern day intelligence art form. It has also been recognised that launderers are professionals themselves. Not only professional in their methods of operation, but often professional, almost vocational, by calling.

The new customer entering a bank with the view to commence an association may be interviewed personally. What happens when a new customer is introduced by a solicitor from a respected firm or an accountant from an equally respected company both of which have overseas representation? The bank should still conduct its own due diligence process but has the introducing professional carried out his?

Let us hypothesise that the potential customer is a company based offshore. The bank has the responsibility to try to identify the beneficial owner. The introducer may not know because, for example, they are dealing through a 'trusted' agent operating under a power of attorney. How much information about the customer is the bank able to obtain from either? Possibly very little but ultimately it is the bank who will be held responsible. The marriage of what is reasonable with what is responsible could be determined an unholy alliance when it comes to due diligence. Even if a financial institution takes all reasonable steps to determine the veracity of a potential customer, it may still be held responsible if that customer is subsequently determined to be engaged in criminal or other illegal activities.

How can organisations ensure this does not happen to them? Most importantly, they must enforce a strict 'know your customer' policy as well as preventative measures against other forms of financial crime, such as identity theft and credit or debit card fraud.

What is 'Know Your Customer'?

In general terms it is:

  • Making every reasonable effort to determine the true identity and beneficial ownership of accounts.
  • Knowing the source of funds.
  • Knowing the nature of your customer's business.
  • Knowing what constitutes reasonable account activity.
  • Knowing who your customer's customers are.

How can this be done? General guidelines include:

  • The examination of financial statements.
  • The examination of the relevant credit history.
  • Obtaining bank and other references directly from the referee.

Reputation is Everything

The integrity of a bank and any other financial institution can be severely damaged by a failure to identify a problem area that enables the financial crime. This could lead to penalties for organisations, which in turn generates bad publicity with the ensuing loss of public confidence nationally and internationally.

Financial crime will never be stopped completely but the risk can be minimised. Organisations and their employees must be aware of this and take this issue seriously. Remember, the most valuable asset an organisation or individual can possess is a good reputation. If that reputation is dented or damaged, let alone destroyed, there is virtually no recovery and it will always be remembered to the organisation's detriment.

What is the Basis for Suspicion?

The perennial question: what is the definition of suspicion? Fortunately, over the centuries, no legislature or government has satisfactorily defined the word. For that we must be grateful because it leaves a broad scope, similar to that of a due diligence programme.

Suspicion arises when something appears out of the ordinary, wrong or out of place in the circumstances in which it is found. A common fault among people is not trusting their own judgment. There is a general misconception that because a person is suspicious of an action, person or circumstance, they have to be able to prove that fact before they voice that suspicion. Each individual does have a personal level of understanding and knowledge within their field of enterprise or responsibility and that should be trusted and, if needed, acted upon.

If activity occurs that does not pass an individual's own 'makes sense' test, then that alone is a good enough basis to consider the matter suspicious and report the circumstances to those responsible for the due diligence program within the organization.

What else can be grounds for suspicion? Due diligence will, with proper use, identify the negative. That means identifying the deliberate lie or the lie by omission: the discovery of areas not disclosed or covered over, and facts relevant to the business or application that have not been satisfactorily answered. These scenarios are happily dismissed or justified by some bank officers who are hungry for new business or happy with continuing business, even though they may have nagging doubts about the veracity of a client or customer's business. Indeed, under no circumstances should a due diligence report be edited for content, i.e. by conveniently excluding certain negative material.

Due diligence is not just a search for the negative or what is 'suspicious'. It should also reveal positive factors that an astute banker can use to nurture business relationships.

Conclusion

Due diligence is an essential component in good business practice. To have a due diligence policy in place and not use it properly and consistently is a serious error that could be detrimental to the entire organization.

In the words of George Washington, 'timely disbursements to prepare for danger frequently prevent much greater disbursements to repel them', which translates to 'prevention is better than the cure (and much cheaper!)'.

Due diligence is fundamental to the survival of any corporate risk-based business operation whether it operates in one or many jurisdictions. What documentation and checks should companies have in place to make sure they perform effective due diligence?

Part one of this article discussed the scope of due diligence and why it is such an important area for financial institutions. This article will take a look at the documentation required to ensure an effective due diligence policy is in place.

Documentation Required for Due Diligence

The following is a checklist on what documentation should be obtained in order to fulfill due diligence requirements.

  • Full identification of the proposed customer should be accompanied by established documents of identification, certified copies of which should be obtained. This documentation will include passport, proof of residence, and proof of nationality of birth and/or proof of nationality by adoption, details of occupation including position held, name and address of company and photographic identification.
  • In company applications, originals of the memorandum and articles of incorporation should be inspected and certified copies obtained.
  • Full and complete details of directors and the company secretary should be obtained, including personal contact details.
  • Full identification of nominees and statement of requirement is also needed.
  • Proper indication of funds source, proposed frequency of transactions and approximate transfer amounts are all required. This is an expected customer requirement of bank services.
  • In partnerships, all details of partners should be obtained together with notarized authorities from those partners.
  • Applications should not be accompanied by a personal cheque. It is not uncommon for immediate credit to be given by some banks or companies for a personal cheque. The problems start when the relationship has commenced and the first knowledge of anything amiss is when the item is returned.
  • Introduction by a known customer who has conducted satisfactory business for a period of at least 12 months must be accompanied by a separate signed form by that referee. Identification of the new customer is still required and should be certified by the referee.
  • Bank references should be requested (this is not acceptable by fax or from the customer). All bank references should be verified directly with the issuing bank.
  • References from law and accountancy firms should be accepted but not in the form of a financial or bank reference.
  • Occasional checks should be made on the status of the professional referee to ensure that they are not subject to investigation or other proceedings. It is important to ensure that the member or partner in the referee organization is not acting independently or with the applicant or applicant company.
  • Address information should include the physical address as well as the mailing address together with a telephone contact for that country and an offshore telephone contact point if the account holder is based outside that country. This applies to individuals, companies or other corporate entities.

There are some exceptions from the checklist of documentation required above for due diligence. For example, companies trading on a recognised and properly regulated stock exchange may be exempted from some of these requirements. Although these guidelines are not exhaustive, they do assist in the prevention of future problems where answers to direct questions about customers do not contain the statements 'we believe', 'we assume' or 'we think', but 'we know'.

Banking Offshore Customers

In banking, and certainly where the subject of due diligence is involved, there are those people who unfortunately suffer from that human flaw - ego.

When dealing with matters offshore or in another jurisdiction it must be remembered that different rules apply. Practices used as standard business behavior in one country may not be legal in another. There is great danger when ill-informed or inexperienced people start to meddle with situations outside their experience and field of expertise when dealing with international matters.

I am sure we have all met those who, for whatever reason, have an inflated opinion of themselves, their ability and judgment. To them I recommend the advice from the late Lord Denning (former Master of the Rolls) of the High Court of England:
"There is a risk in dealing with a corporation registered in a country where the company law is so loose that nothing is known about it, where it does no work and has no officers and no assets. Nothing can be found out about the membership, its controls, its assets or the charges against them. Judgments cannot be enforced against it. There is no reciprocal enforcement of judgments. The corporation is nothing more than a name grasped from the air and as elusive. In such cases the very fact of incorporation there gives some ground for believing that there is a risk if it is only that should judgment need to be obtained or some award granted, it would go unsatisfied."

What Organizational Methods and Control should be Used?

The very nature of a due diligence operation requires a confidentiality that may only be found 'in house'. The formation of a due diligence research/investigative operation requires specialist expertise at the core of it. Many banks do not have this facility although they do have investigators. The additional skills required by a due diligence analyst or researcher include a sensitivity to the circumstances of the inquiry.

It is of primary importance that companies recognize that all information obtained by this research process is liable to discovery in judicial proceedings. Data legislation and regulations differ from one jurisdiction to another. Do not assume that because a company has multi-jurisdictional operations, that information obtained in one country can be absorbed as company property and distributed throughout the organization. Great care must be taken to safeguard the information and to ensure that the confidentiality is properly respected and that improper disclosure of that research is regarded as a breach of the company's code of ethics or conduct. Responsibility for the storage and retrieval of the information should be decided as part of the company policy.

Conclusion

The process of due diligence is an art form and not an exact science. To be effective it must be well planned and executed to provide sound corporate governance and form the foundation of a strong ethical culture. No organization should lose sight of the fact that valuable information from effective due diligence will save a company money and can make a company money but, if misused, will cost a company an irreplaceable commodity - its reputation.