The notion that financial institutions and other commercial actors should take reasonable precautions to avoid facilitating criminal activities—today commonly referred to as “due diligence”—has its origins in early twentieth-century efforts to combat money laundering in casinos by organized crime groups. Over time, that narrow duty has grown into an expensive set of regulatory requirements applicable to an increasingly broad set of economic sectors. Last year, financial firms alone were estimated to have spent over $180 billion in compliance costs relating to preventing financial crimes.
This transformation did not occur overnight. Key milestones include the Bank Secrecy Act (1970), the Foreign Corrupt Practices Act (1977), and the creation of the Financial Action Task Force (1989), which marked the first truly international effort to set anti-money laundering standards. These legal and regulatory innovations were accompanied by an enlargement of the substantive scope of due diligence review: covered institutions were expected to screen their current and prospective clients not only for signs of money laundering, but also for drug trafficking, sanctions busting, proliferation of nuclear weapons, corruption, and connection to politically important persons.
The passage of the USA PATRIOT Act following the 9/11 attacks gave rise to a large-scale compliance culture both in the US and in many other major financial centres. Throughout the 2000s, this culture spread from financial services to other sectors such as natural resources, hospitality, and even professional sports, spawning an army of compliance officers, lawyers, analysts, and investigators.
Over the past decade, the character of due diligence review has undergone another evolution. Today, compliance departments and third-party due diligence providers are increasingly being asked to look beyond regulatory obligations to a broader set of issues that, while unlikely to trigger legal liability, nonetheless have implications for their clients’ reputations and bottom lines. In particular, the risk of reputation damage—traditionally fueled by print media, but today just as likely to originate in social media and other online venues—has grown exponentially.
Even economic actors that historically have not been subject to AML or anti-corruption regulations have shown a strong interest in these non-traditional forms of due diligence. In particular, the private equity industry has emerged as a key driver of strategic planning around what might be termed “modern risks”—typically fast-emerging, dynamic issues that can go from esoteric concerns to global questions in just weeks or even days. Examples of such modern risks include:
- Cyber: including the risk that cyber weakness in a target organization could lead to data loss or breach for the investor company.
- Climate change: a growing number of investors are measuring the environmental, social, and corporate governance (“ESG”) impact—with climate change at the forefront—of organizations and directing their investment only to those that score highly.
- Modern slavery: the use of force, coercion, abuse of vulnerability, deception, or other means to exploit the labor force. The US has recently been addressing allegations of forced labor in corporate supply chains. For example, US Customs and Border Protection has issued twelve withhold release orders under Section 307 of the Tariff Act in 2020 alone—a significant increase over earlier years.
- Pandemics: the extent to which an organization is liable to suffer damage—or even extinction—due to a pandemic, as well as a broad range of effects on a country’s economic, social, security, and political situations, its labor force, and healthcare provision. Previously low or medium risk investment destinations may now present a much higher level of risk.
- Data security: on top of compliance with legislation like the GDPR, increased home-working due to the Covid-19 pandemic means that staff are working with sensitive information in insecure locations.
- Diversity and inclusion: exposure to criticism or action due to policies or stances on diversity and inclusion issues.
- Management misconduct: issues such as sexual harassment, bullying, and toxic culture are in the public eye to an unprecedented level due to employees’ activity on social media.
- Political risk: an increasingly visible area given the recent rise of populism, nativism, and protectionism.
Planning for and mitigating such modern risks requires thinking beyond conventional due diligence. The box-ticking approach to due diligence found in most compliance departments, which involves a standardized and often superficial review that is tailored to well-defined regulatory requirements, is unlikely to accurately uncover a wide range of issues that should keep executives up at night. Modern risks call for modern due diligence—in other words, due diligence that is customized around obtaining the most relevant information to a particular risk rather than simply using the information that is easiest to obtain. Modern due diligence means looking beyond public lists and databases and engaging experienced investigators and analysts with deep geographic and sectoral knowledge. In some cases, it may require putting boots on the ground to collect documents and gather human intelligence that are beyond the reach of the average compliance officer or third-party due diligence provider.
Like Tolstoy’s unhappy families, every modern risk is unique, but there is no reason for firms to fly blind. With the right team, even the most complex and fluid risks can be tamed.