There have since been raids on the company’s offices by the Monaco police and the anti-bribery community fully expects to be hearing more about this story for years to come.
TRACE has been caught up in the story; we completed TRACEcertified due diligence reports on two of the fifteen or more Unaoil entities in this complicated group of companies.
The public may find these stories shocking, but the compliance community knows better. It’s a scary world out there. Companies are operating in challenging industries and in tough neighborhoods. Most are trying hard to get things right. Due diligence is part of a robust defense, but it’s far from a guarantee.
No compliance officer has the luxury of presiding over a community of “straight A” third parties. They generally have a fairly diverse collection of Bs and Cs, with an occasional, worrying, D. Each requires a judgment call. The closest calls require ongoing vigilance. Sometimes, those calls fall on the wrong side of a very sharp edge. But when an auditor misses something, no one suggests that the audit function has no value. When a prosecutor loses a case, few people cry out that we should end our pursuit of criminals.
Unaoil was cooperative and responsive throughout multiple due diligence reviews with at least four different due diligence companies. They provided information when asked. As part of their TRACEcertification due diligence review alone, they adopted a code of conduct and successfully completed online anti-bribery training.
They were screened against international watchlists on a daily basis. They were screened annually against multilingual international media. They provided TRACE with financial references and, over the years, business references from many different companies in different industries. Our due diligence reports contain an executive summary and the Unaoil summary included four red flags. They were far from an “A” candidate, but they weren’t a “D”, either.
The term “certification,” when discussing compliance credentials, can cause confusion. Certification, defined generally, is the process of publicly attesting or confirming that a standardized process has been completed or that specified requirements have been met. TRACEcertification seeks to do exactly that — to confirm that an entity has completed a rigorous due diligence process based on international standards. It does not mean that a company will never pose any compliance risk. An entity can never be certified “risk free”.
But compliance professionals don’t really need to be reminded of this. Due diligence is one aspect of a very difficult, judgment-laden process that they have to navigate every day. No company would argue that a due diligence report alone satisfies entirely their compliance responsibility. Good, well-run companies document the business justification for using a third party. They review the compensation for reasonableness. They require statements of work, describing what tasks the agent is undertaking in order to earn that compensation. They meet to discuss the details of specific deals. They often have at least a restricted audit clause that permits them to audit the agent’s books upon reasonable suspicion of misconduct.
Unaoil was adept at the screening process. If they paid bribes, they must have been good at that too. Their “big four” audit firm didn’t find any. An international law firm didn’t find any. Two expensive “boots on the ground” due diligence firms didn’t find any and a High Court judge in London didn’t find any, even when one party to the lawsuit was arguing that it was there. In that case, the judge concluded that evidence of corrupt payments was “at best tenuous.” Law enforcement, with all of the powerful tools available to it, didn’t find any. And, until a secret cache of emails was provided to the media, journalists didn’t find anything either. When asked what TRACE might have done differently in order to uncover the misconduct, one of The Age reporters said: “without access to the emails, there was no way to find this.”
Due diligence is a critically important and very challenging balancing act. Companies need to redouble their efforts to stay ahead of the wrong doers. They won’t always be able to do that, but this is a timely reminder to try. None of us is certifying the purity of heart of commercial intermediaries. Indeed, the enforcement agencies don’t require it. They require a robust, reasonable assessment of the risk, good judgment, and vigilance. With the benefit of hindsight and an extensive email record, we’re reviewing what clues might have tipped us off and what we can learn from this. As bribe payers grow more sophisticated, so too must compliance officers. We’ll share what we learn and we invite the compliance community to join in the effort.
Alexandra Wrage is president and founder of TRACE. She is the author of Bribery and Extortion: Undermining Business, Governments and Security, co-editor of How to Pay a Bribe: Thinking Like a Criminal to Thwart Bribery Schemes, and the host of the training DVD Toxic Transactions: Bribery, Extortion and the High Price of Bad Business, produced by NBC. She’s a former member of FIFA’s Independent Governance Committee and served on the 2015 B20 Taskforce on Anti-Corruption, which drafted recommendations to G20 leaders for consideration in their global economic policies. Prior to founding TRACE, she was international counsel at Northrop Grumman. She can be contacted here.