Scott Shaffer: Due diligence isn’t nice to have, it’s a must have

After reviewing the FCPA Blog’s post, “When do issuers disclose their FCPA problems?” which focused on the seven resolved FCPA cases during the first half of 2018, I also examined each of the enforcement actions with a specific goal of determining the impact of due diligence in these cases.

Since I continually preach about the necessity of proper due diligence, I was not disappointed in my analysis.

Of the seven cases through the first half of this year, due diligence, or lack thereof, was a specific reference in five:

“There is no evidence to suggest that Plaza conducted any due diligence on the 2006 Consultant prior to entering into this agreement.”

“Kinross contracted with a politically-well-connected third-party consultant to facilitate contacts with high-level government officials without conducting the heightened due diligence required by the company’s policies and procedures.”

“PAC [Panasonic Avionics Corporation] recommended, but did not require, third-party due diligence reports concerning the consultants… While PAC historically conducted no meaningful due diligence on its sales agents, beginning in at least 1996, PAC started including audit rights in its contracts with sales agents. . . . However, PAC did not exercise its audit rights in order to avoid upsetting relationships with the agents. In early 2007, PAC began to put in place due diligence procedures for screening sales agents, including those agents with established relationships with PAC.”

“On or about November 8, 2012, the Libyan intermediary and an attorney representing him provided [Societe Generale] Employee 2 with answers they could use in responding to inquiries concerning Societe Generale’s engagement of the Panamanian Company, including repeating the false representation that the Panamanian Company met Societe Generale’s stringent due diligence requirements in effect in 2012.”

“Legg Mason did not timely institute appropriate risk-based due diligence and compliance requirements pertaining to the retention and oversight of such agents and business partners.”

Lessons learned:

  • Due diligence is not a “nice to have”; it’s a “must have.”
  • Basic due diligence is not sufficient for high risk engagements.
  • Due diligence may not prevent the issue, but, at a minimum, should alert of possible red flags or risk in the engagement.
  • The DOJ and SEC consider due diligence (or lack thereof) when reviewing cases and determining punishments.
  • Proper due diligence is a fundamental step in a well-structured compliance program.


  • Proper due diligence takes time and money.
  • Determining the proper level of due diligence, given the situation.
  • There is no due diligence program that can perfectly address every possible scenario.
  • Due diligence is critical, but must be supplemented with other compliance initiatives and internal controls.


Scott Shaffer is the Managing Director for the Kreller Group in Cincinnati, Ohio. For the past 23 years he has consulted with clients to address due diligence objectives, customizing due diligence programs for new clients, and analyzing current trends regarding regulatory compliance.


1 Comment

  1. Need for Continuous DD

    Terrific examples to prove a most valid premise, Scott. And Microsoft appeared to do no due diligence on its partner relationships in Hungary, terminating 4 of them after the SEC and DOJ investigation began. Your lists are spot on but I would like to add that it's important to keep monitoring throughout the lifecycle of the relationships, having a program which continuously picks up changes in third party risk triggering a risk reassessment and perhaps a change in the level and/or intensity of the control activities undertaken. Am a firm believer of undertaking a complete third-party entity review on a risk based schedule. Given the PAC had the protagonists subbing for established intermediaries, it would have been interesting to see how questionnaires to those intermediaries would have been responded to, in regard to use of sub-contractors; had that activity been performed.
