The notion that financial institutions and other commercial actors should take reasonable precautions to avoid facilitating criminal activities—today commonly referred to as “due diligence”—has its origins in early twentieth-century efforts to combat money laundering in casinos by organized crime groups. Over time, that narrow duty has grown into an expensive set of regulatory requirements applicable to an increasingly broad set of economic sectors. Last year, financial firms alone were estimated to have spent over $180 billion in compliance costs relating to preventing financial crimes.
This transformation did not occur overnight. Key milestones include the Bank Secrecy Act (1970), the Foreign Corrupt Practices Act (1977), and the creation of the Financial Action Task Force (1989), which marked the first truly international effort to set anti-money laundering standards. These legal and regulatory innovations were accompanied by an enlargement of the substantive scope of due diligence review: covered institutions were expected to screen their current and prospective clients not only for signs of money laundering, but also for drug trafficking, sanctions busting, proliferation of nuclear weapons, corruption, and connection to politically important persons.
The passage of the USA PATRIOT Act following the 9/11 attacks gave rise to a large-scale compliance culture both in the US and in many other major financial centres. Throughout the 2000s, this culture spread from financial services to other sectors such as natural resources, hospitality, and even professional sports, spawning an army of compliance officers, lawyers, analysts, and investigators.
Over the past decade, the character of due diligence review has undergone another evolution. Today, compliance departments and third-party due diligence providers are increasingly being asked to look beyond regulatory obligations to a broader set of issues that, while unlikely to trigger legal liability, nonetheless have implications for their clients’ reputations and bottom lines. In particular, the risk of reputation damage—traditionally fueled by print media, but today just as likely to originate in social media and other online venues—has grown exponentially.
Even economic actors that historically have not been subject to AML or anti-corruption regulations have shown a strong interest in these non-traditional forms of due diligence. In particular, the private equity industry has emerged as a key driver of strategic planning around what might be termed “modern risks”—typically fast-emerging, dynamic issues that can go from esoteric concerns to global questions in just weeks or even days. Examples of such modern risks include:
Planning for and mitigating such modern risks requires thinking beyond conventional due diligence. The box-ticking approach to due diligence found in most compliance departments, which involves a standardized and often superficial review that is tailored to well-defined regulatory requirements, is unlikely to accurately uncover a wide range of issues that should keep executives up at night. Modern risks call for modern due diligence—in other words, due diligence that is customized around obtaining the information most relevant to a particular risk rather than simply using the information that is easiest to obtain. Modern due diligence means looking beyond public lists and databases and engaging experienced investigators and analysts with deep geographic and sectoral knowledge. In some cases, it may require putting boots on the ground to collect documents and gather human intelligence that are beyond the reach of the average compliance officer or third-party due diligence provider.
Like Tolstoy’s unhappy families, every modern risk is unique, but there is no reason for firms to fly blind. With the right team, even the most complex and fluid risks can be tamed.