Most people have seen the movie “The Sting”, starring Robert Redford and Paul Newman, which tells the story of an older con man, Newman, who shows a younger man, Redford, how to run ‘the big con’ on a gangster played by Robert Shaw. It was fiction. However, on the front page of the Sunday Washington Post, on 10th June, was an article about Kevin Richard Halligen which showed that in the case of fraud and fraudsters, truth is often stranger than fiction.
In the article, entitled “A player, but what was his game?”, reporter Kevin Sullivan detailed the eventful life of Halligen in the fraud and swindler world, where, after leaving a trail of broken deals and broken hearts in England, he moved to Washington DC and set up shop all over again. In spite of numerous Red Flags from his prior life in the UK and his conduct in Washington, Halligen was able to persuade many people and companies to invest in his business ventures, where the contracted services to be delivered were negligible at best and outright fraud at the worst.
Halligen’s business was that of a somewhat murky ‘security consultant’ and having wormed his way into high powered Washington business circles, he proceeded to extract large sums of monies for services which were apparently never delivered and for investments where the money seems to have gone ‘poof’. During his run in Washington, he was successfully sued by several former clients and investors but this seemingly put no dent into his activities going forward. He even managed to woo and wed Maria Dybczak even though he claimed only days before the wedding that he could not sign the Marriage Certificate because “he was involved in undercover intelligence operations, he could not sign any public documents”. However, the real reason later turned out to be that he was already married at the time of his purported second marriage to Dybczak.
I thought about this cautionary tale in the context of third party due diligence under both the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. Although the Bribery Act, Six Principles of an Adequate Procedures compliance program, specifically states that your company should only do business with other ethical companies, particularly those with similar best practices compliance programs, the FCPA does not have any such specific requirements. Nevertheless, both laws make it clear that a company should know with whom it is doing business.
The Halligen article reminded me that a company must understand that it can experience FCPA and Bribery Act risk through a wide variety of third party relationships, more than those simply in the sales end of the business. Such risks can come equally through the vendor side in the Supply Chain when a company might hire a business similar to those run by Kevin Richard Halligen.
An article in the June issue of the Harvard Business Review, entitled “Pricing to Create Shared Value”, authors Marco Bertini and John Gourville discussed a five point analysis for the questions they raised. Admittedly their article focused on a context outside of anti-corruption but I found these points very good touchstones when thinking about some of the assumptions which should underlie your third party compliance program.
Focus on Relationships. This should be a part of your initial analysis and risk assessment. What is the relationship between the third party and your company? In other words, what are they going to do for you? If they are in the sales channel and will provide commercial services and that is generally viewed as information which would put them into a higher risk category than vendors in the Supply Chain. However, that analysis may be too facile. What if the services are in the murky areas inhabited by persons such as Halligen? Clearly he offered to provide services of some type but is it self-evident that these services would or would not involve interactions with foreign governmental officials? You may need to take a more in-depth look at the entities that you are doing business with that are not traditionally thought of as impacting the FCPA or Bribery Act.
Be Proactive. Flowing from your more robust review of the third parties you do business with, you should engage the business unit which desires to sustain or retain the relationship to lead the relationship, not the Compliance Department. I say this because it is the business unit which needs to own not only the process but the relationship. While the Compliance Department can certainly provide guidance, if the business unit is invested with ownership, they will also take the responsibility. Here the business unit can also be the leader in talking to the third party about what information the company will ask for and why such information is critical in any FCPA or Bribery Act compliance program.
Put a Premium on Flexibility. While procedures and processes are, by their definition, fixed and thereby limiting, your program should have flexibility to address differences in compliance risk as they arise. Consider the services offered by Halligen’s company Red Defence. In one instance, Halligen was going to offer general market intelligence on security issues, in another instance it was going to provide tracking and hopefully retrieval services for a child’s kidnapping. Further, Halligen even had an investment vehicle company named Oakley International. All of these services present different risks so that your program needs to be ready to respond with different qualities of due diligence in different situations. Or as my This Week in FCPA colleague, Howard Sklar would term it, situational due diligence.
Promote Transparency. Transparency is the bane of fraudsters and corrupt entities of all types. They all seek the shelter of the shadows to plow their wares and Halligen was no different. It all starts with the initial request for information that you make via an application. If a potential third party refuses to answer any questions you need to have a serious discussion as to the reason why. If a proposed third party refuses to provide a banking reference then that certainly needs to be explored. And for anyone out there thinking about getting married; if the bride or bride-groom tells you they cannot sign the marriage certificate, a serious reappraisal is in order.
Manage the Requisite Standards. The UK Ministry of Justice (MOJ) has provided written guidance as to what may constitute sufficient due diligence in its Six Principles of an Adequate Procedures compliance program. The US Department of Justice (DOJ) has also promised written guidance, but I do not think that companies need to wait for governmental guidance. You can take the steps outlined in this article and use them as a basis to begin your third party relationship process. The key is to put a process in place and then follow it. And of course, document, document and document.
While the movie The Sting remains great entertainment, the tale of Kevin Richard Halligen is certainly one which should give you pause to think about your company’s own compliance program. Not all fraud begins or ends with the extravagant lifestyle of Kevin Richard Halligen as reported by Sullivan in the Post. However, his story does point up the need for a robust compliance program, the process of which should be specified in your procedures. Certainly, if the people who lost money to Kevin Richard Halligen had done their risk assessments they might not be mentioned on the front page of the Sunday Washington Post right about now.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2012