Key steps in corporate compliance due diligence

By Wei Jie and Xiong Xiaorong, Tiantai Law Firm

In the context of globalisation, enterprises face a patchwork of regulations and an increasing number of risks. To manage and control risk, the conduct of compliance due diligence is generally required. An enterprise should complete the following key steps in the course of due diligence.

Tease out the compliance details and accurately define the objectives of the due diligence

First, the enterprise’s due diligence objectives need to be aligned with its strategic, financing, management and reputational risks. Second, the enterprise’s routine operations usually move in lockstep with its products, services and funds. They require business transactions with various third parties, such as raw material suppliers, distributors, logistics providers, project partners, joint bidders and end customers, and they result in the generation, collection and storage of data relating to its employees, products, services and funds. So, in its day-to-day operations and co-operation with third parties, the enterprise needs to accurately grasp, guard against and control the risks that could arise.

Furthermore, the subject matter of compliance and its focal points vary across industries, countries or regions, and business entities at different stages of development. For an enterprise at a specific stage, in a specific industry where policies are undergoing revision, the subject matter of compliance that requires attention will change and need to be revised accordingly.

In particular, with respect to such business entities as multinational corporations and their subsidiaries, it is necessary to tease out the subject matter of compliance relating to stringent regulation, and the risk of serious penalties associated with anti-commercial bribery, export controls, data collection and storage, etc., that they may face in the course of their operations.

Collection of key information relevant to different entities

The key information that needs to be collected varies, depending on the entity with which co-operation is contemplated. With respect to a legal person, the basic information that needs to be collected usually includes the company’s or relevant organisation’s establishment documents, detailed information on major shareholders and beneficial owners, group structure and board members, any official or government background, and political connections.

With respect to a natural person, his or her proof of identity, credit standing and potential political connections need to be collected. With respect to a potential third party, including an enterprise or individual, whether its, his or her connections could pose major risks can usually be rapidly determined through early observation, and a politically exposed person (PEP) check.

In addition, an enterprise should keep abreast, in real time, of sanctions lists, criminal enforcement lists, and lists of barred or disqualified companies and individuals published by regulators in the relevant country or sector, as well as entities subject to policy-based restrictions. Potential third parties can then be identified by taking into consideration the key information initially screened, in light of the specific co-operation matters and business needs.

Verification of the information collected, and conduct of a risk assessment

After the information has been collected, the enterprise should verify it, as third-party management and control is a core part of the enterprise’s compliance management. For a low-risk third party, details can be verified and its, his or her creditworthiness checked using publicly available information. For a high-risk third party, enhanced due diligence on the entity itself, its affiliates, subsidiaries and other related entities should be conducted. Furthermore, information on any litigation that a potential customer or third party may be involved in, and its, his or her credit standing, can be obtained through legal database searches and screenings, and potential reputational risks can be identified through any negative reporting appearing in the media.

Once initial information collection and verification have been completed, a risk assessment needs to be carried out. With respect to different co-operating third parties, the following aspects need to be specifically considered in light of the subject matter of compliance relevant to the enterprise.

(1) For country-specific or region-of-origin risks, bribery risks may be identified by referring to Transparency International’s Corruption Perceptions Index rating, as well as the current policy direction and the regulatory constraint risks in the country or region where the subject in question is located;

(2) Sector-specific risks, particularly bribery, regulatory and other such risks that could arise from such phenomena as numerous industry hidden rules, high levels of government intervention, or special reliance on local agents;

(3) Entity risks such as exposure to the risk of money laundering crimes from the use of intermediaries or joint venture partners in transactions; and

(4) Internal control risks, including deficiencies or inadequacies in employee training, skills and knowledge, an overly aggressive reward culture, or a lack of clear policies and procedures relating to hospitality and marketing.

Presentation of due diligence results and establishment of an ongoing monitoring plan

During the entire course of the due diligence, the enterprise needs to ensure that a complete record of the relevant documents, assessments and decisions is kept. On the one hand, this record serves as the foundation and key basis for compliance risk control in its operations; on the other hand, it helps its business departments to make objective and accurate decisions when working with partners or third parties, so that the specific subject matter of compliance is brought out comprehensively and objectively and the corresponding risks are avoided.

When the industry in which an enterprise operates is subject to focused administration and control for a specific period of time, or it is determined in the course of the enterprise’s operations that it will continue to co-operate with a specific third party, or the specific third party with which it is co-operating is under review or has been penalised, the enterprise needs to set a high-risk alert and pay active and continuous attention, so that it guards against and controls potential risks in a timely manner before they materialise.

A good corporate compliance due diligence procedure should satisfy an enterprise’s own requirements. In addition to formulating a compliance due diligence procedure that takes into account changes in the overall environment, industry policies and specific business needs, the enterprise additionally needs to regularly examine and update its own due diligence procedures in line with the changes in internal and external factors, so as to ensure that its due diligence procedure as a whole is tailored to its needs, and can help it to duly prevent and control risks at all times.

Wei Jie and Xiong Xiaorong are associates at Tiantai Law Firm

29/F, T1 Building, Raffles City
No.1133 Changning Road, Changning District
Shanghai 200051, China

Tel: +86 21 5237 7006
Fax: +86 21 5237 7009