The layman understanding of due diligence is often as a narrow compliance mechanism, a means of ensuring observance with relevant laws and regulations, such as the Foreign Corrupt Practices Act (FCPA) or “Know Your Customer” requirements. However, the power of this tool extends beyond mere compliance; it can provide business with advanced warning of reputational and ethical risks, as well as intelligence on customers, competitors and trends. Integrity Due Diligence, a subset of due diligence, is a critical tool for the proper vetting of potential business partners for ethical issues prior to transactions. In no field is this more important than when it comes to defence related technologies. In an international system filled with increased asymmetric conflicts, it becomes all the more necessary to implement proper due diligence in regards to customers, suppliers, and third party contractors.
Defence technologies and systems have been proliferated beyond their original recipients to third party entities including terrorist organizations, sanctioned countries, and repressive regimes. One of the largest failures of adequate due diligence in the 21st century was the transfer of F-14 Tomcat components from the United States to Iran in the 2000s. According to a US Government Accountability Office investigation following the incident, a London-based Iranian front company called “Multicore LTD” purchased jet fighter and missile components for the F-14 from US Government surplus sales before further selling them to the Iranian Air Force. The US Government failed to identify that Multicore’s owner, Soroosh Homayouni, had been convicted in 1987 of violating arms export control laws.
The risks extend far beyond traditional military hardware as in the F-14 case. These adversities for defence firms are further complicated by the preponderance of dual use technologies. Companies not historically relevant to defence industry are now being pulled into the sector through the abuse of their technologies. Commercial drones designed for recreational hobbyists, as an example, have been retrofitted by members of the Islamic State (IS) as improvised ordnance delivery systems, resulting in the deaths of many coalition fighters. The acquisition of these drones by IS was typically done through normal commercial means, sometimes on a large scale, such as during the “IBACS Conspiracy” in which IS supporters used a number of cover IT, electronics, and web services companies in the UK, Bangladesh, and Spain to purchase and funnel drones and supporting material to the Islamic State. The companies were involved in business transactions in the United States, Australia, and Denmark.
The inadequacies shown in vetting of customers unfortunately is not an isolated trend. A 2019 report from Amnesty International titled “Outsourcing Responsibility: Human Rights Policies in the Defence Sector” asserted that international defence companies “are failing to conduct adequate human rights due diligence as defined by the UNGPs [UN Guiding Principles on Business and Human Rights]. This failure increases both reputational and legal risks for an industry that supplies high-risk products to dangerous environments.”
In the report, Amnesty International contacted 22 of the world’s major defence suppliers to provide information on how they conduct vetting for human rights and other integrity issues in their respective business lines. None of the 22 companies provided adequate human rights due diligence, according to the report.
What is illustrated above is an acute need for the proper vetting of customers, suppliers, and third party contractors in any technologies with possible security of defence implications, from large international defence exporters to small dual-use technology companies. Though risks abound, there are present solutions to the problems faced. As said in the Amnesty International report, these firms already “have at their disposal a range of measures to identify and address potential human rights risks before, during and after an arms transfer. These include vetting clients’ past performance against human rights benchmarks; building high expectations of compliance with international human rights law into contracts; continuous monitoring and periodic auditing of client performance; and using leverage to influence the behaviour of clients up to and including suspending or even ceasing the business relationship where risks cannot be adequately mitigated.” Pointedly, an adequately conducted integrity due diligence report in the Multicore case would have likely identified Homayouni’s prior conviction; likewise similar checks would have likely drawn attention to suspicious front company registrations in drone purchases in the IBACS case.
In our experience, clients need clear due diligence checks and analysis to mitigate such risks. To address their concerns, Level 1 Integrity Due Diligence reports include corporate intelligence checks on criminal records, sanctions, regulatory enforcements, and adverse media to identify potential dangers or liabilities. Checks such as these would have identified red flags based on hits on persons and corporations in the Multicore case. In cases where actors use front companies such as IBACS, our forensic team would have conducted asset tracing, financial reporting, and corporate ownership mapping to identify ultimate beneficial owners. In such cases, even the absence of material findings can provide insight, as a lack of corporate activity is an indicator of a possible shell company, which would warrant further scrutiny. Should further research be needed, Level 2 reports are recommended, which include the same services as a Level 1 with the added utility of reference checks and a review of the target company’s internal documentation. In cases requiring the utmost scrutiny, Level 3 reports will additionally include information gathered from PwC’s discreet sources which can uncover intelligence not otherwise available in open source media. All of these forensic checks can be performed and delivered in less than 2 weeks, making them an easy and necessary step that should be implemented prior to contracts. With stakes such as they are in defence related fields, proactive actions must be taken by these firms. The need for proper vetting of relevant parties is paramount in order to assure the safety, security, and moral integrity of the industry.
Jack is a Manager in PwC Forensics Norway conducting investigations, due diligence, corporate intelligence, and security consulting. Prior to his current role, Jack served in the United States Intelligence Community in Washington DC, working on international risk and security issues for the Department of Defense (DoD) and Federal Bureau of Investigation (FBI). Jack served on multiple FBI and DoD task forces conducting international security and investigation operations and is a subject matter expert in risk due diligence and intelligence issues.