Author: Paul Curwell
In a product development context, an ‘end user’ is defined as the person who ultimately uses, or is intended to use, a product. However, ‘end users’ are also captured under various laws, including Export Control Regulations, where they are defined as “the person that receives and ultimately uses a good, service or technology”. End Users pose a particular challenge for all IP Rights Owners and Manufacturers in that once a product has been sold in the global market, it is very hard to control what happens to it. Depending on the product and its attractiveness to an end user, a product could ultimately end up with criminal counterfeiters, gray marketers, and sanctioned parties.
Where sanctioned parties are concerned, if a proscribed end user obtains as little as one unit of a product, this event may constitute a criminal offence (for example, the supply of materiel to North Korea) and could result in enforcement action and reputation damage. In contrast, selling a substantially discounted bulk shipment of product to an Original Equipment Manufacturer (OEM) which then resells the consignment on to an unauthorised distributor has the effect of “flooding the market with cheap product, eroding profit margins and disrupting the distribution channel” (Post & Post, 2008). Whilst the potential impacts of regulatory and business risks associated with sales to unauthorised end users are materially different, the nature of any due diligence program to mitigate these risks is the same.
This post provides an overview of the concept of ‘End User Verification’. It starts with a review of the regulatory and business risk drivers, then examines the process and identifies applicable red flags, data sources and threat patterns, and concludes with a discussion of what a good ‘End User Verification’ process looks like so that the risks can be effectively managed.
Regulatory Drivers for End User Verification
A number of global regulations have a specific bearing on End Users, placing regulatory obligations on manufacturers and IP Rights Owners to understand who they are actually doing business with prior to closing a sale. Key regulations with an ‘end user verification’ obligation include:
- Export Control Regulations (aka ‘trade compliance’) – which require parties involved in the sale of military or ‘dual use goods’ (those with both military and civilian applications) to obtain licenses or permits prior to a sale. Often, additional steps must also be taken from a supply chain integrity and security perspective to ensure such goods are not diverted before or after delivery.
- Economic and Trade Sanctions – can be applied by supranational bodies such as the United Nations Security Council, or individual countries (such as the United States Office of Foreign Assets Control). Very simply, sanctions laws can be breached if a product, financial transaction, or service (amongst other things) is provided to a sanctioned individual, entity, jurisdiction, or industry in a specified jurisdiction.
- Bribery & Corruption – the most far-reaching anti-bribery and corruption laws are the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. The risk here for IP Rights Owners or Manufacturers is that one of their distributors may be paying bribes to public officials, for example, to purchase their products, for which they are liable. Associated red flags might include orders from commercial enterprises where the purchaser should actually be a government agency.
Business Drivers for End User Verification
Gray Markets & Parallel Imports arise where a company purchases product in bulk in a low cost jurisdiction, and ships it to a high cost jurisdiction for resale. Gray market operators can work in global syndicates and quickly cause harm to consumer trust in your brand, frustrate authorised distributors by eroding their market, and impact sales. The second business driver for End User Verification is Brand Protection and Anti-Counterfeiting. In some markets, it is not uncommon for unscrupulous competitors or criminal counterfeiters to purchase products for reverse engineering.
A simple example might be where a buyer based in a country where you do not currently have a distribution arrangement purchases samples of your product for counterfeiting and subsequent sale. Where products are in high demand from consumers in a given market, and that environment is conducive to counterfeiting, particular care should be taken to evaluate purchasers. Whilst it may be possible for counterfeiters to acquire your product from another market or a secondary market, this doesn’t mean you need to make life easy for them.
The End User Verification process
There are two elements of the End User Verification process which can be undertaken simultaneously or separately, being (1) due diligence on the customer (i.e. ‘know your customer’ steps), and (2) due diligence on the transaction. Knowing your customer involves understanding who they are and whether they are in your target demographic, as well as other factors such as their credit rating. Performing due diligence on the transaction involves understanding what the customer intends to do with your product, the viability of these claims, and the risks inherent in the transaction.
To give an example, a regional government education department purchases 100,000 computers, at a steep discount because of the volume. On the face of it, the government education department makes a good customer – they can afford to pay, they are not associated with any sort of illegal activity (e.g. named on a sanctions list) and they are the sort of customer a computer manufacturer might want to sell to, so they pass step 1, the ‘know your customer’ test. As you review the transaction, you find that that region only has the need for 50,000 computers based on student numbers. So why purchase 50,000 computers more than they could legitimately need? You reflect further and consider that bribery and corruption in that country is high – could the procurement officer be purchasing 50,000 more computers than the school requires so they can be sold to a reseller in the region at a steep discount, minus a kickback for their efforts? Clearly further investigation (End User Verification) is required.
With the ability to make or break a sale, it is essential that the End User Verification process be independent of the sales department. For a start, doing due diligence on your own deals, which you want desperately to succeed so you can earn your sales bonus, is a clear conflict of interest. Secondly, this is not the core job of a sales team – they are unlikely to have the specialist skills required to perform the work and perhaps worse, could even engineer the End User Verification process so that any red flags remain hidden until long after they have left the company.
Data Sources, Red Flags and Threat ‘Patterns’
In the context of a transaction involving a large purchase of product, End User Verification involves understanding who the customer is, why they want to purchase that volume of product and what they intend to do with it. This involves a number of steps such as:
- Determining whether the company is a going concern, and whether it has adequate financial, sales and distribution capabilities to actually execute against its stated intent
- Understanding whether the company’s characteristics, such as its date of registration, beneficial ownership, shareholders, market presence, business licensing, and other factors align with the seller’s expectations
- Understanding the track record of the business’ management team – can they execute against their stated intentions?
- Identifying what controls, if any, should be or are in place to prevent the buyer (End User) reselling the product to an unauthorised third party
Due diligence teams typically compile their own lists of red flags as well as threat ‘patterns’ (aka ‘typologies’ or ‘fraud schemes’) as they relate to their respective organisations. These can be used to inform the basis of questionnaires sent to a prospective new customer or asked by the sales or compliance teams whilst reviewing and approving any sale or discount.
Managing the risks – what does a good End User Verification program look like?
Key elements of an EUV program
A robust due diligence program is essential to minimise the risk that a product shipment will be diverted to an unapproved end user. End User Verification typically forms part of a broader program that encompasses Supply Chain Integrity and Market Surveillance (Post & Post, 2008) which comprises elements such as:
- Knowing who your customer actually is
- Evaluating the transaction and its legitimacy
- Performing market surveillance to monitor the market for your product and the quality of any products being sold (i.e. authentic versus counterfeit)
- Identifying the risks in supply and distribution chains and implementing effective internal controls, and,
- Implementing appropriate supply chain integrity mechanisms, including track and trace programs, to identify the source of any diverted product on the market
Who should perform the due diligence?
Some organisations make performing due diligence the responsibility of the Sales & Distribution teams, whilst in others this work may be performed by Risk & Compliance, Audit or Finance, or alternatively it may be outsourced to a specialist service provider. When deciding who will undertake the due diligence, it is important to avoid any conflicts of interest. It goes without saying that the person making the sale is almost always incentivised to make sure a deal goes ahead. They are therefore conflicted when it comes to performing any due diligence, and should not be considered independent. A good End User Verification program involves someone else in the organisation, divested from the Sales process, performing the due diligence.
Hot Tip: Throughout my career, I have worked with Sales & Distribution or Corporate Strategy / Mergers & Acquisitions teams to perform due diligence on prospective business partners, customers or investments. I know there is nothing more frustrating for someone than to spend months, or even years, converting a deal only to have it killed at the last minute because the customer was not who they claimed to be.
To avoid this situation, I try to be proactive and conduct at least basic screening at the first available opportunity (i.e. as soon as the prospective client list is drawn up). There might be 100 prospects on a list, but performing some initial due diligence quickly identifies unsuitable opportunities which can be eliminated, leaving front-line teams to focus their efforts on deals likely to succeed. As a customer moves along the sales funnel, additional due diligence checkpoints can be added so that progressively more in-depth screening is performed (commensurate to the risk of the transaction, product, customer or jurisdiction), until the deal is done.
Knowledge & Training
In order to be effective in their role, employees performing End User Verification must understand what a legitimate business looks like when reviewing its footprint in the market. These employees must be able to identify red flags and indicators in a variety of jurisdictions and business types (e.g. distributors, OEMs), understand public and financial records, be competent at performing internet investigations, and have good general investigative and analytical skills.
The task of End User Verification and other ‘know your customer’ activities is not always straightforward: It is quite easy for a ‘dodgy’ company to be made to look legitimate to outsiders. The news and proceedings of regulators around the world are full of examples of businesses (including those with professional Anti-Money Laundering and Sanctions Compliance staff in companies such as banks and government agencies) which have failed to identify such businesses through their diligence process. As such, it is essential that those performing the task possess the requisite knowledge and skills to effectively perform the role.
Access to Resources
Performing effective End User due diligence requires access to the right resources to identify red flags and other risk indicators. Depending on the extent of diligence performed, this can require access to a variety of free and paid information sources, including:
- Company, Director and Beneficial Owner records for the relevant jurisdiction
- Sanctions and other commercial watchlists, such as RDC or Refinitiv’s World-Check
- News sources, including general media (e.g. Factiva) and specialised industry publications
- Biographical sources, such as LinkedIn and other business journals, which provide the ability to assess management’s track record in the industry
- Investment databases, such as Crunchbase, which can show cases where new funding sources have been obtained for growth, new market entry or innovation
Performing this sort of work requires a budget. If you are performing the due diligence yourself, you typically need to review multiple independent sources (many of which typically require an annual license subscription which doesn’t work for one-off purchases) to build the picture required to make your assessment on the End User’s validity – there is no such thing as a ‘universal database’ that will answer this for you. Further, for many sorts of due diligence inquiries, databases and desktop research are only the first step in the process. You will often need access to specialist resources for tasks such as interviewing customers and competitors, which cannot be automated or replaced by a database.
- Cornell Law School (n.d.). 22 U.S. Code § 8541 – Definitions, Legal Information Institute, https://www.law.cornell.edu/uscode/text/22/8541
- Department of Defence (n.d.). Defence Export Controls, Australia, https://www.defence.gov.au/business-industry/export/controls
- Department of Justice (2015). FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, United States Government.
- FATF / GAFI (2014). Transparency and Beneficial Ownership, FATF Guidance, https://www.fatf-gafi.org/publications/fatfrecommendations/documents/transparency-and-beneficial-ownership.html
- Fox, T.R. (2013). Distributors under the FCPA, http://fcpacompliancereport.com/2013/02/distributors-under-the-fcpa/
- Heatherington, C. (2015). The Guide to Online Due Diligence Investigations: The Professional Approach on How to Use Traditional and Social Media Resources, Facts On Demand Press.
- Kurland, K. (2016). End Use Monitoring and Effective Export Compliance, Bureau of Industry and Security, U.S. Department of Commerce, https://www.bis.doc.gov/index.php/documents/pdfs/1593-end-user-verification-kurland/file
- Loughman, B. P. and Sibery, R. A. (2012). Bribery and Corruption: Navigating the global risks, Wiley, New Jersey.
- Office of Foreign Assets Control (n.d.). Sanctions Programs and Information, https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information
- Post, R. S. and Post, P.N. (2008). Global Brand Integrity Management: How to protect your product in today’s competitive environment, McGraw-Hill, New York.
- Sugden, D. R. (2009). Gray Markets: Prevention, Detection and Litigation, Oxford University Press, New York.
- Yong, K. P. (2013). Due Diligence in China: Beyond the checklists, Wiley, Singapore.
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers.