The corporate compliance community was jolted this month by news that Michael Cohen, long-time legal counsel and fixer for President Donald Trump, received millions of dollars from corporations after the 2016 election, supposedly for consulting services on a wide range of matters.

That money — at least $4.4 million — landed in the coffers of Essential Consultants, the same Delaware shell company Cohen used in 2016 to pay hush money to Stormy Daniels about her encounters with Trump in the 2000s. One payment of $500,000 has been traced to a Russian oligarch under U.S. sanctions. Other payments came from corporations with business in front of the Trump Administration, from policy changes to regulatory reviews to bids on defense contracts.

The cynical interpretation is that companies were paying money to Cohen to curry favor with the Trump Administration. Since Cohen is under investigation by the U.S. attorney’s office in New York, in the fullness of time we learn how true that view is.

Political and legal dimensions aside, however — this news also provides compliance officers a refresher course in performing risk-based due diligence on consultants, intermediaries, and other parties with close ties to government officials.

First, companies need to ask probing, precise questions about why they need to hire a specific intermediary.

Consider guidance published by the U.S. Justice Department in 2012 on how to build an effective compliance program. Intermediaries had their own section (on Page 60) that had a list of points companies should be able to answer:

  • What service is this third party actually performing? Are those terms spelled out in the contract?
  • How is this third party being paid? What are the specific payment terms, and how do those terms compare to typical arrangements in that third party’s industry or country?
  • How will the company confirm that the third party is providing whatever services were promised in the contract?
  • Is the third party’s compensation commensurate with the work being provided?

In one form or another, those same points are raised in similar guidance for anti-bribery laws in Britain, France, and elsewhere. The overall goal is to force the company to ask: Why do we need this specific third party? What are we getting for our money? Are we paying a fair price for a standard service?

Second, companies must document their logic, especially if they decide to override standard policy or procedure.

A crucial question for companies that hire a high-risk third party is whether they deviated from their standard procedures for contracting with outside consultants — and if so, why they did.

For example, does the company have a policy about working with newly formed shell corporations with only one employee? Does the company have accounting controls that require multiple signatures for payments above a certain dollar amount? Are there procedures for exception requests if the company wants to override those policies and controls, or can key executives disregard those constraints when they choose?

What an effective compliance program wants to avoid (and what prosecutors look for, if they launch an investigation) are seemingly arbitrary decisions in favor of one third party over another. Such decisions raise the appearance of bribery or conflict of interest, and that alone can prompt an investigation or reputation harm.

As a practical matter, an inability to document payments and accounting controls can also expose a company to books-and-records violations of the FCPA or other accounting fraud charges from the SEC. That is a civil enforcement risk regardless of whether any bribes actually were paid via an intermediary. You need to be able to show your work.

Third, appearances matter — and the lack thereof costs time, money, and reputation.

We should note that so far, no law enforcement body has charged Michael Cohen with any misconduct. Nobody has alleged any specific quid pro quo, and criminal bribery is hard to prove in the United States because of Supreme Court rulings that define “official acts” of public officials quite broadly.

That said, future circumstances may put corporations in difficult spots for giving money to Cohen now. For example, state attorneys general may subpoena corporate records to see whether those contracts were attempts to influence policy. A future Congress under new political leadership might open its own investigation into Cohen’s business and those companies working with him.

We won’t pass judgment here on whether those scenarios would be justified or not. But if they do come to pass, affected corporations will need to endure the spotlight. Effective compliance programs — ones that exist on paper and are put into practice — make that glare a bit less harsh.