Lessons from the Unaoil scandal

By SCOTT LANE, Executive Chairman, The Red Flag Group

There is no doubt that every compliance officer has now seen the global media coverage over a company based in Monaco called Unaoil. Without repeating the details in full here, there are a few things that are strong learning for compliance officers and business people everywhere, including those in the oil industry or any industry for that matter.

If it is too good to be true, it probably is. If a business partner is offering great connections with government, and exceptionally good opportunities for a success fee, then it’s probably tainted with corruption. At the very least, it warrants significant review before engaging with that company. There were many warning signs with Unaoil, as there are with hundreds of other companies just like it providing services around the world. In the experience of The Red Flag Group, which has conducted due diligence on almost 100,000 intermediaries in 190 countries, Unaoil is just the tip of a large iceberg.

Just because a third party works for another company, it doesn’t mean it is ‘industry approved’ and that someone else in the industry in which they work has approved them. This is a common misconception: that ‘these guys work with four of our competitors, are you telling me that it is okay for them and not for us?’ The answer is ‘probably, yes’. Just because a company works with your competitors doesn’t give it a stamp of approval. Some of the largest companies in the oil and gas industry engaged Unaoil. Every one of those companies regularly does due diligence on intermediaries, and every one of them has compliance officers and compliance programmes. There might be many reasons, aside from sheer incompetence on the part of their due diligence process or provider, for not conducting due diligence.


Relying on questionnaires and industry certifications is a failure. The Red Flag Group has acted for several of the companies mentioned in the Unaoil scandal, but only one company – on one occasion – asked us to do due diligence on Unaoil. All of the others presumably decided that it was of no risk and skipped it entirely. Alternatively, they decided to do it themselves with a simple database check, relied on an industry anti-corruption certification, or they relied on data in a completed questionnaire and called that adequate ‘due diligence’. All of these approaches would have failed in this situation to truly identify the risk in this company. Simply relying on an industry validation or certification is not sufficient and companies should form their own view based on their own proposed engagement and their risk tolerance.


Compliance is often kept in the dark. Of course, it is also possible that the companies didn’t do any adequate due diligence because it was never raised with compliance. In most cases, there isn’t a closed loop process where systems actively stop an engagement until due diligence is completed. Most companies still don’t have closed loops. They simply do not use the due diligence process and avoid compliance. The other reason it was probably not done is because of the country. For some crazy reason, many companies rely on a list of countries that have perceived corruption risk and base their requirement to do due diligence on that single view. Monaco doesn’t rate as a high risk on that list, so it is possible that ‘all companies in Monaco’ received a pass from having to undergo due diligence. Again, an absurd concept, but one that is used daily in most large companies to determine the risk of a third party before spending time and money on due diligence.

Criminals lie. Criminals fill out questionnaires requested of them by companies and they lie. The companies just go through the motions and tick all the right boxes. You don’t need to be rocket scientists to know which ones to tick that appear to lower risk and turn away enquiring eyes. They are well experienced at knowing which questions are framed to raise further questions and how best to answer them. The questions on due diligence questionnaires are just so basic that most admin resources complete them.

Corruption is organised crime. People are paid well to look the part, play their role, and be a middleman for your company. They will be smooth, exciting, daring and often expert at tricking visitors to a country. Your job is to work out which ones are real and which ones are not. This requires skill and requires someone with real knowledge and experience.

Due diligence is not about ticking boxes – far from it. It is also not about checking basic questions around licences, approvals, and backgrounds. It is not about spending a few hundred dollars on a simple check. It’s not about checking media for evidence of corruption. Having said that, when The Red Flag Group conducted due diligence on Unaoil for a client several years ago, a basic review identified numerous media hits, which led us to concluding that the company was ‘very red’ under our nomenclature. In any event, too many companies are simply collecting information about an organisation – registration documents, ownership, certificates etc. – and not actually reading them. They are not piecing the story together. Rather, they are just seeing this as a process, and are collecting the data required with the aim of moving through the process as quickly as possible.

Due diligence is a skill and doesn’t always work. Even the best due diligence providers have a degree of luck in the research that they do – for example, luck in the sense that the person you talk to about a company tells you the truth; that the references you are given actually say something useful; and, that your contacts in that local market are having a bad day and actually tell you the real story. Of course, all of this work, effort and luck is balanced against a limited budget and time to complete the task. Most companies now spend a few hundred dollars and expect all this to be done in a day or two. The bottom line is due diligence on companies such as Unaoil is an art and skill. It’s not about box ticking and filling out forms. It is more investigative in nature than simply a process, and it takes time and that means money. The good news is that the hundreds or thousands of dollars spent on good (or even adequate) due diligence is a minute percentage of the deal size of a pending transaction.

People in business need to open their eyes about compliance. It is unacceptable for anyone in global business to think it is acceptable to rely on an external certification or even detailed due diligence to make a decision on a key business partner that is challenged with opening doors in a tough industry in a tough market. You can’t outsource your obligations to manage your business. While you should expect great information, accurate assessments, and guidance from your due diligence provider, hiding behind a certification isn’t probably the right model. Companies need to work with their due diligence provider to be part of the solution and assessment of risk.

Follow @TheRedFlagGroup