Commercial Transactions Due Diligence

AI in Client Acceptance and Continuance (A&C): What the PCAOB Thinks

Artificial intelligence is actively reshaping research, planning, and risk assessment. For audit quality and compliance leaders, the most pressing question is how to use AI in A&C without triggering inspection risks.

The PCAOB’s Stance: AI Is an Assistive Tool, Not an Auditor

The PCAOB does not prohibit the use of AI, but it is clear on one point: technology is not a replacement for professional judgment. There is no “AI exception” to professional responsibility.

In its July 2024 Spotlight, PCAOB staff observed that while firms are investing heavily in generative AI, the most effective implementations focus on administrative and research tasks, with human partners retaining responsibility for final conclusions. Because A&C sits at the intersection of independence, ethics, and firm risk, it remains a high‑judgment area subject to heightened inspection scrutiny.

Bridging the Gap with Qualified Third Parties

Many firms bridge the gap between AI-driven efficiency and human expertise by engaging qualified third parties to perform A&C due diligence. However, delegating the task does not delegate the responsibility.

  • Supervision Standards (AS 1201):
    Lead auditors must supervise auditor‑engaged specialists. Firms cannot simply file a third‑party report; they must evaluate the specialist’s methods and assess the sufficiency and appropriateness of the evidence obtained.
  • The QC 1000 Factor:
    The PCAOB’s new Quality Control standard (QC 1000), effective December 15, 2026, places greater emphasis on managing “external resources.” Firms must implement robust controls to ensure that third‑party providers and any AI tools they use meet the firm’s standards for competence, objectivity, and reliability.

Navigating Inspection Risks

When it comes to PCAOB inspections, how AI is used in A&C matters just as much as whether it is used at all. Here are the red flags:

  • Allowing AI tools to automatically determine “accept” or “decline” decisions
  • Relying on AI outputs that are not explainable or cannot be defended
  • Treating third‑party reports as final without a meaningful review
  • Succumbing to automation bias by blindly trusting a software-generated score

The Documentation Mandate

From a PCAOB inspector’s perspective, “the system recommended it” is not a defensible rationale. Documentation must be audit‑ready and clearly demonstrate:

  1. The Role of AI:
    Whether AI was used for research, drafting, data analysis, or other support functions.
  2. The Inputs:
    The data, sources, and prompts provided to the AI tool or third party.
  3. The Challenge:
    How the engagement team evaluated, corroborated, or challenged the AI or third‑party output.
  4. Professional Skepticism:
    Evidence that a human partner applied judgment and took responsibility for the final A&C decision.

 

Disclaimer: This communication is for general informational purposes only and does not constitute legal advice. The summary provided in this alert does not, and cannot, cover in detail what employers need to know about the amendments to the Philadelphia Fair Chance Law or how to incorporate its requirements into their hiring process. No recipient should act or refrain from acting based on any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

Bust Out Fraud: When a Legitimate Business Is Turned Into a Weapon

Bust‑out fraud is one of the most damaging forms of business fraud. Unlike schemes that rely on fictitious companies or obviously forged documentation, bust‑out fraud exploits real businesses with real credit histories, turning legitimacy itself into the fraudster’s most powerful tool.

We recently found records involving a bust‑out scheme while performing research in connection with a commercial lending transaction. While the specific circumstances are confidential, the pattern was familiar and increasingly common across industries.

What Is Bust‑Out Fraud?

Bust‑out fraud occurs when an individual or group gains control of an existing business, builds or exploits its creditworthiness, and then rapidly incurs debt with no intent to repay. Once the credit is exhausted, the perpetrators disappear, leaving lenders, vendors, and partners with the losses.

What makes bust‑out fraud especially dangerous is that it often looks like normal business activity, until it’s too late.

How Bust‑Out Fraud Typically Works

A classic bust‑out scheme unfolds in recognizable stages:

  1. Acquisition or Control
    The fraudster purchases a business, installs themselves as an officer, or otherwise gains operational control, sometimes through seemingly legitimate mergers, management changes, or filings.
  2. Quiet Period / Credit Grooming
    For months (or longer), the company operates normally. Bills are paid on time. Credit limits may even be modestly increased. The goal is to reinforce trust.
  3. Rapid Credit Expansion
    Once confidence is established, the business applies for additional loans, vendor credit, leases, or financing, often simultaneously and across jurisdictions.
  4. Cash‑Out Phase
    Assets, inventory, or loan proceeds are diverted. Payments suddenly stop. Executives resign or become unreachable.
  5. Collapse
    The company folds, files for bankruptcy, or simply goes dark, leaving creditors scrambling to unwind what happened.

Real‑World Examples of Bust‑Out Fraud

While every scheme differs in execution, the following examples illustrate common variants.

  • Example 1: The “Too Smooth” Acquisition

A mid‑sized services firm is acquired by a new holding company. The new leadership keeps existing staff and contracts in place, pays vendors promptly, and even invests modestly in marketing. Within a year, the company secures multiple six‑figure credit lines, followed by a sudden wave of equipment purchases and short‑term loans. Three months later, the business defaults across the board and leadership vanishes.

  • Example 2: Vendor Credit Exploitation

A long‑standing distributor with excellent payment history begins placing unusually large orders with multiple suppliers at once, negotiating extended terms. The inventory is resold quickly, often below market, to generate immediate cash. Vendors discover the fraud only after invoices go unpaid and bankruptcy filings appear.

  • Example 3: Identity Leverage Across Borders

A legitimate company with international operations is acquired by new principals. Corporate records are updated in multiple jurisdictions. The firm then secures financing in countries where credit checks rely heavily on corporate registration rather than beneficial ownership. The debt accumulates rapidly and enforcement becomes complicated once the entity dissolves.

Why Bust‑Out Fraud Is Hard to Detect

Bust‑out fraud often evades traditional fraud controls because:

  • The business already exists
  • Credit histories appear legitimate
  • Documentation is often technically correct
  • Early behavior reinforces trust rather than raising alarms

In many cases, the change in intent, not the change in structure, is what transforms a normal business into a fraud vehicle.

Final Thoughts

Bust‑out fraud exploits legitimate businesses and may remain concealed without thorough due diligence. In this instance, background screening identified prior involvement by the loan applicants in a bust‑out scheme, underscoring the value of a risk‑based review in identifying fraud risks before material exposure occurs.


The Fair Credit Reporting Act and Commercial Transactions

Does the Fair Credit Reporting Act (FCRA) apply to commercial transactions?

Although the FCRA is generally limited to consumer-purpose transactions (e.g., those primarily for personal, family, or household purposes), there is no straightforward answer regarding commercial transactions. This is because the FCRA defines a “consumer” as just an “individual.” The FCRA does not require the consumer/individual to obtain the loan specifically for a consumer purpose. Whether and how the FCRA applies depends on the facts and circumstances regarding the commercial transaction.

Commercial Loans, Personal Liability, and the Permissible Purpose Requirement

When an individual applies for a loan primarily for personal, family, or household purposes, the lender has a permissible purpose under the FCRA to obtain the individual’s consumer report.

However, a commercial transaction does not give rise to a permissible purpose except for a report on an individual – such as a sole proprietor or principal of a company – who will be personally liable for the debt. In a 2001 Federal Trade Commission (FTC) staff opinion letter, the FTC stated that “it is reasonable to view a business transaction in which an individual has accepted personal liability for the business debt as involving the consumer, thus providing a permissible purpose for the lender to obtain a consumer report under Section 604(a)(3)(A).”

A follow-up question is whether the commercial loan application itself is enough of a permissible purpose when the individual is only a guarantor and not otherwise related to the transaction or debtor. Another 2001 FTC opinion letter concluded that if an individual has any personal liability on a business loan, including just a guarantee, there would be a permissible purpose by means of the application for credit.

These opinion letters have been reaffirmed in subsequent FTC publications.

As a caveat, however, it is important to remember that these opinion letters are merely informal guidance and are not binding on the FTC, the courts, or other governmental regulators. That is why we think the best practice is to get written authorization from the individual (another form of permissible purpose under the FCRA) before preparing the report.

Reporting Adverse Information

When the FCRA applies to a commercial transaction, the restrictions for reporting adverse information should be followed. The restrictions generally prohibit reporting adverse information that pre-dates the report by seven years. Bankruptcies that pre-date the report by 10 years cannot be reported. Criminal convictions can be reported regardless of the date.

The FCRA also provides an important exemption to these reporting restrictions. If a credit transaction involves, or may reasonably be expected to involve, a principal amount of $150,000 or more, the restrictions on reporting adverse information do not apply.

Adverse Action Notice

When the FCRA applies to a commercial transaction, does the adverse action notice requirement apply? The general rule in the FCRA is that if the lender obtains a consumer report and takes adverse action based, in whole or in part, on any information in the report, the lender must give the consumer an adverse action notice. Therefore, in the commercial context, the lender should give the consumer an adverse action notice if the loan application is denied.

What about guarantors? Although the FCRA is silent on whether guarantors are included for purposes of an adverse action notice, the FTC clarified the issue in a 2000 advisory letter. If the consumer is only a guarantor (i.e., secondarily liable on the loan), then an adverse action notice would not be required to be provided to the guarantor. This is true even if the application is denied based on information in the guarantor’s consumer report.

February 13th, 2025 | Categories: Commercial Transactions Due Diligence

Civil Judgments v. Judgment Liens: What is the Difference?

A civil judgment and a judgment lien are not the same thing, although they do relate to the same debt.

A civil judgment is an official decision by the court regarding a civil lawsuit. If the judgment is in favor of the plaintiff (the party filing the lawsuit), the judgment typically awards the plaintiff a sum of money that must be paid by the defendant (the party sued by the plaintiff). A civil judgment can be located in a search of civil court records.

If the judgment debtor (the defendant who lost the lawsuit) fails to voluntarily pay or “satisfy the judgment,” it is up to the judgment creditor (the plaintiff who won the lawsuit) to enforce or collect the judgment.

There are a variety of ways to enforce a civil judgment. A common method of enforcing a judgment is for the judgment creditor to file a judgment lien, which is also often referred to as an “abstract of judgment.” This is an involuntary lien that the judgment creditor files to attach to the judgment debtor’s property in the jurisdiction where the judgment lien is filed. The judgment lien is typically filed in the county recorder’s office but may also be filed at the courthouse in some jurisdictions. In general, the lien is satisfied from the sale proceeds when the judgment debtor sells the property or when a refinance occurs.

Company Legal Name v. DBA

Every business has a “legal” or “true name.” When researching a company, it is important to identify its legal name. In the case of a corporation or limited liability company, the legal name is the one on its formation document — e.g., the articles of incorporation or articles of organization.  As an example, Scherzer International’s legal name is Scherzer International Corporation.

If the company does business under another name, it is commonly referred to as a DBA – which stands for “doing business as.” DBAs are also sometimes referred to as an “assumed name,” “fictitious business name,” or “trade name.” State and local laws generally require a company to register a DBA it is using; however, it is important to note that registering and doing business under a DBA name is not the same as forming a business or a business entity.

June 16th, 2022 | Categories: Commercial Transactions Due Diligence

Civil Cases and Garnishees

A common occurrence when searching civil case records for a company is to locate a record that identifies the company’s role in the case as a “garnishee.” What’s a garnishee and should these cases be included in background reports?

A garnishee can be any company (or person) who holds property (including money) owed to a debtor – that is, someone who has an unpaid judgment against them.

Employers often become garnishees because they hold wages to be paid to an employee who is a debtor. A creditor can use a procedure called wage garnishment, a court order that requires the debtor’s employer to hold the debtor’s wages to pay the creditor. The employer as garnishee simply pays the employee-debtor’s wages to the court.

Because a garnishee’s involvement in a civil case is neither negative nor noteworthy, it typically should not be included in the report.

November 16th, 2021 | Categories: Commercial Transactions Due Diligence

Client Alert: EU Court of Justice Invalidates the EU-US Privacy Shield

 

An important and unexpected ruling was handed down by the Court of Justice of the European Union (CJEU) on July 16, 2020, in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) that invalidates the EU-U.S. Privacy Shield (“Privacy Shield”) arrangement. Since 2016, the Privacy Shield provided U.S. companies with a mechanism to comply with the General Data Protection Regulation (GDPR) requirements when transferring personal data from the European Union to the U.S.

What this means

Now companies that subscribed to the Privacy Shield must find another GDPR-compliant solution for the transfer of data. The European Data Protection Board indicated in its July 23, 2020 FAQs that it will not be providing a grace period as the authorities had done for the EU-U.S. Safe Harbor (“Safe Harbor”) framework following the “Schrems I” decision.

Notably, the CJEU’s decision expressly stated that the standard contractual clauses (SCCs) previously promulgated by the European Commission (EC) are still a valid tool for data transfers from the EU to the United States. The SCCs are sets of contractual terms and conditions that the controller and the processor of the data both execute to comply with GDPR’s requirements.  However, the CJEU’s decision does not give blanket approval to the SCCs–the decision acknowledged that future challenges to SCCs are permissible by the local data enforcement agency for any EU-member state. For example, an EU-member state might prohibit or suspend exports of personal data from its country under SCCs, if the member state concludes that the SCCs are not or cannot be complied with in the recipient third country (such as the U.S.) because of the member state’s local legal requirements.

The CJEU did not directly reference binding corporate rules (“BCRs”), which are used for intragroup data transfers and require prior approval of the competent data protection authority. For now, this means that BCRs remain a valid transfer mechanism under the GDPR, as BCRs are of a similar nature to SCCs (both are considered an “appropriate safeguard” pursuant to Article 46 GDPR).

For some situations, an alternative is to look to the narrow derogations under Article 49 of the GDPR, such as to perform a contract or base the transfer on the subject’s explicit consent.  

What happens next

When the adequacy of the Safe Harbor was invalidated by the CJEU in 2015, the U.S. Department of Commerce (DOC) and the EC had already been negotiating for an updated trans-Atlantic program for many months. With Schrems II, although the DOC and EC have indicated that lines of communication are open, the discussions are not nearly as advanced. And the issues cited by the CJEU in Schrems II may require some form of legislative, and not merely administrative, action to address. As such, the process to revamp the Privacy Shield is unlikely to be concluded any time soon.

The DOC, in a press release in response to the CJEU’s decision, and later in its updated Privacy Shield FAQs, stated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification and maintaining the participants’ list. The DOC emphasized that the CJEU’s decision “does not relieve participating organizations of their Privacy Shield obligations.”

The UK’s Data Enforcement Agency also issued a statement advising companies to continue using the Privacy Shield until new guidance becomes available but added that companies “do not start using the Privacy Shield during this period.”

Stay tuned for more regulatory guidance and other developments in the next few weeks.


Disclaimer: This is not legal advice. The resources and information provided here are for educational purposes only. Consult your own counsel if you have legal questions related to your specific practices and compliance with applicable laws.

Business identity theft is alive and well

And it can happen to your business.

Criminals do not discriminate – businesses and organizations of any type, size or legal structure, including sole proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts and corporations, are all targets for business identity theft.

What exactly is business identity theft?  First, let’s clarify that we are not talking about an information security breach or an incident involving the loss or theft of confidential consumer information. Rather, business identity theft discussed here involves the actual impersonation of the business itself.

It happens when criminals pose as owners, officers or employees of a business in order to get their hands on cash, credit or loans, leaving the business on the hook to deal with the debt. A favorite tactic of identity thieves involves the theft of the tax identification number (TIN) or employer identification number (EIN) of the company or the owners’ personal information to use that data to open new lines of credit or obtain a business loan based on the company’s identity.

Another common form of business identity theft occurs when criminals file fake documents with the Secretary of State’s office to change company information such as its registered address or the names of directors, officers or managers. Once the records have been changed, the identity thieves can establish lines of credit or new accounts with the false information.

Other examples of the fraudulent use of a company’s information include current or former employees making use of their access to financial documentation; establishing a temporary office space or merchant accounts in a company’s name; going through a business’s trash and recycling bins to find account numbers or other sensitive data; using phishing attacks or other scams to get the business’s banking or credit information from employees; and filing for tax credits with stolen EINs.

Businesses are an attractive target for identity thieves. Generally speaking, a company will have higher credit limits than an individual, so opening a new account or line of credit in a business’s name will yield more cash for a criminal and larger purchases will receive less scrutiny. Perhaps most frustrating, companies are required by law to report certain identifiers (an address, EIN/TIN, and names of directors in most states), meaning the information is publicly available and easily accessible to anyone.

The invoicing and payment terms typically available to businesses can also work against them. Identity thieves may have a window of up to 30 days after a purchase to disappear before a company detects a problem – and even longer if the thieves use a different address.

Unfortunately, business identity theft is an underreported crime for a variety of reasons. Companies often have no idea their identity has been compromised until they begin receiving unfamiliar bills and collection notices when it is already too late to stop the thieves. Government agencies receive frequent requests for changes to company information and an address change is unlikely to raise red flags. Some businesses aren’t paying close enough attention or fail to caution employees about the possibility of phishing scams, while others may be embarrassed or concerned about their reputation with customers and don’t want to report what happened.

Given the underreporting problem, statistics on business identity theft can be hard to come by. However, the Internal Revenue Service (IRS) said it has seen the number of corporate tax returns flagged for potential business identity theft increase exponentially in recent years, from 350 in 2015 to 4,000 in 2016 with a jump to 10,000 in only the first six months of 2017. The cost of the damage has also risen dramatically, from $122 million in 2015 to $268 million the following year and $137 million for just the first half of 2017.

Importantly, these numbers reflect just one of the many forms of business identity scams.

What can companies do to protect themselves? Click here for a checklist of the most important steps for prevention and what to do if your business becomes a victim.

April 12th, 2018 | Categories: Commercial Transactions Due Diligence

The Swiss-U.S. Privacy Shield Framework is approved

 

The Swiss-U.S. Privacy Shield Framework (the “Framework”) made its debut on January 12, 2017 without much fanfare when Swiss federal councillor Johann Schneider-Ammann announced the Framework’s approval as a valid legal mechanism to comply with Swiss requirements for transferring personal data from Switzerland to the United States. The Framework, designed by the U.S. Department of Commerce (the “DOC”) and the Swiss government to align with the EU-U.S. Privacy Shield, will immediately replace the U.S.-Swiss Safe Harbor. The DOC will begin accepting self-certifications starting April 12, 2017 to give organizations ample time to review the new Framework’s principles and compliance requirements. For more of Scherzer International’s coverage of the EU-U.S. Privacy Shield, click here.

February 2nd, 2017 | Categories: Commercial Transactions Due Diligence

European Commission Adopts EU-US Privacy Shield as Replacement for EU-US Safe Harbor Framework

 

What this is about

On July 12, 2016, the European Commission formally adopted the EU-US Privacy Shield (the “Privacy Shield”) which will provide organizations a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This new privacy framework reflects the requirements set out by the European Court of Justice in its October 2015 landmark decision in Maximillian Schrems vs. Data Protection Commissioner, which declared the EU-US Safe Harbor privacy regime invalid.

Privacy Shield overview

The framework provides a set of robust and enforceable protections for the personal data of EU individuals, as well as transparency regarding the use of such data by participating companies, strong US government oversight, and increased cooperation with EU data protection authorities. For more information, see US Department of Commerce (“DOC”) factsheet and FAQs.

Joining the program

The DOC will start accepting self-certifications beginning August 1, 2016. Organizations must identify and register with an independent dispute resolution provider prior to submitting their self-certification.

About self-certification

The decision to participate in the program is voluntary; however, once an organization publicly commits to comply with the framework’s principles through self-certification, that commitment is enforceable under US law by the relevant authority–either the US Federal Trade Commission or the Department of Transportation. To receive the Privacy Shield’s benefits, an organization must self-certify annually to the DOC that it agrees to adhere to the framework’s requirements, based on the privacy principles that include notice, choice, access, and transfer accountability. See the DOC’s guide for more information about participation and compliance requirements.

Disclaimer: This communication is for general informational purposes only, and does not constitute legal advice. No recipient should act, or refrain from acting, on the basis of any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

For further information, please contact us at 1-866-723-2287.