Article 5 min

Third-party due diligence: policies, screening and risk management

Third-party due diligence

Often, businesses rely on partners, suppliers, agents, contractors and various other third-party services. Third-party service providers are a great way to build a business, outsource tasks and manage fluctuating operational needs.

That is, of course, if you have properly vetted them and they’re a compliant, trustworthy entity. In the end, it’s your business these third parties are representing or servicing and it’s your business that will suffer regulatory fines or reputational damage if those third-parties are fraudulent or don’t implement best practices.

Effective third-party due diligence policies, screening and processes are necessary to protect your organization and manage risk. Systematically thinking about your business relationships, the potential exposures they could incur, what steps you need to implement, and then how you can operationalize and review those procedures is smart business — and proper compliance.

Compliance requirements

Depending on the countries and industries you operate in, numerous regulations require third-party checks. For those in various financial sectors, there are strict Anti-Money Laundering (AML) laws. Anti-corruption laws like the U.S. Foreign Corrupt Practices Act also come into play. After all, as financial companies are already dealing with vast sums of money, it’s often a short route for illicit or corrupted funds to become legitimatized.

There are multiple methods for bad actors to clean their money — and, unfortunately, many businesses unknowingly assist in the process. For example, payments can come from another source or numerous intermediaries, potentially obscuring the true source of funds. Or, questionable payments are hidden among numerous legitimate transactions.

So, what can you do to prevent these people and companies from cleaning their dirty money through your organization?

Know Your Customer’s Customer

Know Your Customer (KYC) laws are already in place and a standard business procedure for financial institutions. Thus, following the same processes is a clear way forward, extending those procedures to deeply analyze their customers, or Know Your Customer’s Customer (KYCC).

Taking the rules for KYC and expanding them to incorporate third parties, KYCC refers to the steps taken by a financial institution (or business) to:

  • Verify the identity of a third party
  • Understand the nature of a third party’s activities (primary goal is to satisfy that the source of funds is legitimate)
  • Assess money laundering risks associated with a third party

The first step to performing effective third-party due diligence is to identify and verify the third party – do you really know who you are doing business with? This step involves gathering accurate business registration information, including registration number, business name, business status, address, managing directors and date of incorporation.

It’s not enough to gather the information; you need to verify that the information is accurate and up to date. Generally, this involves checking the official records through a government register or public file to ensure the information matches.

Third-party screening

After verifying the third party, understanding their business activities provides insight into the level of risk involved in doing business with them. One action to take is to screen the identified parties against various lists of high-risk individuals, like politically exposed persons or entities. These include sanction lists (for example, OFAC, UN, HMT, EU, DFAT), law enforcement lists, and governing bodies (for example, financial and securities commissions) worldwide.

Besides screening, another effective risk management strategy is to determine how the third party acquires its funds. What industries do they do business in? What countries do the funds come from? What type of transactions, amounts and volumes do they deal with? What is the nature of their partners, suppliers and clients?

With that information in hand, you can then do the risk assessment. Of course, some industries, countries or third parties pose higher risks. It’s not to say that you must reject their business, but rather, you might determine that further scrutiny is necessary. It depends on your risk appetite and your policies.

Enhanced Due Diligence

Depending on the analysis of the initial assessment, Enhanced Due Diligence (EDD) procedures might be in order. Some EDD practical steps, suggested by the Financial Action Task Force (FATF), include:

  • Obtaining additional identifying information from a wider variety (or more robust) sources, and using this information to inform the individual customer risk assessment
  • Carrying out additional searches (for example, verifiable adverse media searches) to inform the individual customer risk assessment
  • Commissioning an intelligence report on the customer or beneficial owner to better understand the risk that the customer or beneficial owner may be involved in criminal activities
  • Verifying the source of funds or wealth involved in the business relationship to be satisfied that they don’t result from the proceeds from crime
  • Seeking additional information from the customer about the purpose and intended nature of the business relationship

A particular focus on the beneficial ownership of third parties is often necessary; according to a Stanford Law School analysis, nearly 90% of FCPA bribery allegations involve the use of third parties.

Third-party due diligence programs

It’s vital to understand that effective third-party due diligence requires ongoing efforts. Besides establishing the program and creating repeatable and robust processes, programs need:

  • An auditing plan to ensure the processes are valid and demonstratable to auditors or partners
  • Monitoring procedures to spot new potential risks
  • Ongoing review to consider changes in risk tolerance

The critical point is to have these systems in place so your compliance staff know what to look for, what to do when they spot it, how to report it, and how to monitor the process. With an effective third-party due diligence process, your staff can circumvent issues quicker, with less stress and reduced risk.

Forewarned is forearmed; truly knowing the third parties of your business connections will help protect your organization and potentially save it from compliance failures, reputational damage and financial losses.

This post was originally published November 15, 2017, updated to reflect the latest industry news, trends and insights.