Third-Party Due Diligence: Policies, Screening, & Risk Management
Oftentimes, businesses rely on partners, suppliers, agents, contractors and various other third-party services. Third-party service providers are a great way to build business, outsource tasks and manage fluctuating operational needs.
That is, of course, if you have properly vetted them and they’re a compliant, trustworthy entity. In the end though, it’s your business these third-parties are representing or servicing; it’s your business that will suffer if those third-party service providers are fraudulent or don’t implement best practices. It’s your business that will have to face the wrath of regulators or customers if there is exposure to issues.
To protect your organization and to manage risk, effective third-party due diligence policies, screening and processes are necessary. Systematically thinking about your business relationships, the potential exposure they incur, what steps you need to implement, and then how you can operationalize and review those procedures is smart business – and proper compliance.
Depending on the countries and industries you operate in, there are numerous regulations that require third-party checks. For those in various financial sectors, there are strict Anti-Money Laundering (AML) laws. After all, as financial companies are already dealing with vast sums of money, they are potentially a short route for illicit funds to become legitimized.
Payments are potentially levelled up, or come from another source. The true source of funds is potentially obscured by numerous intermediaries. Questionable payments are hidden amongst numerous legit transactions. There are multiple methods for money launderers to clean their money and, unfortunately, many businesses that unknowingly assist in the process.
So, what can your business do to prevent these people and businesses from cycling their dirty money through your institution?
Know Your Customer’s Customer
Know Your Customer (KYC) laws are already in place and well-known by financial institutions. Following the same processes is therefore a clear way forward: extend those procedures to deeply analyze your customers’ customers, known as Know Your Customer’s Customer (KYCC).
Taking the rules for KYC and expanding their use for third-parties, KYCC refers to the steps taken by a financial institution (or business) to:
- Verify a third-party’s identity
- Understand the nature of the third-party’s activities (primary goal is to satisfy that the source of the third-party’s funds is legitimate)
- Assess money laundering risks associated with that third-party
The first step to doing effective third-party due diligence is to identify and verify the third-party – Do you really know who you are doing business with? This step involves gathering accurate business registration information such as: Registration Number, Business Name, Business Status, Address, Managing Directors and Date of Incorporation.
It is not enough to simply gather the information; you need to check the information is accurate and up-to-date. Generally, this involves checking the official records through a government register or public file to ensure the information matches.
After verifying the third-party, understanding their business activities provides insight on the level of risk involved in doing business with them. One action to take is to screen the identified parties against various lists of high-risk individuals or entities. These include sanction lists (such as OFAC, UN, HMT, EU, DFAT), law enforcement lists and lists from governing regulatory bodies (financial and securities commissions) from around the world.
Besides screening, another effective risk management strategy is to determine how the third-party acquires its funds. What industries do they do business in? What countries do the funds come from? What type of transactions, amount and volume do they deal with? What is the nature of their partners, suppliers, clients, etc. (KYCCC?)
With that information in hand, you can then do the risk assessment. Of course, some industries, countries or third-parties are obviously higher risk. It’s not to say that you must reject their business, but rather, you might determine that further scrutiny is necessary. It depends on your appetite for risk and your policies.
The critical point is to have these systems in place, so your compliance staff knows what to look for, what to do when they spot it, how to report it, and how to monitor the process. With an effective third-party due diligence process, your staff is able to circumvent issues more quickly, with less stress and less risk.
Forewarned is forearmed; truly knowing third-parties of your business connections will protect your organization and create better onboarding processes.