Third-party compliance in work aims to mitigate the risk related to your suppliers, distributors, customers, and any other party with which your company interacts. By interaction, we mean predominantly the existence of financial operations. Third-party compliance risk is one of the most significant and, at the same time, one of the hardest to identify. To build third-party compliance, one should approach this issue systematically.
The three key components of a third-party compliance system are the following:
- Internal third-party data processing
- Compliance-related communication
- Third-party due diligence
Generally, all three points should be covered by a third-party compliance policy. We will not cover the policy as a document in this lesson but will highlight its key principles instead.
Compliance in Work: Internal Third-Party Data Processing
Since there may be different scenarios of third-party data processing in different organizations depending on their size, business specifics, and organizational structure, the key element within this point is identifying the risky areas within your entity regarding onboarding, communicating, and paying third parties. This is where you are supposed to build a transparent information processing system accessible by the compliance department or officer.
By transparent system, we mean the following two key aspects:
- A clear understanding of roles within the company and responsibility for third-party data processing;
- A clear data flow mechanism that implies information exchange, reporting, and logging.
In some organizations, the units responsible for initial interactions with third parties share certain functions within the compliance system with compliance officers. In others, they are only responsible for proper reporting regarding third parties, so their role within the compliance system is limited. In the first case, they can be responsible for compliance-related communication and third-party due diligence. In the second case, the compliance department is responsible for those aspects.
A properly developed communication process is a good way of mitigating compliance risks related to third parties and includes two key elements:
- Anti-corruption clauses included in contracts with your third parties
- Compliance questionnaires
These documents constitute a documented obligation from your counterparty concerning its integrity and compliant behavior, which can reduce your responsibility to a certain extent in case of a violation.
This point could have been called "Compliance-related documentation," which would have been appropriate in developed compliance environments. Still, in other cases, the points mentioned earlier require serious communication efforts, which can be made by the units involved in interactions with specific third parties or by the compliance department. Such efforts are required because anti-corruption clauses and compliance questionnaires are often perceived as mistrust and pressure on the part of the company requesting their completion and signing.
The anti-corruption clauses are either included in the general contract or placed in the appendices to the general contract. In some cases, they form a separate document, similar to a non-disclosure agreement. By accepting the clauses, your counterparty usually confirms its zero tolerance for corruption both in any business activities related to your business interactions and in general.
The compliance questionnaire is a document that your counterparty fills in during the onboarding process; it is intended to reveal how strong your counterparty's compliance system is. The questions usually relate to existing documents such as the code of conduct and compliance policies, descriptions of compliance-related processes, and the people responsible for the company's integrity level. Some questions may directly ask about any corruption-related violations in the past or the presence of politically exposed persons (PEPs) among the shareholders or managers of the company.
Such questionnaires have two aims:
- Reducing responsibility
- Preparing the ground for verifications
Third-Party Due Diligence
Integrity due diligence is probably the strongest tool in the third-party compliance risk mitigation system. It gives a real picture of the counterparty, verifies the information provided in the questionnaire, and satisfies the recommendations of legal acts such as the Foreign Corrupt Practices Act or FCPA.
First, it should be determined how deep the due diligence should be. The scope of the check depends on the risk level related to the third party.
It is suggested to use the following indicators:
- Country of operations of the counterparty
- Industry of operations
- Type of counterparty
- Volumes of payments
These indicators let you divide the counterparties into three risk levels: green, yellow, and red. For a green level, such as an entity operating in a developed European country and supplying a minor high-tech component of a well-known brand once every two years for a total of 4,000 euros, it is enough to perform only high-level screening of that entity.
High-level screening could mean searches through specialized automated tools and databases regarding sanctions, watch lists, etc. Or it could be a screening procedure involving all official data gathering, including:
- Corporate registers information
- Sanctions and watch lists
- Litigation checks
Unlike the other points, litigation checks require manual search and analysis through court decision registers. High-level screening, although quite a quick procedure, may be slowed down depending on the jurisdiction your counterparty operates in, as publicly available information differs across the globe. In one country, you can easily access the corporate register online; in another, you might need to be logged in as a citizen of that country or even request the register extract offline.
For a yellow-level risk, it is not enough to screen official information only; it is recommended to run adverse media checks as well. This means local and international media searches for potential red flags related to your counterparty, such as non-transparent government dealings, PEP connections, other corrupt practices, fraud, offshore shareholding structures, money laundering activities, environmental breaches, human rights violations, etc.
Such searches are complicated by an untrustworthy media environment, excessive information flows, and the language barrier when searching in foreign jurisdictions.
When the risk level is red, or when you have identified red flags that require further verification because publicly available information is lacking, the method often used in third-party due diligence is interviewing. This method can also be used if the media environment is significantly controlled by the state or by a single influence group, for example.
For a solid interview report, you first need to identify respondents who are informed enough about the issue you are investigating and, at the same time, are not biased. The respondents can be found among your counterparty's clients, competitors, former employees, etc. While conducting the interviews, it is important to stick to legal and ethical methods only.
Even though the red flags remain the same across all three risk levels, the method of identifying them differs. In high-level screening, you rely purely on what the database holds. In deeper due diligence, you verify that data through media sources or interviews and thus touch upon initially unseen sides of the case. Some negative reputational matters may therefore remain hidden when only screening is applied rather than an in-depth approach.
In this context, it is worth mentioning enhanced due diligence as a separate method. This method applies to exceptional counterparties exposed to the highest risk. Enhanced due diligence differs from the screening methods mentioned earlier in the level of analysis applied. It is invaluable in business environments characterized by non-transparent government-business relations, frequently violated sanction regimes, nominees among shareholders, many shell companies, imperfect banking systems, and so on.
As to the interviews, enhanced due diligence interviews are not limited to the basic compliance checklist or questions but are aimed at revealing hidden facts.
An important part of the due diligence procedure is reporting and storing information. When the check is complete, no matter who conducts it, whether a business unit or the compliance department, the compliance officer should approve it before further action is taken.
The due diligence procedure should be performed once every three years for green-risk-level third parties and once a year for yellow- and red-risk-level third parties. Due diligence can also be performed before making significant payments, entering into long-term contracts, or signing strategic partnership agreements. The due diligence reports should be stored and remain accessible to the compliance team.