The third parties your organization does business with can represent significant risk — on everything from bribery and corruption to human rights violations, sanctions, money laundering, and terrorist financing. To preserve your company’s values and ensure compliance with applicable laws and regulations, it’s critical to evaluate the potential reputational risks of working with outside companies. Third-party due diligence helps your organization make informed decisions about whether to engage with a particular third party and how to manage the risks involved if you do.
The U.S. Department of Justice (DOJ) has made it clear that while third-party due diligence is crucial, ensuring a risk-based approach is just as important: the higher the risk, the deeper the diligence required. Applying enhanced due diligence to third parties when your initial risk assessment indicates more scrutiny is needed or red flags have been raised in your initial screening will strengthen your program and allow you to focus on the top risks.
Let’s take a closer look at what enhanced due diligence involves and why it’s so important in protecting your organization and creating a strong ethics and compliance culture.
Download The CECO’s guide to managing third parties to learn more.
3 tiers of due diligence
To effectively manage third-party relationships, you need to evaluate and manage risk for all the organizations and people you work with — whether that’s your suppliers, vendors, agents, partners, contractors, distributors, or customers. There’s no one-size-fits-all approach to due diligence because third parties represent a wide variety of risk factors for the enterprise. A simple screening may suffice for some companies, while others necessitate a deeper dive.
We can break down third-party due diligence based on the risk priority level identified during your initial triage:
- Tier 1: Screening third parties against global watchlists, often including screening against adverse media and politically exposed persons. It's a baseline for medium- and high-risk third parties and usually sufficient for most low-risk third parties.
- Tier 2: Supplementing tier-1 screening with searches of the internet, newspapers, international media, in-country databases, and government records. Use tier-2 due diligence when there are no major red flags, but the third party is in a higher-risk jurisdiction.
- Tier 3: Reporting covering the full range of sources, including paid content and retrieval of records if necessary. Tier 3, enhanced due diligence, is the deepest dive and should be used when red flags come up in tiers 1 and 2 or when you’ve otherwise identified higher risk.
For every step in the due diligence process, keep thorough documentation on what you find. You’ll need these records should you have to disclose a violation or undergo an audit.
What’s the scope of enhanced due diligence?
As you can see, enhanced due diligence is the deepest level of third-party due diligence, and it requires a greater investment of time and resources on higher-risk parties. Indicators of high risk include the third party’s location, its sector, the value of your contract, whether an intermediary is involved, and whether there is government interaction. For example, some countries involve a higher risk of terrorist financing, and some industries involve a higher risk of money laundering or financial crimes.
Enhanced due diligence may involve exploring the following factors for the third party in question:
- The ownership and management structure of the company
- The company’s financials
- Its personnel, especially executive leadership, politically exposed persons, and those with ties to government officials
- The company’s compliance regime and compliance training for employees
- Its other corporate relationships
- Interviews with local sources
This is by no means an exhaustive list. The scope of enhanced due diligence can be extensive since there may be numerous areas relevant for investigation.
Why enhanced due diligence is so important
The global regulations driving third-party due diligence are constantly evolving, with new regulatory requirements every year. Recent resolutions by the DOJ have specifically focused on third-party management, including the expectation that due diligence is not a one-time exercise and, indeed, must be updated throughout the length of the relationship. In October 2023, the DOJ announced that an acquiring company that discloses potential wrongdoing at a company being acquired within six months of the deal closing date — and fully cooperates and fixes the underlying problems within a year of closing — can presume it won’t be prosecuted by the DOJ.
Enhanced due diligence is critical to any acquisition to ensure you understand exactly what you’re buying. It also enables you to allocate resources more efficiently. The reality is that most compliance professionals have limited resources. Being able to apply the right amount of diligence to the right level of risk is key.
In addition to risk mitigation and building your reputation as an ethical company, there are clear incentives for conducting enhanced due diligence.
The DOJ National Security Division (NSD), the Department of Commerce’s Bureau of Industry and Security (BIS), and the Department of the Treasury’s Office of Foreign Assets Control (OFAC) have issued joint compliance communications that encourage companies to voluntarily disclose potentially criminal violations to reduce or even avoid their own criminal liability. The latest Tri-Seal Compliance Note describes the incentives and relief each department offers to urge companies to prevent, identify, and remediate potential violations. This includes reducing criminal liability and civil penalties.
In essence, these US departments have incentivized US companies to implement robust compliance programs and create a culture of compliance rooted in trust and ethical behavior. Enhanced due diligence for third parties is an important element of that culture since voluntarily reporting potential problems caused by third parties can limit your liability while helping to create a more ethical business ecosystem.
Identify and mitigate third-party risk
Third parties are undoubtedly an essential part of being a successful business today, but vetting third parties to ensure they won’t put your organization at risk or compromise your company values is an indispensable step in creating an ethical and compliant culture. For organizations implementing risk-based third-party due diligence, enhanced due diligence is an important deep dive into your relationships. It provides you with a wealth of information so you can rule out parties that present too much risk, enter partnerships well informed, and continue monitoring those partnerships.
For a deep dive into third-party management, download the eBook The CECO’s guide to managing third parties.