An important part of the job duties of any compliance practitioner is clearing red flags that might appear for a proposed third-party relationship during the due diligence process. It is mandatory that all red flags be cleared and that there is also evidence of the decision-making process to show if a regulator comes knocking. What are some of the questions to ask?
How much is enough? Management should have a realistic process so that it can be effectively managed and still be of sufficient value for the decision makers.
How deep should management dig? How many tiers down should one go in managing third parties? Companies should manage direct contractual counterparties and down one tier. Data collection down the chain may not need to be as robust as first-tier reviews and risk assessments. For counterparties further down the chain, a list of actual and beneficial owners coupled with commitments to follow relevant anti-corruption legislation is probably enough.
What did you learn? Are there any red flags present? If so, they must be cleared. If additional information is needed or points need clarifying, now is the time to do it, not later in the process.
What next? After management has made a decision, it still needs to manage the relationship. This will entail continuing compliance communications with direct counterparties on an ongoing basis. Preferably the business unit sponsor will do this, but the compliance practitioner should also be mindful of checking in from time to time with third parties.
As a compliance program matures, the company will also reach the point where it must consider auditing third parties from the compliance perspective. Finally, do not forget the three most important things about any compliance program: “Document, Document, and Document” the entire process.