Levels of third-party due diligence

By Matt Kelly

When conducting third-party due diligence, it’s essential to conduct the right amount of diligence. Some third parties will pose more risk than others, and there’s no need to waste resources performing extensive due diligence on low-risk parties.

Moreover, regulators have repeatedly said that they want companies to take a risk-based approach to due diligence — meaning, your company applies more due diligence to those parties that might pose more risk.

For example, say your organization wants to categorize third parties into three levels of due diligence based on risk. Those tiers might look something like the following.

Third-party due diligence - Level I


  • Gather new or revised third-party information for purposes of bribery and corruption risk, and possibly other risk areas.
  • Confirm whether the third parties and their key associated parties are on any global watchlists.
  • Determine appropriate actions to take if that third party is included on a watchlist.

How to execute

  1. Disseminate questionnaires to third parties and compile a risk score for each party based on the responses and any other supporting material provided.
  2. Compare all third parties to relevant watchlists.
  3. Identify high-risk parties for extended screening:
     • Automate continuous watchlist screening.
     • Identify false positives manually and clear them with reason codes.
     • Escalate especially difficult matches to Level II due diligence and the chief compliance officer for further review.
     • Perform due diligence and watchlist screening against any extended relationships of the third party (beneficial owners, family members, directors, C-level executives).

Level I due diligence is essentially a matching exercise, and it depends on a blend of automation and human analysis to determine whether matches are legitimate or not. That is fine so long as the parties you review are, to the best of your understanding, low-risk third parties.
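The workflow above (normalize names, match against watchlists, clear false positives only with a reason code, escalate hard cases, screen related parties, and use the result to decide whether a party can stay at Level I) is sketched below as an added example. It is not code from the article or from GAN Integrity; the watchlist entries, party names, reason codes and level thresholds are all constructed for illustration, and the similarity measure is Python's standard-library difflib rather than a commercial screening engine.

```python
"""Level I screening workflow: normalize names, match against a watchlist,
record reason-coded dispositions, screen related parties, and derive a
recommended diligence level. Added example with constructed data; the
watchlist entries and party names are fictional."""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed, fictional watchlist: (listed name, source list, category)
WATCHLIST = [
    ("Acme Trading Co Ltd", "sanctions-list-A", "sanctions"),
    ("Jonas Berg", "pep-list-B", "pep"),
    ("Globex Logistics", "enforcement-list-C", "enforcement"),
]

# Legal-form tokens dropped before comparison, so that
# "ACME Trading Co., Ltd." and "Acme Trading Co Ltd" normalize identically.
LEGAL_SUFFIXES = {"ltd", "limited", "co", "inc", "llc", "gmbh", "sa", "plc", "corp"}

# Reason codes an analyst may attach when clearing a match (assumed set).
VALID_REASON_CODES = {
    "DIFFERENT_DOB", "DIFFERENT_COUNTRY",
    "DIFFERENT_ENTITY_TYPE", "NAME_COLLISION_VERIFIED",
}


def normalize(name: str) -> str:
    """Strip accents, punctuation, case and legal suffixes for comparison."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


@dataclass
class Match:
    screened_name: str
    listed_name: str
    source: str
    category: str
    score: float
    disposition: str = "open"      # open | cleared | escalated
    reason_code: str = ""


@dataclass
class ThirdParty:
    name: str
    questionnaire_score: int        # Level I questionnaire risk score, 0-100
    related_parties: list = field(default_factory=list)  # owners, directors, executives


def screen_name(name: str, threshold: float = 0.85) -> list:
    """Candidate matches for one name; similarity ratio from difflib."""
    n = normalize(name)
    hits = []
    for listed, source, category in WATCHLIST:
        score = SequenceMatcher(None, n, normalize(listed)).ratio()
        if score >= threshold:
            hits.append(Match(name, listed, source, category, round(score, 2)))
    return hits


def screen_party(tp: ThirdParty) -> list:
    """Screen the party itself and every extended relationship."""
    matches = screen_name(tp.name)
    for rel in tp.related_parties:
        matches.extend(screen_name(rel))
    return matches


def clear_match(match: Match, reason_code: str) -> Match:
    """Manual false-positive clearance; refuses to clear without a reason code."""
    if reason_code not in VALID_REASON_CODES:
        raise ValueError(f"clearance requires a recognised reason code, got {reason_code!r}")
    match.disposition, match.reason_code = "cleared", reason_code
    return match


def escalate_match(match: Match) -> Match:
    """Difficult match: hand to Level II review and the compliance officer."""
    match.disposition, match.reason_code = "escalated", "LEVEL_II_REVIEW"
    return match


def recommend_level(tp: ThirdParty, matches: list) -> int:
    """Diligence level from questionnaire score and unresolved/escalated matches."""
    if any(m.disposition == "escalated" for m in matches):
        return 3 if tp.questionnaire_score >= 70 else 2
    if any(m.disposition == "open" for m in matches):
        return 2        # nobody stays at Level I with an unresolved hit
    return 2 if tp.questionnaire_score >= 70 else 1


if __name__ == "__main__":
    party = ThirdParty("ACME Trading Co., Ltd.", 75, ["Jonas Berg", "Maria Lund"])
    hits = screen_party(party)
    for h in hits:
        print(f"{h.screened_name!r} ~ {h.listed_name!r} ({h.source}, {h.category}) score={h.score}")
    print("recommended level:", recommend_level(party, hits))
```

The design point worth keeping from this sketch is that a clearance is a record, not a deletion: every false positive carries who-knows-why in the form of a reason code, so the screening history can be reproduced for a regulator, and an unresolved or escalated hit automatically prevents the party from being treated as low-risk.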

Some companies would classify watchlist screening as monitoring. Our view is that monitoring is part of due diligence. Watchlists are compiled by both government and non-government organizations, and they cover bribery, corruption, drug and human trafficking, money laundering, terrorist activity, and other legal violations, so any match is essentially based on external research. Watchlist screening is therefore part of due diligence, and it should be done on every third party you have.

Third-party due diligence - Level II

Level II due diligence is analyst driven and uses technology across a wider spectrum. This second level is designed to look wider and dig deeper to gather enough information to provide reasonable assurance that there are no red flags or issues that can or may lead to regulatory or reputational risk for your company.


  • Assure that third parties present no risk of bribery and corruption (most notably, no FCPA and UK Bribery Act risks), as well as no other regulatory risks, such as human trafficking or money laundering.
  • Issue a formal report to the compliance team (and the larger management team overall) for review.

How to execute

  • Engage in due diligence using open source and subscription services to conduct reasonable independent research and analysis on third parties on the basis of risk.

Effectively performing Level II due diligence requires skilled researchers, analysts, or paralegals who use expert search software to aggregate vast global databases of freely available and subscription-based public records. The goal is to conduct thorough (but not necessarily exhaustive) research for relationship assurance purposes.

We should not confuse Level II due diligence with enhanced due diligence, discussed further in this guide. The two concepts are related, but separate.

So how much due diligence is enough and what factors should we be looking at? Level II research consists of several primary components.

Company profile. Company name and known trade names are researched, as well as the company’s primary business and how that relates to the organization. Locations, employee base, and other fundamentals all factor into the overall risk assessment being compiled.

Corporate structure. This research should include a target company’s subsidiaries and even possible acquisitions. For example, an Australian company might be acquired by a U.S. parent. That might not change the Australian company’s FCPA risk profile, but it would change how that Australian business handles non-U.S. customers since the Australian firm is now subject to U.S. sanctions law. A compliance officer needs to know that level of detail and possible risk.

Beneficial ownership. One critical element when reviewing smaller, private firms is that an undisclosed beneficial owner might be involved in money-laundering or other corrupt activities. Ferreting out these characters might require looking at a corporate registry where the third party conducts business. Sometimes this can be done remotely via computer; other times it might require visiting a physical office. (This level of research also happens in enhanced due diligence.)

Corporate registry. A corporate registry can provide invaluable objective evidence about a third party — especially if that evidence contradicts what the third party has told you! It can also reveal ownership percentages and how corporations are organized. Some countries' registries, such as China's and Singapore's, are available online; Hong Kong's requires an online payment. Be warned: Indian sole proprietorships have no registration requirements.

Enforcement actions and litigation. This research lets you know whether the party has ever been in trouble with law enforcement (either civil or criminal misconduct). Some third parties might simply deny that they’ve ever had any issues with enforcement, but just about every regulatory agency does have detailed records that can disprove such claims.

Watchlist and PEP screening. Formal results are included in the Level II due diligence report for assurance purposes, but typically this screening is done even as part of Level I due diligence.

Adverse media reports. Unflattering media reports, including commentary on social media, can be suggestive of corruption. We recommend searching anywhere from one to five years back, paying close attention to media in any markets where the target company has a large operational presence. This can be a time-consuming exercise, especially if searching foreign-language media where translation services may be necessary. Social media reports are, of course, inherently untrustworthy; but they often can point to issues worth researching in traditional print or broadcast media.

Location and the Corruption Perception Index (CPI). Some countries are more corrupt than others. The CPI, published by Transparency International, is one reliable benchmark to help you understand which countries have higher corruption risk. (Other corruption benchmarks exist as well.) Although a target’s location often drives the preliminary overall risk rating higher, a Level II due diligence report could lead to a reassessment and even push the final risk score lower.

The due diligence report. The finished product is captured in a due diligence report, which demonstrates that a thorough review has been carried out using the best resources to capture available public data. The report will either give assurance that there are no concerns or it will raise red flags that require compliance and/or business action.

Third-party due diligence - Level III


  • Assure that third parties do not present a risk of bribery and corruption or other regulatory risks.

How to execute

  • Conduct enhanced due diligence consisting of local visits or other on-site validations of third party integrity, reputation, corporate registration, and compliance with anti-bribery requirements.

Level III due diligence covers essentially the same subjects as Level II, but relies to a greater extent on primary evidence and direct participation in:

  • Verifying local business registrations;
  • Obtaining references via related-party interviews;
  • Accessing information from the local Chamber of Commerce;
  • Reviewing local legal records;
  • Identifying local litigation or law enforcement issues;
  • Searching and reviewing local open source records;
  • On-site auditing of the target party.

Typically, one should engage a trained internal auditor or other professional who is skilled and experienced in conducting local research to do all this work. The goal is to create a defensible record in case regulators (or even angry customers) come knocking on your door accusing your company of turning a blind eye to corruption risk. If they do, you can demonstrate you took due care in taking more than reasonable steps to uncover red flags in your third-party relationships.

To learn more about how to risk-rate your third parties, visit or watch our on-demand webinar. These resources serve as a robust guide to understanding the risks your third parties present, creating a systematic and scalable approach to properly managing third parties, and discovering the valuable role automation plays in the process.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.