What is Enhanced Due Diligence?
Due diligence is such a big, crucial part of what corporate compliance functions do that lately we’ve even created a whole new branch of it: enhanced due diligence. So let’s continue our Compliance 101 series to explore exactly what enhanced due diligence is.
At its simplest, enhanced due diligence is the additional screening that a company should perform on high-risk third parties, to gain the best understanding possible of their identities and the compliance risks they might pose to your business.
The concept is useful across a wide range of industries. For example, any business partners who have close ties to foreign governments (“politically exposed persons,” or PEPs) would qualify as high risk under the Foreign Corrupt Practices Act. So performing enhanced due diligence on those persons or businesses would make a lot of sense. In financial services, customers who conduct transactions through shell companies or offshore tax havens would also fit the description.
An important point for compliance professionals to understand, however, is that enhanced due diligence is the second phase of screening, for a specific subset of third parties.
That is, all third parties should undergo basic due diligence, where they provide sufficient biographical documentation for your company to independently prove the party’s identity. That first step helps your company to identify the high-risk third parties. Then comes enhanced due diligence, to understand exactly how high that risk is, and to understand what controls should be put in place to reduce the compliance risks that party might pose to your company—including, potentially, the control of not doing business with that customer at all.
The Foundation for Enhanced Due Diligence
First, a company needs to define the criteria that would qualify a third party as high risk. No authoritative list of those criteria exists, but most are common sense in the land of compliance officers. For example:
- Does the person come from a country at high risk of corruption generally, such as those countries flagged by the Corruption Perceptions Index?
- Does the person come from a country known to have weak rules against money laundering, labor standards, tax avoidance, or similar misconduct?
- If the party is a business rather than a person, are any of its senior officers or beneficial owners (anyone who owns or controls 25 percent or more of the firm) on any watch lists, such as lists of specially designated nationals, politically exposed persons, and so forth?
- Does the party (either a person or a business) conduct much banking through offshore financial centers or private banks, where transparency standards might be lower?
- Does the party work in a cash-intensive business: gold trading, fine art, legalized cannabis, and the like?
You get the idea. Enhanced due diligence should be risk-based, where a third party that hits more of those criteria gets more attention. Your organization might even have specific criteria unique to your industry or another variable that you screen for. It’s not any different than the due diligence companies have performed for years—just more of it, done more thoughtfully.
Enhanced Due Diligence in Practice
So what extra documentation should a company seek when performing enhanced due diligence? Again, there’s no definitive list. The better approach is to ask, “What evidence can help me verify this party’s true intentions, and the compliance risk he or she brings, given the transactions we want to do?” Then go about collecting those materials.
Some of that evidence can be found independently: corporate registration documents or articles of incorporation, for example, which ideally will be available through some public registry. You’ll always want to collect such evidence from trustworthy, independent sources, to confirm their authenticity. (This includes results from background checks done by outside service providers.) When performing enhanced due diligence on a specific person, you may also need to collect evidence from him or her directly: passports, birth certificates, marriage certificates, and related materials.
Throughout all of this, remember: your compliance program will need policies and procedures to gather this evidence, and a recordkeeping system to preserve it.
The goal with enhanced due diligence isn’t just to perform a one-time exercise in third-party onboarding and then forget about it. The goal is to develop a clear, documented understanding of the third party’s compliance risk that you can use as a risk tool again and again in the future as your relationship with that party evolves.
Why Do This at All?
For several reasons. First, globalized business and companies’ constant quest for growth keep pushing companies into new markets. That includes high-risk geographic markets and high-risk third parties all over the world. Your risk of brushing up against corruption is simply greater.
Second, enforcement against corporate corruption is growing around the world. Thankfully, at the same time, more regulators are giving companies a compliance defense: the ability to avoid criminal charges and severe penalties, if the company can demonstrate that it took proper steps to reduce its exposure to corruption.
That’s what enhanced due diligence is, really—taking proper steps to reduce corruption risk. The proper steps for a high-risk third party are very different than the proper steps for a low-risk third party. That’s what a risk-based approach to due diligence is all about.
If you apply basic due diligence to all third parties, but nothing more, that’s not a risk-based approach. That’s a compliance exercise to look good to regulators, who increasingly won’t fall for such a tap-dance routine.
On the other hand, if you apply enhanced due diligence to all third parties, you’ve performed more compliance than necessary. That’s a waste of resources, which will alienate business partners, coworkers, and senior executives approving your budget request.
Enhanced due diligence requires judgment. It’s a disciplined effort to collect the evidence you need, to identify the compliance risks a third party truly poses. It’s not always easy, but with proper foresight and the right tools, it’s a powerful way to get the risk assurance your company needs.