Routine due diligence of an organization’s third-party partners—be they counterparties to a contemplated transaction, vendors of tangible goods, suppliers of raw material, professional services providers, intermediaries, or other agents—is a critical first step in the onboarding process and part of a well-rounded third-party screening process.
As the U.S. Department of Justice (“DOJ”) cautions in its 2020 update to the Evaluation of Corporate Compliance Programs (“DOJ Guidelines”), ongoing and risk-based due diligence, both at the inception of the commercial relationship and periodically thereafter—is an essential component of a fully functioning corporate compliance program. Under the DOJ’s Guidelines, such due diligence must:
- Align with the nature and level of the total enterprise risk identified by the organization;
- Be paired with functioning internal controls that ensure that the services to be furnished are specifically identified, that payment terms are appropriate, and that compensation is commensurate with the services rendered;
- Incorporate audit and inspection rights that permit the organization to periodically examine the third-party’s books and records; and
- Appropriately and promptly identify and address any “red flags” that might arise from the use of third parties, including termination of the business relationship when circumstances so warrant.
The Importance of Third-Party Screening
Succinctly stated, the due diligence process begins with third-party screening. Generally speaking, third-party screening entails collecting basic information about a company to conduct an initial screening of the third party in either a commercially available database or the U.S. government’s Consolidated Screening List (“CSL”).
Although the breadth and scope of search capabilities vary considerably by a commercial product, virtually all commercially available sanctions screening tools screen against U.S.-based sanctions lists, including but not limited to, the U.S. Department of Treasury’s Office of Foreign Asset Control (“OFAC”) Specially Designated Nationals (“SDN”) and Foreign Sanctions Evaders lists; the U.S. Department of Commerce’s Bureau of Industry and Security‘s (“BIS”) Denied Person, Entity, and Unverified Lists; and the U.S. Department of State’s Arms Export Control Act (“AECA”) Debarred List, among others. Other commercial tools integrate international search capabilities such that a global organization operating in multiple foreign markets can have confidence that the third party is not subject to UN, EU or other jurisdictionally specific sanctions programs.
It should be noted that in such cases, however, the mere appearance of a third party on a sanctions list does not indicate that the organization must refuse to transact business with that entity or person. Appearances of even reputable U.S. organizations on international sanctions lists—like those administered by the Russian Federation for instance—are common. The key here is to remember that sanctions screening is the beginning of the third-party vetting and onboarding process. If the third party raises a proverbial sanctions “red flag” then additional due diligence is required by the organization before consummating any commercial transaction.
Conducting Third-Party Screening Correctly
As an essential component of an organization’s overall risk mitigation strategy, the screening of third parties should be taken seriously and conducted competently. For example, when utilizing commercially available databases, care should be taken to enter the exact name of the entity or individual with whom the organization proposes to contract. Additionally, so-called “fuzzy logic” or the ability of the screening tool to replicate (albeit imperfectly) the process of human thought to return near matches (and in some instances, distant matches too) should be enabled. On the rare occasion that multiple hits are received for the third-party subject to screening, it is relatively easy for a trained and knowledgeable compliance professional to assess whether the hit is a definitive match. In many instances, false hits can be identified and discounted immediately based on information about the company’s principal operating markets, ownership structure, director information, or other details that are disconsonant with the information furnished by the third party.
You’re Not Done Yet – The Importance of Ongoing Monitoring
The process of conducting initial screening—as important as it is—marks the beginning, not the end of the due diligence process expected by regulators of organizations generally. As the DOJ Guidelines emphasize, an essential question asked by prosecutors when confronted with a potential legal violation is whether the organization’s compliance program “works in practice.” A staple of a program that “works in practice” is a program that continually reviews third-party relationships by:
- Monitoring the performance of the third-party under any definitive agreement reached with the organization;
- Exercising contractually agreed upon rights to audit and inspect the third-party’s books and records for oddities or discrepancies;
- Periodically evaluating the incentive and compensation structure utilized to remunerate the third-party for its services;
- Promptly terminating agreements with organizations that refuse to abide by the organization’s ethical and legal norms; and
- Taking remedial action with respect to ineffective internal controls.
The latter requirement—the ability of the organization to respond swiftly when an unexpected situation with a third-party does arise—is perhaps the most important outcome of the monitoring process. The DOJ Guidelines are replete with references to internal improvements, enhanced controls, and continuous testing to ensure that the organization’s program “works in practice.”
When misconduct is uncovered that involves or otherwise implicates a third party the organization has previously vetted, it is crucial to conduct a root cause analysis to (a) determine where the failure occurred; and (b) what steps the organization must take to avoid repeating the same mistake again. Of course, it is entirely possible that the organization’s internal controls had no bearing on the third-party’s illegal or unethical activities, such as when an otherwise reputable intermediary engages in subterfuge and intentionally conceals the nature of that activity from the organization itself. In such instances, the organization should consider the appropriateness of making an immediate voluntary disclosure to the appropriate regulator(s) and implement steps to ensure that the business does not utilize the third-party’s services in the future. Additionally, organizations should ideally invest in sanctions screening solutions that actively and continuously screen an organization’s third parties against a multitude of domestic and international lists to prevent the possibility that a red flag arises of which an organization would otherwise not have been aware.
How GAN Integrity Simplifies Screening
GAN Integrity’s Third-Party Due Diligence Software streamlines the process of conducting screening by serving as a comprehensive platform for third-party onboarding and monitoring. The need for manual input and redundant administrative tasks—greatly diminishing the possibility of human error—are a core component of GAN Integrity’s screening solution. Significantly, GAN’s Third-Party Due Diligence Software corresponds precisely to regulatory guidance concerning the importance of risk-based due diligence by allowing the organization to set its own risk tolerance and customize workflows to ensure that potentially problematic relationships are identified from the outset. In combination with an integrated and continuous screening and monitoring solution, GAN’s due diligence application is one of the most efficient, user-friendly, and innovative screening solutions currently on the market.
Implement a bespoke Third-Party Risk Management solutionView platform