Look, I do not know how your company selects counterparties. But what if I told you that your company’s partners, vendors and even clients may be involved in really dirty behavior? In any developed jurisdiction, this would mean that your company risks facing interrogations, searches and even accusations of complicity in crime. Nobody wants this scenario, right? However, not everybody does something about it. Hence, if your job is to prevent this and protect your company from legal risks, the content below should be of value to you.
Third party due diligence, know your partner program, third party management, background check, vendor verification – these are all different names for the same thing. In this post, I would like to provide brief guidance on how to reduce the risks of doing business with counterparties. At the end of this post, I will share a turnkey solution for this process.
Firstly, I would like to guide you through how third party due diligence was historically conducted in Ukraine. Probably as a heritage of the USSR, during the wild 90s many local businesses had their own security service departments consisting of former law enforcement officials. These people checked counterparties and even employees for business risks of any kind. These departments were the companies’ own “investigators”, if you will. Their primary function was to understand potential counterparties’ connections, level of influence and patterns of behavior in order to prevent attacks from other businesses or public authorities.
One can argue that this is still the best way to go. I tend to disagree. In my view, the problem with old-fashioned security service departments was that they completely disregarded anti-corruption and personal data protection legislation. One famous trick I heard they used was to pay public officials in law enforcement and other authorities monthly payments of somewhere around 200 USD for unofficial provision of any necessary information. Obviously, this practice cannot be sustained in a changing regulatory environment. Previously, anti-corruption legislation was poorly enforced while open-source information was scarce. Now it is the opposite. The risk of enforcement is high, while due to increasing transparency more information becomes publicly available for business decision-making. This is why I think that checking third parties is a job for the compliance department today and not for the security service department.
Here is how I think a compliance department should run a third party check.
(1) Data Collection. This stage consists of two questionnaires: an internal one, filled out by the company’s business department seeking to contract a third party, and an external one, filled out by the potential counterparty. The first one is necessary to show the right intent of the company. The second is mostly the counterparty’s declaration based on a self-check of its compliance health.
One could raise a fair question: what should I ask my potential counterparty? I recommend asking general questions, to see the counterparty’s general compliance understanding and attitude, as well as specific questions. The latter should be tied to the risks that may arise from the engagement.
(2) Verification and Validation of Data. The above data will need to be verified by either internal personnel (compliance, legal, finance), external providers, or both. This means that you have to check and validate the particulars from the information provided by the business unit and potential counterparty. This is where you may need to use public databases and even conduct phone interviews and site visits.
Nowadays the life of compliance professionals is comparatively simpler. Multiple solutions exist for verification and validation of data. For Ukraine, I recommend you check at least such providers as: You Control, Kroll, Bureau Van Dijk, Cosa, Open data bot. You will get familiar with how they work and decide what suits you best.
(3) Identification of Red Flags and Mitigation of Risks. I would like to dispel the common misbelief that any red flag poses a risk. It does not. A red flag is just an indicator that requires additional scrutiny. I already analyzed two examples of red flags here under points 4 and 5. For others, see the list of red flags that I will share as per the instructions at the end.
The goal of this stage is, of course, to identify as many red flags as possible. But it is not only that. If, after a number of questions, you realize that there is no logical explanation that addresses your concerns, you have to document the particular risk of the engagement. This requires keeping a third party risk tracker and recording in it the respective risks identified. But so as not to leave the problem without a solution, the identified risks require the company’s business department and compliance to sit down and discuss honestly what measures can be incorporated for risk mitigation, if mitigation is possible at all.
Finally, if you recall, I already shared anti-corruption clauses before. You can click here, follow the simple instructions and still get them if you want. Now, I would like to share another valuable tool: a comprehensive solution for third party due diligence developed by a reputable public society.
So, save the hours of work or the company budget needed to develop a third party due diligence framework. Get (1) the model policy, (2) the internal and external questionnaires, along with (3) lists of red flags by doing the following 2 steps:
(2) complete a simple form in the Contact Us section on our website (type "DD" in the Subject field and "Yes" in the Message field).
I will send the above materials within 48 hours, so that you are well equipped to manage third party risks for your company.
I would like to conclude with a quote from the World Economic Forum of 2013 that is still relevant today: “Effective third-party due diligence should help organizations reach the following conclusion: I am confident that my agent, reseller, supplier etc. does not make corrupt payments, and that our business relationship is a normal, legitimate one. I can explain to, and convince others why my confidence is justified.”