16 Aug 2023
9 Steps For Better Third-Party Anti-Bribery and Corruption Due Diligence
Companies operating in today’s global business environment must navigate ever-strengthening anti-bribery and corruption regulations. Some of the most significant recent enforcement actions against companies arose from alleged due diligence failures, leading to fines, legal action, strategic risks and reputational damage. Meanwhile, there are growing expectations around companies’ understanding of their Environmental, Social and Governance (ESG) impact, including new legislation mandating them to carry out human rights and environmental due diligence. All this should prompt companies to carry out effective due diligence across their organizations.
As the complexity of organizations’ global third-party networks grows, it’s more critical than ever for you to have an effective strategy for evaluating and monitoring third-party risk, particularly if there is a risk of financial crime. Below we've outlined nine steps for a due diligence process based on guidance from regulators to help companies mitigate financial and reputational harm due to third-party relationships. Take a closer look.
STEP 1: Understand compliance concerns
The global nature of business today subjects your enterprise to a growing number of regulations and a greater need to mitigate risk exposure through partners and third parties—regardless of where your enterprise is located.
Many countries have implemented new legislation in the last decade that has made it even more important to ensure you and your partners remain compliant. While legislation like the United States Foreign Corrupt Practices Act has existed for nearly half a century, countries in the European Union have strengthened their requirements. Germany recently implemented the Supply Chain Due Diligence Act, which combats human rights violations in addition to the existing regulation of financial crimes.
Furthermore, many of these statutes have extra-territorial reach, so if you or a partner are operating in a country other than that of your headquarters, you need to comply with its laws as well. Otherwise, you run the risk of facing hefty penalties and enforcement actions from multiple governments.
Before you enter an agreement with a third-party supplier, understand the laws in the areas where they'll be operating and consider if they pose a compliance risk for any jurisdiction.
STEP 2: Define corporate objectives for due diligence
Your due diligence process needs to align with the strategic, financial, regulatory, and reputational risks your organization may face. Define the objectives of your due diligence research by asking the right questions before you start. You'll want to consider the size of the organization, its publicity, and whether there could be any Politically Exposed Persons or legal risks associated with the potential partnership.
and the baseline risks you are unwilling to take. Any partnership will have a degree of risk, but there is a big difference between entering into a partnership with local businesses and suppliers versus a high-value, publicly scrutinized company. Decide on your goals and assess how much risk you're willing to assume.
STEP 3: Gather key information
Once you understand the regulatory landscape and have set your risk management goals, you can begin your due diligence research. While there are many topics you'll want to assess when evaluating a partnership, there's certain information that is crucial to your analysis. This will differ depending on whether you're working with a corporation or an individual.
For a corporate entity, organizations need to collect basic information including:
- Incorporation documents
- Details on key shareholders and beneficiaries
- Group structure, board members
- Political connections
- Official references
- Ultimate beneficial owners
Because a corporate entity will have many moving parts, it's important that you assess all the aspects of the organization to get a complete picture of the risk they present.
For an individual, organizations need to focus on gathering:
- Proof of identity
- Source of wealth and funds
- Potential political links
This is often more straightforward than a corporation because you are evaluating one variable. Regardless, it is important that you perform a due diligence check to ensure that an individual partner will not compromise your organization.
STEP 4: Screen prospective third parties against watchlists & PEPs
Once a basic level of vetting has taken place, prospective third parties—both companies and individuals—should be subjected to a watchlist screening process. By conducting watchlist and politically exposed persons (PEP) checks early in the process, you can quickly determine if the potential third-party relationship poses a significant risk. Names of companies, individuals, NGOs and, if applicable, assets such as vessels should be checked against:
- Global sanctions lists
- Law enforcement lists of known criminal entities
- Regulator-published lists of debarred or disqualified companies and individuals
- PEP lists to identify political connections
- SOEs to understand potential exposure from working with State-Owned Enterprises
STEP 5: Conduct a risk assessment
After preliminary information collection and watchlist screening have taken place, it’s time for you to perform a risk assessment. Considerations should include:
- Country of origin risks such as those identified by Transparency International’s Corruption Perceptions Index rating
- Specific sector risks like a high level of government involvement that might increase corruption risk in the defense industry or dependence on local agents that might increase bribery risk in the construction industry
- Entity risks such as the use of intermediaries in transactions, joint-venture partners and exposure to financial crime
- Essential internal factors related to financial risk including deficiencies in employee training, skills, and knowledge; a bonus culture that rewards excessive risk taking; lack of clear policies and procedures related to hospitality and promotional expenditure; and political or charitable contributions.
STEP 6: Validate the information collected
Following the risk assessment, your due diligence process should include multi-source verification of the information that has been accrued. This will involve a different degree of scrutiny depending on the level of risk the party presents.
- For low-risk third parties, this final screening involves corroborating details against public records, running a credit check, and using specialized databases like CIFAS.
- High-risk third parties require an enhanced due diligence process of the entity itself, as well as known associates, subsidiaries, and other related entities. Negative news checks establish potential reputational risks from media archives. Additionally, checks against legal databases pull the litigation history of the prospective client or third party.
STEP 7: Audit your due diligence process
Throughout the due diligence process, your organization needs to maintain a comprehensive record of relevant documents, assessments, and decisions to ensure you can demonstrate ROI and prove that decisions to engage with partners or third parties were made in good faith. This is particularly important in case there is legal action and you need to prove that you performed adequate due diligence.
STEP 8: Establish an ongoing monitoring plan
Once a third party has been vetted, you still need to conduct ongoing monitoring of the relationship to provide visibility into emerging red flags that could put your organization at risk. As regulation changes, it's important to ensure your partners maintain compliance with new legislation. Additionally, new leadership or negative news could compromise an existing partnership, and ongoing monitoring will allow you to decide if and when it's time to cut ties.
STEP 9: Review your due diligence process regularly
Business needs change. Commit to periodic reviews with stakeholders to ensure that your due diligence process is always aligned with those needs over time. The best way to do this is by using intelligent technologies like Nexis Diligence+™ that enable comprehensive, risk-aligned due diligence without the manual effort. With our extensive, enriched data, you can feel confident that you are making decisions to keep your risks managed and your company compliant.
To get started on your due diligence strategy, check out our complete "Due Diligence Checklist" for everything you need to know about monitoring anti-bribery and corruption risks.