ENHANCED THIRD PARTY DUE DILIGENCE

R&C: In your experience, do companies pay enough attention to due diligence when beginning or renewing business relationships? What types of risks could third parties potentially pose?

Braine: Historically, only companies in the financial sector or other tightly regulated industries conducted systematic integrity due diligence on their third parties. Basic legal and financial due diligence to ensure an adequate level of contractual and commercial protection was considered enough in ‘business as usual’ situations. The introduction, and then increased enforcement, of anti-money laundering (AML), anti-bribery and corruption (ABC) and more recently supply chain regulation has meant that most companies are now really focused on regulatory and reputational due diligence at the point of onboarding. The area where many companies’ compliance programme falls apart is the ongoing monitoring of third-party risks. This is a hard regulatory requirement, for example for financial firms subject to the UK’s 2017 Money Laundering, Terrorist Financing and Transfer of Funds Regulation 28(11). Yet, many firms with an excellent initial third-party onboarding process fail to adequately conduct ongoing monitoring. This is problematic in a fast-moving sanctions environment or even simply when a third party changes ownership, geographic footprint or activity over time. The initial risk-based approach ceases to be relevant, and some now higher risk relationships continue to be considered benign.

Hollobone: How companies approach due diligence varies, but generally the increase in regulations in the last 10 years around ABC, AML, environmental, social and governance (ESG) and supply chain due diligence have seen increased scrutiny of a company’s approach to due diligence, to ensure it is effective and meaningful. Third parties can pose a number of risks; one of the key elements of a number of these ABC, ESG and supply chain regulations is that a third party’s activities are deemed an extension of the company’s, and therefore they need to set out what the expectations are in how they expect business to be conducted. Failure to have these practices and procedures in place can hit a company’s ability to win work, turn a profit, and attract new clients and staff. Previous transgressions have resulted in large fines, the burden of the cost of cooperating with a regulatory investigation, debarment from government and public tenders, and the reputational damage associated with all of this.

Apr-Jun 2025 Issue

Kroll