How Organisations Can Best Carry Out Enhanced Due Diligence for Third Party Suppliers

Due diligence and Enhanced Due Diligence (EDD) procedures to check third party suppliers are incredibly important for businesses to protect themselves against being the victim of fraud and to ensure their business maximises operational efficiency.  Deloitte (2021) draw a causal link between the efficacy of third-party risk management programmes and business success, yet Gartner (2019) found that eight in ten businesses discover issues with their suppliers following the due diligence and onboarding process.

Effective due diligence and enhanced due diligence checks are important for numerous reasons:

• You may be a regulated industry and subject to fines from the FCA. Dealing with suppliers means you are not directly receiving money from a customer, but rather paying it out to them; however, under Financial Action Task Force (FATF) recommendations, you are still responsible for ensuring you don’t work with suppliers who are engaged in criminal activity and looking to launder money. As mentioned above, you may not be directly receiving monies from ill-gotten gains, but your supplier may be paying their suppliers with money received from criminal activity, offering you very low prices and then receiving payment from you. In this process you have aided money laundering.
• Businesses have Environmental, Social and Governmental (ESG) commitments and many investors as well as the public as a whole will turn their back on a brand that is found to be linked to modern slavery or has bad environmental practices.
• Sanctions and Politically Exposed Persons (PEPs) – If a supplier is connected to a politically exposed person or a sanctioned individual or country this will have wide ranging implications to the stability and success of a business relationship. In this case you need to check third party suppliers against relevant sanctions lists, such as the OFAC list, the UK list, the EU list, and the UNSC Consolidated List.
• While not all businesses are regulated for money laundering and therefore subject to the possibility of being fined, it is still not in the best interests of an organisation to have laundered money flowing through it. Recent reports have shown that the education sector has become a target for money launderers, and while not regulated, the prospect of fake students coming to a campus only to dropout is not good for the long-term academic reputation of a university and the safety of other students.
• Businesses can often have hundreds of suppliers both domestically and abroad. At the same time, due diligence is becoming more complex. When due diligence is done manually it is incredibly time-consuming meaning organisations cannot onboard their suppliers at the right time and benefit from the business relationship with that supplier.
• Fraud and bad actors – Supply chains are extremely complex with many moving parts that need to be synced. If a supplier’s financials are not in order and it defaults on its commitments that will have serious repercussions for your own ability to fulfil orders and could result in your organisation not getting paid. In addition, your supplier may simply be trying to defraud you by receiving payment and not delivering goods.
• On a more positive note, EDD can lead to insights into your suppliers that help you work with them better and improve services and revenue.

However, without the right processes and expertise, due diligence – and in particular, enhanced due diligence – can become incredibly costly, time-consuming, impact business operations and leave your business open to reputational and financial damage. Read on to learn the best practices for cost-effectively carrying out enhanced due diligence whilst ensuring the maximum level of protection.

Enhanced Due Diligence Best Practices

Use a risk-based approach

Enhanced due diligence checks are, as the name states, additional, more thorough checks than basic third-party due diligence. They are more expensive and time-consuming when done manually, potentially causing problems with onboarding yet critically important to avoid reputational and financial loss. The cost to the business becomes even more acute when you consider you will likely need to carry out that enhanced due diligence over a range of risks – for example, modern slavery, business stability, AML, political stability, and environmental concerns.

As a business you want to minimise the amount of enhanced due diligence you need to do, but it can be extremely difficult to decide the right balance – Being unnecessarily thorough will prove to be costly and slow, while not enough checks will mean risk is missed negatively impacting your organisation.

The answer is to use a risk-based approach. This is mandated by the Financial Action Task Force (FATF) with respect to anti-money laundering but is applicable best practice no matter what kind of risk you need to do due diligence on.  In a risk-based approach if certain criteria are met then basic due diligence is sufficient, but if other triggers are set off then enhanced due diligence is necessary.

For example, when you go to the bank or register online to open a new account you will be asked to prove you are who you say you are, by showing a photo ID and usually a supporting bill verifying your address. Unless you set off a pre-defined risk trigger – unless around the size of the monies involved or whether you are on a government watchlist or sanctions list – the bank will carry out simple customer due diligence on you rather than enhanced due diligence.

This risk-based approach allows you to utilise your resources more efficiently and focus them on the more problematic cases.

Evaluating risk and deciding when to do EDD

Unfortunately, each category – modern slavery, money laundering etc – has different risk indicators and deciding which one of them should trigger enhanced due diligence is not always obvious or easy. For money laundering, FATF provides some guidelines that can be used as starting points to plan out your enhanced due diligence triggers across other risk areas. In Europe, under Article 18 of 4AMLD, any business located in a country on the High-Risk Third Countries list requires enhanced due diligence. Similarly, any politically exposed persons (PEPs) or their close associates or family members must also go through the more thorough examination process.

Additionally, it is a good idea to take the below into consideration:

Customer/Supplier Risk Factors

–    The supplier has a Politically Exposed Person (PEP) as a director

–    The supplier or customer is a Special Interest Person (SIP)

–    Any person or entity with a sanction

–    A large amount of adverse media or news

–    High net-worth

Geographical Risk Factors:

–    Supplier is from a country which have sanctions or embargoes levelled against them

–     High-risk third countries

–     A country on the FATF list of Other Monitored Jurisdictions (greylist)

–     A country on the FATF list of Call for Action Jurisdictions (blacklist)

–     Any countries which have proscribed terrorist organisations within them

In the case of a third-party supplier, the above indicators are extremely helpful; however, it is a much more complex situation compared to just checking on an individual as you will need to gather information around not just the business but the directors of the business. In addition, it might not be sufficient to say that the third-party supplier is in the UK or another country not on the sanctions list, therefore enhanced due diligence is unnecessary – Fraudulent activity is prevalent everywhere and businesses in low risk countries have connections with those in high-risk countries, meaning it is likely necessary to look for other indicators like the number of directorships any one of the suppliers’ directors holds, financials and adverse media in order to properly set your parameters for when basic and enhanced due diligence should be performed.

Use multiple data sources

As mentioned, the consequences of not correctly carry out enhanced due diligence can be gravely damaging for a business, making it is extremely important to make sure you have best-in-class processes for EDD investigations and checks. However, there are no official guidelines on what enhanced due diligence should entail, what the report should look like, and how much information on a customer it is necessary to collect. Still, there are a number of things you can do to help protect yourself whether you are audited by the relevant supervisory body for your industry or are preparing a report for your own internal business needs.

Following through with our example of using the volatility of directorships in third party suppliers as a risk indicator. It might well be you have decided that enhanced due diligence is necessary if one of a third party supplier’ directors is linked to five different companies or if he had three companies that shut down in the last 18 months. Now, neither of those things means that they are automatically a huge risk or fraudulent, but the point of enhanced due diligence is to examine in more detail by looking for the existence of other signs of risk – Is there adverse media on the individual in terms of court cases or failed businesses? Do they have a poor credit history? The discovery of that additional information should help prove either way. It might well be you that none of the other directors in that supplier has any issues, and that that director has an excellent credit rating and a history of previous achievements found online that enable you to say that the balance of risk is favourable. Similarly, for modern slavery, where initially an area of China indicates enhanced due diligence is required, it is not always the case that this supplier is involved and therefore enhanced due diligence will show that no evidence can be found to link them to the practice.

Without an official set of guidelines, and knowing you need to risk assess to a much more stringent standard, you should be demonstrating that you have looked for information on the person from across various different data sources. In the example of the flagged director above, we have used credit history data and open-source intelligence (OSINT) to look for additional information on our subject. But land registry documents, companies house, and financial data from Experian, TransUnion or Equifax can all reveal slightly different data on an individual.

For ESG issues like a supplier’s environmental record or modern slavery, adverse media, or open-source intelligence (OSINT), is particularly helpful to give a clearer picture of the business and the individuals behind the third-party supplier – Open-source intelligence (OSINT) is suggested component by FATF and also by The Gambling Commission for affordability checks. For example, search on the directors and the business can reveal details of previous bad publicity it has had, court cases, or even positive news that will prove to balance the risk in their favour.

Rigorous investigative methodology

It is not enough to just gather a lot of information from various sources if they don’t plausibly address the risk and show good investigative process. It is therefore essential for you to clearly state why you collected data from these sources above others and plan out and document a risk scoring methodology.

Your investigation should show that when false positives have arisen that those avenues have been thoroughly investigated and discounted rather than ignored.

Planning

To optimise the balance between due diligence and enhanced due diligence requirements, and to ensure not too much time is spent reinvestigating and updating reports, you should firstly decide on the risk topics – AML, modern slavery – and then take the time to map out what risk looks like for each one. This should be a collaborative process across your business.

Some of the information you will need to acquire includes:

• Company names, addresses, taxpayer references, and incorporation documents
• Names of company owners and beneficial ownership
• Company Cash flow and asset expenditure data
• Debts, liabilities, and other contingencies
• Employment status of company employees
• Historical financial data
• Internal business risk assessments and growth projections
• Historical AML compliance performance

Detailed documentation

Your entire process should be documented and all evidence and research auditable with sources attributed in a standardised report. This is not only important for regulated businesses that may be asked to provide a report a long period after it is initially written, but for all organisations to justify internally decisions and then work to improve processes. Organisations should also make sure all sources are still available, and your report is up-to-date.

Professional

Carrying out enhanced due diligence on third party suppliers is a complex process requiring expertise in identifying suspicious activity and links, made more difficult by the fact that this needs to be done for both individuals and businesses and for a multitude of different risk criteria. You should therefore ask yourself if your organisation has the in-house skills to carry out credible, professional due diligence and enhanced due diligence checks. If not, you should look to employ a consultant or business that has this expertise.

PEPs

Understand the level of risk and match it with more enhanced levels of due diligence. If you have a Politically Exposed Person (PEP), they are a higher risk because of the potential to be used for money laundering.

Re-engage your customer

Assume your customer is legitimate and ask them to help with the enhanced due diligence check by answering questions and providing further evidence.

Commercial monitoring

The status of a third party supplier can change at any time, meaning it shouldn’t be the case that you just do checks while onboarding. You should build ongoing monitoring into your processes to check for changes to your risk triggers. For example, to check on the stability of the directors in the business.

Employ technology

Manually doing these kinds of checks across multiple data sources is an extremely time-consuming, expensive exercise; it is fraught with human error as you have to login to multiple windows, and then copy and paste and explore suspicious activity red flags over numerous data sources – not to mention, manually weight risk triggers and compile reports. A software solution that can automate this process allows you to get the research done for an EDD check much faster, leaving you with more time to make the right decision. In addition, it will allow you to generate a standardised and auditable report to present to the relevant authorities when called upon to do so. However, not every solution for automating enhanced due diligence is the same and you need to understand if your solution can truly automate over multiple data sources.

Which Businesses Are Regulated for AML Compliance?

Not every business is bound by money laundering regulations – and AML compliance checks are not the only reason for doing due diligence – but the ones below are, and it extends beyond just financial institutions:

• Credit institutions
• Financial institutions
• Auditors, insolvency practitioners, external accountants and tax advisors
• Independent legal professionals
• Trust or company service providers
• Estate agents
• High value dealers
• Casinos

If you fit into one of the above sectors, then you must be monitored by a supervisory authority. In the case, of businesses authorised by the Financial Conduct Authority (FCA) or belonging to the Law Society, there will be supervision as a matter of course, but for the other sectors they will have to register with HMRC.

References

Deloitte. (2021, February 8). Third party governance and risk management, turning risk in to opportunity. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/audit/deloitte-uk-third-party-governance-risk-management-report.pdf

Gartner. (2019). More than eight in ten organisations discover third-party risks after due diligence period. Gartner. https://www.gartner.com/en/newsroom/press-releases/2019-08-15-gartner-says-more-than-eight-in-10-organizations-disc

About Synalogik

Synalogik’s software platform, Scout®, is a one-of-a-kind efficiency solution when multiple disparate data sources are needed for EDD checks and investigations. Scout is data agnostic, integrating internal, open source and out-of-the-box most 3rd party data providers, allowing you to seamlessly automate search and reporting across all the datasets you use, not just the ones included from your solution provider. Our 3rd party integrations include Equifax, W2 Global, LexisNexis, Creditsafe, TransUnion, GBG and many more.

Our open approach means it is possible to have more complete automation across all your datasets, delivering greater efficiency and insight.