Many businesses rely on partners, suppliers, agents, and various other third-party services. These services can be a great way to build a business, outsource tasks and manage fluctuating operational needs.
These can be an asset to your business as long as you have properly vetted them and they are compliant and trustworthy. However, it’s your business that is being represented and your business that could suffer regulatory fines or reputational damage if those third parties are fraudulent or don’t implement best practices.
To minimise this risk, you should have effective third-party due diligence policies, screening, and processes in place.
Depending on the countries and industries you operate in, there are numerous regulations that require third-party checks. For businesses in the financial sector, there are strict Anti-Money Laundering (AML) laws. There can also be anti-corruption laws such as the U.S. Foreign Corrupt Practices Act. This is because financial companies dealing with vast sums of money can become a short route for illicit or corrupted funds to become legitimised.
There are multiple methods bad actors can use to clean their money, and many legitimate businesses unknowingly assist in this process. So what can you do to prevent these people and companies from cleaning their dirty money through your organisation?
Know Your Customer (KYC) laws are already in place and are a standard business procedure for financial institutions. These procedures can be expanded to analyse their customers more deeply, an approach known as Know Your Customer’s Customer (KYCC).
KYCC expands the KYC rules so they incorporate third parties. It refers to the steps taken by a financial institution (or business) to:
- Verify the identity of a third party
- Understand the nature of a third party’s activities (to satisfy that the source of the funds is legitimate)
- Assess money laundering risk associated with a third party
The first step to performing effective third-party due diligence is to identify and verify the third party. This involves gathering accurate business information such as their company number, business name, business status, address, directors, persons with significant control (PSCs) and date of incorporation.
It’s not enough to just gather the information; you need to verify that it is accurate and up to date. This can include checking the official records held with a government register such as Companies House to make sure the information matches.
After verifying the third party, understanding their business activities provides insight into the level of risk involved in doing business with them. The next action you can take is to screen the identified parties against lists of high-risk individuals, such as politically exposed persons (PEPs) or entities.
Besides screening, another effective risk management strategy is determining how the third party acquires its funds. Look at the industries they do business with, the countries the funds are coming from, and the types of transactions being done. Also, look at the nature of their partners, suppliers, and clients.
Once you know this information, you can carry out a risk assessment. Remember that some industries, countries, and third parties can carry higher risks, but this doesn’t mean you have to reject doing business with them. Whether you feel it is necessary to carry out business with a higher-risk business will depend on your risk appetite.
Depending on the analysis of the initial assessment, you might need to carry out Enhanced Due Diligence (EDD) procedures. Some practical EDD procedures can be:
- Obtaining information from a wider variety of sources
- Carrying out additional searches to inform the individual customer risk assessment
- Commissioning an intelligence report on the customer to better understand the risk that they may be involved in criminal activities
- Verifying the source of funds or wealth involved in the business to be satisfied that they don’t result from the proceeds of crime
- Seeking additional information from the customer about the purpose and intended nature of the business relationship
It’s vital to understand that effective third-party due diligence requires ongoing efforts. Any program needs:
- An auditing plan to ensure the processes are valid
- Monitoring procedures to spot new potential risks
- Ongoing review to consider changes in risk tolerance
The critical point is to have these systems in place so your compliance staff knows what to look for, what to do when they see something, and how to monitor the process.
Knowing the third parties of your business connections will help protect your organisation and potentially save it from compliance failures and reputational damage.