Understanding Enhanced Due Diligence & When to Use It
Pavlo Verkhniatsky, Managing Partner at COSA
Pavlo is an expert in sophisticated integrity due diligence with an international component. He also leads research on country and political risks, conducts cross-border investigations and asset tracing for the benefit of global corporate players. Having experience of on-the-ground work with a focus on the FSU Pavlo provides COSA’s clients with in-depth understanding of behind-the-scenes particularities of business relations and country specifics.
The vast majority of the relationships necessary to do business in the modern landscape are mutually beneficial to customers and suppliers, however, entering into an agreement with a third party does not come without risk. To understand and mitigate potential risks, companies employ due diligence activities. The different types of due diligence practices and when to use them was the subject of two webinars conducted in partnership by Assent Compliance and COSA.
To mitigate the long-term damage from disruption or third-party misconduct, enhanced due diligence may be necessary. Enhanced due diligence goes beyond basic screen procedures typically employed with reliable third parties. It expands scrutiny to dealings below the surface, to gather comprehensive data sets to examine for a history of corruption or misdealings.
To gather this information, enhanced due diligence often leverages deep-dive scans of publicly-available media. This provides a broader context with which to weigh risks as opposed to a simple screen of government registries. Analysts review this information to disseminate fact from fiction and evaluate results. Human analysis is integral to enhanced due diligence as current artificial intelligence is unable to factor in regional biases, political climates, or other nuances that affect results.
Third-party due diligence is not one-size-fits all. For a better understanding of how and when to use it, consider these questions companies asked in our webinar with COSA Intelligence Solutions:
How wide of a scope should we consider for our suppliers due diligence screening?
There are different approaches that are typically based on the risk profile of the company and the risk related to the third party. In our practice, we divide into basic, moderate, and high and tailor our activities to that risk status.
Basic: We gather formal data such as sanction lists and government watch lists and screen the counterparty through this lens. This approach also gathers corporate data to evaluate the potential risks.
Moderate: With a moderate risk profile, we do a deep dive into the public domain, screening for adverse media mentions, litigation checks, and similar red flags.
High: Companies considered high-risk need human intelligence to confirm or refute findings from the public domain.
How do we know what government lists or media outlets we should be monitoring in our due diligence programs? There are so many that it is hard to keep up with.
It depends on where your counterparties are located. There are countries with a transparent media environment and others where the media is controlled by specific groups. There’s no recipe for this scenario, so the human analyst is important to evaluate data; IT tools won’t be able to determine truth from lies or assess the nature of what’s written. It requires human analytical skills.
If my company only does business with German suppliers, but one of the suppliers gets placed on an American government debarment list, does this directly put my company at risk?
This case poses reputational risks to your company. Your company does not breach compliance regulations and will not be fined by the U.S. government in this regard. However, there are high potential reputational and financial risks for your business in dealing with a supplier that has already been involved in non-compliance issues (e.g. fraud, abuse, etc.). If your supplier is on the U.S. government debarment list, there is no doubt that the U.S. government has already revealed and confirmed at least one of the aforementioned violations.
Debarred companies are excluded from federal procurement and non‐procurement programs throughout the U.S. government and cannot receive federal contracts, certain subcontracts, and certain types of federal financial and non-financial assistance and benefits.
It is inadvisable to work with suppliers that appear on the U.S. government debarment list since vendors that have been debarred or suspended from doing business with the federal government not only pose reputational risks to your company, but also impact your prospective participation in government procurements. Specifically, your company will be checked more thoroughly by the authorities when applying for federal contracts or federal funding through the System for Award Management (SAM). Doing business with a German supplier that was placed on the U.S. government debarment list might be viewed as a reason not to award a contract to your company.
Is screening my suppliers once per year enough to reduce our risk? Or should we screen them more often than that?
Screening your suppliers once per year is a good frequency. What matters is the depth of the screening. In the case of high-risk suppliers, make sure it is enhanced due diligence rather than a tick-the-box procedure. Additional screening can be made before large (up to you to decide on the sum) payments are issued in favor of the supplier in order to check for any changes in ownership structure, litigation cases, bankruptcy, sanctions, etc.
How are issues with certain suppliers communicated globally?
The general compliance practice definitely does not imply broadcasting such information. However, we have seen unofficial blacklists being created based on the information that has appeared in the media in relation to certain companies and individuals, or shared between internal corporate security professionals of different companies (but the latter one usually works on a national level, rather than internationally). One of the problems is that most episodes are either allegations or not possible to prove without a thorough investigation, and if such information is broadcasted, one might find himself sued by the subject. There are cases when whistleblowers inform the authorities about certain violations, but it is rarely initiated by companies as it means being heavily involved in further litigations, which is not a priority for most businesses.
At which point do we need to use enhanced due diligence methods instead of basic due diligence methods? Should we use enhanced due diligence methods only for suppliers in high-risk countries?
Basic due diligence is sufficient for many suppliers around the world. Enhanced due diligence is too expensive to use for all your third parties, however, so it should be employed when your supplier is itself a high risk, is located in a high-risk region, operates in a risky industry, or is potentially impacted by toxic entities and individuals. An example of such impact is when a company from a well-regulated jurisdiction within the European Union could be controlled through shell companies by oligarch groups and politically exposed persons (PEPs) from other regions such as the former Soviet Union. Your internal risk matrix should also be used to determine if your third party warrants enhanced measures.
Another scenario where enhanced due diligence measures are helpful is in investigating adverse media episodes related to your supplier identified through regular due diligence. This enables you to evaluate your third party in light of new events.
How far back in time should we consider negative news to be a serious risk for a tier 1 supplier?
It’s best to refer to your internal policy when evaluating scenarios, however, you should always seek to understand how the party you’re doing business with gained their wealth. For example, in the former Soviet Union, the 1990s were known to be rife with corruption and criminal activity. If your prospective third party was particularly active in the region at that time, you may want to exercise more due diligence for that time period. Since every region is different, your behavior will be dependent on the region your third party does business and the region’s history. Moreover, it is important to trace ownership changes throughout the history of the company’s operations, and analyze why it happened and what other events accompanied those changes.
If a Chinese supplier exists in a region that has a current U.S. government advisory but is not on a sanctions lists yet, am I at high risk?
We see this with regard to Russia, with some oligarchs close to President Vladimir Putin being on a watch list, but not yet sanctioned. It’s still legal to do business with these individuals for now, but they are likely some of the first sanctions to be ordered if relations between the U.S. and Russia deteriorate. Additionally, companies doing business with these individuals, while not legally prohibited, put themselves under more scrutiny.
The same would apply to certain suppliers in China, although companies should evaluate based on regional risk factors. As an example, the Xinjiang province was considered high-risk after numerous reports of human rights violations emerged and sanctions soon followed.