Third-party vendor screening allows compliance officers to weed out the corrupt, unreliable, unethical, or otherwise high-risk third parties in their extended enterprises. This requires an ability to screen your third-party vendors across any number of risk factors, using watch lists, databases, and other resources.
OK, let’s assume you have such screening capability — what comes next?
That is, how does a compliance officer wade through all that third-party vendor screening data? How can the data be organized to help the CCO reach decisions about which third parties are permissible, which ones need extra attention, and which ones should be sent packing?
Those are crucial questions for modern corporate compliance. Third-party screening is essential for an effective compliance program, but the data itself is only the raw material that helps compliance officers make wise decisions about third-party risk. So today let’s review third-party screening and how to put that data to work in a disciplined, strategic manner.
Third-Party Vendor Screening Is the First Step in Due Diligence
We can begin with a look at the larger picture. All businesses need an effective corporate compliance program. Regulators from the U.S. Justice Department to the U.K. Serious Fraud Office, and many more, have all said that due diligence capabilities are fundamental to those compliance programs. You cannot have an effective compliance program if your business can’t perform due diligence on its vendors, business partners, and other third parties. Full stop.
Well, third-party screening is the first step in due diligence. Screening collects and compares data about your third parties, so you can understand those parties’ characteristics: their ownership structure, past litigation history, adverse media reports, connections to politically exposed persons, and so forth. That data then helps you, the compliance team, to understand what risks might come from working with that third party — concerns that could range from corruption, to cybersecurity, to antitrust, to terrorism funding, to name only a few.
From there, the rest of your due diligence program can kick into motion. After all, your business can work with high-risk vendors and other third parties if that’s what you really want to do, providing that you exercise appropriate oversight over the high-risk party. For example, you might require extra approvals for certain transactions, or require more frequent audits and attestations. Developing and applying those extra precautions is part of what due diligence does.
None of that will work, however, without the preliminary information about the third party that screening provides. As we mentioned earlier, screening data is raw material for your due diligence and compliance program. If that raw material isn’t good, the rest of your compliance effort won’t be either.
Types of Third-Party Vendor Screening Data
A third-party screening program can search for a wide range of data. Many times the screening itself will involve comparing names and other corporate information the vendor has provided to you, against other databases of information to see how true the vendor’s information is — and to determine what else the vendor hasn’t told you.
So third-party screening data can include:
- Personal background checks, to see whether senior managers or owners of the vendor have ever had previous run-ins with the law; are on watch lists of possible terrorists, tax cheats, or money launderers; and so forth.
- Prior regulatory enforcement actions, to see whether the vendor has a history of non-compliance that resulted in some sort of sanction from regulators.
- Ties to politically exposed persons, to assess whether the vendor is really just a front for corrupt officials in foreign governments.
- Connected individuals and entities: to determine whether the third party you’re screening is connected to a sanctioned entity or individual.
- Previous business history, to determine whether the vendor (or its senior leaders) might be prone to financial troubles, supply chain disruptions, mergers that could suddenly make the vendor unavailable, and so forth.
- Other adverse media reports, to identify any other issues that might give you pause before signing a contract. For example, the vendor might have a reputation for poor customer service or harassment of female employees. Those aren’t compliance risks per se, but they can still justify moving on to an alternative supplier.
- Ownership information, to determine who really owns the vendor you’re considering. Or if the vendor is owned by another corporate entity (a partnership or a trust, say), screening can also determine who owns that second business.
Essentials of a Good Third-Party Vendor Screening Program
A good third-party vendor screening program requires more than access to lots of data (although that access is an important part of it). A good screening program depends on a compliance team’s ability to understand the company’s risks, and how to interpret the screening data you gather so you can make wise decisions about the vendor relationships you have.
In that case, several other steps are also crucial for a vendor screening program. Let’s consider them.
Understand the compliance risks your own organization faces. You cannot screen your vendors effectively if you don’t understand how your relationships with vendors might lead to a compliance lapse. So for example, understand whether your business seeks to outsource storage of customer data (a privacy risk), or is expanding into new geographic markets (sanctions and corruption risk), or is outsourcing production of new products (forced labor risk). A broad assessment of your organization’s potential risks is always the first step, so you can then ask: “And could our vendors contribute to that?”
Know who your third parties are, overall and specifically. The compliance team should understand the general categories of third-party vendors your business uses: data storage providers; outsourced HR functions; overseas resellers; raw materials suppliers; outside counsel; software vendors; and so forth. This means you need to talk with other operating units in the First and Second lines of defense, to know how their business processes work. Compliance also needs to be able to identify the exact third parties working with your business, even if that means asking accounts payable for a list of every vendor that receives a check from your company, but ideally, every third party working with your business, regardless of which department has initiated the relationship, should be stored in one centralized third party management system.
Tailor your screening thoughtfully. Understand what compliance risks your vendors might pose, and design screens accordingly. Search for company names, similar company names, variations on common spellings, and so forth. Know all the possible databases and watch lists you can screen against; check with regulatory agencies to see what lists they maintain (which can change often) and ensure that these are covered by the screening tool you’re using.
Use reliable screening partners and data. Vendor screening is not something most businesses can do by themselves; you will need dedicated partners. Use screening partners that have proven expertise at the task, whose technology can meet regulators’ expectations and who can stay current with the vast amount of data that might be used in screening.
Have policies and procedures in place to handle different levels of vendor risk. Successful vendor screening will result in a report of how much risk a specific vendor might pose. Then the business needs to decide whether to use that vendor, apply extra precautions, or cut ties with the party. Identify what levels of vendor risk your business is willing to accept, or what additional controls you want to put in place, before deciding on any specific vendor. Written policies and procedures for vendor risk force your company to consider its vendor and compliance risks thoughtfully and with rigor; that is what regulators want to see.
Audit the effectiveness of your program regularly. Once your vendor screening program is running, you’ll need to perform periodic audits to assure that (1) the program works as intended; and (2) that the program is keeping current with any new vendor risks you may be facing.
As you can see, vendor screening is no easy endeavor — but it can be done, and in modern business, it must be done. Vendors pose too many risks that could derail your business if you don’t.
Building a successful screening program takes discipline, planning, and data; but once you navigate all that screening data, you’ll be making decisions from a far more certain foundation.