With the uptick in sanctions enforcement related primarily to the global response against the Russian Federation for its unprovoked incursion into Ukraine, legal and compliance professionals across all economic sectors should be focusing on the current state of their third-party due diligence programs. Third-party due diligence—that is, the process of collecting and analyzing information on prospective customers, vendors, suppliers, service providers, intermediaries, and agents to assess the risk posed by engaging such parties—is a critical component of a truly effective compliance program as understood by global regulators (particularly the U.S. Department of Justice). Increasing international sanctions activity all but necessitates that the legal and compliance functions of an organization evaluate—and enhance—their third-party due diligence programs to avoid the potential for a costly and damaging regulatory infraction. To that end, organizations should take the following steps to ensure that their due diligence programs meet emerging expectations.
Assess and Automate Due Diligence Practices
The starting line for improving the organization’s due diligence practices is to objectively and honestly evaluate the state of the organization’s current efforts. Organizations that lack formal due diligence policies should move quickly, utilizing industry best practices, to implement a formal due diligence program. Similarly, organizations that conduct due diligence on an inconsistent basis should act now to implement policies and procedures that provide, among other things: (1) when due diligence is required; (2) what information is necessary from third parties for the organization to effectively determine what risk the third party poses; (3) how often due diligence should be updated; (4) what tools the organization should utilize to maximize efficiency in information gathering; and (5) how the organization will handle risk prioritization. While all five steps in the assessment process are of equal importance, companies focused on keeping pace with emerging regulatory developments (including sanctions exposure, financial risks, ESG disclosures, and other factors) should be keenly attuned to step four in the process.
To the extent a contemporary organization—especially sizable enterprises with multiple divisions operating in different jurisdictions—is still heavily reliant on manual screening processes (and ad hoc Internet searches), the organization must seriously evaluate whether automating screening processes is no longer a luxury but a necessity. While simple searches of individual sanctions databases (the U.S. government’s Consolidated Screening List (“CSL”), for example) may have been sufficient in the past, the most effective organizations now rely on cutting-edge technology to generate a plethora of information concerning a third-party target including, but not limited to, the organization’s financial solvency, ultimate beneficial ownership structure, domestic and foreign sanctions activity, ESG practices, and overall reputational risk. The use of such technology—often bolstered by artificial intelligence and machine learning capabilities—exponentially reduces the time an organization and its compliance personnel must commit to evaluating an individual third party. While many organizations loathe investing in additional compliance resources due to current fiscal constraints, the use of an effective third-party screening tool should be viewed as a critical investment in the organization’s operational activities.
Prioritize Major Risk Factors
Automation of third-party due diligence will also assist legal and compliance professionals with conducting another critical component of the due diligence process—namely, prioritizing third-party risks from the least consequential to the most serious. As the DOJ Guidelines for the Evaluation of Corporate Compliance Programs (“DOJ Guidelines”) emphasize, effective corporate compliance programs must employ “risk-based due diligence to [their] third-party relationships.” While the nature and extent of the due diligence required for a particular third party may vary, the DOJ Guidelines are clear that the organization must understand both the business rationale for needing the third party in question and the totality of the risks posed by third-party partners (including potential associations with foreign government officials, where the anti-bribery and corruption risk may be considerable).
Contemporary screening systems often have the capability of generating risk scores based on pre-set or customizable factors. These risk scores, in turn, can be partially relied upon by the organization in assessing which third parties pose the most risk to the enterprise as a whole. While there is no substitute for the sound judgment and professional discretion of an experienced compliance professional—and automated risk scores themselves should not be determinative in ascertaining the precise risk posed by a third-party partner—these risk scores are generally reliable indicia of whether a third party may require additional scrutiny prior to being engaged by the organization.
Update Due Diligence on High-Risk Parties
Often overlooked, periodic updates to initial due diligence efforts are a crucial element of an effective corporate compliance program. As the DOJ Guidelines make clear, due diligence is not a static effort, but rather a dynamic process that involves re-evaluation of the risk posed by a particular third party to the overall enterprise. Initial and subsequent due diligence efforts also serve vastly different purposes. While initial screening and evaluation of a prospective third-party partner is often conducted at the pre-contractual stage of the business relationship with the express purpose of ascertaining whether the organization can engage the third party, periodic subsequent due diligence focuses on emerging developments that might escalate (or conversely, reduce) this risk. The need for periodic updated due diligence also reflects the immutable fact that companies and organizations—like individuals—often change. While a company might have a stellar reputation at the inception of a business relationship, a major regulatory infraction (e.g., sanctions violation) might change the risk score originally assigned. This makes periodic updated due diligence an integral part of the organization’s compliance efforts. While there is no bright-line rule for when such due diligence should be conducted, higher-risk entities and individuals should be identified and targeted for periodic due diligence on at least a semi-annual basis, while lower-risk entities and individuals can be subject to less frequent scrutiny (ideally, on an annual or bi-annual basis).
Emerging Trends Supporting the Need for Due Diligence
In addition to sanctions against the Russian Federation, the United States—in concert with its allies in Europe and elsewhere—has implemented aggressive economic, trade, and other sanctions against nations as diverse as Venezuela and China (among others). Basic due diligence is a mandatory component of an organization’s compliance activities. Organizations that lack even a basic program of screening intentionally put themselves at risk of conducting business with a selectively or comprehensively sanctioned nation or region and/or designated individual (such as a U.S. Department of the Treasury Office of Foreign Assets Control (“OFAC”) Specially Designated National). Beyond this basic requirement, however, recent legislation passed by the United States Congress and signed into law by President Joseph R. Biden in the form of the Uyghur Forced Labor Prevention Act (Pub.L. 117-78) (“Uyghur Act”) mandates that firms conduct due diligence to avoid importing products knowingly produced in the Xinjiang region of China using forced labor among ethnic minorities. Among other things, the Uyghur Act creates a presumption (albeit rebuttable) that goods manufactured in the Xinjiang region are made with forced labor. This makes it vitally important for organizations with potential exposure to the Chinese market (often the source of finished products) to scrutinize even the downstream suppliers and vendors of their Chinese business counterparts. This is virtually impossible without an organized, coherent, and consistent due diligence process. Adding to the urgency surrounding such due diligence is the fact that the European Commission recently introduced a draft directive outlining an organization’s corporate sustainability and due diligence responsibilities.
While the draft directive has yet to be considered by the Council and Parliament of the European Union (“EU”), it is widely anticipated that some iteration of the draft directive will be codified into EU law—obligating all 27 member states to transpose the directive into their respective bodies of national law.
The key takeaway for businesses across economic sectors is that due diligence is here to stay. Organizations that resist implementing due diligence programs now will surely reap the consequences later, as due diligence becomes integrated into the core operational functions of the modern enterprise. As such due diligence becomes legislatively mandated, there is little excuse for businesses to sit on the sidelines. Organizations that choose to do so risk becoming the test case for regulators more focused than ever on the vigorous enforcement of statutes and regulations all requiring some measure of due diligence to avoid complicity with criminal and inhumane conduct.