Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward. The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.
A three-step approach was discussed in Opinion Release 10-02, in which the DOJ discussed the due diligence that the requesting entity performed. This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. A very good description of the three levels of due diligence was presented by Candice Tal, Founder and CEO of Infortal Worldwide, in an article entitled “Deep Level Due Diligence: What You Need to Know”
Three key takeaways:
- A Level I due diligence should only be used where there is a low risk of corruption.
- A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
- Level III due diligence is deep dive, boots on the ground investigation.