An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. Not only must all red flags be cleared, but there must also be evidence of the decision-making process to show to a regulator if one comes knocking. Around third parties, consider what risks you face in both your sales and supply chain. Suppose there is a key player several tiers down the line which creates or builds a key component or delivers a critical service. In that case, you may want to put more management around that relationship from the compliance perspective.
For anything below tier 2, you may be able to manage your risks by having your direct tier one counterpart take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counterparty so that if the government comes knocking, you can show that you did not only contractually obligate your direct counterparty to do so but also provided them the tools and training to do so. Finally, you will need to be able to show that your direct counterpart did so.
Three key takeaways:
- There is no set formula for clearing red flags or the evaluation of due diligence.
- Know when to say enough has been done.
- You must “Document, Document, and Document” your evaluation of any red flags.