In each year of Kroll’s Anti-Bribery and Corruption (ABC) Benchmarking Survey, we have analyzed survey results and tracked a number of themes around the “when, why and how” compliance organizations conduct enhanced due diligence. With more than 85% of 2021 survey respondents having their third parties undergo some level of enhanced due diligence, most companies continue to rely on this process to develop risk profiles, ensure ABC compliance and protect their reputations around the globe.
In 2021, we took a closer look at the process-related challenges compliance organizations face when conducting enhanced due diligence externally. Data security (22%) was the top response, closely followed by costs (19%) and “lack of knowledge” (18%).
Data Security as the Top Enhanced Due Diligence Challenge
The new reality of remote working and increasing digital interconnectivity has created a multitude of risks for all aspects of an enterprise, and the compliance function has been no different. In addition to these evolving risks, compliance officers are challenged by various data protection regulations that require them to pay closer attention to their own cyber hygiene and to the exposure their organizations have to third-party cyber risk. The mismanagement of these risks results in costly fines and legal fees, lost revenue and stock value, and potential long-term reputational damage, adding to the number of challenges keeping compliance officers up at night.
From a due diligence perspective, data security is further challenged by remote work because, while many jurisdictions maintain online records that can be accessed remotely, many do not. In countries where one needs to conduct in-person checks of corporate registry or court records, the relevant government offices have been operating with a reduced staff if they are even open—leading to long wait times and even slower third-party onboardings.
How can effective due diligence be conducted on a third party when the compliance officer and the business have not been able to meet in person? Fortunately, there are many online screening databases, onboarding platforms, third-party data and virtual trainings on the market. But can companies effectively implement these new tools and processes to safeguard against risks?
Challenges to Decision Making
With the emergence of new challenges, ever-restricted compliance budgets, and expectations from regulators to take a risk-based approach, compliance organizations must also question whether they are making the right decision about when to conduct due diligence. When asked under what circumstances enhanced due diligence is conducted, survey respondents shared that red flags arising from a screening database or during onboarding (35%) and operations in high-risk jurisdictions (34%) are the leading catalysts. Red flags in screening databases or found during onboarding rarely have sufficient context to support a decision to decline a third-party relationship, which is why they lead to enhanced due diligence more than any other factor. In many instances these screening databases do not sufficiently cover the multiplicity of third-party risks, whether sector-, transaction-, or relationship-specific, and deeper analysis can provide clarity beyond those limitations.
Given that 59% of respondents conduct enhanced due diligence on at least a quarter of their third parties, how do they decide to allocate their due diligence budget? Compliance professionals recognize that not all third parties should have the same level of due diligence conducted to ensure compliance with regulatory expectations and best practices. The level of due diligence should be proportionate and based on the potential risks that a third party poses to your organization. Conducting desktop research, including negative news screening into a third party, is often one of the first steps that compliance professionals perform when considering onboarding a new third party. Moreover, implementing a risk-based onboarding questionnaire is an optimal manner for collecting data and documentation and for attesting to an organization’s compliance policies and procedures as they relate to complying and acting ethically. Furthermore, 17% of the respondents advised that they used risk scores from onboarding questionnaires to determine the level of due diligence to be conducted.
A Safeguard for Compliance Officers
Survey respondents reported that 31% of their organizations now conduct enhanced due diligence on more than half of their third parties, compared to only 12% in 2020. This approach could again be attributed to the COVID-19 pandemic and the limited direct access compliance professionals have to third parties and the risks they pose to their organizations. These factors, balanced against commercial pressures to expedite the onboarding process, necessitate proportional scrutiny. In these ever-changing times, compliance professionals must commit to risk-based due diligence to ensure compliance with the regulatory obligations and organizational requirements associated with third-party management. While enhanced due diligence will continue to be rife with emerging and evolving challenges, we expect that it will continue to be a primary line of defense for compliance officers.