AML Third-Party Risks: What Matters Most

The global nature of trade brings with it huge compliance risks, exposing businesses to a wide array of rules and regulations requiring them to mitigate their exposure to money laundering and other financial crimes.

One of the biggest risks that businesses face is employing third parties, be they suppliers, agents, distributors, lawyers, accountants or consultants. Hence, third-party due diligence has become an integral part of the whole supply chain process.

Third-party due diligence is the process a business undertakes whenever partnering with an external entity in order to detect and assess associated risks, such as vulnerabilities of money laundering, bribery and corruption practices and breach of sanction regulations. This is typically conducted not only before entering into an agreement, but also periodically, allowing active monitoring of the relationships.

It is of utmost importance that the due diligence process should be tailored to meet the financial, regulatory and reputational risks that a business is likely to face.

Here are some key points to consider:

Information gathering

Gathering key information on vendors and suppliers is a vital step in the due diligence process and should include reviews of the following:

• Incorporation documents
• Line of business
• Geographic locations
• Details on key shareholders and beneficiaries
• Board members
• Leadership teams
• Political connections
• Proof of identity
• Sources of wealth and funds

It is important to consolidate third-party information to account for financial standings, relevant certification, and associated business units, roles, and responsibilities, as this will help in performing background checks.

The validation process

It is crucial that the information gathered goes through a validation process. All the information sourced above should be validated using reliable and credible data sources. For example, if the preliminary information suggests that the entity might be a high risk, then enhanced due diligence is required to gather additional information and corroborate details against public records and specific databases such as CIFAS and filed reports and accounts.

Thorough risk assessment

Once the preliminary information has been validated, a thorough risk assessment should be performed. The risk assessment can be derived by scaling third parties based on segmentation scores that take into account the following:

• Geography
• Lines of business
• Percentages traded
• Purposes of business transactions
• Previous track records of the third-parties
• Turnover
• Stakeholders involved and their profiles

By defining explicit criteria for each type of third party, businesses can reduce their due diligence burdens and ensure that tracking is effective and efficient. As this process can be resource-intensive, businesses might also consider automation through the use of algorithms specific to each type of third party.

Leveraging external data sources 

Many businesses today prefer to validate third-parties via external data sources like credit ratings, sanctions lists and adverse media. Doing this early on can help flag potential signs of money laundering, financial fraud, drug trafficking, organised crime and financial terrorism, among other issues.

The information against which they are screened can include, but isn’t limited to:

• Law enforcement lists of known criminal entities
• Regulatory publications of debarred or disqualified companies and individuals
• Interpol/police records

Going forward

Throughout the third-party due diligence process, businesses are required to maintain a complete record of relevant documents, assessments, and decisions to ensure that contractual decisions are made in good faith. This may also be useful in case of any future legal implications or litigation, as these records can be a source of primary evidence. I believe the due diligence process should not be stopped after on-boarding the third party. In fact, businesses should actively monitor their relationships to ensure that they are aware of potential problems that pose a threat to the organisation.

To summarise, effective due diligence requires a holistic understanding of the third party.Organisations need to understand their risk appetites and continuously assess their compliance exposure.

About the author: Suresh Chavali is a subject-matter expert in the risk and compliance sector, focusing on know your customer (KYC), risk management, money laundering and terrorist financing schemes and trends. He has worked for various firms, including Barclays and Deutsche Bank.

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.