Third-party due diligence is an obligation on financial services firms when on-boarding and maintaining any supplier, agent, consultant, distributor or service provider. Its purpose is to ensure the third party continues to comply with relevant regulations and consumer laws, protects
confidential information, avoids unethical practices, protects data against identity theft and helps mitigate operational risk. The risks of non-compliance are high, but the risk-takers are still out there, and operators should watch their supply chain carefully.
Recent high-profile cases of massive penalties being handed down to companies for bribery and corruption offences committed by a supplier clearly demonstrate that inadequate third-party due diligence systems are a high risk.
EY research indicates that nearly half (48%) of British firms are failing to vet their suppliers for compliance with the UK Bribery Act, and that only 6% would re-tender if they discovered their suppliers were not compliant.
Similarly, KPMG research indicates nearly 9 out of 10 reports identify some kind of risk associated with third parties that warrants review and 23% of reports analysed had an overall risk rating of red.
The recent record US$772 million Foreign Corrupt Practices Act settlement between Alstom and the US Department of Justice was a timely reminder of the risks of doing business in another country through a third party.
In this case, bribes were alleged to have been paid to win power plant contracts in Indonesia and the Middle East. From at least 2000 to 2011, Alstom was said to have paid tens of millions of dollars in bribes to win about $4 billion in projects from state-owned companies
in Indonesia, Egypt, Saudi Arabia, the Bahamas and Taiwan. The company is alleged to have earned about $300 million in profits from the scheme.
In suspected bribery and corruption cases, key "red flags" that may signal illegal conduct include a third party's involvement in a deal at the specific behest of a foreign official, a third party's refusal to allow an audit of its books, excessive commissions
charged by agents or consultants, and the use of third parties who are closely associated with a foreign official.
Sadly, high fines and the publicity around them do not seem to deter a lot of these cases. In some instances, senior managers and directors can be held accountable and face significant prison terms and large fines for non-compliance, even if the breach is
caused by the actions of a third-party supplier. Again, in many instances this threat has had little impact.
In addition to thorough due diligence, avoiding liability also requires a company to have effective internal protocols for ensuring compliance. Even the best due diligence methods will not protect a company if they are not actually applied: due diligence must be
carried out every time a third-party transaction raises red flags that indicate potential problems.
Having strong, up-to-date and effective anti-bribery policies and systems to identify suspicious activity and educating employees about compliance and individual responsibility to report suspicious behaviour are part of the solution.
Similarly, as bribery and corruption risk is now viewed as an operational risk capable of doing as much damage as other operational risks such as fraud, organisations need to take it seriously and be prepared to invest in the processes and technology
needed to protect themselves.