In your experience, do companies pay enough attention to due diligence when beginning or renewing business relationships? What types of risks could third parties potentially pose?

Kevin: Historically, only companies in the financial sector or other tightly regulated industries conducted systematic integrity due diligence on their third parties. Basic legal and financial due diligence to ensure an adequate level of contractual and commercial protection was considered enough in ‘business as usual’ situations. The introduction, and then increased enforcement, of anti-money laundering (AML), anti-bribery and corruption (ABC) and more recently supply chain regulation has meant that most companies are now really focused on regulatory and reputational due diligence at the point of onboarding. The area where many companies’ compliance programmes fall apart is the ongoing monitoring of third-party risks. This is a hard regulatory requirement, for example for financial firms subject to the UK’s 2017 Money Laundering, Terrorist Financing and Transfer of Funds Regulation 28(11). Yet, many firms with an excellent initial third-party onboarding process fail to adequately conduct ongoing monitoring. This is problematic in a fast-moving sanctions environment or even simply when a third party changes ownership, geographic footprint or activity over time. The initial risk-based approach ceases to be relevant, and some now higher risk relationships continue to be considered benign.

Tom: How companies approach due diligence varies, but generally the increase in regulations in the last 10 years around ABC, AML, environmental, social and governance (ESG) and supply chain due diligence has seen increased scrutiny of a company’s approach to due diligence, to ensure it is effective and meaningful. Third parties can pose a number of risks; one of the key elements of a number of these ABC, ESG and supply chain regulations is that a third party’s activities are deemed an extension of the company, and therefore they need to set out what the expectations are in how they expect business to be conducted. Failure to have these practices and procedures in place can hit a company’s ability to win work, turn a profit, and attract new clients and staff. Previous transgressions have resulted in large fines, the burden of the cost of cooperating with a regulatory investigation, debarment from government and public tenders, and the reputational damage associated with all of this.

Mariellen: Third party due diligence is a critical step in safeguarding a company’s exposure to compliance, financial and reputational risks. However, it often lacks the necessary focus and financial support at the right time. Companies frequently conduct due diligence in the final stages of onboarding a third party, sometimes only to meet the bare minimum regulatory requirements. If done this way, it leaves the company scrambling to act if a potential risk is identified. Organizations are often tasked with ‘doing more with less’, and ensuring regulatory compliance can be costly, especially for companies operating in multiple jurisdictions. This often leads to a ‘check the box’ approach to due diligence, where cost considerations outweigh the quality or depth of the review. To balance costs, companies can adopt a risk-based approach to due diligence based on factors such as jurisdiction, industry and potential impact on the organization. For example, high-risk third parties may undergo comprehensive background checks, including public record reviews, adverse media searches and compliance database checks, while lower-risk entities might only require basic screening. This approach allows companies to set their own risk parameters and adjust the due diligence process according to their specific needs and risk appetite.

Michael: In my experience, the level of attention companies pay to due diligence varies significantly. Regulated entities are generally required to follow stringent processes for customer onboarding and renewals. However, multinational corporations can differ substantially in their approaches. Some rely solely on automated screening, while others adopt a risk-based approach where they apply more scrutiny to high-risk and high-impact relationships. Third parties can pose various types of risks to companies, which can significantly impact their operations and reputation. One major risk is legal and regulatory compliance. Third parties may not adhere to the same standards or regulations, potentially exposing the company to legal liabilities and fines. Corruption and bribery risks are also prevalent, especially in regions with less stringent anti-corruption laws. Companies must be vigilant in assessing these risks to ensure they maintain compliance and protect their reputation.

What considerations need to be made with respect to global anti-corruption compliance? To what extent are regulatory changes driving the need for more robust enhanced due diligence (EDD) processes?

Kevin: There are three main considerations to be made. Firstly, a robust enhanced due diligence (EDD) process is no longer optional. The introduction of increasingly stringent anti-modern slavery laws and ESG regulation – in Europe, acts like the Corporate Sustainability Due Diligence Directive (CS3D) and France’s Corporate Duty of Vigilance Act – have made EDD an obligation rather than just ‘best practice’. Secondly, the penalties for getting this wrong are higher than ever. National regulators are now regularly piggybacking off successful prosecutions and deferred prosecution agreements in other countries, resulting in fines across multiple jurisdictions for the same offence, and damage to both brand and bottom line is much greater than before as shareholders and consumers are increasingly unforgiving of actual or perceived anti-corruption failures. Lastly, a well thought out EDD process creates a commercial advantage. It enables firms to go and safely capture opportunities in higher risk situations, it allows firms to move faster than their competitors when engaging with new third parties, and it reassures partners, investors and clients that a broad range of risks are well managed.

Tom: The first place to start is to understand what the risks to your business are and where these risks present themselves. To understand this, you may need to conduct a number of risk assessments, bringing them together to get a holistic understanding of risk to a company. Once there is a clear understanding of which risks need to be mitigated and in what order, you can then design an anti-corruption compliance programme that meets regulatory requirements, and is tailored to that specific company. This tailoring also means that the programme is not merely a ‘box ticking’ exercise; it can actively generate value by identifying issues up front that could cause larger problems further down the line. A strong programme with effective due diligence can also identify third parties that can cause disruption to a company’s supply chain or activities, by identifying previous performance or quality issues or those that are financially unstable, for example. Regulatory changes are also forcing companies to look beyond anti-bribery and corruption and AML requirements, which traditionally sat in the ‘G’ category of ESG. In Europe, the Middle East and Africa, the introduction of acts such as the UK Modern Slavery Act, the German Corporate Due Diligence in Supply Chains Act, and the French Corporate Duty of Vigilance Act has forced companies to also look more closely at the ‘E’ and ‘S’ elements in their activities and supply chains. This has certainly resulted in more detailed and robust due diligence.

Mariellen: With ABC compliance, several considerations must be taken into account. The first is understanding the regulatory frameworks and standards of the regions where you will be operating. In the US, the Foreign Corrupt Practices Act (FCPA) has long served as a regulatory standard guiding the activities of American companies. However, knowledge of the frameworks in your home country alone is not sufficient. These regulations often have extraterritorial reach, meaning they can apply to companies operating outside their home countries. Therefore, companies must also understand and comply with the regulations of the countries in which they are working. Once the regulatory landscapes are understood, it is crucial to evaluate the risks you will be dealing with. A thorough risk assessment will identify potential risks in the different regions and sectors where the company operates, as well as the risks associated with third-party relationships and supply chains. Once these risks are identified, the company can decide on the appropriate steps to mitigate them in line with its internal risk appetite or tolerance. President Trump’s executive order to pause and revise the enforcement of the FCPA has several implications for the need for more robust EDD processes. The executive order includes a 180-day pause on all new FCPA actions. While this pause may lead to a temporary reduction in the immediate pressure on companies to comply with FCPA regulations, companies may still face risks from other extraterritorial anti-bribery laws and ongoing enforcement by non-US regulators. Firms should continue to maintain robust EDD processes to mitigate these risks and avoid potential fines in the future.

Michael: Global anti-corruption compliance requires a multifaceted approach, considering the societal and economic impacts of corruption, which undermines development, destabilizes governments and erodes trust. Compliance programmes must evolve to address the complexities of regulatory enforcement developments, such as the EU Anti-Corruption Directive, Singapore’s Corporate Service Providers Act, and continued anti-corruption initiatives driven by governments in Brazil, Mexico, Vietnam and Indonesia. Regulatory changes are driving the need for more robust EDD processes, as increased enforcement actions are anticipated globally. This includes integrating AML and ABC functions, investing in advanced technology and cyber security, and conducting frequent risk assessments to stay ahead of emerging risks. These measures ensure that compliance programmes remain effective and resilient in the face of evolving regulatory landscapes.

Given the current level of geopolitical tensions around the world, which have heightened the focus on sanctions evasion and compliance, what additional pressures does this place on supply chains and third-party relationships?

Kevin: The coronavirus (COVID-19) pandemic, and more mundane events such as the 2021 blockage of the Suez Canal by the Ever Given, had already brought the vulnerability of some supply chains into sharp relief. The current shadow of a trade war between the US and almost everyone – including longstanding allies – is creating an additional level of supply chain uncertainty. In this increasingly volatile environment, firms are facing twin pressures of ever greater regulatory compliance oversight, and the need to have the ability to quickly pivot to alternative suppliers to ensure operational resilience.

Tom: In EMEA, the invasion of Ukraine sparked a frenzied and regular change to sanctions lists. This created a number of problems for companies. Firstly, the list of sanctioned individuals and entities was changing on a regular basis and required constant monitoring. Secondly, it demonstrated the importance of knowing exactly who a company is doing business with, as the large number of individuals being sanctioned meant companies needed to fully understand the ownership structure of their material third parties, to ensure they were not in breach of sanctions. Thirdly, the withdrawal of Western companies from Russia and the impact of the war on industry in Ukraine meant companies were having to very quickly pivot and identify alternative suppliers. When companies are forced to quickly vet and onboard new suppliers or partners, there is a higher risk of overlooking critical compliance and due diligence findings.

Mariellen: A main contributor to increased pressure on supply chains and third-party relationships is the growing complexity of sanctions. Following Russia’s invasion of Ukraine, American businesses have had to grapple with ever-expanding lists of restricted parties, such as the Specially Designated Nationals list, as well as the necessity to delve into complex ownership structures given the Office of Foreign Assets Control’s (OFAC’s) 50 percent rule, which automatically transfers sanctions to any entities in which sanctioned parties hold a direct or indirect ownership interest of 50 percent or more. Additionally, OFAC programmes targeting Russia and Iran have increasingly focused on international networks facilitating sanctions evasion. For example, in February 2025, OFAC sanctioned parties and vessels in multiple jurisdictions for their role in brokering the sale and transportation of Iranian petroleum-related products. These changes require that companies constantly update and monitor their compliance programmes to ensure they are not engaging with sanctioned entities.

Michael: There has been and there will continue to be significant noise in our industry about how either radical change or radical consistency in international trade policy will impact compliance programmes. Regardless of the direction of sanctions regimes or trade wars, many supply chain managers and compliance officers today feel prepared to face unknowns. Resilient organizations have either de-risked their supply chains or are nimble enough to move with the changing tides. This adaptability is crucial as it allows companies to respond swiftly to new regulations and geopolitical shifts, ensuring continuity and compliance in their operations. Moreover, the increased scrutiny on third-party relationships necessitates a more rigorous due diligence process to mitigate risks associated with sanctions evasion and ensure compliance with international trade laws.

Could you outline the growing need to include artificial intelligence (AI) and machine learning (ML) technologies in EDD reviews and processes? While doing so, how important is it to assess the reliability, bias and ethical implications of these systems?

Kevin: Five years ago, artificial intelligence (AI) was hailed by some as the answer to compliance departments’ main challenge – how to do more with less. In a regulatory environment demanding more due diligence on, and more stringent ongoing monitoring of, an ever-growing number of third parties, technology was viewed as the only way to conduct a huge volume of regulatory due diligence in a cost-effective manner. Many companies expected AI to play a significant role in the production of EDD reports and make them faster and cheaper. Fast forward to 2025 and most clients I support – typically chief compliance officers, financial crime compliance heads, money laundering reporting officers or general counsels – are instead seeking reassurance that AI has not replaced human-led analysis and expertise in due diligence reports. This is in part because of a much better understanding of AI-related risks such as hallucination, ongoing resistance from many regulators to accepting AI-driven analysis as adequate, and some high profile AI failures by large technology companies, such as Apple’s highly publicized withdrawal of its AI-enabled news summary tool.

Mariellen: EDD programmes will increasingly rely on AI-enhanced research tools and methods to sift through ever-growing open source datasets, particularly digital and social media. Tools leveraging large language models (LLMs) can ingest expansive, multilingual datasets, while ML capabilities can process results at a scale not possible by manual review. Currently, AI technologies are most appropriate for managing due diligence tasks, such as false positive adjudication, that are highly structured, involve fixed and controlled datasets, and are time-intensive for human analysts. In this manner, AI-driven processes can ‘clear the underbrush’ and allow analysts to focus on higher-value tasks. But let us be clear, AI technologies should add to but not replace human-led due diligence reviews. EDD programmes that primarily or exclusively rely on AI technologies to perform EDD without adequate human analysis and review expose themselves to significant risk. Going forward, EDD programmes that successfully harness AI will adopt an integrated approach that plays to the strengths of AI technologies while minimizing the risks. To offer a simplified framework, AI technologies can support three stages of EDD: finding, analyzing and summarizing information. In each of these stages, AI can expedite and refine human-led processes but cannot fully replicate or replace them. For instance, generative AI (GenAI) tools cannot access the full range of web-based sources, as they do not yet have intellectual property (IP) rights to all, or even most publications. They also often lack the ability to assess the credibility of sources and prioritize more authoritative sources over less reliable, potentially biased ones. For these reasons, GenAI is better suited to generate quick answers to specific research questions than to perform a comprehensive review and assessment of available information. 
As to the reliability, bias and ethical implications of these systems, organizations need to keep in mind that LLMs are ‘educated’ from a vast corpus of internet-based data, so steps need to be taken to ensure balanced results are provided versus dominant narratives or beliefs. Similarly, ML can reflect the biases of those who ‘teach’ it. For these reasons, thoughtful human-led review of AI-generated results is critical to verifying accuracy and detecting or mitigating bias. Auditability and traceability are key attributes of any EDD process that uses AI technology. The ability to fact check and verify the origin of AI-generated results is essential.

In what ways do compliance programmes need to adjust to human rights due diligence-related regulations, such as the Corporate Sustainability Due Diligence Directive (CS3D), the Corporate Sustainability Reporting Directive (CSRD) and the EU Deforestation Directive?

Kevin: Compliance programmes must adapt to new human rights due diligence (HRDD) regulations like the CS3D, Corporate Sustainability Reporting Directive (CSRD), and the EU Deforestation Directive by integrating these into policies, identifying and assessing impacts, preventing and mitigating them, engaging stakeholders, establishing complaints procedures, and monitoring effectiveness. This will be relatively easy for firms with mature compliance programmes – it will just be a matter of adding a number of new topics to cover as part of initial onboarding due diligence and then doing the same for ongoing monitoring programmes. 

Tom: While the CSRD defined the assessment and reporting requirements for companies subject to it, the CS3D is seen as the next logical step in what to do next with this information and assessing a company’s human rights and environmental impacts within their operations and value chains. Although the Omnibus Package published by the European Commission on 26 February 2025 proposed watering down some elements of CSRD and CS3D, this still needs to be agreed and adopted. When it comes to due diligence, companies need to ensure they are actively searching for instances or allegations of human rights breaches and labour issues, as well as adverse impacts to the environment such as contamination, disposal of waste, land use and displacement of people. For products that fall under the EU Deforestation Directive, companies need to ensure that they do not contribute to deforestation or forest degradation, they have been produced in accordance with the relevant legislation of the country of production and they are covered by a due diligence statement. They may need to verify some of these steps through independent due diligence, depending on the risks presented.

Michael: Companies need to adopt a structured and systematic approach to HRDD in response to these regulations. This involves developing comprehensive human rights policies, conducting regular risk assessments, and implementing preventive and mitigative measures. Companies must also continuously monitor and evaluate the effectiveness of their HRDD efforts, ensuring transparency in their reporting and providing remedies when violations occur. Preventive measures include revising supplier contracts to incorporate human rights clauses, providing training and resources to suppliers, conducting regular audits, establishing grievance mechanisms, engaging stakeholders, leveraging technology, and implementing ethical supply chain management. By integrating these practices, businesses can better manage legal, financial and reputational risks while promoting ethical business practices.

How should companies go about creating a robust supply chain screening programme which effectively monitors and manages third-party risk? What essential advice would you offer on assessing risk levels, identifying red flags and continuing to monitor third-party relationships over time?

Tom: Companies should look to the CS3D requirements as a blueprint for a connected and robust supply chain screening programme. The first step is to conduct materiality and risk assessments to identify impacts, risks and opportunities related to the company’s business activities and supply chain. This assessment can help to provide a structure for building a programme that addresses the key risks and opportunities presented. The next step is to conduct a review of the existing supply chain and third party compliance programme, to gauge effectiveness and identify potential gaps in the process. With this intelligence it is then possible to devise a strategy and programme which will identify and provide mitigation for those risks. Once a framework exists, it is time to follow a methodology of classifying, detecting and reacting to these risks. Classification entails collecting information from third parties to allow assessment against a company’s known risks. This usually involves using technology to help gather information in a structured, effective manner, reducing the strain on internal compliance teams. This usually takes the form of third party questionnaires, document collection and attestations on business conduct and reporting. Once a third party has had its individual risks classified, a key tenet is understanding if there have been any historical instances of illegal or unethical behaviour by the third party or its employees. This should take the form of a risk-based approach to due diligence, based on points such as their responses to the questionnaire, the services they provide and the locations of operation. This due diligence can range from database-driven screening through to ‘boots on the ground’ enquiries to assess their activities. The responsibility does not stop there, and monitoring of third parties once they have been approved is a key requirement and mitigation tool for a company.
Monitoring can allow a company to become aware of an event or allegation and act before it is picked up by a regulator, the press, the public or competitors, mitigating reputational damage and fallout. A company should have a clear plan in place to handle events or allegations. The CS3D mandates the need to have an effective whistleblower mechanism, to allow secure, confidential channels for the reporting of illegal or unethical behaviour, from both internal and external sources. Where reports are made or issues identified, thorough and effective investigation is essential to gather the facts, protect the company’s reputation and to ensure it meets regulatory requirements. This could mean working with third parties to put remedial measures in place, amending contracts and requirements, or termination of the third party and reporting to law enforcement or regulators. Lastly, the programme should be reviewed on a regular basis to test its effectiveness and to make changes where necessary. Like established ABC regulations, a reasonable, proportionate and risk-based approach to due diligence is required in order to demonstrate to regulators that effective measures are in place.

Mariellen: Needless to say, creating a robust supply chain screening programme that effectively monitors and manages third-party risk is essential for companies to mitigate potential threats and ensure compliance. President John F. Kennedy’s quote, “There are risks and costs to action. But they are far less than the long-range risks of comfortable inaction”, underscores the importance of proactive measures in this context. A proactive third party due diligence programme involves, at a minimum, setting internal risk tolerance, identifying red flags – preferably by utilizing technology for effective information gathering – and mitigating their potential impact. A more robust programme may also include due diligence checks customized to address specific concerns, a commitment to leverage various data sources, including internal data, questionnaires and external due diligence reports, and specialized checks such as ESG and social media reviews. By taking proactive action, companies can avoid the long-range risks of ‘comfortable inaction’. Implementing a solid third party risk management programme, even though it involves initial costs and efforts, is far less risky than facing the consequences of unmitigated third-party risks.

Michael: To create a robust supply chain screening programme, companies should implement a comprehensive approach that includes initial screening, ongoing monitoring, and risk-based EDD. Start by identifying and assessing potential risks such as compliance, regulatory, cyber security and data privacy risks. Utilize integrated digital solutions for third-party onboarding, risk scoring and sanctions screening. Regularly update and review compliance programmes to ensure they meet current regulations and best practices and are fit for purpose for the business. Continuously monitor third-party relationships to identify red flags such as fraud, corruption and other regulatory violations. By maintaining a proactive and thorough screening process, companies can effectively manage third-party risks and protect their supply chains from potential disruptions.

Going forward, how do you expect third party due diligence to evolve in the years ahead?

Kevin: Technology will play an ever-increasing part in helping firms manage the ongoing monitoring of very large and complex supply chains. Risk-based models will improve and firms will move away from ‘one size fits all’ or crude two or three tier due diligence processes. As the volume of both legitimate publicly available information and mass-produced misleading commentary and ‘Kompromat’ grows, the value of human commentary and opinions to support due diligence processes will rise. These things aside, I expect the fundamentals of third party due diligence will broadly remain the same.

Tom: Aside from the impact of AI and ML on due diligence, the differing approaches to regulation from the US and the EU will likely have a large impact on how third party due diligence is conducted worldwide. Companies that operate globally will need to navigate the various regulations that they are exposed to in a cost and time effective manner. To make due diligence exercises most effective, we would hope to see companies engaging meaningfully in the process and realizing the benefits that due diligence can bring. In addition to meeting regulatory requirements, third party due diligence and pre-transactional due diligence can also provide commercial insight that helps maximize the value of a contract, protect margin or protect the value of a transaction. It is more than a box-ticking exercise. Although we expect changes to CS3D in 2025, the EU is still committed to enshrining effective human rights and environmental impact due diligence into future regulations for large companies. We expect to see this being adopted as best practice, regardless of company size. Technological advancements mean monitoring third parties is becoming more manageable from an operational perspective, as well as from a cost perspective. We expect that ongoing monitoring will be more effectively utilized to get ongoing assurances around third parties’ activities. We believe this means there is more time and budget to ensure that more in-depth and specialized due diligence is conducted in relation to higher risk or higher impact activities.

Mariellen: Judging from current trends, third party due diligence will evolve significantly in the coming years due to advancements in AI and shifts in the global political landscape. AI technologies will continue to advance, and organizations will look to automate certain due diligence processes, enabling the processing of vast datasets and identification of risks more efficiently. This will allow the more complex, high-value tasks that require contextualization and analysis to be handled by people. Regulatory pressures will increase, leading to tighter compliance requirements. Geopolitical considerations will also impact due diligence strategies, requiring organizations to stay informed about political developments and adjust accordingly. Ethical and responsible AI use will be emphasized, with organizations establishing governance frameworks to manage transparency, biases and IP rights. Overall, third party due diligence will become more integrated, leveraging both AI and human expertise to navigate an increasingly complex and interconnected world.

Michael: The recent trends influencing both the ‘how’ and ‘why’ of third party due diligence are expected to continue evolving. The ‘how’ trends will likely develop in two significant directions: growing limitations in data access and breakthroughs in LLMs. Data access barriers are increasingly being raised due to national security interests or corporate privacy concerns, leading to worsening corporate transparency and creating challenges for third party due diligence. The largest driver for changes to the ‘why’ of third party due diligence is the growing connection by regulators between anti-corruption and sustainability laws. This connection will require minimal changes by companies with existing due diligence programmes and presents significant opportunities for knowledge exchange between the compliance and ESG communities.

This article was first published in the Apr-Jun 2025 issue of Risk & Compliance Magazine; please visit: https://riskandcompliancemagazine.com/enhanced-third-party-due-diligence
