“We finally got the budget to start a proper third-party program!” my client exclaimed. “Great!” I said, “How many third-parties will you be starting with?” “Ten thousand.” Alarm bells went off in my head. I could already see the problems. How would she find reliable data? How would she and her team of three deal with the hundreds, if not thousands, of immediate false positives that typically come from that volume of screening? And most importantly, how would she deal with the businesspeople already using those ten thousand third-parties inevitably pushing back saying “but we’ve used them for years!”
Whether implementing a third-party program for the first time or expanding an existing one, the issue of legacy third-parties inevitably brings up monumental challenges. A “legacy third-party” is one that is already in use by the business that has not undergone due diligence. Bringing in or expanding a third-party program is already difficult. Deciding what to do with legacy third-parties can be a nightmare.
In part one of this two-part series, we’ll review the issues to consider before deciding what to do with legacy third-parties. In part two, we’ll go over different approaches to managing this challenge to help you decide the best path forward.
There are several issues with legacy third-parties, each of which should be considered when determining the best path forward. These include…
The Team’s Capacity
The first consideration is your own capacity and that of your team. There are usually far more third-parties already in use than there will be new third-parties needing due diligence. Most third-party programs use some sort of electronic system to screen third-parties against sanctions lists, such as the OFAC Specially Designated Nationals (SDN) list. Depending on the size of your company and the jurisdictions in which it does business, thousands of different sanctioning laws and instruments may apply. Many third-party screening programs also review adverse media and screen for politically exposed persons (PEPs).
Third-party screening tends to result in numerous false positives, meaning that the name of the third-party is the same as or similar to that of a problematic third-party – one that is potentially a sanctioned individual or company, a PEP, or the subject of adverse media. Potential sanctions hits must be investigated and cleared, or the third-party relationship must be terminated (and potentially reported to a government). Determining whether the third-party is indeed politically exposed or the subject of adverse media reports is critical to deciding whether to maintain, mitigate, or terminate the relationship. Determining whether a hit is a true match or a false positive can be a lengthy process.
If you screen ten thousand third-parties all at once, you may receive over 1,000 potential hits. Going through this kind of review can take days if not months and frustrate the business. It may also expose you to liability because if the software has identified a sanctioned third-party and you don’t review the record for months, an inference could be drawn that you should have known sooner.
Think about what’s really possible for you and your team before you begin or expand your program.
The second consideration is the amount of pushback you anticipate from the business. Pushback comes in many forms, and objections will likely include:
We’ve been using this third-party for years and we’ve never had any problems.
They have a great reputation, so we don’t need to do any screening on them.
We’d already know if they were problematic.
We don’t have time to participate in the screening, especially if we need to assist in the clearing of red flags.
It is culturally offensive in our country to ask third-parties to fill in the information on a due diligence questionnaire.
We don’t want it to appear like we are questioning the third-party’s integrity.
Our contract is already in place. We won’t be able to change it even if something comes up.
I know them. They won’t fill out a due diligence questionnaire.
It is important to anticipate pushback. If you’ve already had a compliance program in place for some time, employees may be used to growing compliance obligations, and therefore less likely to complain. If, however, you have a relatively new program, you may want to consider how much disruption will be caused by the imposition of a third-party program that includes legacy third-parties.
Data Availability and Reliability
In a perfect world, your third-party software would use an Application Programming Interface (commonly known as an API) that could talk to your payment systems so you could draw out all the data you need to screen your third-parties immediately and seamlessly. Do some companies have such a system? Yes, and if you’re lucky enough to be working for one, congratulations. Most companies do not have centralized payment and procurement systems capable of sending data easily to and from other systems. Companies that have grown primarily through acquisition are particularly problematic, as many fail to integrate new companies’ financial systems into the parent’s.
It is easy to write a third-party due diligence policy stating that all new and legacy third-parties must go through the screening process. Getting that data is usually much harder than writing the policy. Before you publish the policy and roll out the program (or expand it), test whether the data is available and reliable. If the data isn’t readily available, consider the difficulty in obtaining it.
The Commitment from the C-suite and Board
Management funding a third-party program is not the same as management truly committing to supporting the project’s success. Rolling out or expanding a third-party program to capture new third-parties is relatively easy to get behind. Burdening the business with a legacy third-party due diligence review is a much bigger request. Before deciding to include legacy third-parties in your roll-out, consider just how committed the CEO, board members, and high-level management are to the program. If the answer is that they are lukewarm, you might want to rethink your plan.
Now that you know the considerations, it’s time to make a plan. In part 2 of this blog, we’ll discuss your options when deciding what to do with legacy third-parties.