Due Diligence and Compliance Adherence

Compliance programs vary significantly from company to company, region to region, and industry to industry. Many factors play a role in the development, deployment and ongoing management of a company’s compliance program including internal culture, market imperatives and executive leadership.

Prior to signing an agreement with a third party, your compliance team, or suitably qualified risk advisory firm, must complete the appropriate level of due diligence including a review of relevant business records to ensure that the company’s activities to date reflect your organization’s commitment to statutory laws. When your company enters into a business relationship with an agent, distributor, joint venture partner, or any third-party intermediary, compliance managers should ensure that the counter-parties as well as the attorney representing your interests in the negotiation clearly understand applicable laws.

A third-party due diligence program – however well intentioned – that only includes a review of sanction and embargo databases and basic internet searches will likely not meet regulators' expectations. As stated earlier, government enforcement authorities expect companies to develop a due diligence program customized to reflect the organization's unique risks and operating environment.

If not properly managed, the program can easily become cost-prohibitive and present a significant administrative burden. A well-designed and well-executed compliance program, by contrast, can satisfy regulatory demands cost-effectively.

As noted earlier, many of the enforcement actions pursued by SEBI and RBI involve third parties: brokers, consultants and distributors. Therefore, an effective compliance program must include vetting of third parties, including joint venture partners, international vendors, suppliers, distributors, agents and consultants providing marketing, sales, licensing, import/export or other services. The steps listed below set out a way forward for creating a robust third-party compliance program:

Politically Exposed Persons - individuals who currently hold or recently held public positions or perform important public functions, such as senior diplomats, government officials, leaders of religious or political organizations, members of ruling royal families, military leaders or judges - are not always identified by global database checks, nor do they necessarily rise to the level of meriting media coverage. Further, it is important to understand that there is a finite number of databases and no single source is capable of a comprehensive search of international criminal convictions, real estate holdings, credit reports, etc.

Verifying the legitimacy or suitability of a potential partner inevitably requires investigation beyond the validation of self-reported information. A company’s websites and other internally generated data cannot replace independent verification of a third party’s legitimacy by a skilled investigator. Therefore, it is advisable to engage a reputable professional services firm that possesses the relevant experience conducting third-party due diligence investigations globally.

STEP 1: Create a Third-Party Risk Inventory

STEP 2: Conduct an Initial Risk Assessment and Create Third-Party Risk Profiles

STEP 3: Administer Investigations and Conduct Due Diligence

STEP 4: Resolve Red Flags

STEP 5: Commit to Ongoing Monitoring of Business Partners

The third-party selection process typically includes the following steps:

  • An on-site visit to validate the legitimacy of the company's business operations and location.
  • Examination of corporate compliance records, including the investigation of previous corporate misconduct, litigation, and unreported government supervision or statutory actions.
  • An in-depth analysis of the network of related party transactions, business partnerships or affiliations, including the reputation of the company and its principals.
  • Criminal background checks performed using the appropriate law enforcement agency resources and publicly available records.
  • The company’s financial performance to date, including an understanding of the current sources of funding and list of significant customers.
  • A review of English-language and local press to determine the company's business reputation, major business activities, and other business relationships of social interest. This exercise typically includes reviewing local business reports, professional journals, and industry and mainstream media. Note: Special emphasis is placed on identifying relationships with governmental or political figures/families.
  • Existing or prior regulatory concerns associated with local laws and regulations.
  • At the conclusion, consider whether the subject fully cooperated and provided relevant disclosures/declarations when requested.
  • Deploy a technology platform that automates the entire process. (Several web-based options require minimal training and no investment in information technology infrastructure.)
  • Establish standard operational procedures such as:
    • Automated issuance of a standardized due diligence intake questionnaire for current and prospective third parties to complete.
    • Automated issuance of the corporate anti-bribery policy and accompanying anti-bribery agreement letter to be signed by current or prospective third parties.
    • Review of “reject list” to ensure that a third party has not previously been associated with corruption related activities.
    • Selection of the appropriate tier of due diligence, based on a comprehensive review of inherent risk that considers the type of intermediary, geography and other relevant factors.
    • Structured analysis of resulting “red flags” and a defined process to assess the risk in establishing a relationship with the third party under review.

  • Automation of the issuance of third-party agreements, including the integration of relevant indemnity, warranties and representations.

  • Retention of all case files and supporting documentation in a secure, encrypted archive, which in turn supports the following activities:
    • Review of due diligence metrics, such as case records by jurisdiction and department, regional investigative activity, investigation timelines, and volume of completed reports by investigator.
    • Chain of custody, including date- and time-stamped records, that demonstrates a commitment to compliance should your program come under scrutiny by regulatory authorities.
    • Automated notification process to re-engage with third-party intermediaries for purposes of recertification and reaffirmation of the company's commitment to compliance with ABAC laws.