2 March 2023
Third-party due diligence used to mean simply assessing the financial and operational capacity of your third parties. Basic due diligence now includes assessing the cyber threat presented by your partners and suppliers, but even that does not go far enough: you also need to know if they are connected to individuals and entities who are either under sanctions or likely to be.
This poses a major challenge in today’s complex, globalised economy. Even an organisation that doesn’t have a sanctioned individual or entity as a majority shareholder cannot be confident that the same is true for all its third parties. And international firms with operations in blacklisted nation-states are particularly vulnerable.
The Magnitsky Act became US law at the end of 2012, and introduced the world to ‘Magnitsky sanctions’. They are designed to combat corruption and human rights abuses, and can be applied to anyone – whether an organisation, a nation-state, or a ‘natural person’ – and their assets, anywhere in the world. Many other jurisdictions (notably Canada, the UK and the EU) now also use Magnitsky-style sanctions.
Apart from reputational damage and falling short on environmental, social and governance obligations, there are legal consequences for failing to comply with sanctions lists. In the UK, it is a crime to breach the financial sanctions regime, and ignorance of the list is no defence. The US also imposes severe penalties, from fines to lengthy prison terms.
As of November 2022, Canada, the US, the UK and the EU have used Magnitsky-style sanctions to target individuals and entities in 46 countries across five continents.
With major trading and manufacturing hubs like China and Saudi Arabia featuring on this list, sanctions should be an integral part of the third-party due diligence process. This is easier said than done, especially because those under sanctions will usually go to great lengths to conceal their financial interests. However, there are steps you can take to:
(a) mitigate the risk of engaging a sanctioned third party; and
(b) demonstrate to stakeholders and regulators that you are actively working to avoid breaking sanctions rules.
Key TPRM considerations
- Know who you’re dealing with: Selecting a third party requires more effort than a basic questionnaire and a spreadsheet. In some circumstances it may be wise to commission a specialist who can analyse the risk posed by your potential suppliers.
- Create an audit trail: Document every stage of all your third-party relationships, from selection through to offboarding and termination. Be scrupulous about keeping evidence of your due diligence and third-party risk management (TPRM) processes.
- Study your existing supply chain: It’s wise to audit every link in your supply chain. Where do your goods and services come from? Who owns shares in the firms you do business with? Perhaps there aren’t any sanctioned countries or entities in your supply chain right now, but is any part of your supply chain at risk of being sanctioned?
- Keep watch over your third parties: You will not be sent an alert if part of your supply chain is put on a sanctions list, so ongoing TPRM is vital. It’s just one of the reasons why adopting an automated process for continuously monitoring your third parties is advisable.
How we can help
At Thomas Murray, we have 30 years’ experience of working in the world’s most complex sectors to strengthen their due diligence and TPRM. Orbit Diligence is the scalable, comprehensive solution we created to meet those needs. Talk to us to find out how Orbit Diligence can protect your organisation in a fast-changing risk environment.