Third-party due diligence

Pursuant to Article 17 II 4° of the Sapin 2 Law, the chairs/presidents, chief executive officers, general managers and managers of companies targeted by said Law are required to implement!

“procedures for assessing the situation of customers, leading suppliers and intermediaries with regard to the risk map”.

Assessing the situation of third parties (also known internationally as Know Your Third Parties or “KYTP”) is one of the most important elements of the anti-corruption compliance program It aims at ensuring that third parties do not present a corruption risk for the company that is/will be doing business with them.

Schematically, the due diligence consists in the collection of information on a given third party, the identification of the corruption risks it presents and the assessment of the seriousness of these risks.

While the Sapin 2 Law requires companies to assess customers, leading suppliers and intermediaries, due diligence should also cover other categories of third parties with which the company may have or wish to initiate relationships, such as acquisition targets, and sponsorship and patronage recipients.

Third-party due diligence must be distinguished from other vigilance requirements concerning customers imposed on persons listed in Article L. 561-2 of the French Monetary and Financial Code as part of the fight against money laundering and terrorist financing.

Soulier Avocats assists its clients in the design and implementation of due diligence procedures to assess the situation of third parties, allowing them to decide whether or not to enter into a relationship with a third party, to maintain an existing relationship or to terminate it on the one hand, and to put in place adequate risk control measures to reduce the identified risks on the other hand.

In this context, our dedicated team has developed a multi-phase methodological approach inspired by the latest recommendations of the French Anti-Corruption Agency.

Step 1: Definition of the third-party due diligence process

The nature and thoroughness of the due diligence to be conducted and the information to be collected are determined with respect to the different uniform categories of third parties with comparable risk profiles, as identified in the risk map.

In each category of third parties identified as requiring an assessment, due diligence must be conducted on each third party separately according to its specificities in order to appraise the specific risk associated with the relationship or prospective relationship with the given third party. As such, a third party in a category classified as low risk in the risk map may be reclassified as a high-risk third party following its individual assessment.

It may be helpful to compile an internal database of third parties, in compliance with applicable laws and regulations, to prompt the adoption of formalized, secure procedures to create, approve, amend and delete third parties recorded therein.

Step 2: Conduct of third-party due diligence

The conduct of third-party due diligence requires the involvement of several levels of players:

• Staff members who are responsible for collecting information and documents useful for due diligence on the third parties with which the company has a relationship or a prospective relationship, and who issue a first appraisal;

• The compliance officer (or any other designated individual) who provides expertise and advice to staff members responsible for collecting the information;

• Our dedicated team whose role is not only to assist, provide guidance and advice to the compliance officer and staff members involved in the design and implementation of the third-party due diligence process and to actively participate in the analysis of the risks identified and the issues at stake for the company, but also to help in the collection of information and documents that the company is not in a position to obtain itself (e.g., in case the third parties is based in a foreign country);

• The senior management who decides on any further actions to be taken with respect to the highest-risk cases referred to it by the other players involved in the due diligence.

The third-party due diligence procedure must be formalized and the nature of the information and documents useful for this purpose is determined on the basis of the risk map. It may include inter alia: 

• Collecting information by using the company’s internal lists;

• Collecting open-source information, public documents and documents available to the public (financial statements, court decisions, press articles, etc.);

• Checking whether the third party, its beneficial owners, its management or its directors appear on lists of sanctioned natural and legal persons (lists of persons debarred from public contracts funded by the World Bank and development banks, list of persons subject to financial and international sanctions);

• Collecting information from databases marketed by specialized service providers;

• Collecting information and documents directly from the third party by such means as a questionnaire, interview, audit, etc.

The objective is to collect the main elements that identify the third party (corporate name, legal form, date of incorporation, number of employees, turnover, capital, business sector(s), and geographical location, etc.) and to ascertain the first and last names of its senior managers, leading shareholders and beneficial owners to further enquire whether they have ever been mentioned in negative reports, allegations, proceedings or convictions related to corruption.

The sensitivity of the third party’s business sector must be assessed with regard to the corruption risk specific to that sector, in particular on the basis of the risk map, the company’s business experience and external analysis by international companies or non-governmental organizations.

It is critical to ensure that the third party, especially if it is an intermediary or a supplier, has the necessary experience, credentials and competence to perform its mission, as a lack of credentials or experience may be an aggravating factor when assessing the level of risk of the third party in question.

It is also useful to ensure that the third party has itself implemented an anti-corruption compliance program.

Finally, as dealings between the public and private sectors represent an identified risk in terms of corruption, it is appropriate for the company to identify the interactions that the third party in question may have with public officials.

Step 3: Assessment of the third party’s risk level

The third party’s risk level is assessed on the basis of (i) the collected information and documents, and (ii) an analysis of the nature, terms and purpose of the existing or prospective relationship. The assessment must also consider aggravating factors, such as country risk or the third party’s conduct.

A number of elements may be considered as risk factors, including:

• The existence of a long-term, high-value financial relationship, the use of certain foreign currencies given the extraterritorial reach of some anti-corruption legislation, the company’s level of economic dependence vis-à-vis the third party or the third party’s level of economic dependence vis-à-vis the company;

• The inconsistency or non-conformity of the paid compensation with the nature and volume of the goods/services sold/provided by the third party;

• The payment of commissions for winning contracts;

• The location of the third party’ bank account, especially when the bank account has been opened in a country included in the list of non-cooperative countries and territories;

• payment methods, including cash payments, cross-border payments, payments made on the basis of non-itemized invoices, etc.

In each case, it is essential to ensure, in particular for service providers or intermediaries, that the use of these third parties is justified and that the services provided are real and effective. It must also identify the reasons for choosing a third party rather than one of its competitors (for example, the fact that the third party is recommended or imposed by a client should constitute a danger signal for the company).

If the third party is not based in France or if the services are performed in another country, the assessment must consider the corruption risk level of that country inter alia on the basis of:

• The list of countries subject to financial and international sanctions published by economy and finance ministries;

• OECD’s monitoring reports on the implementation of the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions in signatory countries;

• Investigations and indices on public sector corruption;

• Incorporation of the third party in an uncooperative country or a country without equivalent legislation.

The risk assessment must also take into account the third party’s conduct. Refusal to produce the requested information and/or documents can be considered as a risk factor.

Finally, if the company operates in an ecosystem with several stakeholders, without actually being linked to each of them (e.g., contractual chains), it must ensure that the third parties it is dealing with conduct its own third-party due diligence.

Step 4: Findings of the due diligence

The decision with respect to each third party must be made according to the stage of the business relationship (start of a new relationship, renewal of an existing relationship, etc.), the category to which the third party belongs and the third party’s level of risk.

Following the assessment of the level of risk, it may be decided either to:

• Approve the relationship – with or without due diligence measures;

• Terminate the existing relationship or refrain from engaging into a new relationship; 

• Postpone the decision (pending, for example, further investigations).

The absence of risk factors following an assessment does not guarantee that the relationship with the third party is absolutely risk-free and, conversely, the identification of risk factors does not rule out the relationship but requires that appropriate due diligence measures be taken throughout the relationship.

Step 5: Implementation of due diligence measures following the assessment

Depending on the findings of the assessment, the company must take due diligence measures that are adapted to its environment and consistent with its business model.

These measures may include:

• Informing the third party of the existence of the anti-corruption compliance program implemented within the company;

• Training or raising awareness of the third party about corruption risk;

• Formalizing the third party’s written anti-corruption commitment;

• Inserting a contractual clause enabling the company to terminate the contractual relationship in the event of corruption insofar as the legal nature of the relationship with the third party so permits;

• Encouraging the third party to assess the situation of its own subcontractors to ensure that the contractual chain is secure.

Step 6: Renewal, update and archiving of the third-party due diligence process

The due diligence process must be renewed periodically, depending on the category and level of risk of the third party, as well as in the event of a significant change in the third party’s situation (change of shareholder or beneficial owner, merger, acquisition of a new entity, etc.).

In this context, it is recommended to set a review date when entering into a relationship.

A follow-up of the third-party due diligence process system can also be set up.

The entire third-party due diligence file and the record of changes must be kept for 5 years after the termination of the business relationship.