The growing complexity of third-party relationships, and the immediate regulatory and reputational risks of those third parties has procurement teams, compliance officers and legal departments working to figure out the best way to proceed.
When and how should they manage due diligence? How can they reduce risk with limited staff, limited budget and increasing expectations?
Today’s expansive risk environment requires new ideas and new technology solutions. Compliance personnel are expected to know more and know it immediately. The world of compliance has fundamentally changed and we all are working furiously to manage those changing expectations.
Law enforcement and regulators are experiencing a big shift in their expectations as well. Just as we’re all monitoring the evolution of artificial intelligence (AI) and how automation may impact a huge range of industries, so too are our regulators and legislators.
AI and automation have fundamentally altered the way companies approach risk by dramatically reducing the cost and time associated with managing and conducting due diligence on third parties. Regulators are increasingly aware of these capabilities and their expectations are rising as well. They expect more than one-time searches, manual, old or outdated audit reports, and one-size fits all approaches to due diligence and risk management.
The DOJ and the SFO are increasingly looking for companies to tailor their controls to their actual risks, and to do that effectively, it often requires the adoption of new technologies.
Automated due diligence solutions have created a much greater capability to extend the reach of a compliance officer with more on-going, thorough reviews of third parties using large quantities of structured and unstructured data, as well as smarter solutions to reduce false positives.
Flexible SaaS (Software as a Service) solutions mean implementing regulatory changes quickly within a technology platform, and identifying a wide range of risks — and addressing them — in a faster, more sustainable way. As these new solutions are adopted, we’re hearing that the expectations of law enforcement and regulators around compliance activities are changing as well.
What are the regulators expecting now?
1. More sophisticated approaches to risk assessment procedures. Do you differentiate your risk assessment modeling based on the facts? How does the protocol change based on findings? How often do you update your controls?
2. Monitoring of risk on more than a one-off reporting basis. Can you demonstrate that you’re following high-risk third parties on a regular basis? Will you be aware if the circumstances for that third party changes? How quickly can you identify and remediate any issue?
3. Not just more thorough assessments but also assessments tailored on actual risks. How thorough is your check on the third-party? Are you comprehensive enough to be able to risk rate your relationships, in your review of all publicly available information? Have you created a process to track false-positives to assess and resolve their relevance to the case? When appropriate, how far down the third party and supply chain set have you gone with your risk assessment?
To be clear, regulators and prosecutors are not demanding better technology. Instead, they are demanding better solutions that are appropriately tailored to the risks at hand. The recent deferred prosecution agreements from the Serious Fraud Office in the UK, for example, make it clear that organizations need to craft controls relevant to their risks.
With new technologies enabling the implementation of these controls — and new abilities to monitor and detect risks faster and more cost effectively — it becomes riskier and riskier not to act.
Aaron Narva is the Global Head of Exiger Insight 3PM and Director at Exiger, a global regulatory and financial crime, risk and compliance company delivering actionable advice and tech-enabled solutions to prevent compliance breaches, respond to risk, remediate critical issues and monitor ongoing business activities. For more information on how AI is transforming third-party risk, please join Aaron for a webinar on the topic on September 13.