
Third-party compliance system
20 min

Welcome to our first interactive video lesson from the course "Compliance" in English!

What does it mean?

This means that by clicking on the video you will get to the YouControl YouTube channel, where you can learn in English in a game format.

How does it work?

1. Press the red button and start watching the video of the lesson.

2. The speaker introduces the topic of the lesson and presents the material.

3. The speaker asks you the first question. Along with the question, the answer options appear on the screen and yes, you can click on them. Choose the answer that is correct in your opinion.

4. If you answered correctly - congratulations! Listen to the second question. If not, try again by clicking on the rectangle under the "Try again" column, which appears immediately after the author's comment.

5. Go back to the question each time, using the rectangle under the "Try again" column, when the answer is incorrect.

6. Listen to the whole lesson with all the questions and correct answers to the end to master the material.

Have an interesting training/good game!


Also you can take a text lesson - you can find it under the video. At the end of the text lesson there are 3 written questions.

Third-party compliance is aimed at mitigating the risk related to your suppliers, distributors, customers and any other party that your company interacts with. By interaction we mean predominantly the existence of financial operations. Third-party compliance risk is one of the most significant and, at the same time, one of the hardest to identify. In order to build your third-party compliance, you should approach this issue in a systemic way.

The three key components of a third-party compliance system are:

  1. Internal third-party data processing;
  2. Compliance-related communication;
  3. Third-party due diligence.

In general terms, all three points should be covered by a third-party compliance policy. We will not cover the policy as a document in this lesson, but will highlight its key principles instead.

Internal third-party data processing

Since there may be different scenarios of third-party data processing in different organizations depending on their size, business specifics and organizational structure, the key element within this point is the identification of the most risky areas within your entity in regard to onboarding, communicating and paying third parties. This is where you are supposed to build a transparent information processing system, accessible by the compliance department/officer. By transparent system we mean two key aspects:

  1. A clear understanding of roles within the company and responsibility for third-party data processing;
  2. A clear data flow mechanism that implies a. information exchange, b. reporting and c. logging.  

In some organizations, the units responsible for initial interactions with third parties share certain functions within the compliance system with compliance officers. In others, they are only responsible for proper reporting in regard to third parties, and as such their role within the compliance system is limited. In the first case, they can be responsible for both compliance-related communication and third-party due diligence. In the second case, the compliance department is responsible for those aspects.

Compliance-related communication

A properly developed communication process is a good way of mitigating compliance risks related to third parties and includes two key elements:

  1. Anti-corruption clauses included in contracts with your third parties;
  2. Compliance questionnaires.

Those documents are, in a sense, a documented obligation from your counterparty in regard to their integrity and compliant behavior, which in case of a violation can reduce your responsibility to a certain extent.

This point could have been called “Compliance-related documentation” rather than “Compliance-related communication”, which would have been relevant in developed compliance environments. In other cases, however, the above-mentioned points are subject to serious communication efforts, which could be undertaken either by the units involved in interactions with specific third parties or by the compliance department. Such efforts are required because anti-corruption clauses and compliance questionnaires are often seen as a sign of mistrust and pressure from the company initiating their completion and signing.

The anti-corruption clauses are either included in the general contract, or are placed in the appendices to the general contract. In some cases it is a separate document, such as the non-disclosure agreement for example. Usually, by accepting the clauses your counterparty confirms its zero tolerance for corruption in any business activities both related to your business interactions and in general.

As to the compliance questionnaire, it is a document that your counterparty fills in during the onboarding process, and is intended to reveal how strong your counterparty’s compliance system is. The questions are usually related to the existing documents such as the code of conduct and compliance policies, compliance-related processes description, and people responsible for the company’s integrity level. Some questions may directly ask about any corruption-related violations in the past, or presence of politically exposed persons (PEPs) among the shareholders or managers of the company. Such questionnaires actually have two aims:

  1. Responsibility reduction (described above);
  2. Preparing the ground for verifications.

Third-party due diligence

Integrity Due Diligence is probably the strongest tool in the whole third-party compliance risk mitigation system. It gives you a real picture of what your counterparty is, and moreover, it lets you verify the information provided in the questionnaire, as well as satisfy the recommendations of such legal acts as the Foreign Corrupt Practices Act (FCPA). As such, you are safe on both sides – legal (as you have taken all relevant measures to mitigate the risk) and security (if your integrity due diligence is not just a box ticking exercise of course).

First of all, you should determine how deep you want your due diligence to be. The scope of the check depends on the risk level of your third party. We suggest using the following indicators:

  • Country of operations of the counterparty;
  • Industry of operations;
  • Type of counterparty;
  • Volumes of payments;
  • Other.  

This will let you divide the counterparties into three risk levels: green, yellow and red. In case of a green level (e.g. the entity operates in a developed European country and supplies some minor high-tech component of a well-known brand once in two years for a total amount of EUR 4 000), it is enough to perform only a high-level screening of such an entity.

High-level screening could imply searches through specialized automated tools and databases in regard to any sanctions or watch lists, etc. Or it could be a screening procedure involving all official data gathering. This includes:

  • Corporate registers information;
  • Sanctions and watch lists;
  • Litigation checks.

Unlike in the first three points, the fourth point requires manual search and analysis through court decisions registers. The high-level screening, being quite a quick procedure, may be slowed down depending on the jurisdiction your counterparty operates in, as publicly available information is different across the globe. While in one country you can easily access the corporate register online, in another you might need to be logged in as a citizen of that country, or even request the register extract offline.

In case of a yellow level risk, it is not enough to screen through official information only; it is recommended to run adverse media checks as well. This implies local and international media searches in regard to potential red flags related to your counterparty. Such searches are aimed at identifying potential red flags related to non-transparent government dealings, PEP connections, other corrupt practices, fraud, offshore shareholding structures, money laundering activities, environmental breaches, human rights violations, etc.

Such searches are complicated by an untrustworthy media environment, excessive information flows and language (in case of searches in foreign jurisdictions).

When the risk level is red, or in case you have identified some red flags that require further verification due to lack of publicly available information, the method often used in third-party due diligence is interviewing. This method can also be used in case the media environment is significantly affected by the state or a single group of influence, for example.

For a solid interview report, first of all you need to identify the respondents who are informed enough about the issue you are investigating, and at the same time are not biased. The respondents can be found among your counterparty’s clients, competitors, former employees, etc. While executing the interviews, it is important to stick to legal and ethical methods only. 

Despite the fact that the red flags remain the same within all three levels of risk, it is the method of their identification that is different. In case of high-level screening you rely purely on what the database has for you, but in case of a deeper due diligence you verify that data through media sources or interviews, and as such touch upon initially unseen sides of the case. However, some negative reputational matters can still remain hidden, because a screening method is applied rather than an in-depth approach.

In this context it is worth mentioning another method of due diligence: enhanced due diligence. This method is applied to exceptional counterparties that are exposed to the highest risk. What distinguishes enhanced due diligence from the above-mentioned screening method is the level of analysis applied. Enhanced due diligence is invaluable in business environments characterized by non-transparent government-business relations, often violated sanction regimes, nominees among shareholders, a large number of shell companies, imperfect banking systems and so on.

As to the interviews, unlike the ones within a screening procedure described above, enhanced due diligence interviews are not limited to the basic compliance checklist questions, but are aimed at revealing hidden facts, as well as the nature of the ones that are already known.

An important part of the due diligence procedure is reporting and storing information. When the check is complete, no matter who conducts it, the responsible unit or the compliance department, the compliance officer should approve it for further actions. The due diligence procedure can be done once in three years for green risk level third parties, and once a year for yellow and red risk level third parties. It can also be done before significant payments, the signing of long-term contracts and the initiation of strategic partnerships.

All of the due diligence reports should be stored and be accessible by the compliance department.


The author of the lesson: Pavlo Verkhniatsky, managing partner at COSA
