Consequences of not conducting adequate Third-Party Due Diligence
Take the example of a provider that is considering bidding for a major contract to provide business services. It undertakes due diligence on its prospective client and discovers that one of the client’s key shareholders is under investigation for a major fraud. If the shareholder did commit the fraud and the client uses some of the proceeds to finance the contract, the provider would be paid out of the proceeds of crime. The provider may therefore become involved in a money laundering transaction, with potential criminal consequences for it.
Merely identifying the existence of the risk does not mean that the factors identified are necessarily true or will materialise. However, the organisation must give careful consideration to the risk, and to the likely effectiveness of its own policies and procedures to prevent this risk from occurring. The firm should only proceed with the contract if it believes the residual risk to be sufficiently low and that it is a reasonable business decision to proceed.
When outsourcing critical or important operational functions, firms need to be satisfied that any third-party service provider has at least equivalent internal controls and operational resilience arrangements in place to safeguard the firm’s business services.
Case Study 1: Asset Manager
The following table provides examples of outsourcing arrangements in place between an asset manager and third-party service providers, including the potential impact of disruption which could follow a failure to conduct adequate due diligence.
Firms retain full responsibility for the effective governance and management of any risks to which the firm is exposed as a result of reliance on third parties. Hence, the regulators would be unlikely to take a lenient approach in the event of a failure to conduct adequate due diligence on service providers.
Case Study 2: R. Raphael & Sons PLC (“Raphael”) – UK Bank
The table below provides summarised extracts from the Final Notices issued by the FCA and PRA to R. Raphael & Sons PLC (“Raphael”), a UK bank, on 29 May 2019, in relation to failures by its Payment Services Division (“PSD”) to manage the operational responsibilities of the prepaid card (or charge card) programmes (“Card Programmes”). The noted failings also serve to illustrate the level of due diligence expected by the regulators.
Case Study 3: UNAT DIRECT Insurance Management Ltd (“UNAT”) – Insurance Intermediary
The table below provides summarised extracts from the Final Notice issued by the FCA to UNAT DIRECT Insurance Management Ltd (“UNAT”), an insurance intermediary, on 19 May 2008, in respect of failures associated with making arrangements for the sale of an associated insurer’s general insurance products (in particular personal accident insurance policies) to consumers through third-party call centres (“General Insurance Products”).