Applying the right level of Due Diligence
Simplified versus Enhanced Due Diligence
Regulators expect an enhanced level of due diligence to be carried out for material outsourcing and material third-party providers.
Simplified due diligence: Where a third-party arrangement is likely to be low risk and not material, simplified analysis may be sufficient to inform the risk assessment. Methods such as online research of publicly available information, screening against databases and basic financial analysis may provide the required assurance.
The PRA supervisory statement on Outsourcing and Third-Party Risk Management expects due diligence to consider whether potential service providers:
- Have the authorisations or registrations required to perform the service
- Comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection
- Can demonstrate certified adherence to recognised, relevant industry standards
- Can provide relevant certificates and documentation
- Have the ability and capacity to provide the service that the firm needs in a manner compliant with UK regulatory requirements (including in the event of a sudden spike in demand or shift to remote working).
Enhanced due diligence: Material third-party and outsourcing arrangements generally represent a greater risk. In this situation, regulators expect firms to conduct an enhanced level of due diligence which should consider, in particular, the potential provider's:
- Business model, complexity, financial situation, nature, ownership structure and scale
- Capability, expertise and reputation
- Financial, human, and technology resources
- ICT controls and security
- Sub-outsourced service providers.
Initial versus Ongoing Due Diligence
Risk assessment and due diligence are not just something you conduct at the point of onboarding.
Onboarding Vendor Due Diligence is carried out when you intend to enter into a long-term relationship with suppliers or place significant orders. A due diligence review helps assess the risks associated with the potential supplier.
Due diligence in the context of onboarding not only includes the risk assessment before you enter into a business relationship, but also the necessary diligence when you integrate and introduce providers into your processes.
Ongoing due diligence and Vendor Risk Management are carried out over the course of the business relationship. Reviews typically take place at regular intervals, and additionally as soon as you become aware of a red flag. Regular reviews of this kind help ensure that the provider continues to meet your service delivery standards and that delivery is not disrupted.
In relation to vendors and other business associates, the firm may choose to undertake a regular risk assessment of associates by risk category (e.g. high, medium and low risk), with the review frequency set according to the category. Determining the appropriate categorisation and frequency would depend on various factors such as:
- Amount spent or budgeted
- Frequency of purchases
- Whether the supplier or service is considered strategic
- Materiality and outsourcing considerations, including the criticality of the services, the nature of any data processing and the likely interaction with the firm's customers.