As companies wrestle with designing and implementing due diligence screening and monitoring programs, several organizations have been pushing the value of certifications.
The certification services come in different forms and with different levels of review. Plus they come with a range of legal caveats.
For now, these programs are valuable but only for a limited purpose. Companies that solely rely on certification services are definitely asking for trouble.
There are two problems with the certification programs.
First, and most importantly, the certification programs only collect information, ask follow-up questions but do nothing to very little to test the accuracy or the veracity of such information. That is a big red flag unto itself and can cause serious problems.
It is easy to imagine the Justice Department and the SEC attorneys reviewing a certification file and then asking company officials why they did not follow-up on information that was provided to them. It could be an easy and quick way for prosecutors to demonstrate the willful blindness of the company actors.
The certification process, however, is helpful as an initial information-gathering tool. Once a company has that information, however, the company has to act on red flags, pursue them to the point of resolution, and develop risk mitigation strategies to address these red flags.
The second problem with the certification process is that there are no agreed-upon standards governing the certification process. What may be good for one organization may not work for another organization. It would be helpful for an international organization to develop such standards.
Transparency International and other anti-corruption organizations are working together in this area to help bring greater guidance to the international standards process.
My good friend, Judge Stanley Sporkin, has long advocated for an international approval process for reviewing and blessing proposed third-party agents in accordance with an agreed upon set of standards. Once a third-party is approved by this international organization, the third-party would be able to satisfy most corporate due diligence screening programs.
The concept of certification process, however, is a good one. As always, the tricky part is in the details and how it is implemented. It is helpful when a potential third-party brings to the table a certification.
My warning to everyone is be careful how you use the third-party certification, look under the hood of the certification process and carefully follow-up on important issues. That is where the work will continue – due diligence screening can never be replaced by a certification process until there is a more robust set of standards applied to the certification process.
Also, it is important to remember that the initial screening is only the beginning of the third-party relationship with a company. After the screening and contract is completed, companies have to monitor their third parties, audit them when necessary and integrate them into their training and compliance programs.