Working With Third Parties In The Due Diligence Process

by Thomas Fox

Jamestown ColonyOn this day we celebrate the 1607 founding of the English colony at Jamestown. While credited with being the first English colony in what became America, it’s probably more accurate to refer to it as the first permanent English colony that survived for any length of time. The largely male colonists faced many tough years before they finally pulled through. One thing that made the colonists experience so difficult was that they had no idea about what to expect when they sailed over to the New World.

Hopefully in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime, the situation is a bit more advanced today when it comes to looking at third parties, in the pre-contract phase of third party management, during due diligence. While most companies, if not comfortable with the need for and execution of pre-contract signing due diligence, certainly understand the need for this process; the same is not universally true for the non-US or non-UK company upon which due diligence is being performed upon. An interesting article in the recent issue of Compliance Insider, entitled “Disclosing the Subject-Dealing with Compliance Immaturity”, deals with precisely this situation; where the third party has not gone through the due diligence process. The article provides some useful tips on how the compliance practitioner can get through this sometimes-delicate process.

One thing the article makes clear is that if you are performing due diligence on a third party, you should fully disclose this information to the third party. They state, “There is nothing to be gained by not telling the subject company about the process or trying to keep it secret. Except for in an acquisition where the buyer has yet to disclose themselves, there is little advantage in keeping quiet. The third party expects that you will be doing some form of due diligence and engaging a compliance or legal firm to complete a review. There is nothing that the due diligence company or law firm is going to do differently than if that due diligence were secret – no one would ever disclose more than they had to and would never disclose the name of the client for which they were acting.”

After you disclose to the third party that they need to go through your company’s due diligence process, which should begin with a questionnaire to help determine the appropriate level of due diligence to perform, you may face pushback from the third party. Unfortunately, as the article notes, such pushback usually goes initially to the business contact, which tends to side with the third party against the compliance function. This means that you need to educate your business unit sponsor on the reasons your company must engage in the third party management process so that they can communicate this to the third party. The article identifies three major reasons which a third party may resist your attempts at due diligence.

  1. Immaturity - the third party is “not used to due diligence or working with global companies that focus on compliance. They are not aware of the value of due diligence and have been living in the “compliance cave”. This is an issue in itself as it shows a degree of compliance immaturity and certainly gives an insight into how that company might be as an acquired entity. They are probably going to focus on the fact that there is an inbuilt level of trust that is needed in business and that the company should rely on that trust.”
  2. Negotiating - the third party may be “negotiating, trying to leverage the issue for their own gain as part of a negotiation. They may not be trying to hide anything per se, but may be sending a message that the company is taking too long, being too conservative, being caught in compliance obfuscation or losing sight of the real deal.”
  3. Hiding - it may also be that the third party does have something to hide.

The article suggests four clear steps that you can take if you are faced with one or a multiple of the above reasons for pushback from the third party.

  1. Engage the issue head on – it is important that you quickly and succinctly address concerns that your compliance team or compliance process is “heavy handed or that there is a lack of trust” between your company and the third party.
  2. Engage the business sponsor – as I stated above, one of the key components of any successful third party lifecycle management program is the engagement of the business sponsor. Obviously the business sponsor needs to justify the potential contractual relationship your company would have with the third party but the business sponsor is also the primary point of contact with the third party, throughout both the pre-contracting phase and the post-contracting relationship management. The article intones that if the third party tries to use an excuse to stop or lessen the process, “then the transaction is probably not worth it.”
  3. Develop your company’s compliance message – you should be crystal clear that your company will “conduct due diligence and background screening on all its proposed business partners and it is company policy to do so.” This can be done so through reference to the FPCA and your company policy. But more than simply a legal explanation, reputational risk is also important for your company. Be clear and re-emphasize your message that “there is neither a lack of trust nor an assumption of lack of integrity on the part of the subject company – it is normal procedure and gets done for all third parties of certain types right across the company, and this subject company is no different.”
  4. Negotiate a proposed go-forward plan – the article emphasizes that you should “not back down” and I whole-heartedly agree. But more than simply standing strong, you can use these discussions to help educate the third party involved why it is not only important for your company but also the third party. If they want to do business with any US or UK Company, they will need to go through this process. Indeed, it will make them more marketable to US or UK Companies if they have gone through the process.

Like many compliance practitioners, I came to the field of compliance through the legal department. Working for a very big fish company in the energy company it was very much ‘big fish-little fish’ where the big fish told the little fish what would be in the contract. However that model does not, nor should it, work in the compliance field. I have found that most third parties understand that if they desire to do business with a US or UK company, since we are required to perform due diligence as part of any best practices compliance program, the third party will need to be a part of that process. The Compliance Insider article provides a valuable look at a topic which is not always focused on from the perspective of the US or UK based compliance practitioner.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.