Third-Party Due Diligence: A Complete Guide
Third-party due diligence is the process of investigating the individuals and entities your organization does business with before entering into a significant relationship. It is a foundational part of corporate compliance programs. Its importance has grown as regulators in the United States and abroad have expanded liability for the conduct of business partners, vendors, and agents.
Why Third-Party Due Diligence Matters
Organizations are not isolated from the risks created by their third parties. The Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act both create liability for corruption committed by agents and third parties on a company's behalf. Sanctions regulations prohibit dealings with designated parties and can expose organizations to significant penalties, even for unintentional conduct. Anti-money laundering regulations impose due diligence duties on financial institutions and, increasingly, on non-financial businesses in regulated sectors.
Third parties can also create reputational damage. A vendor's labor practices, a partner's environmental record, or a distributor's involvement in fraud can all become your organization's problem.
The practical result: organizations that do not conduct meaningful third-party due diligence are taking on risks they may not fully understand.
Categories of Third Parties
Third-party due diligence is most important for parties that create heightened risk. Common risk factors include:
- Government interactions. Third parties who interact with government officials on your behalf, such as customs brokers, local agents, and lobbyists, create FCPA and bribery risk.
- Financial relationships. Third parties who handle your money, including payment processors, financial advisors, and joint venture partners, create fraud and money laundering risk.
- High-risk jurisdictions. Third parties operating in countries that score poorly on corruption perception indices, that are subject to active sanctions programs, or that have a weak rule of law present heightened risk regardless of the function they perform.
- Sole-source arrangements. Third parties who are the exclusive source of a critical input or service have structural leverage that warrants extra scrutiny.
What Third-Party Due Diligence Involves
The scope of due diligence should be calibrated to the risk level of the relationship. A high-risk third party warrants more extensive investigation than a low-risk one.
Entity verification. Confirming that the organization exists as represented, is in good standing, and has the capacity to perform the contracted services.
Beneficial ownership. Understanding who ultimately owns and controls the entity. Ownership obscured through complex structures may itself be a red flag.
Sanctions screening. Screening the entity and its known principals against OFAC's SDN list, EU sanctions lists, and other applicable lists.
PEP screening. Checking for politically exposed persons (PEPs) in the ownership or management of the entity. This triggers enhanced due diligence duties in financial services and many other regulated contexts.
Litigation and regulatory history. Searching for civil litigation, criminal proceedings, regulatory enforcement actions, and debarment from government contracts.
Reputational research. News and media research, adverse media screening, and OSINT analysis to find reputational concerns that do not appear in formal legal records.
Ongoing Monitoring
Due diligence conducted at onboarding is not enough on its own. Circumstances change. An approved third party may later be designated on a sanctions list, become the subject of a regulatory investigation, or change ownership in a way that introduces new risk. Periodic rescreening and monitoring for adverse developments are part of a mature due diligence program.
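The sanctions screening step described earlier and the periodic rescreening described here share one mechanic: compare the entity and its principals against a list, and on each later review report only what is new. The Python below is an added illustration of that mechanic, not code from the original page or its author. The list entries and principal names are constructed, fictitious values, not real designations; the list labels are placeholders; and the normalization rules (case folding, stripping diacritics and punctuation, dropping a few corporate suffixes, ignoring word order) are a deliberately minimal assumed set, chosen to show why naive exact matching misses variants.

```python
"""Name-normalised list screening with a rescreen that reports only new hits.

Added example; not code from the page or its author. All names, list labels
and normalisation rules are constructed assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass

# Assumed minimal suffix set; a production screening engine would use a far
# richer list and fuzzy matching on top of this.
CORPORATE_SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "co", "company", "gmbh", "sa"}

def normalize_name(name: str) -> str:
    """Fold a name to a comparison key: no accents, no case, no punctuation,
    no corporate suffix, tokens in sorted order so word order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", stripped.lower())
    return " ".join(sorted(t for t in tokens if t not in CORPORATE_SUFFIXES))

@dataclass(frozen=True)
class ListEntry:
    name: str
    list_name: str          # placeholder label for the source list
    aliases: tuple = ()     # alternative spellings published with the entry

def screen(principals, entries):
    """Return {principal: [matching entries]} for each principal that hits."""
    index = {}
    for entry in entries:
        for variant in (entry.name, *entry.aliases):
            index.setdefault(normalize_name(variant), []).append(entry)
    hits = {}
    for principal in principals:
        matches = index.get(normalize_name(principal))
        if matches:
            hits[principal] = matches
    return hits

def rescreen(principals, previous_hits, entries):
    """Periodic rescreening: return only the (principal, entry) hits that were
    not already present at the last review, so analysts see what changed."""
    new_hits = {}
    for principal, matches in screen(principals, entries).items():
        seen = set(previous_hits.get(principal, []))
        fresh = [m for m in matches if m not in seen]
        if fresh:
            new_hits[principal] = fresh
    return new_hits

# Constructed sample data (fictitious names; list labels are placeholders).
LIST_AT_ONBOARDING = [
    ListEntry("Voltrax Holdings, Ltd.", "constructed list A", aliases=("Voltrax Holding",)),
    ListEntry("Quentin Marlowe-Fairbanks", "constructed list A"),
]
# A later list revision adds one name that was clean at onboarding.
LIST_AT_REVIEW = LIST_AT_ONBOARDING + [ListEntry("Élodie Marlowe", "constructed list B")]
PRINCIPALS = ["VOLTRAX HOLDINGS LIMITED", "Elodie Marlowe", "Aaron Whitfield"]

if __name__ == "__main__":
    first = screen(PRINCIPALS, LIST_AT_ONBOARDING)
    print("onboarding hits:", {p: [e.name for e in m] for p, m in first.items()})
    later = rescreen(PRINCIPALS, first, LIST_AT_REVIEW)
    print("new hits at review:", {p: [e.name for e in m] for p, m in later.items()})
```

The key point is in the sample data: "VOLTRAX HOLDINGS LIMITED" only matches "Voltrax Holdings, Ltd." because both fold to the same key, and "Elodie Marlowe" only matches the accented list entry for the same reason. Every hit this produces is a candidate for analyst review, not a determination; normalization trades a few more false positives for fewer missed designations, which is the right trade for a screening control.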
Building a Risk-Based Tiering Framework
Every compliance program operates within constraints. Budgets, staffing, and timelines are finite, and no organization can apply the same depth of investigation to every counterparty. A workable program begins with a defensible tiering framework that matches the level of scrutiny to the level of risk.
A typical framework establishes three or four tiers. Tier one, the lowest risk, might cover routine domestic vendors providing commodity goods or services. These vendors have:
- no access to sensitive data
- no government touchpoints
- no material financial exposure
For this tier, automated sanctions screening combined with basic entity verification is often enough.
Tier two covers parties with moderate risk factors, such as vendors with access to company systems, foreign suppliers in lower-risk jurisdictions, or professional service providers. This tier typically receives sanctions and PEP screening, basic litigation searches, and adverse media review.
Tier three and above involve agents touching government officials, counterparties in high-risk jurisdictions, joint venture partners, acquisition targets, and any relationship involving significant financial commitments. These parties warrant comprehensive investigation, including source inquiries, human intelligence gathering, and full beneficial ownership tracing.
The framework should be documented, approved by compliance leadership, and applied consistently. Regulators reviewing a compliance program after an incident will ask how a particular third party was categorized. An undocumented or inconsistently applied framework undermines the defensibility of the entire program.
Red Flags That Warrant Enhanced Scrutiny
Experienced investigators learn to recognize patterns that signal deeper problems. Some red flags appear in the documentation a counterparty provides. Others emerge only through independent investigation.
Unusual corporate structures are among the most common indicators. Watch for:
- entities registered in secrecy jurisdictions
- layered holding companies that obscure ownership
- nominee directors
- shell companies with no apparent operational footprint
These structures are not always signs of wrongdoing, but they require the investigator to work harder to establish who actually controls the entity and where its money flows.
Unexplained wealth or rapid growth can indicate undisclosed income streams, fraudulent inflation of financial statements, or proceeds from illicit activity. A counterparty that has scaled from a small operation to a significant enterprise in an unusually short period deserves careful examination, especially in a jurisdiction without obvious economic drivers. Our Certified Fraud Examiner services are frequently engaged when due diligence turns up financial patterns that require forensic accounting expertise to interpret.
Resistance to providing information is itself a red flag. Legitimate counterparties generally understand the reasons for due diligence and cooperate with reasonable requests. A counterparty that refuses to disclose beneficial owners, declines to provide audited financials, or objects to standard compliance certifications is signaling something, and the something is rarely good.
Commission structures or payment arrangements that do not align with market norms are a classic FCPA red flag. Investigate before the relationship proceeds when you see:
- unusually high commissions
- payments to third-party accounts in jurisdictions unrelated to the services performed
- requests for payment in cash or cryptocurrency
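The tiering framework above and the red flags just listed fit together as one decision procedure: structural attributes of the relationship set a base tier, red flags escalate it, and every decision is recorded with its reasons so the framework is applied consistently and the rationale survives for the regulator who later asks how a party was categorized. The Python below is an added illustration of that procedure, not code from the original page or its author. The attribute names, role labels, the diligence steps listed per tier, and the rule that any red flag escalates by one tier are assumptions chosen to mirror the prose, not an industry standard; sample counterparties are constructed with fictitious names.

```python
"""Risk-based tiering with red-flag escalation and a recorded rationale.

Added example; not code from the page or its author. Attribute names, role
labels, per-tier scope and the escalation rule are assumptions.
"""
from dataclasses import dataclass

LOW, MODERATE, HIGH = "low", "moderate", "high"   # assumed jurisdiction risk scale

@dataclass(frozen=True)
class Counterparty:
    name: str
    role: str                                   # assumed labels, see role sets below
    jurisdiction_risk: str = LOW                # LOW also covers routine domestic vendors
    sensitive_data_access: bool = False         # access to company systems or data
    government_touchpoints: bool = False        # deals with officials on the company's behalf
    material_financial_exposure: bool = False
    red_flags: frozenset = frozenset()          # subset of RED_FLAGS

# Diligence scope per tier, following the page's description of each tier.
TIER_SCOPE = {
    1: ("automated sanctions screening", "basic entity verification"),
    2: ("sanctions screening", "PEP screening", "basic litigation search",
        "adverse media review"),
    3: ("sanctions screening", "PEP screening", "litigation and regulatory history",
        "adverse media and OSINT review", "source inquiries",
        "full beneficial ownership tracing"),
}
MAX_TIER = max(TIER_SCOPE)

GOVERNMENT_FACING_ROLES = {"agent", "customs broker", "lobbyist"}
TIER_THREE_ROLES = {"jv partner", "acquisition target"}
TIER_TWO_ROLES = {"professional services"}

# Red flags named on the page; the label strings themselves are assumed.
RED_FLAGS = {
    "secrecy jurisdiction registration", "layered holding companies",
    "nominee directors", "shell company", "unexplained rapid growth",
    "refuses to disclose beneficial owners", "declines audited financials",
    "unusually high commission", "payment to unrelated-jurisdiction account",
    "cash or cryptocurrency payment request",
}

def base_tier(cp: Counterparty):
    """Structural tier from the relationship's own attributes, with reasons."""
    reasons = []
    if cp.government_touchpoints or cp.role in GOVERNMENT_FACING_ROLES:
        reasons.append("interacts with government officials")
    if cp.jurisdiction_risk == HIGH:
        reasons.append("high-risk jurisdiction")
    if cp.role in TIER_THREE_ROLES:
        reasons.append(f"role: {cp.role}")
    if cp.material_financial_exposure:
        reasons.append("significant financial commitment")
    if reasons:
        return 3, reasons
    if cp.sensitive_data_access:
        reasons.append("access to company systems or data")
    if cp.jurisdiction_risk == MODERATE:
        reasons.append("foreign supplier in a lower-risk jurisdiction")
    if cp.role in TIER_TWO_ROLES:
        reasons.append(f"role: {cp.role}")
    if reasons:
        return 2, reasons
    return 1, ["routine domestic vendor with no risk factors"]

def assign_tier(cp: Counterparty) -> dict:
    """Return the documented decision: tier, required scope and the rationale."""
    unknown = cp.red_flags - RED_FLAGS
    if unknown:   # never silently ignore a flag the framework does not define
        raise ValueError(f"unrecognised red flag(s): {sorted(unknown)}")
    tier, reasons = base_tier(cp)
    if cp.red_flags:
        reasons.append("red flags: " + "; ".join(sorted(cp.red_flags)))
        escalated = min(tier + 1, MAX_TIER)
        reasons.append(f"escalated from tier {tier} to tier {escalated}" if escalated > tier
                       else f"already at tier {tier}; resolve red flags before proceeding")
        tier = escalated
    return {"name": cp.name, "tier": tier, "scope": TIER_SCOPE[tier], "rationale": reasons}

# Constructed sample counterparties (fictitious names).
SAMPLES = [
    Counterparty("Acme Office Supply", "commodity vendor"),
    Counterparty("Northwind Managed IT", "professional services", sensitive_data_access=True),
    Counterparty("Northwind Managed IT", "professional services", sensitive_data_access=True,
                 red_flags=frozenset({"nominee directors"})),
    Counterparty("Contoso Customs Brokerage", "customs broker", jurisdiction_risk=MODERATE),
]

if __name__ == "__main__":
    for cp in SAMPLES:
        d = assign_tier(cp)
        print(f"{d['name']}: tier {d['tier']}; scope={d['scope']}; because {d['rationale']}")
```

Two design choices matter more than the specific thresholds. The rule tables sit in data rather than in scattered conditionals, so the approved framework is the thing that runs, and changing it is a reviewable edit. And the function refuses an unrecognised red flag instead of ignoring it, because a silently dropped flag is exactly the inconsistency that makes a program indefensible after an incident.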
Industry-Specific Considerations
Due diligence standards vary significantly by industry. Financial institutions operate under the most stringent requirements. Bank Secrecy Act and Customer Due Diligence rule obligations extend well beyond what most corporate compliance programs contemplate. Healthcare organizations face specific obligations around referral relationships and the Anti-Kickback Statute. Defense contractors must navigate ITAR and export control considerations. Life sciences companies contracting with healthcare professionals in foreign jurisdictions face layered FCPA and transparency reporting duties.
Private equity and venture capital firms have seen due diligence obligations expand significantly. Investment in portfolio companies now routinely includes pre-close investigation of management teams, key customers, and material suppliers. Post-close, many firms establish ongoing monitoring programs across their portfolios to detect emerging risks before they become enforcement matters. Our due diligence practice for businesses is structured to support both transactional and portfolio-level engagements.
Law firms conducting due diligence for corporate clients face an additional consideration: the work product may become evidence in litigation or regulatory proceedings. Investigations supporting legal matters require careful attention to privilege, work product, and chain of custody. Our work with law firm clients is structured to preserve privilege where applicable and to produce documentation that will withstand adversarial scrutiny.
Integrating Due Diligence with Broader Risk Functions
Third-party due diligence is most effective when integrated with adjacent risk functions rather than treated as a standalone compliance checkbox. The intelligence generated during due diligence has value across the organization if it is channeled to the right stakeholders.
Information security teams benefit from understanding which vendors have access to sensitive systems and what the vendors' own security postures look like. Procurement teams use due diligence findings to inform negotiating positions and contractual protections. Internal audit uses third-party risk data to scope audit plans. Executive leadership uses aggregated third-party risk information to understand the organization's exposure in specific markets or categories.
When due diligence surfaces concerns about a counterparty that is already engaged, the organization needs a clear protocol for acting on the information. Depending on the nature of the concern, responses may include:
- contract renegotiation
- enhanced monitoring
- restricted access to systems or information
- internal investigation
- termination of the relationship
In cases involving potential misconduct by an internal executive who approved or maintained a problematic relationship, dedicated executive misconduct investigation capabilities may be required.
Documentation and Audit Trails
A due diligence program that cannot be documented effectively does not exist from a regulatory perspective. Each engagement should produce a clear record of what was investigated, what sources were consulted, what findings were made, how findings were assessed, and what decisions followed. The record should be preserved for the duration of the relationship and for an appropriate period afterward.
Good documentation serves several purposes. It supports the defensibility of compliance decisions if they are later questioned. It preserves institutional knowledge when personnel change. It provides a baseline for ongoing monitoring, since later reviews can focus on what has changed since the last investigation. It creates an auditable trail that satisfies both internal and external reviewers.
Our investigative team conducts third-party due diligence investigations for corporations, investors, and legal teams. Our corporate due diligence engagements build the ongoing monitoring component that a mature program requires, and corporate compliance teams use us for onboarding, periodic rescreening, and incident-driven reviews. Contact us to discuss your program or a specific engagement.