This morning at the Society of Corporate Compliance and Ethics Annual Institute, we heard remarks by Nicole M. Argentieri, the Principal Deputy Assistant Attorney General for the Criminal Division, US Department of Justice (DOJ) and the news that the DOJ has updated its guidance on the Evaluation of Corporate Compliance Programs. This was a nice surprise as we were all expecting this next year, further enhancing its expectations for how organizations should design, implement, and maintain their compliance frameworks. While previous versions offered comprehensive insights into managing internal compliance, and there are more changes in this new version, let's consider the stronger emphasis on the growing importance of third-party risk management. The update underscores the need for ongoing due diligence and continuous oversight of external partners, making clear that third-party compliance is integral to a company’s overall risk management strategy.
In today’s interconnected marketplace, third-party partners—including vendors, suppliers, distributors, and consultants—are integral to a company’s operations. However, they also present potential risks, especially when it comes to legal and regulatory compliance. The DOJ’s updated guidance not only requires companies to vet third parties before entering into contracts but also emphasizes the need for continuous monitoring throughout the relationship. This focus on ongoing due diligence represents a shift in how businesses should approach their external relationships, and it offers a blueprint for managing third-party risk more effectively in an increasingly complex business environment.
Ongoing due diligence: What it looks like in practice
Ongoing due diligence goes beyond simply assessing a third party at the outset of a relationship. The 2024 DOJ guidance emphasizes that due diligence must be a continuous process, with businesses required to monitor third parties regularly for compliance risks throughout their working relationship. This can include conducting periodic audits, updating due diligence reports as new risks arise, and implementing mechanisms to ensure that third parties remain aligned with a company’s compliance expectations.
Once a relationship has been established, monitoring must be continuous. This can involve setting up regular compliance reviews, analyzing transactional data for signs of irregularities, and conducting random audits. With modern data analytics tools, companies can track third-party behavior in real-time, identifying potential issues before they escalate.
The updated guidance places a strong emphasis on leveraging technology to manage third-party risks. By using data analytics, companies can monitor transactions for red flags, track adherence to compliance policies, and ensure that third-party partners are not engaging in misconduct. Automated systems can help companies detect suspicious activity, such as abnormal payment structures or deviations from contractual obligations.
Building a compliance partnership with third parties
The DOJ’s 2024 update not only stresses the importance of keeping a close eye on third-party activities but also encourages businesses to foster a culture of compliance with their external partners. Third parties should be viewed not as separate entities but as an extension of the organization’s compliance ecosystem. One way to strengthen this partnership is by encouraging third parties to adopt similar training and ethical standards that are expected of the company’s own employees.
While the DOJ’s guidance stops short of mandating specific training for third parties, it makes a compelling case for ensuring that external partners are equipped to understand and follow the same compliance policies as internal teams. Subtly encouraging third parties to participate in tailored compliance training, can help build a stronger alignment between the company and its partners.
Training programs should be relevant to the specific risks that third parties might encounter in their roles. For instance, a distributor working in a high-corruption region may need specialized anti-bribery training, while a vendor handling sensitive customer data might require a deeper understanding of data privacy regulations. Ensuring that these third parties understand both the local laws and the company’s global compliance standards can significantly reduce the risk of misconduct.
This approach benefits both parties: the company mitigates its risks, and the third party gains valuable knowledge that can enhance its own operations and reputation. When third parties see the company as a compliance leader, they are more likely to adopt those same standards in their business dealings.
The DOJ’s 2024 guidance underscores a critical shift in how companies should approach third-party risk management. No longer is it enough to perform an initial risk assessment and then assume that compliance will be maintained. The guidance makes it clear that ongoing due diligence, continuous monitoring, and regular audits are essential for managing third-party risks in today’s fast-paced, interconnected business world.
As companies grow and expand into new markets, the importance of third-party compliance will only continue to rise. By adopting a proactive approach to due diligence—one that includes regular monitoring, tailored training, and collaborative audits—organizations can not only meet the DOJ’s expectations but also protect themselves from the legal and reputational risks associated with third-party misconduct.
