Best practices for automating third-party due diligence

Third party due diligence best practices for compliance teams

Corporate compliance teams often face a choice: should they conduct due diligence in-house with their internal team and available tools, or outsource it to a specialist due diligence firm? Regardless of the choice made, the tools commonly used do not adequately cover publicly available data, leaving significant gaps in risk assessments.

This is heightened by new regulatory standards focused on environmental sustainability and human rights, such as the upcoming Corporate Sustainability Due Diligence Directive (CSDDD) and Germany’s established Supply Chain Due Diligence Act. These regulations place additional demands on compliance teams, making it difficult to manage third-party risks effectively without the right tools.

The traditional approach of screening all third parties but reserving enhanced due diligence for only a smaller, higher-risk subset is no longer sufficient in the eyes of regulators. To meet current standards, compliance leaders must prioritise risk-based due diligence supported by effective technology, following these five best practices.

Go beyond screening to take a risk-based approach

Just as screening tools redefined regulatory expectations a few decades ago, AI is setting a new benchmark for third-party due diligence. What’s considered adequate procedures in third-party risk management is changing with technology. A large part of that is how compliance teams take a risk-based approach to third-party due diligence.

In today’s complex regulatory landscape, simply screening third parties against AML and corporate databases is insufficient. In fact, screening is just one component of a broader, dynamic due diligence process. To truly assess a third party’s risk level, a preliminary triage process is needed, using both screening and open-source data.

By categorising third parties based on risk level, compliance teams can determine where to invest resources, such as Enhanced Due Diligence (EDD). Without this early assessment, compliance efforts are inconsistent as teams lack the insights needed to address risk proportionately. Having a triage process ensures compliance teams direct their focus and resources to the third parties that genuinely require closer scrutiny, making the process not only compliant but effective.

Use open sources to find third-party risk information

While screening is an important first step, it provides only a partial view of a third party’s risk level (i.e. whether they are sanctioned, a Politically Exposed Person, or on a watchlist). It provides no wider insight about them other than whether they appear on these constrained datasets. Consequently, due diligence isn’t really performed in proportion to risk.

With only a few million entries on those lists and billions of individuals in the world, the fact that a third party isn’t in a compliance database doesn’t mean they aren’t risky. In reality, a lack of data in a curated database only indicates that the third party has not been flagged in that specific system.

Valuable risk information exists in the public domain but goes undetected because current tools can’t search and integrate unstructured data effectively. This includes news reports, research papers, regulatory filings, and other forms of unstructured data. Utilising these diverse sources gives compliance teams a fuller picture of hidden third-party risks.

Procured negative news databases have limitations

Using only curated news databases for adverse media checks is ineffective. These databases aggregate negative news from media sources to alert compliance teams to third-party risks. However, since they are often manually curated, these databases cannot encompass all risk-relevant information in real time.

Instead, they’re updated periodically, so compliance teams might miss emerging risks. This lag is particularly concerning in today’s fast-paced globalised market, where third-party risks can evolve quickly. Relying on curated news sources risks overlooking critical developments.

Compliance teams might also conduct manual web searches to gain a real-time view of third parties. However, when you’re managing a third-party onboarding program that adds 5,000 to 10,000 new entities each year, you’ll likely follow a programmatic approach to web searches. This might include limits on your search methodology, such as reviewing a specific number of search result pages.

The challenge is how compliance teams can effectively use this information without overwhelming their already-limited resources. This leads us to the next section…

Don’t overlook the benefits of AI-powered systems

In the same way that screening tools set new compliance standards a few decades ago, AI is now redefining what constitutes “adequate” compliance systems in the eyes of regulatory bodies. Recent guidance from the Department of Justice (DoJ) recognises that companies are already using AI in their compliance programs.

For the first time, the DoJ’s guidance explicitly acknowledges AI as a critical component of effective compliance. This shift signals a move towards automated, intelligent AI tools that provide a deeper, more comprehensive understanding of third-party risk—all in a fraction of the time it would take a compliance officer to do manually.

The hype surrounding AI is now passing and its benefits are crystallising for compliance teams, who are increasingly recognising how to use AI in ways that enhance regulatory compliance. The DoJ’s guidance indicates that companies that fail to integrate AI may risk falling behind, exposing themselves to potential legal penalties and reputational harm.

Turn compliance into a business-enabling function

The role of technology in compliance has evolved significantly. Screening third parties for sanctions exposure, once a non-regulatory action, became a requirement after technological advances made it possible to do so. 

Similarly, AI is now creating a new paradigm in compliance. In a world marked by increased geopolitical tensions, evolving sanctions, and the rise of ESG considerations, the limitations of static databases are increasingly apparent, as discussed above. Traditional screening tools and curated lists are no longer adequate to keep up with changing risk factors. AI-powered compliance systems, on the other hand, have the ability to keep pace.

It’s fast becoming an industry standard to power third-party due diligence processes with AI, from initial risk assessments to in-depth investigations. Xapien, for instance, can integrate data from structured and unstructured sources in real time, and then synthesise this data into a holistic view of a third party’s risk profile in less than 20 minutes.

This advanced capability allows compliance teams to process due diligence at scale, assessing more third parties faster and catching potential risks earlier in the onboarding process. By using AI tools such as Xapien, compliance teams can focus on a third party’s risk level to tailor their next steps effectively.

How can automation support your compliance team?

Firms face high expectations from the regulator and more nuanced questions to answer about third parties. The ability to perform deep due diligence at speed is more important than ever. However, many current tools are unwieldy and cost too much to run. As regulatory and reputational risks evolve, companies need more sophisticated tools to manage third-party risk. Only automation can help firms do this depth of research in minutes and earlier in the relationship.

Our expert team has a background in advising multinational organisations on third-party due diligence and onboarding programs. Fill out the form below to discuss how Xapien can help strengthen your compliance systems for improved third-party due diligence.
