The Problem With Third-Party Due Diligence Questionnaires

COMPLIANCE PROGRAMS
By Hui Chen

Hui Chen (www.HuiChenEthics.com) was the Justice Department’s first-ever compliance counsel expert before leaving in June to start her own private compliance consulting service. Before she joined the DOJ, Hui served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.

Third-party due diligence is a constant topic in corporate compliance. Judging from the number of vendors in the space, one surmises there is significant spending to sustain them all. Virtually all of the systems I have seen begin with a request to the third party to provide information about itself in a questionnaire. Just how reliable is this foundational data?

Not only do I have opportunities to review due diligence questionnaires on many occasions, but I now also have the pleasure of having to complete them myself as a consultant. Below are some common pitfalls I have observed.

Who is completing the form?

Typically, the person who is completing the questionnaire is a low-level employee with no organizational overview and little access to information. Most due diligence processes I have seen, however, do not appear to recognize this reality. In asking a question such as “Have you received training on export controls?”, who exactly is “you”? If “you” is the organization, you are counting on the clerk answering the question to collect and provide information on all export control training that’s been done across the organization. How confident are you that this would be done?

Unclear or overly broad scope.

“Have you ever provided hospitality to any Government Officials?” Does having your army buddy over for drinks count? “Do you take cash payments?” Surely, somewhere at some time the organization does. And there are the eight questions rolled into one: “Are you, or are any of your immediate family members, in a business or personal relationship with a current or former Government Official?” There are three sets of variables: you and your family members, business and personal relationships, current and former Government Officials. How much are you counting on the clerk answering the question to be able to inquire and document each line of relationship?

Unanswerable questions.

“Have you potentially or actually violated any laws relating to [several different areas of law]?” Even in a company with the most vigilant compliance program, it is impossible to know all potential or actual violations of all kinds of laws. Even when it is aware, it is hardly in a position to disclose that knowledge in this setting. Thus the only truthful answers to this question would be “don’t know” and “can’t tell.” What exactly is accomplished by asking this?

Obviously cover-your-ass questions.

Questions such as “Do you comply with all applicable laws?” or “Do you [launder money]/[provide payments for benefit]?” are clearly asked to prompt the “right” answer. People have told me these are “CYA” questions. The problem is, when everyone knows it is a CYA query, it loses the credibility it needs to provide the coverage you desire.

Duplicative processes.

A symptom of compliance due diligence not being integrated into the business processes is that duplicative questions are asked on multiple platforms. Due diligence questionnaires usually begin with basic questions such as the nature of the service, contact person, business type, etc. Often, the company already has the answers to these from the contract and other procurement or partner processes that precede onboarding. These separate processes create room to game the system: what’s in the questionnaire doesn’t have to be what’s in the contract. It then creates the need for additional audit and monitoring to ensure consistency across systems. Multiple platforms are costly because they create inefficiency and vulnerability.

What will you do with the answers?

Questions need to be asked with a purpose in mind: this means knowing what to do with the answers you might get. Efficiency demands that you ask questions to which you really need the answer, and accountability requires that you have ways to verify the answer. Questions that generate information you don’t need, or answers you have no way of verifying, waste everyone’s time and erode your credibility.

Missing a brain.

I have found the lack of common sense and logic to be the underlying theme of many due diligence questionnaires. Things that can easily be explained in one sentence are now broken into unrelated entries of drop-down boxes that do not offer sensible answers. No one seems to be asking common sense questions and, more importantly, putting the pieces together in a logical way. The technology and the platforms are tools: they need a brain to make them useful.

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
