27th April 2021
Third Party Money Laundering Risk
In the global financial landscape, supply chains are crucial to the delivery of goods and services, with third-party relationships connecting companies and sectors across jurisdictions. The integration of effective supply chains into modern business infrastructure allows firms to acquire resources, enlist expertise, and connect with important markets quickly and cost-effectively – rather than having to control and manage their production processes entirely in-house.
However, supply chain integration and the third-party relationships that entails bring a degree of elevated risk: in relying on a supply chain for essential commercial goods or services, firms must be confident that third parties are not involved in criminal activities such as fraud, money laundering, or the financing of terrorism, and are operating in compliance with relevant AML/CFT regulations. While a firm may be able to deploy robust compliance measures internally, third-party firms may not implement the same level of AML scrutiny, or may even seek to exploit vulnerabilities in partners’ infrastructure to engage in illegal activities.
To fulfill their compliance obligations and avoid facilitating criminal activity, firms must be able to accurately assess the third-party money laundering risks that they face on an individual basis. In practice this means investigating the conduct of partner firms up and down the supply chain and performing an appropriate level of due diligence prior to initiating a business relationship.
As a first step, firms should map their supply chain from end to end, listing persons involved in the chain individually. Since a third-party supply chain may comprise manufacturers, transporters, suppliers, distributors, consultants and more, firms must implement a due diligence process that reflects the diversity and unique challenges of their environment.
When conducting supply chain due diligence, firms should focus on acquiring third-party information that can be used to inform money laundering risk assessments, including:
- Company names, addresses, taxpayer references, and incorporation documents
- Names of company owners and beneficial ownership
- Company cash flow and asset expenditure data
- Debts, liabilities, and other contingencies
- Employment status of company employees
- Historical financial data
- Internal business risk assessments and growth projections
- Historical AML compliance performance
A lack of familiarity with third-party partner firms may expose firms to specific risks. These include:
- Industry: While a firm may operate in a relatively low-risk industry, partner firms up and down its supply chain may not. Relationships with firms in the shipping, art, or payment services industries, for example, may expose partner firms to higher degrees of AML risk than their native industries.
- Location: Firms may have business relationships with partners in countries that have lower AML/CFT controls than their operational jurisdiction and that exploit disparities in international legislation.
- Sanctions: Partner firms may have business relationships with persons that are subject to international sanctions or similar restrictions, especially when those persons are located in foreign jurisdictions.
- Political risk: It may be difficult to track partner firms’ relationships with politically exposed persons (PEPs). Elections in foreign countries may change a third party’s PEP status and with that the level of money laundering risk that they present.
Managing supply chain risk can be complicated and challenging, especially since third-party AML/CFT threats are less visible than those captured by internal compliance controls. However, the principles of managing third-party money laundering risk are broadly similar to the process of managing known risks, and require the implementation of monitoring and reporting controls.
Under Financial Action Task Force (FATF) recommendations, firms must implement risk-based compliance solutions in order to manage the AML threats they face. In a supply chain context, this means conducting an effective risk assessment of supply chain relationships and then deploying enhanced due diligence measures for higher risk third-parties and simplified measures for lower risk third-parties. Risk-based AML allows firms to approach supply chain due diligence pragmatically, balancing their significant compliance responsibilities with their administrative and financial resources.
In addition to performing suitable supply chain due diligence (and acquiring the important information listed above), firms should perform a range of ongoing checks to ensure third-party risk profiles have not changed over the course of their business relationships. Ongoing supply chain checks should include:
- PEP screening: Firms should screen for elections and other governmental processes that may change the PEP status of third-party partners, and of their relatives and close associates.
- Sanctions screening: Firms need to know if the third-parties they do business with have links to individuals and countries that are subject to economic sanctions. Accordingly, firms should screen third-parties against relevant sanctions lists, such as the OFAC list, the UK list, the EU list, and the UNSC Consolidated List.
- Adverse media: Negative news reports often indicate that a person is involved in criminal activity and poses a greater risk of money laundering. Firms should screen for adverse media stories that involve third-parties in their supply chain, incorporating traditional screen and print sources and online sources.
Audits: Effective supply chain due diligence may require firms to conduct an audit of third-party businesses to verify the information they provide and ensure that they have implemented appropriate internal AML/CFT controls. Audits may involve site-visits, investigations of clients, customers, and business relationships, and, in some cases, correspondence with authorities.
Penalties: Failure to implement suitable supply chain due diligence measures may result in significant AML compliance penalties for both firms and individuals – depending on the jurisdiction in which a violation takes place. In the United States, for example, AML compliance failures under the Bank Secrecy Act (BSA) may result in fines of up to $1 million and prison sentences of up to 10 years.