Engagement with a new business partner brings hope for successful cooperation, increased revenue or reduced costs. However, one cannot forget that each new business relationship is also associated with a risk that may damage the business or the relationship if not properly managed. This article is aimed at providing a few practical tips on risk based approach in engaging with a new business relationship.
Collection and verification of the vendor/customer information
While engaging with the customer or a vendor we need to identify and verify that customer’s/vendor’s identity using reliable, independent source documents, data or information. The same applies to the beneficial owners, i.e. those individuals who actually own or control the corporate vehicle.
Very often the initial information is collected based on check-lists and questionnaires available on paper or on-line and accompanied with all the necessary confirmation, for verification of the declared information, such as IDs or passports of individuals or Corporate Registration Certificates for corporate vehicles.
Helpful verification tool/aid for a corporate customers or vendors may be publicly available databases. Examples for such publicly available and reliable sources of information may be:
On top of that there are plenty of commercial databases, that I will not mention here, but these are also easy to track on-line. Moreover, there are social media and other publicly available databases that aid Open Source Intelligence searches (OSINT) on our new business partners and plenty of tools helping us to visualize the findings from our Business Intelligence Activities.
We also need to understand and, as appropriate, obtain information on the purpose and intended nature of the business relationship with our vendor or customer. Usually it is being done based on the declaration.
Once we collected all the above information we need to assess the information against our own risk appetite matrix.
Risk based assessment of the information collected on vendors/customers
As soon as we know with whom we intend to interact we need to understand the risk factors associated with the future relationship. Those factor include:
- Customer/Vendor’s identity related factors such as: a PEP status, unjustifiably complex corporate structure, involvement of trusts or other structures supporting the anonymity of beneficial ownership, or discrepancies between declared identity information and our independent verification in independent sources of information
- Industry related factors, such as corruption vulnerable industries, e.g. those dependent on public procurements and funds, such as oil & gas, healthcare, construction, energy
- Country or geographic factors, e.g. locations with military conflicts, or locations with low Corruption Perception Index by Transparency International
- Product, service, transaction or delivery channel factors, e.g. FATF recognized that specific circumstances may pose a greater risk of money laundering. Examples or such circumstances include private banking, anonymous transactions (which may include cash), non-face-to-face business relationships or transactions, and payment received from unknown or un-associated third parties.
Once we have the risk factors mapped and assessed we may decide to engage or drop the business engagement. If we decide to go for the engagement we have to agree the risk based terms and conditions of the engagement in the contract and monitor our relationship.
Obviously the risk based assessment and data collection is not a one-off activity as the information needs to be kept up to date and the relationship monitored for consistency with declarations and known information on the vendor or the customer. Hence, we need to maintain a procedure for conducting an ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with our knowledge of the vendors or customers, their business and risk profile, including, where necessary, the source of funds.
Record keeping
For the purpose of demonstrating our due diligence compliance we need to maintain the record of our risk based approach activities, e.g. for tax compliance demonstration purposes. The period of record keeping usually lasts for the time of engagement plus five years.