Know your vendor:
5 best practices to reduce risk, save time, and boost revenue

Outsourcing corporate operations to third-party vendors — service providers, suppliers, and contractors — may be cost effective and efficient, but relying on parties outside an organization does involve some risk.

In the area of data security, for example, outsourcing services to a third party can potentially create systemic vulnerabilities that criminals can then exploit. Dysfunctional or ill-advised vendor relationships can also jeopardize supply chains and cause a ripple effect of disruption throughout an organization. Even worse, doing business with a vendor involved in illegal activities, such as fraud, corruption, money laundering, or forced labor, can expose the enterprise to legal, financial, and reputational damage.

Know your vendor (KYV)

To avoid such unfortunate outcomes, companies should manage vendor relationships. They can do so with a comprehensive know-your-vendor program — a set of best practices and tools designed to protect enterprises from engaging in business with vendors that pose a risk to the organization and help lay the foundation of trust necessary to develop a lasting, mutually beneficial client/vendor relationship.

At onboarding and throughout the vendor life cycle, a state-of-the-art KYV program can not only verify the integrity, reputation, and professionalism of third-party vendors but also guard against unscrupulous actors, identify suspicious behavior patterns, and alert companies to any financial or operational irregularities that might call a vendor’s conduct into question.

To ensure that the quality of your vendors is as high as your company’s own standards, follow these five KYV best practices.

1. Understand the risks of working with unverified vendors

Working with unverified vendors is akin to jumping out of an airplane with a parachute someone else has packed — someone you don’t know and are not sure you can trust. There might be nothing to worry about, but if there is, you’re the one in danger, not them.

Unverified vendors pose varying risks in terms of type and severity, but all have the potential to impact the bottom line.

Vendor risk factors

Operational risk. Vendors that are ill-equipped or incapable of fulfilling their contractual obligations can cause supply-chain delays, affect product quality, and sometimes disrupt an entire organization. After all, only one link in the supply chain needs to fail to compromise the whole system — which is why a comprehensive risk-management program should include plans for alternate vendors, just in case.

Reputational risk. Today’s volatile social media climate also makes reputational risk a reality that cannot be ignored. For instance, if the public discovers that a company is sourcing materials from a supplier suspected of using forced or underage labor, the damage to a brand’s reputation can be significant. Scrutiny of corporate practices has never been higher, so the risks have risen accordingly.

Legal or regulatory risk. Any vendor with multiple regulatory violations or a history of suspicious or criminal activity must be approached with caution, if not avoided altogether. The same goes for any vendor found to be involved in fraud, money laundering, or corruption. Indeed, underestimating the risks that unverified vendors pose is an enormous risk, albeit one you can minimize with adequate KYV protocols.

2. Be selective when choosing vendors

Choosing a vendor isn’t just about avoiding suspicious suppliers; it’s also about finding a vendor whose capabilities and values align well with the organization.

Due diligence for onboarding

Thorough vendor due diligence (VDD) during the onboarding process is the key to hiring trustworthy, reliable vendors.

For example, basic VDD involves collecting information that vendors submit about their company and evaluating it to confirm the vendor’s identity and legitimacy. That information should also include verification that the vendor is properly licensed and insured and that they have the experience and resources to do the work for which you are hiring them.

Basic VDD can also include:

  • Site visits to assess a vendor’s operations and processes
  • A review of past performance on similar projects
  • Reference checks
  • An assessment of operational and financial stability

Once you’ve gathered the above information, you should organize it using a rating system or evaluation framework to assess vendors based on how well they align with the company’s work requirements and values.

3. Verify high-risk vendors with enhanced due diligence

In cases where basic VDD is insufficient or a vendor is considered high risk, enhanced due diligence (EDD) is a good practice that provides a much more thorough analysis of a vendor’s operations, finances, and business history.

Unfortunately, adequate VDD and EDD can be difficult without the proper processes and tools. Indeed, one of the shortcomings of basic VDD is that many companies take the information vendors provide at face value. Alternatively, they may try to vet the information by doing a few simple web searches with publicly available search engines.

The problem with that approach is that it is far too easy for fraudulent vendors to create professional-looking websites and social media accounts that can fool even experienced investigators. If a potential vendor is involved in any illicit activities — like fraud, money laundering, forced labor, terrorist financing, etc. — they are not going to reveal that information willingly.

KYV risk-management technology

The only way to be certain of a vendor’s legitimacy is to conduct VDD or EDD using know-your-vendor technology specially designed to scour the internet for information that vendors may be reluctant to disclose.

This information includes, but is not limited to:

  • Court records — arrests, bankruptcies, liens, citations, judgments
  • Sanctions lists — to ensure regulatory compliance
  • News and media — to detect any adverse media coverage
  • Vehicle registration data — for identity verification
  • Social media — to protect against synthetic identities
  • Financial data — such as transaction records, debt collection, and suspicious activity reports (SARs)
  • Business networks — to identify any possible criminal associations
  • Business ownership or identity verification — owner identities, subsidiaries, shell companies, etc.

The difference maker here is that KYV technology allows companies to investigate a potential vendor’s entire digital footprint rather than the small portion covered by free search engines. Using this information, a company can create an accurate risk profile for each vendor and a framework for monitoring the vendor’s performance after being onboarded.

3. Automate monitoring to save time and reduce risk

The KYV process doesn’t stop once a vendor is hired. Throughout the vendor relationship, a company should continuously monitor a vendor’s performance, including ongoing financial transactions, relevant operational factors, and anything that might impact supply-chain resilience, such as logistics and procurement.

Manually monitoring this much information is extremely labor intensive. The only practical way to perform this vital KYV function is to use an automated solution that can monitor all relevant data sources simultaneously.

By automating KYV monitoring, companies can:

  • Free up time for higher-value tasks
  • Set up individual risk profiles for each vendor
  • Customize risk tolerance levels
  • Receive real-time alerts about suspicious activity
  • Lower operating costs
  • Minimize errors
  • Streamline vendor management

Automated content support

Another advantage of an automated know-your-vendor tool is the time it saves trying to stay current with regulatory changes, sanctions updates, and other fluid rules of global commerce.

Again, manually trying to keep up with constant regulatory changes is impractical; it is also potentially dangerous. Missing any given update can lead to fines, penalties, and loss of both reputation and revenue. Moreover, if foreign governments don’t trust a company to respect their rules, the consequences could harm the company’s ability to conduct business in that region.

With an adequately supported KYV tool, however, regulatory changes and sanctions lists are updated continuously and then automatically factored into the tool’s search parameters and alert algorithms. There is no need to worry about a missed rule change in some far corner of the world; the tool gives you the peace of mind to focus on other, more important matters.

In short, automation is essential to a comprehensive KYV program. Without it, the data tracking necessary to ensure vendor integrity in the modern world is simply too time consuming and expensive.

4. Continue screening public records

As the relationship with a vendor evolves, it is essential to keep monitoring public databases for any additional indications of illicit activity or conduct that could represent a risk to the organization or be cause for concern.

As with regulatory content, an automated KYV tool with advanced screening technology can make the daunting task of constant database monitoring as simple as setting search and risk parameters and then responding when an adverse event is flagged.

Properly programmed, such a tool can dig for publicly available data that conventional search engines do not — or cannot — access.

These additional data sources might include:

  • Corporate registration and licensing data
  • Civil and criminal court records
  • Trade journals and legal publications
  • Social media platforms
  • Sanctions lists and politically exposed persons (PEPs)
  • Corporate beneficial ownership data
  • Curated databases of industry-specific intelligence

5. Monitor key performance metrics

Though know-your-vendor best practices guard against the risks of hiring third-party vendors, they also help establish the foundation of trust and professionalism necessary for a mutually beneficial business relationship.

To maintain the integrity and reliability of vendor relationships, companies should also consider monitoring the vendor’s ongoing performance, much as they would an employee. In addition to ensuring that a vendor is meeting their contractual obligations, other key performance metrics that may merit monitoring include:

  • Quality control and consistency
  • Timeliness and adherence to deadlines
  • Responsiveness to inquiries
  • Willingness to change or improve

Periodically — bi-annually or annually — companies should also audit vendors to verify their performance in other areas, such as:

  • Data security
  • Regulatory compliance
  • Operational processes and efficiency
  • Financial health

Finally, once a comprehensive KYV program is in place, companies should regularly review their overall risk-management strategy to ensure it is still effective. If they find any lapses or gaps, they should modify the strategy to address any process weaknesses, regulatory updates, or other areas of concern.


Implementing a comprehensive know-your-vendor program is crucial for companies that need to mitigate the many risks associated with third-party vendors. Conducting thorough vendor due diligence, automating KYV processes, implementing enhanced due diligence for high-risk vendors, screening public records, monitoring adverse media, and evaluating performance metrics are all elements of a robust and effective KYV program. Combining these KYV strategies with Thomson Reuters Risk and Fraud solutions can help companies protect their bottom line and ensure the long-term success of their business.

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a “consumer report” as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning; establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing; or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.
