International third-party due diligence

How much is enough?

Conducting due diligence on international third parties is now considered a leading practice for companies operating in international jurisdictions. While the need is clear, there is no regulatory guidance specifying a minimum level of due diligence to be conducted. This ambiguity can make it tempting for companies to take a cursory swipe at due diligence; review one database, check the "all-clear" box, and enter into a business agreement.

In the last few years, production of electronically stored information (ESI) for business and other purposes has increased exponentially. As the amount of information that organizations maintain grows, so do the costs and risks associated with effectively managing that data. To counter these effects, it is essential that organizations prepare themselves for potential litigation by creating a litigation readiness plan. By mapping their data types, locations, and custodians and establishing plans to respond to discovery, organizations can save money and reduce risk in litigation.

As a result of this complexity, discovery obligations necessarily involve not only legal counsel, but also records and information management (RIM) and information technology (lT) personnel. Operationally, these groups work independently. As such, solutions created solely to solve RIM or IT problems may create inefficiencies when applied to litigation.

However, as recognized by the EDRM in the 2011 publication How the Information Governance Reference Model Complements ARMA International's Generally Accepted Recordkeeping Principles (EDRM 2011), organizations can identify and mitigate these inefficiencies through careful planning.

Learn more about how to create a litigation readiness plan

Approaching due diligence

While there is no law or regulation specifically defining what is "sufficient" international due diligence, the guidance and examples of enforcement actions discussed above do provide some indication of leading practices. Generally, companies can consider several steps in their investigation of a potential int'l third party, including:

  • Require the third party to disclose information on a questionnaire.
  • Use a risk-based approach to verify the information provided and independently identify adverse information.
  • Take action on any identified "red flags" uncovered in the process.
pink circle


While the due diligence effort may lengthen the start-up time for a new third party relationship, recent SEC and DOJ judgments have demonstrated that failing to do so can have considerable negative financial and operational repercussions for companies seeking to conduct business internationally. It is far better to proceed slowly, carefully, and thoroughly with any new business relationship.

fire circle
Did you find this useful?