When using a third party to conduct customer due diligence, a reporting entity should treat the relationship with care and mitigate the risk of the third party breaching the Act or Regulations.  

It is wise to enter into a written contract which clearly sets out each party’s responsibility.   It may also be prudent to conduct either a questionnaire covering the types of systems and controls they have in place, or visit the third party’s premises to sample test their processes and procedures.

When entering into third party relationships, consideration should also be given to the obligation of suspicious reporting.  If the third party has a suspicion of the customer and the suspicion is not dispelled, is the third party obligated to pass their concerns on to the entity to whom the services are provide to?   

If the third party is not obligated to pass their suspicions on, the reporting entity that is entering into the relationship with the customer is exposed to a number of risks.