Third-Party Due Diligence in Trade Compliance

Third-party due diligence in trade compliance is the structured process of evaluating business partners, intermediaries, agents, and vendors before and during commercial relationships to identify regulatory risk. Federal agencies including the U.S. Department of Commerce Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC) hold companies accountable for violations committed by or through third parties, even when the domestic firm is not the direct transacting party. This page covers the definition of third-party due diligence, how the process operates in practice, the scenarios where it applies, and the boundaries that determine the depth of review required.


Definition and scope

Third-party due diligence in trade compliance refers to the investigation and ongoing monitoring of external entities whose actions could create regulatory liability for a U.S. company. The scope encompasses exporters, importers, freight forwarders, customs brokers, foreign distributors, resellers, joint venture partners, and any agent authorized to act on behalf of the company in cross-border transactions.

The legal foundation for this obligation appears across multiple federal frameworks. Under the Export Administration Regulations (EAR), codified at 15 C.F.R. Parts 730–774, exporters bear responsibility for knowing their end-users and end-uses. OFAC's enforcement guidelines, published in its Framework for OFAC Compliance Commitments, identify third-party due diligence as one of five essential components of a sanctions compliance program. The Foreign Corrupt Practices Act (FCPA), enforced by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), extends liability for bribery conducted by foreign agents or intermediaries, creating a parallel due diligence obligation that intersects directly with trade compliance program elements.

Due diligence scope is not uniform. The depth of review scales with risk factors including jurisdiction, transaction value, commodity sensitivity, and the nature of the third party's role.


How it works

Effective third-party due diligence follows a phased structure that moves from initial screening through onboarding, transactional monitoring, and periodic re-evaluation.

  1. Risk classification: The third party is assigned a risk tier based on country of operation, industry sector, ownership structure, and the regulatory regimes that govern the transaction. Parties in OFAC-sanctioned jurisdictions or countries subject to BIS Entity List restrictions receive elevated scrutiny.
  2. Denied-party and watchlist screening: All parties are checked against government-maintained lists, including the BIS Entity List, Unverified List, Denied Persons List, OFAC Specially Designated Nationals (SDN) List, and the State Department Debarred Parties list. This step is foundational and must precede any transaction. The process is detailed further under denied-party screening.
  3. Documentary collection: Higher-risk relationships require submission of organizational documents, ownership disclosures, financial references, and certifications of compliance. For export transactions, this may include end-user certificates or BIS Form 711 statements.
  4. Substantive background review: For elevated-risk parties, the review extends to public records, legal history, beneficial ownership verification, and reputational screening. OFAC's 50 Percent Rule requires blocking any entity owned 50 percent or more by a sanctioned person, even if that entity does not appear on a published list (OFAC Guidance on the 50 Percent Rule).
  5. Contractual compliance provisions: Agreements with third parties should include representations, audit rights, and termination clauses tied to compliance violations. The DOJ FCPA Resource Guide (Second Edition, 2020) identifies contractual protections as a marker of a credible compliance program.
  6. Ongoing monitoring and re-screening: Relationships are re-screened at defined intervals and upon triggering events such as ownership changes, sanctions designation updates, or news of enforcement actions against the counterpart.

Common scenarios

Third-party due diligence requirements arise across the full range of trade activities.

Export distribution networks: A U.S. manufacturer selling through a foreign distributor must verify the distributor is not listed on restricted-party lists and does not intend to re-export controlled goods to prohibited end-users. This connects directly to export compliance requirements and the deemed-export provisions of the EAR.

Import supply chains: Importers must assess whether suppliers are linked to forced labor in violation of the Uyghur Forced Labor Prevention Act (UFLPA), which creates a rebuttable presumption that goods from the Xinjiang region of China are produced with forced labor (CBP UFLPA Enforcement Guidance). U.S. Customs and Border Protection (CBP) enforces this at the border, making upstream supplier due diligence part of supply chain compliance.

Sanctions intermediary risk: Parties in non-sanctioned jurisdictions may serve as conduits to sanctioned entities. OFAC enforcement actions have resulted in civil penalties exceeding $1 billion in single cases where inadequate third-party screening failed to detect indirect sanctions exposure (OFAC Enforcement Actions database).

Customs broker and freight forwarder relationships: As discussed under customs broker compliance, companies retain liability for misdeclarations or violations introduced by their licensed agents, making vendor qualification a compliance obligation rather than a procurement preference.


Decision boundaries

Not all third-party relationships require the same depth of due diligence. The following distinctions define the appropriate scope of review.

Transactional vs. ongoing relationships: A one-time, low-value purchase from a domestic supplier in an uncontrolled commodity category warrants basic denied-party screening. A multi-year foreign distribution agreement in a dual-use technology sector requires full documentary collection, background investigation, and contractual compliance architecture.

Controlled vs. non-controlled goods: Items classified under Export Control Classification Numbers (ECCNs) with license requirements trigger heightened end-user verification obligations under 15 C.F.R. Part 732. Items classified EAR99 (no specific classification) carry lower baseline requirements, though sanctions and restricted-party obligations apply universally regardless of classification.

High-risk vs. standard jurisdictions: Transactions involving parties in countries subject to comprehensive OFAC sanctions programs — Iran, North Korea, Cuba, Syria, and the Crimea region — require categorical review regardless of transaction size. Countries on BIS's Country Chart with multiple license requirements similarly elevate due diligence thresholds.

Agent vs. vendor distinction: An agent acting with authority to bind the company to contracts (creating FCPA third-party intermediary exposure) requires more rigorous review than a vendor supplying commodities at arm's length. The DOJ and SEC treat this distinction as material when evaluating whether a company's due diligence program was adequate following an enforcement action.

A compliance risk assessment provides the documented methodology for calibrating these boundaries consistently across the enterprise.

