The risk that arrives from outside.

Of the eight measures required by Article 17 of Sapin II, third-party due diligence is the one that tends to generate the most uncertainty in practice. The law requires companies to implement procedures to assess — in proportion to their risk exposure — business partners: customers, suppliers, and intermediaries with whom they maintain a significant commercial relationship.

The formulation sounds straightforward. In practice, it raises a series of questions that compliance teams frequently struggle with: What constitutes a significant commercial relationship? What level of assessment is proportionate to what level of risk? What does assessment actually require — a questionnaire, a database check, an on-site visit? And how is the output of an assessment turned into a decision?

The AFA's published guidance on third-party due diligence provides a framework, but not a formula. What the agency expects is a risk-based, documented, and consistently applied procedure — not a uniform process applied identically to every counterparty regardless of their risk profile.

"Third-party due diligence under Sapin II is not about doing the same thing for every supplier. It is about doing the right thing for each supplier — calibrated to what the relationship actually exposes the company to."

Risk-based, documented, and operationally real.

A third-party due diligence programme that functions under Sapin II begins before the relationship begins. The risk assessment happens at the onboarding stage — informed by the company's anti-corruption risk map, which should already have identified the categories of third party, geographies, and transaction types that carry elevated exposure.

The due diligence itself is calibrated to the risk profile of the specific relationship. A low-risk supplier of standard goods in a low-risk jurisdiction may require no more than a database screening and confirmation of basic corporate information. A sales intermediary operating in a high-risk market, with significant discretion over how it pursues business on the company's behalf, requires something substantially more rigorous: a detailed questionnaire, financial verification, reference checks, potentially an on-site assessment.

The output of due diligence is a documented decision — not simply a record of the process. The company must be able to demonstrate that it reviewed the findings, that it made an informed judgment about whether to proceed, and that any risk-mitigation measures agreed as a condition of the relationship are actually monitored. A due diligence file that ends with a completed questionnaire and no evidence of review is not a functioning programme.

One of the most revealing tests of a third-party programme's operational reality is this: can you show, for any given third party in your portfolio, what level of risk was assigned and why, what due diligence was conducted as a result, what the findings were, who reviewed them, and what decision was taken? If any link in that chain is missing, the programme is not functioning as Sapin II requires.

The gaps the AFA finds most often.

The most common failure mode is a programme that exists at the design stage but breaks down in implementation. The procedure is documented. The risk categories are defined. The questionnaire is developed. But the procedure is applied only to new relationships — not to the existing portfolio, which may contain counterparties who were onboarded before the programme existed and have never been assessed. The AFA expects retroactive coverage of material relationships.

A second common failure is inconsistency of application. Due diligence is conducted rigorously for third parties that procurement identifies as significant, but not for third parties introduced through commercial channels — where the pressure to close a deal quickly can override compliance process. The AFA assesses whether the procedure is applied across all relevant categories, not only the ones where the compliance function has direct involvement.

A third failure mode is the absence of ongoing monitoring. Due diligence conducted at onboarding does not remain valid indefinitely. A counterparty whose risk profile was acceptable three years ago may have changed — through ownership changes, geographic expansion, or the emergence of adverse media that a periodic refresh would have identified. Sapin II expects monitoring to be ongoing, not a one-time event.

"The third-party programme that satisfies Sapin II is the one that treats due diligence as a continuous relationship obligation — not a box to be checked at the start of a contract and forgotten."

The practical implication is that third-party due diligence requires genuine operational infrastructure: a process that is integrated into commercial and procurement workflows, a risk model that is regularly updated, and a review mechanism that ensures findings are acted on rather than filed. Building this takes time. Maintaining it takes discipline. Both are what Sapin II requires.
