Case Study

The Hidden Liabilities in Your Deal: A Framework for Third-Party and Intermediary Due Diligence

The greatest regulatory and reputational exposures in a transaction rarely come through the front door.

You have run the target through every standard screen. The financial model is solid. The management team has checked out. Legal has reviewed the data room. And yet, buried three layers deep in the deal's third-party relationships — an intermediary who sourced the transaction, a regional distributor who controls access to a key market, a joint venture partner in a jurisdiction with complex ownership laws — there is an exposure that none of those processes were designed to find.

Third-party and intermediary due diligence is the part of the deal process that most acquirers underinvest in, and it is consistently where the most consequential surprises emerge after close. The enforcement agencies that regulate international business — the DOJ, the SEC, OFAC, and their equivalents across jurisdictions — have made this abundantly clear in a decade's worth of enforcement actions: acquiring a business means acquiring its third-party relationships, in full.

Understanding what those relationships actually look like, beneath the surface of what is presented in a data room, is not a compliance exercise. It is one of the most commercially important questions in any transaction.

"Acquirers are responsible for the conduct of the intermediaries they inherit. Regulators have made that position clear — and the enforcement record confirms it."

Why Third-Party Exposure Is Systematically Underestimated

The structural problem with third-party diligence is one of visibility. In any sizable transaction, the target company has a network of commercial relationships that is orders of magnitude larger than what appears in the data room. Agents, distributors, consultants, deal finders, joint venture partners, local market facilitators — each of these relationships carries its own risk profile, and the information available on most of them in a standard diligence process is minimal.

There are three specific categories of third-party risk that consistently surface in post-close investigations and enforcement proceedings.

1. Regulatory and Sanctions Exposure

An intermediary with beneficial ownership ties to a sanctioned individual, a distributor that operates in a jurisdiction subject to export controls, a regional agent whose beneficial owners include entities on OFAC watchlists — these relationships can create direct regulatory liability for the acquirer, regardless of the acquirer's knowledge or intent.

The challenge is that this exposure is rarely visible at the surface level. Shell structures, nominee ownership arrangements, and multi-jurisdictional corporate architectures are specifically designed to obscure beneficial ownership. Tracing through them requires primary research — not database queries.

2. FCPA and Anti-Corruption Liability

The Foreign Corrupt Practices Act — and its equivalents in the UK, EU, and elsewhere — makes companies liable for the corrupt conduct of third parties acting on their behalf. A consultant who facilitated market access by making improper payments to a government official. A distributor who structured transactions in ways that allowed local officials to benefit. A deal intermediary whose fees were, in practice, a mechanism for improper payments to decision-makers.

These arrangements are rarely documented in any way that surfaces in a standard data room review. They are, by design, constructed to be invisible. Uncovering them requires human intelligence — direct inquiries with people who have visibility into how a company actually operates in a given market.

3. Reputational Contagion

Not every third-party risk results in a regulatory finding. Some of the most damaging exposures are reputational — intermediaries or business partners whose associations, business practices, or public profiles are fundamentally incompatible with the acquirer's own standards and stakeholder expectations.

A private equity fund that acquires a business with a regional partner who is the subject of ongoing corruption investigations in a foreign jurisdiction will find that incompatibility very difficult to explain to its LPs. The regulatory outcome may be uncertain. The reputational consequence is not.

The Third-Party Risk Framework: What You Need to Know

  • Who are the intermediaries, agents, and deal consultants involved in this transaction, and what is their actual role?

  • Who beneficially owns the third parties through which significant business is conducted?

  • Do any third-party relationships involve jurisdictions subject to US, EU, or UN sanctions regimes?

  • How is business actually won in the target's key markets — and who facilitates that access?

  • What is the market's candid view of the third parties the target relies on for significant commercial relationships?

  • Are there any ongoing or historical regulatory, legal, or reputational matters involving these third parties?

A Structured Approach to Third-Party Diligence

Effective third-party and intermediary diligence follows a staged process that moves from identification to investigation to risk assessment. Each stage builds on the last, and the depth of investigation applied to any given third party should be proportional to the commercial significance of that relationship and the risk profile of the jurisdiction in which it operates.

Stage 1: Map the Third-Party Universe

Before any investigation can begin, you need a complete and accurate picture of the target's third-party relationships. This sounds straightforward. In practice, it rarely is.

Data rooms typically contain the relationships that the target wants you to see. Significant commercial relationships conducted through informal arrangements, legacy agreements, or local market intermediaries may not be represented — or may be disclosed in ways that obscure their true nature and significance.

Building a complete map of the third-party universe requires going beyond the data room: reviewing contracts and commercial agreements, analyzing financial flows to identify undisclosed relationships, and conducting direct conversations with individuals who have operational visibility into how the business actually runs.

Stage 2: Risk-Tier the Relationships

Once the third-party universe is mapped, the next step is to prioritize for investigation. Not every third-party relationship warrants the same depth of review. Risk-tiering allows resources to be concentrated where exposure is most likely and most consequential.

The primary factors in risk-tiering are: the commercial significance of the relationship, the jurisdiction in which it operates, the nature of the services provided (particularly where those services involve market access or government relationships), and any initial red flags surfaced in the mapping process.

High-risk relationships — those combining significant commercial weight with elevated jurisdictional or relational risk — warrant deep-dive investigation. Lower-risk relationships may be addressed through more streamlined review.

Stage 3: Beneficial Ownership Tracing

For high-priority third parties, the first investigative workstream is beneficial ownership tracing. Who actually owns and controls this entity? The answer is rarely as simple as it appears in any corporate registry.

Shell structures, nominee directors, and multi-layer holding arrangements are common features of the third-party landscape in many international markets. Penetrating them requires access to foreign corporate registries, offshore jurisdiction databases, and — in many cases — primary research conducted in the relevant jurisdictions.

The goal is to identify the ultimate beneficial owners of every significant third-party relationship and to assess whether any of those individuals or entities create regulatory, sanctions, or reputational exposure for the acquirer.

Stage 4: Human Intelligence and Market Inquiry

Record-based investigation tells you what is formally documented. Human intelligence tells you what people in the relevant markets actually know about a third party's practices, relationships, and reputation.

Direct inquiries with competitors, suppliers, former employees, and industry participants who have had visibility into the third party's operations can surface information that no database contains — how business is actually conducted, what local market participants understand about how relationships with government officials are managed, and what the frank professional assessment of a third party's practices is among those who have dealt with them directly.

This kind of intelligence is particularly valuable in markets where formal records are sparse, unreliable, or inaccessible — which is precisely where third-party risk tends to be highest.

"The deals that generate the most consequential post-close surprises are almost never surprised by the target company itself. The exposure comes through the relationships the target company depends on."

Integrating Third-Party Findings Into Deal Decision-Making

The output of a third-party diligence process needs to be actionable, not merely informational. A list of identified risks without a framework for evaluating their significance and responding to them is not decision-ready intelligence.

An effective third-party diligence report should do four things: identify the material third-party relationships that carry elevated risk; assess the nature and severity of that risk in terms of regulatory, financial, and reputational exposure; recommend specific mitigation actions — whether restructuring a relationship, renegotiating deal terms, or pricing the exposure into the transaction value; and provide the evidentiary foundation for any representations and warranties that will be required in the definitive agreements.

Where third-party risks are identified that cannot be adequately mitigated, the diligence process has done its job: it has given the acquirer the information needed to make a fully informed decision about whether and on what terms to proceed.

The Post-Close Stakes

The regulatory and reputational consequences of third-party exposure do not respect transaction timelines. An enforcement action that surfaces eighteen months after close, rooted in conduct that pre-dated the acquisition, can be as damaging as one that arises from conduct that occurred on the acquirer's watch.

The DOJ's successor liability framework is clear: acquiring a business means acquiring its compliance history, including the third-party relationships through which that history was made. Thorough pre-close diligence of those relationships is not only the right commercial decision. In an increasing number of contexts, it is also the difference between an enforcement action and a voluntary disclosure — and the leniency that often accompanies it.

Third-party relationships are where deals are won and where they are lost. They deserve the same investigative rigor applied to the financial statements and the management team. In most transactions, they don't get it. The cost of that gap — regulatory, financial, and reputational — is consistently higher than the cost of closing it.