The 2023 Interagency Guidance on Third-Party Relationships: Risk Management, issued jointly by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, describes how banking organizations should manage risks from third-party relationships. The guidance expects that management to be commensurate with the level of risk and complexity of each arrangement.

Although that guidance is written for banks, the underlying principle applies to organizations that depend on strategic suppliers, distributors, and technology partners. When systems, data, and customers are integrated, a partner’s leadership and ownership structure can become sources of operational, legal, and compliance risk.

If an executive or principal associated with a key partner has undisclosed fraud judgments, sanctions exposure, or other serious integrity issues, those facts can surface later in ways that affect performance. The impact may appear as delayed deliveries, heightened audit scrutiny, or, in public procurement, as questions about integrity that influence bid evaluations.

Key Takeaways


  • Federal Reserve 2023 interagency guidance for banking organizations links third-party risk management to evaluating qualifications and backgrounds of key personnel and considering periodic background checks.
  • FAR 9.104-6, effective October 1, 2025, requires contracting officers to review performance and integrity information in FAPIIS for awards above the simplified acquisition threshold.
  • OFAC’s 2019 Framework for OFAC Compliance Commitments ties sanctions compliance expectations to a risk-based program that includes sanctions risk assessments and due diligence on customers, supply chains, intermediaries, and counterparties.
  • GAO debarment recommendations, such as the 1985 decision B-217705, illustrate potential consequences of violations that can affect firms and their officers.
  • Effective programs scale checks to risk, monitor changes in key personnel, and document decisions so they are defensible to auditors, examiners, and contracting authorities.

Federal Procurement: Responsibility and Integrity Data


Under Federal Acquisition Regulation 9.104-6, with text effective October 1, 2025, contracting officers must review performance and integrity information in the Federal Awardee Performance and Integrity Information System (FAPIIS) before awarding any contract in excess of the simplified acquisition threshold. This requirement is detailed on Acquisition.gov.

That review covers information drawn from sources such as the System for Award Management exclusions list and the Contractor Performance Assessment Reporting System. The regulation specifies that FAPIIS identifies affiliates, including immediate owners, subsidiaries, and predecessors. This means that integrity issues tied to related entities can appear in the data the contracting officer is required to consider.

When making a responsibility determination, contracting officers must consider all available FAPIIS information about the offeror, as well as any immediate owner, predecessor, or subsidiary identified in the system. Responsibility determinations for contracts above the simplified acquisition threshold are documented in the contract file. Consequently, the way integrity information was assessed can later be examined during audits or bid protests.

Historical debarment actions show the potential consequences when integrity and labor obligations are not met.

In 1985, the Government Accountability Office's decision in case B-217705 described how a firm, its owner, and its secretary failed to pay required wages and proper overtime compensation under the Davis-Bacon Act and falsified payroll records. As GAO summarized, this led to their placement on the ineligible list.

Federal acquisition policy also connects subcontractor conduct to a prime contractor’s integrity record. Under the FAR framework for FAPIIS, certain substantiated violations involving subcontractors, including trafficking in persons violations, are entered into the prime contractor’s FAPIIS record. This means issues in lower tiers can appear in the integrity data the contracting officer reviews when assessing responsibility.


Sanctions, Anti-Bribery Rules, and Third-Party Relationships


Federal contracts are only one context in which counterparties are evaluated through the conduct of their key personnel and associated entities. The U.S. Treasury’s 2019 document A Framework for OFAC Compliance Commitments explains that organizations subject to U.S. jurisdiction are expected to take a risk-based approach to sanctions compliance. This includes routine and, where appropriate, ongoing sanctions risk assessments that inform internal controls, according to OFAC.

In that framework, OFAC notes that risk assessments should evaluate customers, supply chains, intermediaries, counterparties, products, services, and geographic touchpoints. The results should guide the extent of due diligence at onboarding and during mergers and acquisitions. The document also identifies insufficient or improper due diligence on customers and counterparties as a recurring factor in past sanctions violations.

Anti-bribery law similarly embeds expectations about third-party controls. The Ministry of Justice guidance on the UK Bribery Act 2010 describes how a commercial organization can rely on the statutory defence of having "adequate procedures" to prevent bribery by associated persons, and it identifies due diligence as one of six core principles of such procedures.

The guidance explains that organizations should apply proportionate, risk-based due diligence to persons who perform services for or on their behalf, including agents, intermediaries, and other associated persons. For multinational sales models that rely on third-party channels, that expectation effectively turns structured screening of partners into a core element of an anti-bribery compliance program.

Supply chain policy adds a further layer. The Cybersecurity Supply Chain Risk Management (C-SCRM) Acquisition Guide issued by the General Services Administration in 2025 describes how agencies can use supply chain risk assessment tools throughout pre-acquisition planning and post-acquisition monitoring. It notes that ICT and operational technology supply chains face unintentional threats such as inadequate personnel screening, as well as risks linked to foreign ownership, control, or influence (FOCI).

Taken together, these frameworks show that background checks and related integrity controls on key personnel are both compliance requirements and strategic safeguards. Weaknesses in sanctions due diligence can lead to blocked or delayed transactions, while failures in anti-bribery controls can contribute to enforcement actions and contract disruption.

In each case, the underlying risk often begins with limited visibility into the individuals steering a partner organization or its critical subsidiaries.

Operational Effects When Due Diligence Is Weak


Commercial partnerships are often structured for long-term efficiency, with shared customer interfaces, technical integrations, and coordinated roadmaps. Replacing a key partner because of late-discovered integrity concerns can require reconfiguring systems, renegotiating customer arrangements, and absorbing transition costs that were not anticipated at the time of contracting.

The interagency third-party guidance for banking organizations underscores that the use of third parties can reduce a bank's direct control over activities and may introduce operational, compliance, and strategic risks if those activities are not appropriately managed.

When a partner experiences a security incident or operational failure, questions often arise about how that partner was vetted at onboarding and monitored over time. In settings where regulatory expectations about third-party risk management are explicit, gaps between documented practices and supervisory guidance can complicate responses to examinations or incident reviews.

Reputational concerns can also affect commercial outcomes even where no formal rule is breached. Institutional buyers may treat significant integrity issues involving executives or owners at key vendors as material to renewal decisions. This is particularly relevant where those buyers themselves must report on risk management practices in public filings or supervisory processes.

Documentation plays a central role in how these questions are resolved. If an organization cannot show when and how it conducted due diligence on key personnel of a critical partner, it is harder to demonstrate that its third-party risk management practices were commensurate with risk and complexity in line with supervisory expectations.

Designing Risk-Based Screening of Key Personnel


The interagency guidance on third-party relationships emphasizes that not all relationships present the same level of risk and that risk management practices should be tailored accordingly. More comprehensive and rigorous oversight is required for higher-risk relationships that support critical activities, as described by the Federal Reserve.

Within that framework, the guidance calls out the qualifications and backgrounds of a third party’s principals and other key personnel as a specific due diligence factor. An important consideration is whether the banking organization or the third party periodically conducts background checks on key personnel and contractors who may have access to information technology systems or confidential information.

The same document highlights the importance of ongoing monitoring that considers changes in a third party’s key personnel involved in an activity, along with changes in financial condition, audit and testing results, and compliance with laws and regulations. In higher-risk relationships, aligning background checks and integrity screening with these monitoring expectations can make it easier to demonstrate that oversight practices match the risk profile of the activity.

Effective programs also focus on how decisions are recorded. For each vetting decision, organizations can log which sources were consulted, the date of review, any findings, and how those findings affected risk ratings or approvals. Automating this record can reduce errors and create an auditable trail that supports later reviews by internal audit, regulators, customers, or contracting authorities.

The GSA C-SCRM Acquisition Guide describes how supply chain risk assessment tools can support pre-acquisition planning and post-acquisition monitoring, including reassessments when triggers such as mergers and acquisitions or new indicators of foreign ownership, control, or influence arise. Similar trigger-based reassessment points can be used in private-sector vendor governance so that changes in ownership or leadership prompt renewed checks rather than remaining undetected.
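The two practices above, a recorded vetting decision and a trigger-based reassessment point, can be combined in one small piece of tooling. The following is an added example written for this page; it is not code from any regulator, agency, or vendor, and the field names, the risk tiers, the review intervals, and the trigger names are assumptions chosen for illustration rather than requirements taken from the guidance cited. It keeps each vetting decision (sources consulted, date, findings, risk tier, outcome) in a hash-chained, append-only log so that later alteration of an earlier entry is detectable, and it answers the question "does this partner need a fresh review today?" from either an elapsed review interval or an event such as a change in ownership or key personnel.

```python
"""Hash-chained vetting decision log with trigger-based reassessment checks.

Added example for this page, not code from any agency or vendor. Field names,
risk tiers, review cadences and trigger names are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

GENESIS = "0" * 64  # prev_hash of the first entry

# Assumed review cadence per risk tier (days); not taken from the guidance.
REVIEW_INTERVAL_DAYS = {"critical": 180, "high": 365, "standard": 730}

# Assumed events that force a fresh review regardless of cadence, mirroring the
# kinds of triggers the text mentions (ownership or leadership change, M&A,
# a new exclusion listing, new FOCI indicators).
IMMEDIATE_TRIGGERS = {
    "ownership_change",
    "key_personnel_change",
    "merger_or_acquisition",
    "exclusion_listing",
    "foci_indicator",
}


@dataclass(frozen=True)
class VettingRecord:
    partner: str
    subject: str               # person or entity that was screened
    review_date: str           # ISO date of the review
    sources: tuple[str, ...]   # e.g. SAM exclusions, OFAC SDN, FAPIIS
    findings: tuple[str, ...]  # empty tuple means nothing adverse found
    risk_tier: str             # "critical" | "high" | "standard"
    decision: str              # "approve" | "approve_with_conditions" | "reject"
    prev_hash: str             # digest of the preceding entry (chain link)

    def digest(self) -> str:
        # Canonical JSON so the same record always hashes the same way.
        canon = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class VettingLog:
    """Append-only log in which every entry commits to the previous entry."""

    def __init__(self) -> None:
        self.entries: list[VettingRecord] = []

    def append(self, **fields) -> VettingRecord:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        rec = VettingRecord(prev_hash=prev, **fields)
        self.entries.append(rec)
        return rec

    def head(self) -> str:
        """Digest of the newest entry; anchor this externally (see note)."""
        return self.entries[-1].digest() if self.entries else GENESIS

    def verify(self) -> tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, first bad index)."""
        expected = GENESIS
        for i, rec in enumerate(self.entries):
            if rec.prev_hash != expected:
                return False, i
            expected = rec.digest()
        return True, -1

    def latest_for(self, partner: str) -> VettingRecord | None:
        for rec in reversed(self.entries):
            if rec.partner == partner:
                return rec
        return None

    def reassessment_reason(self, partner: str, today: date,
                            triggers=()) -> str | None:
        """Why a new review is due now, or None if the last one still stands."""
        hit = IMMEDIATE_TRIGGERS.intersection(triggers)
        if hit:
            return "trigger:" + ",".join(sorted(hit))
        last = self.latest_for(partner)
        if last is None:
            return "no prior review"
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[last.risk_tier])
        due = date.fromisoformat(last.review_date) + interval
        if today >= due:
            return f"periodic review overdue since {due.isoformat()}"
        return None


if __name__ == "__main__":
    # Constructed sample data; the partner and people are fictitious.
    log = VettingLog()
    log.append(partner="Acme", subject="Acme Ltd (entity)", review_date="2025-01-15",
               sources=("SAM exclusions", "OFAC SDN"), findings=(),
               risk_tier="high", decision="approve")
    log.append(partner="Acme", subject="J. Doe (director)", review_date="2025-01-16",
               sources=("adverse media",), findings=("unresolved civil judgment",),
               risk_tier="critical", decision="approve_with_conditions")
    print(log.verify(), log.head())
    print(log.reassessment_reason("Acme", date(2025, 8, 1)))
    print(log.reassessment_reason("Acme", date(2025, 3, 1), {"ownership_change"}))
```

One caveat a reviewer should keep in mind: a hash chain only detects changes to an entry that has a successor, because the link lives in the next record. Rewriting the newest entry is invisible to `verify()` unless the value returned by `head()` is anchored somewhere the log's custodian cannot silently change, for example countersigned, emailed to internal audit, or written to separate write-once storage at each close of business.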

Contractual terms can reinforce these controls. Clauses that permit termination for cause if a partner is suspended, debarred, placed on an exclusions list, or loses a key license, and that require timely notification of such events, create a direct link between integrity data and the right to exit or renegotiate relationships.

Due diligence on key personnel and ownership structures will not remove all uncertainty from B2B partnerships. However, aligning background checks with documented risk assessments and clear contractual rights reduces the likelihood that integrity issues will evolve into disputes, disqualifications, or unplanned exits from institutional or public-sector opportunities.
