Third Party Due Diligence Guide

Download the English version as a pdf here

THIRD PARTY DUE DILIGENCE INTERNAL GUIDE

Version: January 22, 2016

In accordance with the Values & Expectations of 168 and as reflected in RPM’s Third Party Due Diligence Policy, we must “transact business with reputable and trusted individuals and entities,” and “we must all take steps to learn about those with whom we transact business to ensure that all actions taken by third parties for the benefit of the company are in keeping with the Value of 168® and its inherent core principles.” 

The level of diligence required to be exercised when assessing and reviewing third parties is largely related to the individual characteristics and risks of each subsidiary company, the manner in which each company goes to market, and different variables associated with the types of third parties with whom each company transacts business.  Consequently, through its Third Party Due Diligence Policy, RPM requires that all operating groups and companies establish Third Party due diligence procedures (“Third Party Due Diligence Procedures”) in writing to appropriately address the individual risks associated with their transactions and to appropriately function within their respective operational environments.  (Exhibit A is RPM’s written Third Party Due Diligence Procedures that may be used as an example – Note that this is an example only, and individual market variables may require different factors to be added, deleted or considered by each individual subsidiary company.  Additionally unlike its operating companies, RPM headquarters does not have customers with the exception of its own operating companies, consequently customers are outside of scope in its Third Party Due Diligence Procedures).

This guidebook was developed based upon what RPM considers to be “best practices” and is intended to assist the subsidiary companies with the development of their respective Third Party Due Diligence Procedures. This is only a guide and certainly each subsidiary company may reasonably modify or consolidate certain steps identified within this guide to appropriately and effectively conduct its Third Party Due Diligence.  However, as reflected in RPM’s Due Diligence Policy in all cases the subsidiary company must take “reasonable steps necessary to determine whether [its] Third Parties . . . possess the qualities and standards required under the Values & Expectations of 168.”  

I. Definitions:

A. “Company” refers to RPM and all of its subsidiaries. 

B. “TI Index” refers to an index published each year by the Transparency International coalition identifying the perception of corruption amongst public sector officials within different countries.  The updated version of the TI Index may be found at: http://www.transparency.org/research/cpi/overview.

C. “Third Party/Parties” means a party or parties with whom RPM, any operating group, company or subsidiary does business or C. seeks to do business, whether as a supplier, customer, consultant, distributor, service provider, contractor, installer, agent or otherwise, but for purposes hereof shall specifically exclude federal, state, provincial and local governments. Types of Third Parties may include, but are not limited to, the following individuals or entities:

  1. Customer End Users: Recipient or purchaser of products of the Company that ultimately uses the product and does not resell the product.   
  2. Customer Distributors/Installers: Purchaser of a product of the Company that intends on reselling the product or using or installing the product for its customer. 
  3. Service Providers: Provide functional services or support to the Company  (e.g., communications, logistics, storage, processing service, IT services, financial services).
  4. Suppliers/Vendors: Supply parts, components and raw materials used by the Company.
  5. Advisor/Intermediaries:  Provide technical or subject-matter expert advice on behalf of the Company by representing the Company to another person, business entity, or government official (e.g., tax and financial advisors and consultants, legal advisors, lobbyists, freight forwarders, permit consultants). 
  6. Contractors/Subcontractors: Provide goods or services to the Company under contractual terms, but otherwise are not under the control of the Company (e.g. installers, repairers).
  7. Agents:  Authorized to act for, or on behalf of, the Company in furtherance of the Company’s business interests (e.g., sales agents, customs brokers, permits agents).
  8. Joint Venture Partner: Those with whom the Company has entered into a business agreement to establish a new business entity and/or manage assets.

D. Relationship Owner: A Company employee who is (1) initiating the relationship with a Third Party or who (2) has primary continuous and direct contact and communication with a Third Party. (e.g., a purchasing agent who purchases from a specific supplier may be the Relationship Owner for matters relating to that supplier; a sales department employee who sells to a particular customer may be the Relationship Owner for matters relating to that customer; a Company lawyer who generally retains an outside attorney to render legal advice on behalf of the Company could be the Relationship Owner for matters relating to the outside attorney).

E. Reviewer(s):  Designated individuals who review gathered information about Third Parties and who make preliminary determinations and recommendations as to the appropriateness of continued transactions with Third Parties.  Conflicts of interests connected to their decision making should be considered, and thus these individuals should not be connected to the transactions involving the Third Parties they are reviewing.        

II. Due Diligence Procedures:

A. Recommended Five Step Process:    

In order to properly conduct Third Party due diligence, subsidiaries should consider the five step process depicted by the graphic below: 

Step 1:  Scope of Third Parties: 

Each subsidiary should establish and document a procedure to identify all of its Third Parties.  As most, if not all, of our Third Parties are either invoiced or paid, reasonable tools that may be considered to initially identify existing Third Parties are the corporate accounts payable and account receivable databases and consolidated master sheets.  Care should also be taken to identify any Third Parties that are not paid or invoiced, but who still provide services and products to the Company or who may act on behalf of, or for the benefit of, the Company.

Step 2:  Third Party Risk Assessment.

After all Third Parties have been identified, each should be tracked and evaluated to determine its level of risk to the Company.  Risk assessment involves the evaluation of objective criteria as well as certain variables that must be subjectively evaluated and categorized.  It should be the responsibility of the applicable Compliance Advisor responsible for each subsidiary to ensure that all factors are appropriately considered after consultation with the respective subsidiary’s operational subject matter experts and Relationship Owners.

When conducting the Risk Assessment, objective values may be assigned to different characteristics of Third Parties based upon individual compliance risks associated with each type of Third Party.  The following are examples of how values may be distributed across different categories: 

1. General Type of Third Party

  • Suppliers (1)
  • Customer End Users (0)
  • Customer Distributors (2)
  • Service Providers (2)
  • Installers/Repairers(2)
  • Agents (3)
  • Joint Venture Partners (3)
  • Advisors/Intermediaries (3)
  • Contractors/Subcontractors (2)
  • Licensees (3)

2. Government Relations of the Third Party

  • Direct (3)
  • Indirect (2)
  • None (0)

3. Lowest TI Index for any country in which Third Party Association with the Company is Implicated (If more than one apply, use lowest TI Index score)

  • TI Index Less than or Equal to 39 (3)
  • TI Index Less than or Equal to 49 and More than 39 (2)
  • TI Index More than or Equal to 50 (1)

4. Legal Form of Third Party

  • Sole Proprietorship/Private Company (3)
  • Publicly traded company registered in an internationally recognized exchange of a country with a TI Index of 49 or less (2)
  • Publicly traded company registered in an internationally recognized exchange of a country with a TI Index of 50 or more  (0)

5. Subjective factor should also be considered and assigned by the Compliance Advisor responsible for each subsidiary after consultation with the respective Relationship Owner.  For example, the following may be subjective factors to consider and values that could be assigned 

  • Availability of Substitutes
    • Many substitute options for the products or services provided by the Third Party  (0)
    • Very few (less than five) substitute options for the products or services provided by the Third Party (2)

After all scores are compiled, the total score should be added and a preliminary risk allocation characterization should be determined.  For example, the following may be appropriate “Risk Allocation Scores” for a company:

  1. A score of 9 or higher is a “High Risk Third Party”
  2. A score of 7-8 is a “Medium Risk Third Party”
  3. A score of 6 or less is a “Low Risk Third Party”

Note:  Depending on the type of markets and the manner in which a subsidiary goes to market, and regardless of any other factors, “High Risk Third Parties” could include all distributors, sales agents, joint venture partners, licensees, consultants and agents who deal or may deal with government agencies on its behalf (examples include, customs, government owned hospitals, oil companies, airports, schools and the United Nations), expeditors and customs agencies doing business for the Company in a country with a Transparency International Index of 49 or less, and all parties, regardless of location, to whom we sell any product which requires an export license and all other parties with respect to which any red flag have been raised through this due diligence process. 

Step 3:  Gathering Information

Administrative Notes on Gathering Information

Note (1):    RPM uses World Check, which is run by Thomson Reuters and Truth Technologies to conduct initial information gathering of its Third Parties. World Check allows for information gathering to be segmented, and thus a company can run limited searches targeted at only identifying whether a Third Party is on a “denied parties/persons” lists (“Limited Trade Search(es)”) to meet trade compliance obligations, or they can run broad searches where the information gathered would not only include “denied parties/persons” lists, but also any derogatory information connected to fraud, anti-competition, anti-corruption, international trade and financial law or regulation violations, etc. (“Full Scope Search”)   Although RPM has a current contract with World Check that provides any of our companies with “preferred” pricing, no subsidiary is required to use World Check.  However, in accordance with RPM’s Third Party Due Diligence Policy, all operating companies are required to use a similar third party due diligence information gathering service (hereinafter “Information Gathering Service”) that has been approved by RPM, to perform Step 3 of the Third Party due diligence process.  Should a company wish to use World Check, beginning June 1, 2015, fees paid under the World Check contract will be allocated proportionally based upon total use to the operating groups that use that service. World Check and Navigant are approved by RPM as Information Gathering Services that may be used by the operating companies and groups.  For any Limited Trade Search targeting only the denied parties/persons lists, MK Data’s Denial Lists Service is a provider that is also approved.  Most providers have the capability to integrate their services into many existing ERP systems to facilitate automated gathering and record keeping of the information.  Most services also allow for continuous monitoring of Third Parties which will alert the subsidiary company of any new derogatory information about an existing Third Party.    

Note (2):    Depending on the overall risks of a subsidiary, and the manner in which it goes to market, it may be more efficient to partially combine Steps 2 and 3.  If the risks are narrowly focused, running all identified Third Parties through an Information Gathering Service to identify any derogatory information prior to conducting the Risk Assessments may reduce the number of Third Parties to which the objective and subjective factors must be considered and for which expanded due diligence may be required.  Unless the geographical area of operations, close connections to governmental contracts, or a close agency relationship with the Third Party requires, Third Parties who do not have any negative occurrences identified after using an Information Gathering Service may not require further due diligence or approval. 

Note (3):    In some cases, background checks of individuals and even companies may require the consent of the party being investigated.  If in doubt as to whether permission is required, Relationship Owners should check with their subsidiary’s operating group or RPM’s legal department prior to conducting background checks on Third Parties. 

The following procedure may be used to gather information about Third Parties:

1. For all Third Parties conduct and Information Gathering Service search that is broad in nature intended to identify and “flag” derogatory information related to each Third Party’s conduct in categories including, but not limited to, denied persons/parties lists, corruption, fraud, anti-competition, and US, European or local import, export or customs-related laws (“Full Scope Search”).  Negative finding should be evaluated by the relevant Reviewer to determine whether the Third Party poses a undue risk to the Company in the areas of corruption, fraud, money laundering, anti-competition, trade controls or otherwise.

Note: In accordance with RPM’s Third Party Due Diligence Policy, if a match is identified to a Third Party’s connection to a prohibited party/person or embargoed country or if the Third Party is identified as being actively involved in a scheme to defraud, money launder, corrupt or improperly influence competition, the Reviewer must confirm whether or not it is a false positive as opposed to a correct match using an appropriate level of due diligence.  If it is a correct match, the Reviewer shall immediately notify appropriate leaders of the subsidiary company and if the review findings present an elevated risk of corruption, anti-competition, fraud, money laundering, or trade violations, the Company MAY NOT do business with the Third Party without prior written approval from the applicable group’s or RPM’s legal department – Note that this is required to meet the spirit and intent of our Values & Expectations of 168.  Furthermore, if after the initial Full Scope Search the Reviewer or the appropriate legal department determines that additional due diligence is required, an expanded due diligence review may be requested, at an additional cost from any existing contracts, from an Information Gathering Service.  These expanded reviews are much more detailed than what is provided by the databases used during the initial information gathering, and should be considered for the High Risk Third Parties.     

2. Review all reports gathered from the Information Gathering Service search to confirm that the Third Party is not located in or does not plan to ship or transfer your products or services to, or source products or services on your behalf from, any of the following countries:  Cuba, Iran, North Korea, Sudan or Syria.

Note:  Under RPM’s Trade Compliance and Third Party Due Diligence Policies, all subsidiaries must have procedures in place to ensure that for all new customers and suppliers that Limited Trade Searches be done for all transactions prior to placing orders, shipping products or providing services.  For all existing customers and suppliers, Limited Trade Searches are required at least every quarter.  (See Exhibit B and RPM’s International Trade and U.S. Anti-Boycott Compliance Policy for the minimum lists to be searched under a Limited Trade Search).  Most outside vendors who provide a database service, such as World Check, can assist with the integration of their service into most corporate ERPs so that these searches occurs automatically prior to an invoice, order or shipment being sent. 

3. For all new Third Parties, you may use Dunn and Bradstreet or another service to conduct a “business information and credit search.”

4. For all Third Parties identified in Step 2 as a Medium Risk Third Party, or who were identified as Low Risk Third Parties after Step 2, but for which material derogatory information was found during the Information Gathering step, the Reviewer should complete an Internal Third Party Information Form (see Exhibit C). 

5. For all Third Parties identified in Step 2 to be High Risk Third Parties, or deemed to be High Risk Third Parties based upon information learned during the Step 3 Information Gathering stage, have the Relationship Owner request completion of a Third Party Information Request Form (see Exhibit D), and when completed provide it to the Reviewer.  If the Third Party fails to return the Form, you should obtain written approval from your legal department before conducting business with that Third Party.

6. For any Third Party identified by an Information Gathering Service as potentially having derogatory information, the Reviewer should refer to the Corruption and Trade Controls Red Flags (see Exhibit E) and evaluate whether any apply to the given situation. 

Step 4:  Decision:

The spirit and intent of the Values & Expectations of 168 and RPM’s Third Party Due Diligence Policy requires that once information is gathered, the information must be formally reviewed and a decision made by each operating group or company after taking into consideration the applicable Reviewer’s recommendations. The following process may be helpful: 

  1. Reviewers should evaluate the results of the searches and the subsidiary company will not engage or sell products to any Third Parties that the Reviewer determines may have material derogatory information until appropriate corporate management and, if required, the applicable group’s or RPM’s legal department, approves the relationship.  Under RPM’s Third Party Due Diligence Policy if any information identified during the due diligence procedures causes the Reviewer or the applicable legal department to believe or have concerns that that the Third Party represents an elevated or active corruption, anti-competition, money laundering or trade compliance risk to the Company, no relationship shall be commenced without written approval from the applicable group’s or RPM’s legal department.
  2. For all Third Parties that the Reviewer finds to be Low Risk Third Parties at the conclusion of Step 3, and who do not have any material derogatory information, no further approval process may be necessary.  Additionally, for any Medium or High Risk Third Parties who do not possess any NEW material derogatory information since proper management approval was last obtained, no further approval process may be necessary. 
  3. For ALL Third Parties that the Reviewer found NEW material derogatory information since approval was last obtained, the Reviewer should provide the completed Internal Third Party Information Forms and Third Party Information Request Forms to the appropriate management approval authorities.
  4. It is recommended that the following level of management be the final approval authorities for continued transactions with Third Parties for which derogatory information was found:
    1. High Risk Third Parties with new derogatory information:  Subsidiary company’s General Manager or President with the consent of the General Counsel of the subsidiary’s operating group or of RPM.
    2. Medium Risk or Low Risk Third Parties with new derogatory information:  Subsidiary company’s General Manager or President.   

Note:  Approvals may only occur if continued transactions with the Third Parties are in keeping with the Values & Expectations of 168.        

Step 5:  Sustainment and Mitigation:

A. Sustainment:  With the exception of searches of prohibited parties/persons lists related to customers and suppliers as outlined in RPM’s International Trade and U.S. Anti-Boycott Compliance Policy the frequency at which the broad scoped Third Party Due Diligence is conducted for existing Third Parties may differ depending on the risk associated with the Third Party, and the risks associated with a particular subsidiary company.   Following are the recommended time lines that the subsidiaries may want to use to conduct Third Party Due Diligence of existing Third Parties:

  1. High Risk Third Parties:  Yearly
  2. Medium Risk Third Parties:  Every two years
  3. Low Risk Third Parties:  Every three years

Note: RPM’s Third Party Due Diligence Policy requires that all subsidiaries conduct due diligence of Third Parties at least every three years regardless of their assigned or previously determined level of risk. 

B. Mitigation of Risks through Contractual Terms and Education:

In order to mitigate risks inherent with transactions with Third Parties, all subsidiaries should consider implementing the following procedures:

  1. Provide High Risk, and perhaps Medium Risk, Third Parties with education or instruction on the Values & Expectations of 168, with special emphasis on anti-corruption, fair competition and trade compliance subjects, as appropriate, and document the education or instruction in your files.
  2. Have suppliers sign a Supplier Certification Letter (See Exhibit F for an example) prior to the commencement of the relationship (or within one year from the effective date hereof for existing Third Party relationships) and no less than once every three years thereafter where they acknowledge their understanding and their commitment to adhere to RPM’s Values & Expectations of 168 and to be “Conflict Mineral Free.”
  3. Have all High Risk, and perhaps Medium Risk, Third Parties sign a Third Party Acknowledgement and Certification (see Exhibit G for an example) prior to the commencement of the relationship (or within one year from the effective date hereof for existing Third Party relationships) and no less than once every three years thereafter where they acknowledge having received education in, understanding, and their commitment to adhere to RPM’s Values & Expectations of 168.
  4. Adopt audit right provisions in contracts with High Risk, and perhaps Medium Risk, Third Parties, and exercise audit rights in situations where there are suspicions of corruption, fraud, theft, anti-competitive conduct, or trades that are inconsistent with RPM’s Values & Expectations of 168.
  5. Investigate any compliance concerns that arise during the relationship thoroughly and appropriately address and resolve any potential violations of the Values & Expectations of 168.       

EXHIBIT A

RPM INTERNATIONAL INC.’S (“RPM”) THIRD PARTY DUE DILIGENCE PROCEDURES

In order to fulfill its legal obligations, and comply with the Values & Expectations of 168 and RPM’s Third Party Due Diligence Policy, the following procedures will be followed by RPM to conduct its Third Party Due Diligence:

I. Definitions:

A. Reviewers: 

  1. Primary for all non-legal/compliance related Third Parties -- RPM’s Director of Global Compliance
  2. Secondary for all non-legal/compliance related Third Parties – Associate General Counsel
  3. Primary for all legal/compliance related Third Parties -- Director of Planning and Financial Analysis

B. Relationship Owners for “Type Category:”

  1. Finance Group:
    1. Tax Advice: Director of Global Tax Planning
    2. Treasury Services: Director of Global Treasury
    3. Accounting / Financial Reporting Advice: Senior Director of Financial Reporting
    4. Consolidated Service Providers:  Manager of Consolidated Services
  2. Purchasing: Manager of Community Affairs and Corporate Events
  3. IT Services / Hardware Providers:  Director of IT Operations
  4. Investment Relations and Promotion Service Providers:  Manager of Investor Relations
  5. Insurance, Insurance Defense Law Firms, and Liability Consultants: Vice President – First Continental Services/Claims
  6. Legal & Compliance Related Third Parties:
    1. Business Development Due Diligence Service Providers: Director of Corporate Development
    2. Legal Department Related Service Providers: Associate General Counsel
    3. Compliance Related Service Providers:  Director of Global Compliance
    4. Auditors: Senior Director, Internal Audit
  7. General Service Providers: Manager of Community Affairs and Corporate Events
  8. Political & Charitable Contributions: Director, Corporate Secretarial and Legal Services
  9. Human Resources Related Service Providers: Director of Human Resource Information Systems
  10. Investor Relations Service Providers: Manager of Investor Relations

C. Approving Authority:

  1. The Approving Authority for the initiation or continued interaction with Medium Risk and High Risk Third Parties (later defined) not related to legal or compliance services is RPM’s General Counsel.
  2. The Approving Authority for the initiation or continued interaction with Medium Risk and High Risk legal or compliance services Third Parties is RPM’s Chief Financial Officer. 
  3. Transactions with Low Risk Third Parties (later defined) are approved without review by RPM’s General Counsel or Chief Financial Officer unless the Reviewer in his or her discretion believes that further consideration is required by those RPM Officers.  

II. Step 1, Identifying all Third Parties:

A. Initial and Periodic Reviews:  On or about November 2014, and periodically as reflected in Section V.A. of this document, the Finance Department will provide a consolidated list to the Director of Global Compliance of all of RPM’s Third Parties who were either paid or invoiced at any time during the immediately preceding fiscal year.  The list shall include the corporate or individual’s name, address, and if possible applicable “Type Category” Identified in section I above.   

B. New Third Party:  Prior to entering into a business relationship with a Third Party, the applicable Relationship Owner identified with the primary Type Category for which the Third Party will provide services or products is responsible to ensure that Steps 2 through 4 of RPM’s Third Party Due Diligence Process are followed prior to finalizing transactions with the new Third Party.  In some cases, background checks of individuals and even companies may require the consent of the party being investigated.  If in doubt as to whether permission is required, Relationship Owners should check with RPM’s legal department prior to conducting background checks on Third Parties. 

Steps 2 & 3, Risk Assessment & Information Gathering: 

All identified Third Parties will be run using the broadest World Check Database available. 

All Third Parties “flagged” by World Check as having possible derogatory information will first be verified as “true positive” matches by the applicable Reviewer, with the assistance of the applicable Relationship Owners.  For all “true positive” matches the following Risk Assessment will be conducted by the appropriate Reviewer:

The following values shall be assessed:

a. TI CPI Index

  1. Primary agency of Third Party headquartered in a country with a TI Index of 39 or lower.  (3) 
  2. Primary agency headquartered in a country with a TI Index of more than 39, but less than or equal to 49. (2)
  3. Primary Headquarters in a country with a TI Index of 50 or more.  (0)

b. Primary Type of Service Provided (Use Highest Value)

  1. Agent or Advisor who independently or directly Files Documents or Represents RPM to governmental agencies, courts, or investors (3)
  2. Agent or Advisor who advises on the preparation of, or who prepares, documents under the supervision of RPM employees where the documents are relied upon by governmental agencies, courts, or investors. (2)
  3. Agency or Individual who provides training materials relied upon by RPM for Compliance, E, H &S, or Legal training. (1)
  4. Supplier of non-advisory products or services used at RPM Headquarters. (1)

c. Prior Regulatory or Criminal Activity:

  1. Any indication after the World Check review, or otherwise known to the Reviewer, that the Third Party was convicted or administratively sanctioned within the last 5 years, or is under current investigation, for criminal or regulatory violations involving fraud, trade violations, anti-competitive conduct, corruption, money laundering, or questionable financial reporting.  (3)
  2. Any indication after the World Check review, or otherwise known to the Reviewer, that the Third Party was convicted more than 5, but less than 10 years prior to RPM’s potential engagement for violations involving fraud, trade violations, anti-competitive conduct, corruption, money laundering, or questionable financial reporting. (1)  

d. Type of Third Party:

  1. Private for Profit (2)
  2. Political (3)
  3. Charitable, not for Profit (1)

C. Risk Allocations Scores:

  1. A score of 6 or higher is a “High Risk Third Party”
  2. A score of 4-5 is a “Medium Risk Third Party”
  3. A score of less than 4 is a “Low Risk Third Party”

D. High Risk Third Parties and Expanded Due Diligence: Reviewers will coordinate with the applicable Relationship Owner to have the Third Party complete the attached Information Request Form.  The applicable Reviewer, after consultation with the General Counsel (for non-legal or compliance related Third Parties) or the Chief Financial Officer (for all legal or compliance related Third Parties), will determine and appropriately document whether an outside “corporate intelligence gathering” agency should be retained to conduct additional due diligence (“Enhanced Due Diligence”) on the High Risk Third Party. 

E. Medium Risk Third Parties:  For all third parties who have any derogatory history involving fraud, trade violations, anti-competitive conduct, corruption, money laundering, or questionable financial reporting, the Reviewer will coordinate with the appropriate Relationship Owner and prepare the attached Internal Third Party Information Form.   For Medium Risk Third Parties without the previously mentioned derogatory history, the Internal Third Party Information Form need only be completed if in the Reviewer’s discretion it would assist the Approving Authority with his or her decision making.  In all cases, the World Check report for all Medium and High Risk Third Parties must be provided to the Approving Authority.  

Step 4,  Decision:

A. RPM’s Director of Global Compliance will create a spread sheet for all High and Medium Risk Third Parties identifying each by name, Type Category, applicable Reviewer and applicable Relationship Owner.   The spreadsheet will also have columns identifying “approved” or “disapproved” as well as whether Enhanced Due Diligence was performed.  (the spreadsheet is hereinafter referred to as the “Tracking Spreadsheet”).

B. For all non-legal or compliance related services High and Medium Risk Third Parties, the Director of Global Compliance will provide to RPM’s General Counsel all World Check and Enhanced Due Diligence Reports, completed Internal Third Party Information Forms, Information Gathering Request Forms, and the Tracking Spreadsheet.  After reviewing all information, RPM’s General Counsel will authorize or disapprove transactions with each of those Third Parties, and annotate that on the Tracking Spreadsheet. 

C. For all legal or compliance related service High and Medium Risk Third Parties, the Director of Global Compliance will provide to RPM’s Chief Financial Officer all World Check and Enhance Due Diligence Reports, completed Internal Third Party Information Forms, Information Gathering Request Forms, and the Tracking Spreadsheet.  After reviewing all information, RPM’s General Counsel will authorize or disapprove transactions with each of those Third Parties, and annotate that on the Tracking Spreadsheet. 

D. Any disagreements with the decisions made by RPM’s General Counsel or Chief Financial Officers may be resolved by presenting the matter to RPM’s Audit Committee for appropriate resolution by RPM’s Board of Directors. 

V:  Step 5, Sustainment and Mitigation:

A. Sustainment:

  1. Unless continuously monitoring is employed, Third Parties Identified during an immediately prior review as High Risk Third Parties will be processed through this due diligence procedure on or about November, each year.
    • If previously approved by the Approving Authority a Third Party Information Request Form and Step 4 (Decision) is only required if new material derogatory information is uncovered.  Otherwise, approval is assumed unless the Reviewer determines that the matter should again be brought to the attention of the Approving Authority.
  2. Unless continuously monitoring is employed, Third Parties Identified during an immediately prior review as Medium Risk Third Parties will be processed through this due diligence procedure on or about November, every two years.
    • If previously approved by the Approving Authority, an Internal Third Party Information Form and Step 4 (Decision) only required if new material derogatory information is uncovered.  If the Third Party is elevated to a “High Risk Third Party” after Steps 1 through 3, then a Third Party Information Request Form must be completed and Step 4 (Decision) must be performed.  In any other case, approval is assumed unless the Reviewer determines that the matter should again be brought to the attention of the Approving Authority.
  3. Unless continuously monitoring is employed, Third Parties Identified during an immediately prior review as Low Risk Third Parties will be processed through this due diligence procedure on or about November, every three years.

B. Mitigation:

  1. The Relationship Owners must consider whether Third Parties should be made aware that they are expected to adhere to the Values & Expectations of 168, and whether they should be asked in writing to read the Values & Expectations of 168, which may be found at https://www.rpminc.com/about-rpm/code-of-conduct/.  Some of the factors that may be considered when making this determination include, but are not limited to the Third Party’s assessed risk level, its legal formation, compliance history, reputation, and longevity in the industry.
  2. All RPM Relationship Owners should consider having their respective Third Parties sign the attached Acknowledgement and Certification.   The factors identified in the immediately preceding paragraph are relevant when considering whether a written Acknowledgement and Certification should be required. 

VI. Document Retention:

A. All World Check Reports, Enhanced Due Diligence Reports, Tracking Spreadsheets, Internal Third Party Information Forms and Third Party Information Request Forms shall be maintained by the Director of Global Compliance for a period seven years following the applicable “approval” or “disapproval” decision of each respective Third Party for which the documents pertain.  

B. Unless required to be maintained for a longer period of time by other policies, rules or regulations, Relationship Owners must maintain any Acknowledgement and Certifications Forms signed by their respective Third Parties for a period of seven years after the relationship ends; or for continuing relationships, for seven years after any form is superseded by the execution of another Acknowledgement and Certification Form. 

Leading Brands
Construction Brands Performance Coatings Brands Consumer Brands Specialty Brands
Investors
Investor Overview Why Invest? Shareholder Services Frequently Asked Questions Annual Meeting Presentations & Webcasts Email Alerts Analyst Coverage
Dividend
Current Dividend Dividend Reinvestment Plan Historical Dividends & Splits
Reports / Financials
Quarterly Results SEC Filings Financials Snapshot Annual Reports & Proxy Statements Section 172 Statements



rpm logo Footer 70Th Annual Fortune 500
rpm logo
2628 Pearl Road, Medina, OH 44256 | 330-273-5090 | info@rpminc.com
Footer 70Th Annual Fortune 500
From Fortune. ©2024 Fortune Media IP Limited. All rights reserved. Used under license.
youtube linkedin

Terms of Use Privacy Policy Cookie Policy Cookies Settings
© RPM International Inc.

Terms of Use
Privacy Policy Cookie Policy Cookies Settings
© RPM International Inc.