Dan Adamson: Sorry, watchlists aren’t due diligence either

With the growing number of data sources and changing regulation, compliance teams are under incredible pressure and scrutiny to implement the most thorough due diligence process available.

They are frustrated by the tools at hand, which are actually growing increasingly ineffective due to recent changes such as the “Right to Be Forgotten” rule. 

We’ve already established in a prior post that Google isn’t a sophisticated research tool for compliance teams. It’s easily manipulated and fraught with false positives that require compliance team members to chase endless paths leading them in the wrong direction. 

What may surprise you, though, is the number of people who countered that argument by saying, “Well, we’re more sophisticated than that, we primarily use watchlist databases to assess our risk.”

This, unfortunately, does little to reassure anyone that your compliance assessments are thorough and timely. Just as a Google search provides you a one-point-in-time view of a possible risk, the watchlist database approach is riddled with challenges as well. How is the watchlist created and maintained?

The reality is that large groups of humans try to maintain these databases, but it’s a struggle for them to cover even a fraction of content that’s being published every day. The sheer volume of data they try to review and number of steps they take to try and control quality naturally slow updates.

Consideration must also be given to the successful lawsuits and requests made to have entities removed from these watchlists. This was occurring even before the “Right to Be Forgotten” legislation, which now makes it even easier for an individual to petition that information be removed if it is “inadequate, irrelevant or excessive.” This means that real terrorists or other bad actors might come off watchlists when they should absolutely be flagged as high risk.

Generally, to avoid too many legal battles and controversy, being placed on the watchlist is the result of an actual conviction from a court of law. So what does this mean? The data on that watchlist is nowhere close to being real-time. In many cases, it could take years for a case to work through a legal system and for a verdict to be issued. Then and only then will a change be made to the watchlist. Can you really afford to wait that long?

No doubt, this is a complex challenge and it’s also error prone — at banks, KYC for onboarding is often done in duplicate to cut down on high error rates, and even then often requires a review process, making these traditional approaches even more inefficient and costly.

Ultimately, what is required is a blended approach that scales appropriately to the level of risk. Investigative cognitive computing is now capable of this approach, allowing for the combination of watchlists, open web research, deep web sources and other premium content as well as internal sources. And it is capable of going shallow, doing a relatively simple screen, or going far further when appropriate, discovering related entities and chasing down possible leads.

While some readers might be worried that robots are replacing human jobs, I would argue that’s not the case. What is happening instead is that the cognitive computing platform does the time-consuming job of sifting through an extraordinary amount of available information, chasing down leads, marking off obvious false positives and flagging any possible risk issues, all while your team sleeps. When the team returns to the office in the morning, they can do what they were truly trained to do: assess potential risks to make better, more informed decisions.


 Dan Adamson is the Chief Executive Officer of OutsideIQ, a company that develops investigative cognitive computing, including DDIQ, to address today’s growing compliance requirements. He can be contacted here.

  1. Agree with Dan on this. Reputed Vendors claim that within 24 hours they will have their watchlists updated! But these watchlists only contain a tiny fraction of the population that poses a risk to Banks.

    Moreover, if you look at the risk based approach followed by banks for reviewing high risk customers once a year, medium risk customers once in three years and low risk customers once in 5 years, you will see that it's an approach fraught with deep risk! 🙂

    Actually it's just a convenient approach taken by banks based on the "operational bandwidth" that they have.

    Cognitive computing based due diligence technology can actually CONTINUOUSLY MONITOR the web for adverse media and provide an alert to banks on a daily basis…
    thus making the "risk based approach" passe …

    Wish the regulators would make such "continuous monitoring" MANDATORY for all banks and make the world a safer place ….

    We have all heard the famous words …… "mankind must abolish war or war will abolish mankind …" … I would like to add …

    banks must abolish watchlist based due diligence and risk based annual reviews…
    or the risky customers will abolish banks !

  2. Are there any tools you recommend we use for investigative cognitive computing?

  3. Good article Dan. Interesting points on how stale, incomplete, and potentially manipulated, the hundreds of watchlists may be. I would expect everyone in the third party risk management game knows that you have to look at a host of other available data via open web research, and subscription based premium content. One challenge is being able to pinpoint the obscure which I believe you refer to as the "deep web sources," as the greater challenge is having access to the right tools to more efficiently put together the skinny on your counterparty.
    As you appropriately point out in your conclusion, we will always need trained analysts to interrogate the results of any auto monitoring or screening and then determine what's relevant and when further research may be necessary.

  4. Interesting article Dan, thanks for this. I'm curious though – how does investigative cognitive computing work in environments where watch lists and such either do not exist at all, or are at their infancy at best? I live and work in such an environment (Nigeria) and we still rely very much on the traditional (read human) methods of conducting due diligence in response to enquiries from abroad. It would be great to hear your views and the views of others on this.

  5. Jessica, when it comes to cognitive computing I would recommend looking at DDIQ.
