We have already looked at some of the common pitfalls of modern due diligence, from the brute force open-source intelligence (OSINT) approach of Google searching to the over-reliance on manually curated watchlists.
The newly launched International Organization for Standardization (ISO) anti-bribery standard, ISO 37001, actually has a lot of good to say about due diligence best practices, whether your goal is to strictly implement the standard or just to properly implement a third-party due diligence program.
I will paraphrase a few key points that I strongly agree with: due diligence on the one hand has to be commensurate with the risk — it has to be practical — but at the same time it should go deeper than just the primary entity, looking at the relevant related entities, whether that includes subsidiaries, parents, a management team, beneficial owners or associates of an individual.
I’ve just highlighted two statements I agree with, but they are actually at odds with each other. For international companies, figuring out the spider web of relevant related entities can be a nightmare in itself, making due diligence complex. And doing due diligence on not just a vendor, but all of their executive team may be warranted – but can certainly be costly, at least by traditional approaches.
In fact, conducting FCPA-compliant due diligence is a substantial cost. And with the current approaches, I would argue that it is just not sustainable or realistic. No wonder CCOs have trouble getting the budgets they need to keep their companies out of trouble. No wonder CEOs knowingly take risks by not implementing proper compliance programs. And no wonder banks, in one recent survey taken at Sibos with top banking executives, suggested that compliance was their top initiative (ahead of customer service, new products, and profitability) and their leading growing cost.
So how do we get out from between this rock and a hard place? If there is no one single, simple source or best practice considered both sufficient and cost-effective for due diligence, I personally think that the answer has to lie in the modernization of due diligence technologies to incorporate cognitive computing.
Aggregation technologies (that bring back all of the content into one place) have been around for a long time. They can result in some efficiency gains, but they are clearly not enough. However, with new AI technologies, not only can the machines bring back all the content to one place, but they can also take a first pass at analyzing content (and even go deeper than humanly practical) to create a consolidated set of relevant information and weed out false positives.
If an article is obviously not about the correct subject, or is obviously in the wrong context, why do we want humans to focus on those? Instead, humans should be focusing on the nuanced and sticky spots best not cleared by a machine. The goal is still not to completely automate due diligence, but to make it much more efficient while being thorough.
AI technologies can pay great dividends where companies are fighting to manage huge amounts of data to assess a situation, and in particular identify outliers. Prime examples are financial services companies looking for indications of payment fraud, money laundering and internal theft. We also see it in companies that are looking to monitor and evaluate investments, supply chain risks, as well as franchisees and resellers. Anywhere a human researcher must sift through large amounts of data and false positives, there is a real risk that true positives slip through the cracks. This is a great starting case for cognitive computing.
Turning a blind eye can result in hefty fines — we see them every day in the news. Institutions can’t afford to miss things, and human nature brings a natural error rate and inconsistent methods of operation. With the proper cognitive computing technologies in place, traditional sanctions lists, watchlists, premium trusted sources of media, and open web content can be analyzed in a first pass by the system — researching, removing false positives and highlighting risks.
The results can be stellar. In one ROI study, over 95 percent of false positives were removed. In another case study with a financial institution, one in three cold cases were successfully cracked open not because of the system being smarter than a human, but because of the staggering amount of data that was analyzed. Data that was available, just presumably missed by humans.
The traditional brute-force approach of doing research manually will hopefully soon make way for an enlightened approach that combines the best of machines and human reasoning. Advanced technology will become a key tool to help organizations remain competitive and compliant, keeping up with the ever-mounting information available on entities. The days of time-consuming and expensive manual research are hopefully fading away in favor of sustainable, effective due diligence.
Dan Adamson is the Chief Executive Officer of OutsideIQ, a company that develops investigative cognitive computing solutions, including DDIQ, to address today’s growing compliance requirements.