Considering due diligence as a basic good in compliance, we could ask: “Is third party due diligence a commodity?” If you use due diligence from different producers to investigate the same entity, is the product the same?
Can you standardize and exchange different types of due diligence as easily as commodities like wheat or gold, regardless of the producer or region?
Underlying the definition of a commodity is the assumption that similar goods are of equal quality and are therefore interchangeable with each another, even if they come from dissimilar sources. However, according the DOJ-SEC FCPA guidance, due diligence should not follow a “one-size-fits-all” approach. Rather, businesses require due diligence tailored to their specific needs.
The purpose of the due diligence, its scope and your own risk relationships impact the type of due diligence required, while research methodology affects due diligence quality itself. As compliance professionals have varied backgrounds and unique business needs, it is inadvisable to adopt a commoditized, standardized approach to due diligence and assume due diligence processes can be homogenized across the industry.
Research methodology is one of the key differentiators between high and low grades of due diligence, and varies widely from producer to producer. Therefore, it is advisable to investigate how the information in reports is collected, consolidated and analyzed, in addition to how the researchers themselves are trained.
Researchers who cross-reference different sources of information such as local court records and relevant media findings, for example, will provide higher quality reports than those using single-source databases. Those with operations kept in-house will also deliver consistent reporting quality across time and regions, as they have a high degree of control over their internal processes, something that cannot be achieved by subcontracting work.
Unlike commodities which can be processed to achieve multiple end products, like gold, each type of due diligence is unique to its intended application. Due diligence on an entity in Ireland, for example, has subtle differences compared to the nuances of due diligence in China on a high net worth individual. Both checks may focus on past corruption records and government ties, but a thorough Chinese report will emphasize political exposure, derogatory media and litigation checks because those are key risk factors in that jurisdiction.
Understanding the methodology and scope of different report levels can be difficult, but is key to recognizing differences in due diligence quality. While some firms approach “Media Checks” as English language searches of databases which may include some derogatory media, other providers assign trained analysts to consolidate in-depth searches in both English and the local language, tapping into multilingual sources. The result of the latter is a comprehensive profile that evaluates positive and negative details surrounding an entity, while the former may lack the information necessary to assess risks at such a granular level.
Although quality differences may not be apparent in reports about low-profile entities, reports on high-profile entities or challenging research topics that require a nuanced approach will reveal such discrepancies. The end products will be entirely different at best, with low quality reports creating an incomplete and likely misleading profile of third parties for compliance professionals.
As the complexity of research required increases, the time spent on research and effectiveness of research methodology becomes obvious among providers. When this same understanding of scope and methodology is applied further to areas such as litigation searches, regulatory checks, company registration information and directorship searches, one can begin to appreciate the vast differences in scope and quality that are possible in due diligence.
Businesses also differ in size, scope, risk appetites and their distinct risk relationships. Whether you require in-depth reporting or continuous monitoring of third parties post-onboarding, whether your third party universe consists of mostly high risk or low risk relationships, and whether your relationships are global or concentrated in one region, for example, would warrant different research processes and require different information sources. If you have mostly low risk relationships, monitoring from databases may be sufficient for the majority of your due diligence, whereas high risk relationships require deeper level reporting.
Therefore, due diligence is not a commodity. It is inadvisable and perhaps even dangerous to think of it as such without disregarding different compliance needs across organizations.
As businesses expand and their third party universe grows, so too grows the need for third party due diligence to address concerns specific to our risk relationships and entities. By matching the risk level presented with appropriate levels of research, we can achieve a focused approach to best fit the requirements of compliance professionals, their departments and businesses.
Brad Gates, pictured above, is the Senior Vice President, Client Development, Americas for compliance research firm Blue Umbrella. He has more than two decades of experience in compliance risk management, SaaS and delivering complex global due diligence solutions.