The Pandora’s box of automated risk profiling

Regulators are constantly telling compliance officers to take a “risk-based” approach to due diligence processes and procedures. In some cases, regulations go so far as to require third parties to be profiled appropriately based on their level of risk.

For example, under the Bank Secrecy Act (BSA), a customer’s risk level must be determined in order for appropriate due diligence procedures to ensue.

I covered developing an internal due diligence procedure in my previous post.

What makes the risk profiling process so tedious and difficult for compliance officers? Like many hurdles faced by the compliance community, regulations and requirements regarding risk classification and third party due diligence vary vastly across jurisdictions. Moreover, the number and variety of factors that need to be considered when evaluating risk can be overwhelming.

Under the BSA alone, a banking organization should consider types of products and services offered by the money services business, locations and markets served by the money services business, anticipated account activity, and the purpose of the account.

Further, defining third parties and categorizing their risk profiles is not exactly second nature for lawyers or compliance professionals. Categorizing third parties is essentially asking compliance officers to see risks as black and white, putting boxes around concepts that they are trained to know and analyze as very grey areas.

Some compliance officers will approach the task of risk profiling by looking for an automated solution that will do the risk analysis for them. In essence, they want technology that will allow them to submit third party data and receive a magic risk score that tells them the exact risk associated with that particular third party. Some providers actually market this type of ideal solution. There are several issues with this approach.

First, a solution that spits out any type of number or assigned metric that speaks to risk (e.g. a “risk score”) may only be evaluating one compliance risk factor out of the many that should be analyzed when risk profiling as part of establishing a due diligence process and procedure. In other words, a “risk score” is not always the full “risk profile” of a third party.

For example, let’s say you have a third-party data management compliance solution that assigns a “risk score” to each of the third parties you feed into the system. What is the source of that “risk score”? Perhaps it is simply the third party’s home-country CPI rank.

While the CPI rank is very credible and can still be considered a “risk score,” it should not be mistaken for an analysis that reflects the entire risk profile of that particular third party because it only factors in the anti-corruption related risk associated with that country. It does not, for example, speak to anti-money laundering risks that may be associated with the individual.

This is why it is imperative to understand the exact source and meaning of any “risk score” or other number or evaluation that your compliance solution automatically assigns to a record or piece of data you feed into it. An assigned metric relating to risk should never be mistaken for a score that takes all risk factors into account unless you are absolutely sure that it does.

Second, even if the “risk score” captures multiple compliance factors, those factors are likely not tailored to your specific business, which means the score still may not be completely accurate or reliable.

Also, risks have different weights depending on different industries and where business operations occur. For example, if a company does not conduct business with foreign governments, it may not have as much exposure to anti-corruption related risks as a company that operates globally and works with many state-owned entities.

A system that automates risk scores without any customization may not weigh risks in proportion to your business’s actual risk exposure.


Lindsay Columbo, Esq. is a founder of eSpear LLC, a developer of due diligence and screening solutions, where she serves as the Global VP of Compliance & Support Services. She previously served as Associate Corporate Counsel, Global Ethics & Compliance for Brightstar Corp., a SoftBank company headquartered in Miami, Florida. She can be contacted here.
