The recent Cobham Holdings Inc. OFAC settlement highlights a limitation in due diligence software: Cobham’s screening partner ran a name through a database and received no hits.
The name was later found to be a variation of a hit from the OFAC sanctions list, but wasn’t picked up due to the limitations of the search parameters.
While companies that find themselves in this situation look to their screening partner and hold it responsible, database and continuous monitoring services should be considered a minimum tool available for a compliance program’s due diligence. Marketed as a “one stop due diligence solution,” these programs are limited by the information available and provided. Misspellings and naming conventions are only two areas of potential complications that can cause countless false positives or, as Cobham’s experience has shown, miss the intended party.
Contrary to the Resource Guide to the FCPA released six years ago, many companies have adopted the “check the box” approach satisfied by the database and continuous monitoring services. Our experience has been that compliance departments with limited budgets purchase subscriptions to these services, upload a list of names and then wait for the red flags to find them. And who can blame them! What compliance head wouldn’t want to have a robust screening process in place at or under budget?
Unfortunately, regardless of advancements in technology and infrastructure, the human element is still irreplaceable in the due diligence process. In Cobham’s case, the engagement partner should have been subject to additional scrutiny due to location and perceived risk. Additional due diligence would have utilized an analyst with the knowledge of the variations of Russian names translated into English.
Due to expanding sanctions in Russia, additional due diligence regarding ownership would also have been prudent to determine any risk of denied parties being involved in the transactions. Peeling back that ownership onion can be a complex task, and one that requires the skill and knowledge of a licensed investigator. Ultimately, a much deeper dive than the initial screen should have been conducted. Doing so would have greatly increased the chances of finding the connections to sanctioned countries and lowered the risk to the company.
A robust and exhaustive due diligence program, while ideal for an organization, comes at a cost. Compliance departments require the support (both in budget and tone at the top) that allows them to investigate beyond the constraints of a subscription database. The cost of an effective compliance program with risk-based due diligence is often minor compared to the total cost of the reputational harm, fines and legal fees that stem from violations.
Chris Weiss is a global Due Diligence Consultant for the Kreller Group. He advises multinational companies in the areas of FCPA Compliance Program Construction and Third Party Due Diligence.
Tracey Kungl is a lead investigator for the Kreller Group. She conducts domestic and international due diligence with an emphasis on special investigations.