For Compliance Databases, a ‘No Hit’ Isn’t a Green Light
Monday, December 17, 2018
This post originally appeared on FCPABlog.com.
By Chris Weiss and Tracey Kungl
The recent Cobham Holdings Inc. OFAC settlement highlights a limitation in due diligence
software: Cobham’s screening partner ran a name through a database and received
name was later found to be a variation of a hit from the OFAC sanctions list,
but wasn't picked up due to the limitations of the search parameters.

companies who find themselves in this situation look to and hold their
screening partner responsible, database and continuous monitoring services
should be considered a minimum tool available for a compliance program’s due
diligence. Marketed as a “one stop due diligence solution,” these programs are
limited by the information available and provided. Misspellings and naming
conventions are only two areas of potential complications that can cause
countless false positives or, as Cobham’s experience has shown, miss the

to the Resource Guide to the FCPA (pdf) released six years ago, many companies have adopted
the “check the box” approach satisfied by the database and continuous
monitoring services. Our experience has been that compliance departments with
limited budgets purchase subscriptions to these services, upload a list of
names and then wait for the red flags to find them. And who can blame them!
What compliance head wouldn’t want to have a robust screening process in place
at or under budget?

regardless of advancements in technology and infrastructure, the human element
is still irreplaceable in the due diligence process. In Cobham’s case, the
engagement partner should have been subject to additional scrutiny due to
location and perceived risk. Additional due diligence would have utilized an
analyst with the knowledge of the variations of Russian names translated into
expanding sanctions in Russia, additional due diligence regarding ownership
would also have been prudent to determine any risk of denied parties being
involved in the transactions. Peeling back that ownership onion can be a
complex task, and one that requires the skill and knowledge of a licensed
investigator. Ultimately, a much deeper dive than the initial screen should
have been conducted. Doing so would have greatly increased the chances of
finding the connections to sanctioned countries and lowering the risk to the

robust and exhaustive due diligence program, while ideal for an organization,
comes at a cost. Compliance departments require the support (both in budget and
tone at the top) that allows them to investigate beyond the constraints of a
subscription database. The cost of an effective compliance program with
risk-based due diligence is often minor compared to the total cost of the
reputational harm, fines and legal fees that stem from violations.