
FCPA Blog Daily News


The Pandora's box of automated risk profiling

Regulators are constantly telling compliance officers to take a “risk-based” approach to due diligence processes and procedures. In some cases, regulations go so far as to require third parties to be profiled appropriately based on their level of risk.

For example, under the Bank Secrecy Act (BSA), a customer’s risk level must be determined in order for appropriate due diligence procedures to ensue.

I covered developing an internal due diligence procedure in my previous post.

What makes the risk profiling process so tedious and difficult for compliance officers? Like many hurdles faced by the compliance community, regulations and requirements regarding risk classification and third party due diligence vary vastly across jurisdictions. Moreover, the number and variety of factors that need to be considered when evaluating risk can be overwhelming.

Under the BSA alone, a banking organization should consider types of products and services offered by the money services business, locations and markets served by the money services business, anticipated account activity, and the purpose of the account.

Further, defining third parties and categorizing their risk profiles is not exactly second nature for lawyers or compliance professionals. Categorizing third parties is essentially asking compliance officers to see risks as black and white, putting boxes around concepts that they are trained to know and analyze as very grey areas.

Some compliance officers will approach the task of risk profiling by looking for an automated solution that will do the risk analysis for them. In essence, they want technology that will allow them to submit third party data and receive a magic risk score that tells them the exact risk associated with that particular third party. Some providers actually market this type of ideal solution. There are several issues with this approach.

First, a solution that spits out any type of number or assigned metric that speaks to risk (e.g. a “risk score”) may only be evaluating one compliance risk factor out of the many that should be analyzed when risk profiling as part of establishing a due diligence process and procedure. In other words, a “risk score” is not always the full “risk profile” of a third party.

For example, let’s say you have a third-party data management compliance solution that assigns a “risk score” to each of the third parties you feed into the system. What is the source of that “risk score?” Perhaps it is simply the third party’s home-country CPI rank.

While the CPI rank is very credible and can still be considered a “risk score,” it should not be mistaken for an analysis that reflects the entire risk profile of that particular third party because it only factors in the anti-corruption related risk associated with that country. It does not, for example, speak to anti-money laundering risks that may be associated with the individual.

This is why it is always imperative to understand the exact source and meaning of the “risk score,” or any other number or evaluation that your compliance solution automatically assigns to a record or piece of data you feed into it. An assigned metric that relates to risk should never be mistaken for a score that takes all risk factors into account unless you are absolutely sure that it does.

Second, even if the “risk score” is capturing multiple compliance factors, they are likely not tailored to your specific business, which means they still may not be completely accurate or reliable.

Also, risks have different weights depending on different industries and where business operations occur. For example, if a company does not conduct business with foreign governments, it may not have as much exposure to anti-corruption related risks as a company that operates globally and works with many state-owned entities.

A system that automates risk scores without any customization may not weigh risks in proportion to your business’s actual risk exposure.


Lindsay Columbo, Esq. is a founder of eSpear LLC, a developer of due diligence and screening solutions, where she serves as the Global VP of Compliance & Support Services. She previously served as Associate Corporate Counsel, Global Ethics & Compliance for Brightstar Corp., a SoftBank company headquartered in Miami, Florida. She can be contacted here.
